
CCM-1725: grype report #207

Open

timireland wants to merge 6 commits into main from feature/CCM-1725_grype

Conversation

@timireland (Contributor) commented May 26, 2026

Description

Updated scripts so that a readable summary of findings is produced from grype, and the pipeline will fail if there are any findings with severity HIGH.

Context

Trivy was previously used; however, this tool is currently on the AVOID list on the Tech Radar.

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

Signed-off-by: Tim Ireland <tim.ireland@hscic.gov.uk>
…how language

Signed-off-by: Tim Ireland <tim.ireland@hscic.gov.uk>
@timireland timireland requested a review from a team as a code owner May 26, 2026 10:34
@timireland timireland changed the title Feature/ccm 1725 grype CCM-1725: grype report May 27, 2026

Copilot AI left a comment


Pull request overview

This PR enhances the dependency vulnerability scanning workflow by adding a post-processing step that turns the Grype JSON report into a human-readable markdown summary, publishes that summary to the GitHub job summary and as an artifact, and fails the pipeline when Critical/High vulnerabilities are detected.

Changes:

  • Add a new parse-vulnerabilities.sh script to render a markdown summary (counts + tables + priority packages) from the Grype JSON report.
  • Update the scan-dependencies composite action to generate/upload the summary and to fail the job if Critical/High findings exist.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Files reviewed:

  • scripts/reports/parse-vulnerabilities.sh: new script to transform the Grype JSON report into a markdown summary.
  • .github/actions/scan-dependencies/action.yaml: runs the parser, appends output to $GITHUB_STEP_SUMMARY, uploads the summary artifact, and fails on Critical/High findings.

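The parser described in the review overview above (Grype JSON in, markdown summary out, non-zero exit on Critical/High) is not shown on this page. The following is an added example of that post-processing step, written in Python rather than as the PR's parse-vulnerabilities.sh, and it is not the project's code. It assumes only the documented shape of Grype's JSON output (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version,type}`); the embedded report is constructed, and the CVE-0000-* identifiers are placeholders. The PR description blocks on HIGH while the review summary says Critical/High, so both severities are treated as blocking here.

```python
"""Render a Grype JSON report as a markdown summary and decide whether the
pipeline should fail. Added example, not the PR's parse-vulnerabilities.sh."""
import json
import sys
from collections import Counter

# Severities that block the pipeline (assumption: Critical and High both block).
BLOCKING = ("Critical", "High")
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4, "Unknown": 5}

# Constructed sample report carrying only the Grype fields this script reads.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["2.0.1"]}},
         "artifact": {"name": "widget-parser", "version": "2.0.0", "type": "npm"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                           "fix": {"state": "unknown", "versions": []}},
         "artifact": {"name": "tinylib", "version": "0.1.0", "type": "python"}},
    ]
}


def extract_findings(report):
    """Flatten Grype matches into plain dicts, sorted worst severity first."""
    findings = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        fix = vuln.get("fix") or {}
        findings.append({
            "id": vuln.get("id", "?"),
            "severity": vuln.get("severity") or "Unknown",  # Grype may omit severity
            "package": art.get("name", "?"),
            "version": art.get("version", "?"),
            "type": art.get("type", "?"),
            "fixed_in": ", ".join(fix.get("versions") or []) or "-",
        })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 5), f["package"], f["id"]))
    return findings


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


def priority_packages(findings):
    """(package, version) pairs with at least one blocking finding, worst severity kept."""
    worst = {}
    for f in findings:
        if f["severity"] in BLOCKING:
            key = (f["package"], f["version"])
            if key not in worst or SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[worst[key]]:
                worst[key] = f["severity"]
    return sorted(worst.items(), key=lambda kv: (SEVERITY_RANK[kv[1]], kv[0]))


def should_fail(findings):
    return any(f["severity"] in BLOCKING for f in findings)


def render_markdown(findings):
    """Counts table, full findings table, priority list and a verdict line."""
    counts = severity_counts(findings)
    lines = ["## Dependency vulnerability summary", "", "| Severity | Count |", "|---|---|"]
    for sev in sorted(SEVERITY_RANK, key=SEVERITY_RANK.get):
        if counts.get(sev):
            lines.append(f"| {sev} | {counts[sev]} |")
    lines += ["", "| Severity | ID | Package | Version | Type | Fixed in |", "|---|---|---|---|---|---|"]
    for f in findings:
        lines.append(f"| {f['severity']} | {f['id']} | {f['package']} | {f['version']} "
                     f"| {f['type']} | {f['fixed_in']} |")
    prio = priority_packages(findings)
    if prio:
        lines += ["", "### Priority packages (Critical/High)", ""]
        lines += [f"- {pkg} {ver}: {sev}" for (pkg, ver), sev in prio]
    lines.append("")
    lines.append(":x: Blocking findings present" if should_fail(findings)
                 else ":white_check_mark: No Critical/High findings")
    return "\n".join(lines)


def main(argv):
    """Usage: python summary.py [grype-report.json]; exit 1 when blocking findings exist."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    findings = extract_findings(report)
    print(render_markdown(findings))
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is derived from the same list that feeds the markdown, so the job summary and the pass/fail decision cannot drift apart; the priority list groups by package and version so one outdated library with several CVEs shows up once with its worst severity.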

timireland and others added 2 commits May 28, 2026 15:45
refactor script

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@aidenvaines-cgi (Contributor) commented

@timireland have a look at https://github.com/NHSDigital/nhs-notify-repository-template/blob/main/.github/workflows/cicd-1-pull-request.yaml for how we did the label to bypass this new methodology blocking all contributors while someone is working on this

@aidenvaines-cgi (Contributor) left a review comment

Worth adding the thing to prevent merge if the label isn't present? As it stands this will entirely block progress while someone fixes the problem.

https://github.com/NHSDigital/nhs-notify-repository-template/blob/main/.github/workflows/cicd-1-pull-request.yaml for how we did it with trivy
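The label-based bypass suggested above is not reproduced on this page. The following is an added workflow fragment showing one way to express it, written here as an illustration rather than taken from the linked template or from this PR's action.yaml. The label name `dependency-scan-exception` is a placeholder, the jq severity filter mirrors the Critical/High rule described in the review summary, and the call into the PR's own parser is left as a comment because its argument convention is not shown on this page.

```yaml
# Added example (not the linked template's cicd-1-pull-request.yaml or this PR's
# action.yaml). Label name is a placeholder; the fail step is skipped when a
# reviewer has applied the exception label, and a warning is emitted instead.
name: Dependency scan
on:
  pull_request:

jobs:
  scan-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run grype and keep the JSON report
        run: grype dir:. -o json --file grype-report.json

      - name: Render summary
        run: |
          # invoke the PR's scripts/reports/parse-vulnerabilities.sh here and
          # append its markdown to "$GITHUB_STEP_SUMMARY" (argument convention assumed)
          echo "summary step placeholder"

      - name: Count blocking findings
        id: count
        run: |
          n=$(jq '[.matches[].vulnerability.severity | select(. == "Critical" or . == "High")] | length' grype-report.json)
          echo "blocking=$n" >> "$GITHUB_OUTPUT"

      - name: Fail on Critical/High findings
        if: ${{ steps.count.outputs.blocking != '0' && !contains(github.event.pull_request.labels.*.name, 'dependency-scan-exception') }}
        run: |
          echo "::error::${{ steps.count.outputs.blocking }} Critical/High findings and no exception label on the PR"
          exit 1

      - name: Warn when the exception label is present
        if: ${{ steps.count.outputs.blocking != '0' && contains(github.event.pull_request.labels.*.name, 'dependency-scan-exception') }}
        run: echo "::warning::Critical/High findings present; merge allowed by exception label"
```

Keeping the counting step separate from the gating step means the report and summary are always produced, and only the final verdict depends on the label; a branch protection rule requiring the job to pass then blocks unlabelled PRs while letting a labelled one through with a visible warning in the run log.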
