chore: migrate from Trivy to Grype for vulnerability scanning

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2
for vulnerability scanning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JAORMX

.github/workflows/_security-checks.yml

@@ -4,22 +4,21 @@ on:
 permissions:
   contents: read
 jobs:
-  trivy:
-    name: Trivy
+  grype:
+    name: Grype
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Scan repo
-        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+        id: grype-scan
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          scanners: 'vuln,secret,config'
-          exit-code: '1'
-          ignore-unfixed: 'true'
-          severity: 'MEDIUM,HIGH,CRITICAL'
+          path: "."
+          fail-build: true
+          only-fixed: true
+          severity-cutoff: "medium"
 
   npm-audit:
     name: PNPM Audit