Add vulnerabilties check in CI

Author: anhthii

.github/workflows/ci.yml

@@ -60,9 +60,190 @@ jobs:
           version: latest
           args: --timeout=5m
 
+  # Security vulnerability scanning
+  security-scan:
+    runs-on: ubuntu-latest
+    name: Security Vulnerability Scan
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.23"
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Install dependencies
+        run: go mod download
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...
+
+      - name: Install gosec
+        run: go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latest
+
+      - name: Run gosec security scanner
+        run: gosec -fmt sarif -out gosec-results.sarif ./...
+
+      - name: Upload gosec results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: gosec-results.sarif
+
+  # CodeQL Analysis
+  codeql-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['go']
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.23"
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Install dependencies
+        run: go mod download
+
+      - name: Build for CodeQL
+        run: |
+          go build -v ./cmd/mpcium
+          go build -v ./cmd/mpcium-cli
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
+
+  # SBOM Generation
+  sbom:
+    runs-on: ubuntu-latest
+    name: Generate SBOM
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.23"
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Install dependencies
+        run: go mod download
+
+      - name: Build binaries
+        run: |
+          go build -o mpcium ./cmd/mpcium
+          go build -o mpcium-cli ./cmd/mpcium-cli
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Generate SBOM with Syft (SPDX-JSON)
+        run: |
+          syft . -o spdx-json=sbom.spdx.json
+
+      - name: Generate SBOM with Syft (CycloneDX)
+        run: |
+          syft . -o cyclonedx-json=sbom.cyclonedx.json
+
+      - name: Generate SBOM with Syft (Syft JSON)
+        run: |
+          syft . -o syft-json=sbom.syft.json
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-files
+          path: |
+            sbom.spdx.json
+            sbom.cyclonedx.json
+            sbom.syft.json
+          retention-days: 30
+
+      - name: Scan SBOM with Grype
+        uses: anchore/scan-action@v3
+        with:
+          path: sbom.spdx.json
+          fail-build: false
+          output-format: sarif
+          output-file: grype-results.sarif
+
+      - name: Upload Grype results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: grype-results.sarif
+
+      - name: Display SBOM summary
+        run: |
+          echo "📦 SBOM Generation Summary"
+          echo "========================="
+          echo "Generated SBOM files:"
+          ls -la sbom.*
+          echo ""
+          echo "SBOM package count:"
+          echo "SPDX: $(jq '.packages | length' sbom.spdx.json)"
+          echo "CycloneDX: $(jq '.components | length' sbom.cyclonedx.json)"
+          echo "Syft: $(jq '.artifacts | length' sbom.syft.json)"
+
   build:
     runs-on: ubuntu-latest
-    needs: [test, lint]
+    needs: [test, lint, security-scan, codeql-analysis, sbom]
 
     steps:
       - name: Checkout code