update CI workflow permissions and add CVE analysis steps; enhance .dockerignore for compose files

Author: argentinaluiz

.github/workflows/ci.yaml

@@ -17,6 +17,11 @@ jobs:
   ci:
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Ler o conteúdo do repositório
+      packages: write # Permitir publicar pacotes no GitHub Packages
+      pull-requests: write # Permitir criar e atualizar pull requests
+      security-events: write # Enviar eventos de segurança para o Github Security
 
     steps:
       - name: Checkout repository
@@ -67,3 +72,30 @@ jobs:
           secrets: |
             github_token=${{ secrets.MY_GITHUB_TOKEN }}
       
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
+          only-severities: critical,high
+          only-fixed: true
+          summary: true # publicar github actions e pull request
+          exit-code: true
+      
+      - name: Analyze for all CVEs
+        id: docker-scout-all-cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
+          summary: true
+          sarif-file: sarif.output.json
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif.output.json
+      

src/ci/nestjs-project/.dockerignore

@@ -22,6 +22,8 @@
 **/*.jfm
 **/charts
 **/docker-compose*
+**/compose.*yml
+**/compose.*yaml
 **/compose.y*ml
 **/Dockerfile*
 **/node_modules