ci: generate an SBOM and vulnerability scan for the published container image

## Context

As a maintainer, I need CI to produce an SBOM for the published Katra container image and scan that image for known vulnerabilities so we can track what ships in the image and catch image-layer security issues.

## Acceptance Criteria

- [ ] CI generates an SBOM for the built container image.
- [ ] CI scans the published image for known vulnerabilities.
- [ ] Scan output is preserved in workflow logs or attached artifacts.
- [ ] The workflow defines how accepted findings are handled, including suppression or policy thresholds if needed.

## Notes

This is separate from source/build SBOM generation because image contents and base layers introduce additional supply-chain risk.

## Out of Scope

- Source-only dependency scanning without the built image
- Runtime admission control in deployment platforms


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci: generate an SBOM and vulnerability scan for the published container image #68

Context

Acceptance Criteria

Notes

Out of Scope

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

ci: generate an SBOM and vulnerability scan for the published container image #68

Description

Context

Acceptance Criteria

Notes

Out of Scope

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions