fix(ci): load Grype ignore config in supply chain verification

This commit is contained in:
GitHub Actions
2026-04-05 02:33:40 +00:00
parent fc0e31df56
commit 85a80568b2
2 changed files with 7 additions and 3 deletions


@@ -139,7 +139,10 @@ log_info "This may take 30-60 seconds on first run (database download)"
# Run Grype against the SBOM (generated from image, not filesystem)
# This matches exactly what CI does in supply-chain-pr.yml
# --config ensures .grype.yaml ignore rules are applied, separating
# ignored matches from actionable ones in the JSON output
if grype sbom:sbom.cyclonedx.json \
--config .grype.yaml \
--output json \
--file grype-results.json; then
log_success "Vulnerability scan complete"
@@ -149,6 +152,7 @@ fi
# Generate SARIF output for GitHub Security (matches CI)
grype sbom:sbom.cyclonedx.json \
--config .grype.yaml \
--output sarif \
--file grype-results.sarif 2>/dev/null || true
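Review bot: The new `--config .grype.yaml` argument in both grype invocations is a path relative to the current working directory, and nothing in either hunk pins the script to the repository root, so running it from another directory will either load no ignore rules or (on grype builds that reject a missing config file, which I believe recent ones do) fail the scan outright. A one-line guard before the first invocation would make the dependency explicit, for example `[ -f .grype.yaml ] || { log_info "missing .grype.yaml in $(pwd); run from the repository root"; exit 1; }`, or the script could resolve the path from its own location. Note that the second invocation's existing `2>/dev/null || true` will hide a config-load error for the SARIF run, so a SARIF file that silently omits the ignore rules is possible without any visible failure. The `if grype ...` block opened in the first hunk continues past the hunk (`fi` is only visible in the second hunk's header context).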


@@ -281,7 +281,7 @@ jobs:
echo "component_count=${COMPONENT_COUNT}" >> "$GITHUB_OUTPUT"
echo "✅ SBOM generated with ${COMPONENT_COUNT} components"
# Scan for vulnerabilities using manual Grype installation (pinned to v0.107.1)
# Scan for vulnerabilities using manual Grype installation (pinned to v0.110.0)
- name: Install Grype
if: steps.set-target.outputs.image_name != ''
run: |
@@ -292,8 +292,8 @@ jobs:
id: grype-scan
run: |
echo "🔍 Scanning SBOM for vulnerabilities..."
grype sbom:sbom.cyclonedx.json -o json > grype-results.json
grype sbom:sbom.cyclonedx.json -o sarif > grype-results.sarif
grype sbom:sbom.cyclonedx.json --config .grype.yaml -o json > grype-results.json
grype sbom:sbom.cyclonedx.json --config .grype.yaml -o sarif > grype-results.sarif
- name: Debug Output Files
if: steps.set-target.outputs.image_name != ''
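Review bot: With `--config .grype.yaml` added to both scan lines in the second hunk, the ignore rules that decide which findings reach the JSON and SARIF results are now read from the checked-out tree; if this workflow runs on pull_request with the PR head checked out, a change to `.grype.yaml` in the same PR takes effect for its own scan, so that file should be treated as a gating input (CODEOWNERS/required review on it, or loading it from the base ref) rather than an ordinary source file. It would also help reviewers to surface the active rules in the job log, e.g. a line before the scans such as `echo "::group::Grype ignore rules"; cat .grype.yaml; echo "::endgroup::"`. In the first hunk the comment is bumped to "pinned to v0.110.0", but the Install Grype step body that holds the actual pin lies outside the hunk, so it cannot be confirmed here that the two agree; keeping the version in a single `env:` value referenced by both the comment and the install command would remove that drift risk.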