
feat: dependency management — application source code #5


Context

Sub-issue of #8. Covers PR vulnerability scanning for application source code dependencies across all supported language ecosystems.

Target ecosystems: Python (requirements.txt, pyproject.toml, Pipfile), JavaScript/TypeScript (package-lock.json, yarn.lock, pnpm-lock.yaml), Go (go.sum), Ruby (Gemfile.lock), Rust (Cargo.lock), Java/Kotlin (pom.xml, build.gradle).

The workflow must be language-agnostic — consuming repos declare no ecosystem-specific configuration in the workflow call itself.

Automated update PRs are handled by the central Renovate workflow in this repo (see #8). This issue covers only the PR scan gate.


Stage — PR vulnerability scan (osv-scanner)

| Trigger | Tool | Action |
| --- | --- | --- |
| on: pull_request | osv-scanner | Scans all lockfiles present in the repo; blocks on Critical CVEs; warns on High and below |

osv-scanner queries the OSV database against every lockfile it finds. It is language-agnostic — the same workflow invocation works regardless of ecosystem. Findings are posted as PR annotations and uploaded as SARIF to GitHub Advanced Security.

Consuming repos call the workflow with:

uses: sparkgeo/github-actions/.github/workflows/dep-scan-app.yml@main
with:
  fail-on-severity: critical  # default; set to 'high' for stricter posture

Acceptance criteria

  • Reusable dep-scan-app.yml workflow: runs osv-scanner on pull_request; scans all lockfiles; posts findings as PR annotations; blocks on Critical CVEs; uploads SARIF to GitHub Advanced Security
  • fail-on-severity input (default critical) allows consuming repos to tighten the gate
  • Tested against a Python repo and a Node.js repo to confirm ecosystem-agnostic behaviour
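As an added example, not part of this issue or of the sparkgeo/github-actions repo, the following Python gate implements the fail-on-severity behaviour described above over an osv-scanner JSON report. It assumes the layout of `osv-scanner --format json` output (results, packages, vulnerabilities) and reads each advisory's `database_specific.severity` label, which GitHub Advisory Database records carry; the sample report is constructed, and an advisory without a label only warns rather than blocks.

```python
import json
import sys

# Severity rank; "moderate" is the GitHub Advisory Database label for medium.
LEVELS = {"low": 1, "moderate": 2, "medium": 2, "high": 3, "critical": 4}

def severity_of(vuln):
    """Lower-cased advisory severity label, or 'unknown' when the record has none."""
    label = (vuln.get("database_specific") or {}).get("severity")
    return label.lower() if isinstance(label, str) else "unknown"

def collect_findings(report):
    """Flatten the osv-scanner JSON report into one row per (lockfile, package, advisory)."""
    rows = []
    for result in report.get("results", []):
        lockfile = result.get("source", {}).get("path", "unknown-lockfile")
        for pkg in result.get("packages", []):
            info = pkg.get("package", {})
            for vuln in pkg.get("vulnerabilities", []):
                rows.append({"lockfile": lockfile, "id": vuln.get("id", "?"),
                             "package": f"{info.get('name')}@{info.get('version')}",
                             "severity": severity_of(vuln)})
    return rows

def gate(report, fail_on="critical"):
    """Split findings into (blocking, warnings) at the fail-on-severity threshold.
    Unranked ('unknown') severities never block; such advisories only warn."""
    threshold = LEVELS[fail_on.lower()]
    rows = collect_findings(report)
    blocking = [r for r in rows if LEVELS.get(r["severity"], 0) >= threshold]
    warnings = [r for r in rows if LEVELS.get(r["severity"], 0) < threshold]
    return blocking, warnings

def annotations(blocking, warnings):
    """GitHub workflow commands that surface each finding as a PR annotation."""
    fmt = "::{kind} file={lockfile}::{id} in {package} (severity: {severity})"
    return ([fmt.format(kind="error", **r) for r in blocking]
            + [fmt.format(kind="warning", **r) for r in warnings])

# Constructed sample in the shape of `osv-scanner --format json` output; not a real scan.
SAMPLE_REPORT = {"results": [{"source": {"path": "package-lock.json", "type": "lockfile"},
    "packages": [{"package": {"name": "example-pkg", "version": "1.0.0", "ecosystem": "npm"},
        "vulnerabilities": [
            {"id": "GHSA-placeholder-1", "database_specific": {"severity": "CRITICAL"}},
            {"id": "GHSA-placeholder-2", "database_specific": {"severity": "HIGH"}},
            {"id": "OSV-placeholder-3"}]}]}]}
if __name__ == "__main__":  # usage: gate.py <report.json> [fail-on-severity]
    blocking, warnings = gate(json.load(open(sys.argv[1])), *sys.argv[2:3])
    print("\n".join(annotations(blocking, warnings)))
    sys.exit(1 if blocking else 0)
```

Run it as a step after the scanner with the report path and the workflow's fail-on-severity input; a non-zero exit fails the job, and the printed ::error/::warning lines become PR annotations.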
