Scan job: run Trivy before the security gate to emit a CycloneDX SBOM
for each image (exit-code 0), then run the HIGH/CRITICAL gate as before.
SBOMs are uploaded as a pipeline artifact (90-day retention) with
if: always() so they're available even when the security gate fails.
Build job: add sbom: true and provenance: true to both build-push steps
so BuildKit attaches SBOM and provenance attestations to the image
manifest in the registry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a scan job between check-docker and build-and-push. Builds each image
locally (no push, current platform only), runs Trivy v0.35.0 against it,
and fails on unfixed HIGH/CRITICAL CVEs. build-and-push only runs if both
scans pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
