chore(ci): add static-analysis checks to CI/CD (#1219)

## Description

There are additional code quality checks we can run in CI. This PR adds
some of them.

## Related Issue

Fixes #1198

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging
- [x] Unit,
[Journey](https://github.com/defenseunicorns/pepr/tree/main/journey),
[E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples),
[docs](https://github.com/defenseunicorns/pepr/tree/main/docs),
[adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or
updated as needed
- [x] [Contributor Guide
Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request)
followed

.github/workflows/vulnerability-scan.yaml → .github/workflows/container-scan.yaml

@@ -1,7 +1,8 @@
-name: Grype Vulnerability Scan
+name: Container Scans
 
 permissions:
-  contents: read
+  actions: read
+  contents: write # for sbom-action artifact uploads
 
 on:
   push:
@@ -12,7 +13,7 @@ on:
       - main
 
 jobs:
-  grype-scan:
+  container-scans:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
@@ -23,11 +24,17 @@ jobs:
           cache: "npm"
       - name: Install Pepr Dependencies
         run: npm ci
-      - name: Build Pepr Dev Image
+      - name: Build Pepr Controller Image
         run: npm run build:image
-      - name: Scan image
+      - name: Vulnerability Scan
         uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
         with:
           image: "pepr:dev"
           fail-build: true
           severity-cutoff: high
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: pepr:dev
+          upload-artifact: true
+          upload-artifact-retention: 30

.github/workflows/dependency-review.yml

@@ -20,3 +20,26 @@ jobs:
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+
+  circular-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: setup node
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: 20
+          cache-dependency-path: pepr
+      - name: 'Checkout Repository'
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Circular Dependency Check
+        run: |
+          npx madge --circular --ts-config tsconfig.json --extensions ts,js src/ > tmp.log || true # Force exit 0 for post-processing
+          tail -n +4 tmp.log > circular-deps.log
+          if [ $(wc -l < circular-deps.log) -gt 18 ]; then
+            echo "circular-deps.log has more than 18 circular dependencies."
+            wc -l circular-deps.log
+            exit 1
+          else
+            echo "circular-deps.log has 18 or fewer circular dependencies."
+            exit 0
+          fi

.github/workflows/secret-scan.yml

@@ -0,0 +1,15 @@
+name: secret-scan
+on: pull_request
+
+jobs:
+  secret-scan: # scan for any live secrets in the repository using trufflehog
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        fetch-depth: 0
+    - name: Default Secret Scanning
+      uses: trufflesecurity/trufflehog@main
+      with:
+        extra_args: --debug --no-verification # Warn on potential violations

.gitignore

@@ -1,5 +1,6 @@
 
 # Binaries for programs and plugins
+*.log
 *.exe
 *.exe~
 *.dll