[plan] add sarif output to npm audit workflow #351

@github-actions

Description

Objective

Enhance the dependency-audit.yml workflow to upload npm audit results as SARIF to the GitHub Security tab, improving visibility of dependency vulnerabilities.

Context

Currently, npm audit results only appear in workflow logs, making it difficult to:

  • Track vulnerabilities across PRs
  • Triage security issues in one place
  • Get alerts for new vulnerabilities

CodeQL and Trivy already upload SARIF successfully.

Approach

  1. Update .github/workflows/dependency-audit.yml
  2. Add step to convert npm audit JSON output to SARIF format
  3. Use github/codeql-action/upload-sarif@v3 to upload results
  4. Consider using a tool like:
    • npm-audit-resolver with SARIF export
    • Custom script to convert npm audit JSON to SARIF
    • Switch to jeremylong/DependencyCheck which has built-in SARIF support

Files to Modify

  • Update: .github/workflows/dependency-audit.yml
  • Potentially create: scripts/npm-audit-to-sarif.js (if custom conversion needed)

Acceptance Criteria

  • npm audit results appear in Security tab (Code scanning alerts)
  • SARIF upload succeeds in workflow
  • Vulnerabilities are properly categorized by severity
  • Workflow continues to fail on high/critical vulnerabilities

References

AI generated by Plan Command for discussion #345