Problem
No supply-chain controls: there is no dependabot.yml, no npm audit gate in CI, no container image scanning (Trivy/Grype), and no SBOM.
Proposal
- Add Dependabot for npm + GitHub Actions.
- Add an npm audit (or equivalent SCA) gate to CI.
- Scan the built image (Trivy/Grype) in CI.
- Generate and publish an SBOM with releases.
Acceptance
- Dependency and image vulnerabilities are surfaced in CI; SBOM ships with releases.
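As an added example (not the project's own configuration), one way to implement the four proposal items as a Dependabot config plus a CI workflow, assuming a Dockerfile at the repository root, the file paths given in the comments, and the third-party actions named below:

```yaml
# .github/dependabot.yml (assumed path) - weekly updates for npm deps and Actions
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/supply-chain.yml (assumed path)
name: supply-chain
on:
  pull_request:
  push:
    branches: [main]
  release:
    types: [published]
permissions:
  contents: write   # only needed so the SBOM can be attached to a release
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      # SCA gate: npm audit exits non-zero on any advisory at high or above
      - run: npm audit --audit-level=high
      - run: docker build -t app:${{ github.sha }} .
      # Image scan: fail the job on high/critical findings that have a fix
      # (ignore-unfixed keeps unfixable base-image CVEs from blocking every build)
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:${{ github.sha }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
      # SBOM: generated on every run, uploaded as a release asset on release events
      - uses: anchore/sbom-action@v0
        with:
          image: app:${{ github.sha }}
          format: cyclonedx-json
          output-file: sbom.cdx.json
          upload-release-assets: true
```

Once Dependabot covers github-actions, the `@v4` / `@0.28.0` references above can be tightened to commit SHAs and Dependabot will keep them current.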
Part of #163.