code-marketplace is used by air-gapped users in regulated and security-conscious environments. Given this security-critical use case, we should implement automated security scanning similar to what exists in the main https://github.com/coder/coder repository.
Currently, code-marketplace lacks automated vulnerability scanning, which means:
- Go dependency vulnerabilities may go undetected
- Docker image vulnerabilities are not automatically discovered
- No continuous static analysis of the code for security bugs
- No automated assessment of the repository's security best practices
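The following GitHub Actions workflow is an added illustration of what closing those four gaps could look like; it is not the project's workflow and not a copy of coder/coder's. It assumes one tool per gap (govulncheck for Go dependencies, Trivy for the container image, CodeQL for code analysis, OpenSSF Scorecard for repository practices), a Dockerfile at the repository root, `main` as the default branch, and the action versions shown; all of these are assumptions to adjust.

```yaml
# .github/workflows/security.yml (added example; assumed tool choices, paths and versions)
name: security

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
  schedule:
    - cron: "0 6 * * 1"     # weekly rescan so newly published advisories are caught without a code change

permissions:
  contents: read

jobs:
  govulncheck:
    # Go dependency (and standard library) vulnerabilities; govulncheck only reports
    # advisories whose vulnerable symbols are actually reachable from this code base
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  trivy-image:
    # Docker image vulnerabilities (OS packages and binaries bundled in the image)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t code-marketplace:ci .   # assumes a Dockerfile at the repository root
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: code-marketplace:ci
          format: table
          exit-code: "1"          # fail the job when findings remain
          ignore-unfixed: true    # do not block on findings that have no available fix yet
          severity: CRITICAL,HIGH

  codeql:
    # Continuous static analysis of the code for security bugs
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload results to the repository's code-scanning tab
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
          queries: security-extended
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  scorecard:
    # Assessment of repository security best practices (branch protection, pinned
    # dependencies, token permissions, and so on)
    if: github.event_name != 'pull_request'   # Scorecard publishes results from the default branch only
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      id-token: write          # required when publish_results is true
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two practical points for this repository's audience: the scans run in CI, where the vulnerability databases are reachable, so they add nothing to the air-gapped deployment itself; and in a workflow meant to make the repository's supply chain trustworthy, the `uses:` references should be pinned to commit SHAs rather than the tags shown here, which is one of the checks Scorecard itself reports on.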