@KrisF-Midnight KrisF-Midnight commented Jan 28, 2026

https://shielded.atlassian.net/browse/SRE-1741

Overview

Add SBOM (Software Bill of Materials) generation and vulnerability scanning to CI/CD pipelines. This implements Phase 3 of the container security initiative, building on the Cosign image signing from Phase 1.

What this adds:

  • SBOM generation using Syft (SPDX-JSON format)
  • Vulnerability scanning with Grype (fails on high/critical CVEs)
  • SBOM attestation to images using Cosign keyless signing
  • Reusable workflow for consistent scanning across all pipelines

Key design decisions:

  • SBOM scans gate image publishing (atomic releases - all images pass or none publish)
  • External/fork PRs skip attestation (no OIDC token) but still generate SBOMs
  • Severity threshold set to high (fails on critical + high CVEs)
  • Architecture-specific images scanned (not multi-arch manifests)

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason: CI-only changes
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

Please describe any additional testing aside from CI:

  • Local testing of sbom-scan.sh functions against test images
  • Verified Cosign attestation verification commands work locally
  • Additional tests are provided (if possible)

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other: CI/CD pipeline enhancement - no impact on node runtime or client
  • N/A

Links
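
The four steps the description lists (Syft SPDX-JSON SBOM, Grype gate at the high threshold, keyless Cosign attestation, attestation skipped on fork PRs that have no OIDC token), wired together as an added example; this is not the PR's own sbom-scan.sh. It assumes syft, grype and cosign are on PATH and that the workflow exports HEAD_REPO (the PR head repository) next to GitHub's GITHUB_EVENT_NAME and GITHUB_REPOSITORY.

```shell
#!/usr/bin/env bash
# Added example, not the PR's sbom-scan.sh. Assumes syft, grype and cosign are on
# PATH and that the workflow exports HEAD_REPO (PR head repo) alongside GitHub's
# GITHUB_EVENT_NAME / GITHUB_REPOSITORY variables.
set -eu

PLATFORM="${PLATFORM:-linux/amd64}"   # scan the arch-specific image, not the manifest list
FAIL_ON="${FAIL_ON:-high}"            # gate on high + critical, as the PR description says

# Keyless attestation needs a GitHub OIDC token, which fork PRs never receive:
# attest on non-PR events, or on PRs whose head repo is the base repo itself.
should_attest() {
  event="$1"; head_repo="$2"; base_repo="$3"
  if [ "$event" != "pull_request" ]; then return 0; fi
  [ "$head_repo" = "$base_repo" ]
}

sbom_generate() {   # args: image, output file (SPDX-JSON)
  syft --platform "$PLATFORM" -o "spdx-json=$2" "$1"
}

sbom_scan() {       # arg: sbom file; exits non-zero when any match is >= FAIL_ON
  grype "sbom:$1" --fail-on "$FAIL_ON" -o table
}

sbom_attest() {     # args: image, sbom file; binds the SBOM to the image digest
  cosign attest --yes --type spdxjson --predicate "$2" "$1"
}

main() {
  image="$1"; sbom="${2:-sbom.spdx.json}"
  sbom_generate "$image" "$sbom"
  sbom_scan "$sbom"                  # set -e: a failing scan aborts before attest/publish
  if should_attest "${GITHUB_EVENT_NAME:-}" "${HEAD_REPO:-}" "${GITHUB_REPOSITORY:-}"; then
    sbom_attest "$image" "$sbom"
  else
    echo "fork PR: SBOM generated and scanned, attestation skipped (no OIDC token)"
  fi
}

# Only run the pipeline when the workflow step names an image to scan.
if [ -n "${SBOM_IMAGE:-}" ]; then main "$SBOM_IMAGE" "${SBOM_FILE:-sbom.spdx.json}"; fi
```

In the workflow step, set SBOM_IMAGE to the arch-specific image reference and grant the job `id-token: write`, otherwise cosign cannot obtain the OIDC token for keyless signing.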

@KrisF-Midnight KrisF-Midnight self-assigned this Jan 28, 2026
@KrisF-Midnight KrisF-Midnight requested a review from a team as a code owner January 28, 2026 15:36
github-actions bot commented Jan 28, 2026

KICS version: v2.1.16

Category   Results
CRITICAL   0
HIGH       0
MEDIUM     94
LOW        12
INFO       83
TRACE      0
TOTAL      189

Metric                      Values
Files scanned               29
Files parsed                29
Files failed to scan        0
Total executed queries      73
Queries failed to execute   0
Execution time              6

@KrisF-Midnight KrisF-Midnight force-pushed the SRE-1741/SBOM-and-scans branch from 0d30292 to 0b32a31 January 29, 2026 15:33
@KrisF-Midnight KrisF-Midnight changed the title Sre 1741/SBOM and scans feat: SBOM + vulnerability scans Jan 29, 2026
@KrisF-Midnight KrisF-Midnight force-pushed the SRE-1741/SBOM-and-scans branch from bce560f to 734a824 January 30, 2026 09:27