chore: add trivy as a second security scanner

.github/actions/security-scans/action.yml

@@ -62,3 +62,28 @@ runs:
       if: ${{ steps.snyk.outcome == 'success' }}
       with:
         sarif_file: snyk.sarif
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.33.1
+      id: trivy
+      continue-on-error: true
+      with:
+        version: 'latest'
+        image-ref: '${{ inputs.image }}'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v4
+      if: ${{ steps.trivy.outcome == 'success' }}
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+    - name: Review Security checks
+      if: |
+        steps.snyk.outcome != 'success' &&
+        steps.trivy.outcome != 'success'
+      shell: bash
+      run: |
+        echo "None of the security checks succeeded (Snyk and Trivy)"
+        exit 1

.github/workflows/bake_targets.yml

@@ -39,7 +39,7 @@ jobs:
   testbuild:
     # Start by building images for testing. We want to run security checks before pushing those to production.
     name: PostgreSQL ${{ inputs.postgresql_version }}
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest-16-cores
     permissions:
       contents: read
       packages: write
@@ -130,7 +130,7 @@ jobs:
 
   security:
     name: Security checks
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-4-cores
     permissions:
       contents: read
       packages: read
@@ -145,7 +145,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Security checks
-        uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
+        uses: ./.github/actions/security-scans/
         with:
           image: "${{ matrix.image }}"
           registry_user: ${{ github.actor }}