ci: scan generated SBOMs for known vulnerabilities

[ibourgeois]

Context

As a maintainer, I need CI to check generated SBOMs for known vulnerabilities so we can catch risky dependencies before or during release publication.

Acceptance Criteria

• CI scans the generated SBOM for known vulnerabilities.
• The scan produces clear findings in workflow output or uploaded reports.
• The workflow supports suppressing or acknowledging specific findings with a committed allowlist or equivalent mechanism.
• The workflow fails according to a documented policy when unsuppressed vulnerabilities exceed the accepted threshold.

Notes

Suppression support is required so the workflow can handle false positives, accepted risk, or temporary upstream issues without becoming unusable.

Out of Scope

• Container image vulnerability scanning
• Automated remediation or dependency upgrades