feat(ci): add Trivy container security scanning before push

Add a scan job between check-docker and build-and-push. Builds each image
locally (no push, current platform only), runs Trivy v0.35.0 against it,
and fails on unfixed HIGH/CRITICAL CVEs. build-and-push only runs if both
scans pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/docker-build.yml

@@ -33,7 +33,43 @@ jobs:
             fi
           done
 
+  scan:
+    needs: check-docker
+    runs-on: docker-cli
+    services:
+      docker:
+        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
+        options: --privileged
+    container:
+      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v4
+      - name: Build proxy image for scanning
+        run: docker build -t scan/proxy:latest ./proxy
+      - name: Scan proxy image
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: scan/proxy:latest
+          format: table
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          vuln-type: os,library
+      - name: Build claude image for scanning
+        run: docker build -t scan/claude:latest ./claude
+      - name: Scan claude image
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: scan/claude:latest
+          format: table
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          vuln-type: os,library
+
   build-and-push:
+    needs: scan
     runs-on: docker-cli
     services:
       docker: