Test vulnerability scan

Author: kuan121

.github/workflows/release.yml

@@ -272,13 +272,13 @@ jobs:
                   '{channel: $channel, text: $text}')"
 
       - name: Install cyclonedx-npm
-        run: npm install -g @cyclonedx/cyclonedx-npm@4.0.2
+        run: npm install -g @cyclonedx/cyclonedx-npm@4.1.2
 
       - name: Generate CycloneDX SBOM
         run: cyclonedx-npm --output-format json --output-file sbom.json
 
       - name: Scan SBOM for vulnerabilities using Trivy
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.34.0
         with:
           scan-type: sbom
           scan-ref: sbom.json

.github/workflows/vulnerability-scan.yml

@@ -0,0 +1,69 @@
+# Scans dependencies for CRITICAL/HIGH vulnerabilities using SBOM and Trivy (same flow as release.yml).
+
+name: Vulnerability Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Use Node.js 24.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+
+      - name: Setup npm version 10
+        run: |
+          npm i -g npm@10 --registry=https://registry.npmjs.org
+
+      - name: Cache node modules
+        id: cache-nodemodules
+        uses: actions/cache@v4
+        env:
+          cache-name: cache-node-modules
+        with:
+          # caching node_modules
+          path: |
+            node_modules
+            */*/node_modules
+          key: ${{ runner.os }}-deps-24.x-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-deps-24.x-
+
+      - name: Install Dependencies
+        if: steps.cache-nodemodules.outputs.cache-hit != 'true'
+        run: npm ci
+
+      - name: Install cyclonedx-npm
+        run: npm install -g @cyclonedx/cyclonedx-npm@4.1.2
+
+      - name: Generate CycloneDX Software Bill of Materials (SBOM) in JSON format
+        run: cyclonedx-npm --output-format json --output-file sbom.json
+
+      - name: Scan SBOM for vulnerabilities using Trivy
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          scan-type: sbom
+          scan-ref: sbom.json
+          format: table
+          exit-code: 0  # TODO: Change to 1 to fail CI on vulnerabilities
+          output: vuln-report.txt
+          severity: CRITICAL,HIGH
+
+      - name: Print vulnerability report
+        if: always()
+        run: |
+          echo "=== Vulnerability Scan Report ==="
+          cat vuln-report.txt
+