security: add SPDX SBOM and Trivy vulnerability scanning by InfinityHack3r · Pull Request #3 · InfinityHack3r/REC

InfinityHack3r · 2026-03-03T03:53:57Z

Summary

Adds a hand-maintained SPDX 2.3 SBOM and Trivy-based vulnerability scanning to the CI pipeline.

sbom.spdx.json — SPDX 2.3 SBOM documenting the project and its 2 CDN font dependencies (Share Tech Mono, Rajdhani via Google Fonts)
.github/workflows/package.yml — new steps in the test job:
- Generate SBOM report — reads sbom.spdx.json, outputs sbom-report.md
- Install Trivy — via official install script (no action dependency)
- Scan SBOM — fails build on CRITICAL findings
- Save JSON results — full CRITICAL/HIGH/MEDIUM/LOW scan
- Generate vulnerability report — outputs vuln-report.md
- Upload artifact — sbom-report artifact with all 4 files, retained 90 days
- sbom.spdx.json bundled in release zip and attached as standalone release asset

All steps verified locally via act — job succeeded with 0 vulnerabilities found.

…failure

InfinityHack3r added 2 commits March 3, 2026 03:36

security: add SPDX SBOM and Trivy vuln scanning to CI

cae0827

fix: replace trivy-action with direct install to fix binary download …

abd173d

…failure

InfinityHack3r merged commit d038670 into main Mar 3, 2026
6 checks passed