ci: disable code scanning workflow

.github/workflows/security.yml

@@ -15,7 +15,6 @@ concurrency:
 
 permissions:
   contents: read
-  security-events: write
 
 jobs:
   # ── Dependency Audit ─────────────────────────────────────────────
@@ -96,24 +95,6 @@ jobs:
           cache-from: type=gha,scope=api-scan
           cache-to: type=gha,mode=max,scope=api-scan
 
-      - name: Run Trivy vulnerability scanner (API)
-        uses: aquasecurity/trivy-action@v0.36.0
-        with:
-          image-ref: "goodgo-api:scan"
-          format: "sarif"
-          output: "trivy-api-results.sarif"
-          severity: "CRITICAL,HIGH"
-          # Ignore unfixed vulns to reduce noise
-          ignore-unfixed: true
-
-      - name: Upload Trivy SARIF (API)
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        continue-on-error: true
-        with:
-          sarif_file: "trivy-api-results.sarif"
-          category: "trivy-api"
-
       - name: Trivy table output (API)
         uses: aquasecurity/trivy-action@v0.36.0
         with:
@@ -145,23 +126,6 @@ jobs:
           cache-from: type=gha,scope=web-scan
           cache-to: type=gha,mode=max,scope=web-scan
 
-      - name: Run Trivy vulnerability scanner (Web)
-        uses: aquasecurity/trivy-action@v0.36.0
-        with:
-          image-ref: "goodgo-web:scan"
-          format: "sarif"
-          output: "trivy-web-results.sarif"
-          severity: "CRITICAL,HIGH"
-          ignore-unfixed: true
-
-      - name: Upload Trivy SARIF (Web)
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        continue-on-error: true
-        with:
-          sarif_file: "trivy-web-results.sarif"
-          category: "trivy-web"
-
       - name: Trivy table output (Web)
         uses: aquasecurity/trivy-action@v0.36.0
         with:
@@ -193,23 +157,6 @@ jobs:
           cache-from: type=gha,scope=ai-scan
           cache-to: type=gha,mode=max,scope=ai-scan
 
-      - name: Run Trivy vulnerability scanner (AI)
-        uses: aquasecurity/trivy-action@v0.36.0
-        with:
-          image-ref: "goodgo-ai:scan"
-          format: "sarif"
-          output: "trivy-ai-results.sarif"
-          severity: "CRITICAL,HIGH"
-          ignore-unfixed: true
-
-      - name: Upload Trivy SARIF (AI)
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        continue-on-error: true
-        with:
-          sarif_file: "trivy-ai-results.sarif"
-          category: "trivy-ai"
-
       - name: Trivy table output (AI)
         uses: aquasecurity/trivy-action@v0.36.0
         with:
@@ -228,25 +175,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Run Trivy filesystem scanner
-        uses: aquasecurity/trivy-action@v0.36.0
-        with:
-          scan-type: "fs"
-          scan-ref: "."
-          format: "sarif"
-          output: "trivy-fs-results.sarif"
-          severity: "CRITICAL,HIGH"
-          ignore-unfixed: true
-          scanners: "vuln,secret,misconfig"
-
-      - name: Upload Trivy SARIF (filesystem)
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        continue-on-error: true
-        with:
-          sarif_file: "trivy-fs-results.sarif"
-          category: "trivy-filesystem"
-
       - name: Trivy filesystem table output
         uses: aquasecurity/trivy-action@v0.36.0
         with: