Refactor Trivy scan steps to use direct Trivy commands instead of Docker runs

.gitea/workflows/trivy-security-scan.yml

@@ -20,14 +20,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
       - name: Trivy filesystem scan
         run: |
-          docker run --rm \
+          trivy fs --no-progress --severity HIGH,CRITICAL \
-            -v /var/run/docker.sock:/var/run/docker.sock \
+            --format json . \
-            -v $HOME/.cache:/root/.cache/ \
-            -v ${{ github.workspace }}:/root/src \
-            aquasec/trivy:canary fs --no-progress --severity HIGH,CRITICAL \
-            --format json /root/src \
             > /tmp/fs-scan.json || true
 
       - name: Build and scan Docker images
@@ -42,10 +42,7 @@ jobs:
             docker build -t "${NAME}:latest" -f "${DOCKERFILE}" "${CONTEXT}"
 
             echo "Scanning image: ${NAME}"
-            docker run --rm \
+            trivy image --no-progress --severity HIGH,CRITICAL \
-              -v /var/run/docker.sock:/var/run/docker.sock \
-              -v $HOME/.cache:/root/.cache/ \
-              aquasec/trivy:canary image --no-progress --severity HIGH,CRITICAL \
               --format json "${NAME}:latest" \
               > "/tmp/image-scan-${NAME}.json" || true
           done