
Add workflow to perform vulns scan for pull requests #2


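# Scans dependencies for CRITICAL/HIGH vulnerabilities using SBOM and Trivy (same flow as release.yml).
#
# Flow: checkout -> install (or restore cached) node_modules -> generate a
# CycloneDX SBOM from the installed tree -> scan the SBOM with Trivy -> print
# the table report in the job log.
name: Vulnerability Scan

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:

# Least privilege: nothing in this workflow writes to the repository, comments
# on pull requests or publishes artifacts, so the GITHUB_TOKEN is restricted to
# read-only access instead of inheriting the repository default grants.
permissions:
  contents: read

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # NOTE(review): third-party actions below are referenced by mutable tags
      # (v4, 0.34.0). Pinning each `uses:` to a full commit SHA, with the tag in
      # a trailing comment, prevents a retagged release from changing what runs
      # here without a change to this file.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Use Node.js 24.x
        uses: actions/setup-node@v4
        with:
          node-version: 24.x

      - name: Setup npm version 10
        run: |
          npm i -g npm@10 --registry=https://registry.npmjs.org

      # node_modules is keyed on the lockfile hash, so an exact hit restores a
      # tree that matches package-lock.json and the install step is skipped.
      # A prefix match via restore-keys does not set cache-hit, so `npm ci`
      # still runs and reconciles the tree with the lockfile.
      - name: Cache node modules
        id: cache-nodemodules
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            */*/node_modules
          key: ${{ runner.os }}-deps-24.x-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-deps-24.x-

      # --ignore-scripts: producing an SBOM only needs the dependency tree on
      # disk, not built native artifacts, so dependency lifecycle scripts
      # (preinstall/postinstall — a common execution vector when a pull request
      # can change package-lock.json) are not run on the runner.
      - name: Install Dependencies
        if: steps.cache-nodemodules.outputs.cache-hit != 'true'
        run: npm ci --ignore-scripts

      - name: Install cyclonedx-npm
        run: npm install -g @cyclonedx/cyclonedx-npm@4.1.2

      - name: Generate CycloneDX Software Bill of Materials (SBOM) in JSON format
        run: cyclonedx-npm --output-format json --output-file sbom.json

      # exit-code 0 makes this scan advisory only: CRITICAL/HIGH findings are
      # written to the log but never fail the check, so a PR introducing a
      # vulnerable dependency still shows green. Flip to 1 (optionally with
      # ignore-unfixed: true and a .trivyignore for accepted risks) to gate CI.
      - name: Scan SBOM for vulnerabilities using Trivy
        uses: aquasecurity/trivy-action@0.34.0
        with:
          scan-type: sbom
          scan-ref: sbom.json
          format: table
          exit-code: 0 # TODO: Change to 1 to fail CI on vulnerabilities
          output: vuln-report.txt
          severity: CRITICAL,HIGH

      # Runs even when an earlier step failed. The report may then be absent;
      # say so explicitly rather than letting `cat` fail and bury the real cause.
      - name: Print vulnerability report
        if: always()
        run: |
          echo "=== Vulnerability Scan Report ==="
          if [ -f vuln-report.txt ]; then
            cat vuln-report.txt
          else
            echo "No report produced: the scan did not run or failed before writing output."
          fi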