add CI for vulnerability scanning (#939)

.github/workflows/vulnerabilities.yml

@@ -0,0 +1,40 @@
+name: Check vulnerabilities
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - '!**.md'
+  release:
+    types:
+      - released
+
+jobs:
+  clone:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Setup Python
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+          architecture: x64
+      - name: Checkout pycsw
+        uses: actions/checkout@master
+
+  vulnerabilities:
+    needs: [clone]
+    runs-on: ubuntu-22.04
+
+    steps:
+    - name: Scan vulnerabilities with trivy
+      run: |
+        sudo apt-get install -y wget apt-transport-https gnupg lsb-release
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install -y trivy
+        trivy --exit-code 1 fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --ignore-unfixed .

README.md

@@ -4,6 +4,7 @@
 [![Build Status](https://github.com/geopython/pycsw/workflows/build%20%E2%9A%99%EF%B8%8F/badge.svg)](https://github.com/geopython/pycsw/actions)
 [![Join the chat at https://gitter.im/geopython/pycsw](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/geopython/pycsw)
 [![Documentation](https://readthedocs.org/projects/pycsw/badge/)](https://docs.pycsw.org)
+[![Vulnerabilities](https://github.com/geopython/pycsw/actions/workflows/vulnerabilities.yml/badge.svg)](https://github.com/geopython/pycsw/actions/workflows/vulnerabilities.yml)
 
 [pycsw](https://pycsw.org) is an OGC API - Records and CSW server implementation written in Python.