fix: improve security scan to use CycloneDX SBOM for accurate vulnerability detection

Switch from scanning Gradle cache dir to generating a proper CycloneDX SBOM
via the cyclonedx-gradle-plugin and feeding it to Grype. This ensures shaded/fat
JARs (e.g. testsigma-java-sdk) have their bundled transitive dependencies fully
resolved and reported, closing the gap where 'dir:' scanning missed embedded libs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: vikram-chaitanya

.github/workflows/security-scan.yml

@@ -16,24 +16,27 @@ jobs:
           java-version: '11'
           distribution: 'zulu'
 
-      - name: Download dependencies
-        run: ./gradlew dependencies --no-daemon
+      - name: Generate CycloneDX SBOM
+        # Resolves all transitive dependencies and produces build/reports/bom.json
+        run: ./gradlew cyclonedxBom --no-daemon
 
       - name: Install Grype
         run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 
       - name: Run Grype vulnerability scanner
         run: |
-          GRADLE_CACHE="$HOME/.gradle/caches/modules-2/files-2.1"
-          echo "Scanning Gradle cache: $(find $GRADLE_CACHE -name '*.jar' | wc -l) JARs found"
-          grype "dir:$GRADLE_CACHE" \
+          echo "=== Vulnerability table ==="
+          grype "sbom:build/reports/bom.json" \
             --output table
-          grype "dir:$GRADLE_CACHE" \
+
+          grype "sbom:build/reports/bom.json" \
             --output sarif > grype-results.sarif
 
       - name: Upload scan results as artifact
         uses: actions/upload-artifact@v4
         if: always()
         with:
           name: grype-scan-results
-          path: 'grype-results.sarif'
+          path: |
+            grype-results.sarif
+            build/reports/bom.json

build.gradle

@@ -17,6 +17,7 @@ plugins {
     id 'maven-publish'
     id 'signing'
     id 'com.vanniktech.maven.publish' version '0.34.0'
+    id 'org.cyclonedx.bom' version '1.10.0'
 }
 
 repositories {