Test vulnerability scan

Author: kuan121

.github/workflows/nodejs.yml

@@ -233,3 +233,47 @@ jobs:
       - name: Stop docker container
         if: always()
         run: docker stop rippled-service
+
+  # Scans dependencies for CRITICAL/HIGH vulnerabilities using SBOM and Trivy (same flow as release.yml).
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.GIT_REF }}
+          fetch-depth: 0
+
+      - name: Use Node.js 24.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+
+      - name: Setup npm version 10
+        run: |
+          npm i -g npm@10 --registry=https://registry.npmjs.org
+
+      - name: Install Dependencies
+        run: npm ci
+
+      - name: Install cyclonedx-npm
+        run: npm install -g @cyclonedx/cyclonedx-npm@4.0.2
+
+      - name: Generate CycloneDX SBOM
+        run: cyclonedx-npm --output-format json --output-file sbom.json
+
+      - name: Scan SBOM for vulnerabilities using Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: sbom
+          scan-ref: sbom.json
+          format: table
+          exit-code: 0  # TODO: Change to 1 to fail CI on vulnerabilities
+          output: vuln-report.txt
+          severity: CRITICAL,HIGH
+
+      - name: Print vulnerability report
+        if: always()
+        run: |
+          echo "=== Vulnerability Scan Report ==="
+          cat vuln-report.txt