Description of changes:

This PR introduces a security scanning workflow that analyzes dependencies of Code Editor using Amazon Inspector's vulnerability scanning. The workflow uses Amazon Inspector's ScanSbom API to perform security analysis on Software Bill of Materials (SBOM) files generated using the @cyclonedx/cyclonedx-npm and syft.

Workflow Triggers

The security scanning workflow can be initiated through three methods:

1. Automatic PR Scanning: Triggered when pull requests are created against main or *.* base branches
2. Scheduled Scanning: Runs daily at 00:13 UTC to scan main and *.* branches
3. Manual Execution: Can be manually triggered for on-demand scanning of main and *.* branches

Scan Coverage

Directory Scanning

The workflow scans production dependencies in the following directories (consistent with internal AWSCodeOSS scanning):

1. code-editor-src
2. code-editor-src/extensions
3. code-editor-src/remote
4. code-editor-src/remote/web

Additional Components

Beyond Code Editor dependencies, the workflow also scans:

1. Node.js binaries bundled up in Code Editor. The node version is read from third-party-src/remote/.npmrc file.
2. @electrovir/oss-attribution-generator
3. semver package https://www.npmjs.com/package/semver
4. GitHub Advisories for the VS Code repository

Smart Scheduling

The workflow includes intelligent scheduling to avoid duplicate scans:

• For scheduled runs, it checks for successful scans from the previous day (00:00-23:59 UTC)
• Only branches with no successful scans in the previous day are processed

Output and Monitoring

1. Artifacts: Generated SBOM files and detailed scan results are preserved after each workflow execution
2. Metrics: Success/failure metrics are automatically published to CloudWatch for monitoring and alerting

Testing

1. Failed job because of tar-fs@2.0.0: https://github.com/sachinh-amazon/code-editor/actions/runs/17237972254/job/48907936820
2. Successful run after removing tar-fs: https://github.com/sachinh-amazon/code-editor/actions/runs/17238337967/job/48908527445
3. Successful run for all targets: https://github.com/sachinh-amazon/code-editor/actions/runs/17238568527
4. Successful for manual invocation: https://github.com/sachinh-amazon/code-editor/actions/runs/17239518066/job/48912596077
5. Successful run for NodeJS binary scans and Github Advisory scan: https://github.com/sachinh-amazon/code-editor/actions/runs/17251975669
6. Intentional failure for Github Advisory scan: https://github.com/sachinh-amazon/code-editor/actions/runs/17251937343
7. Branches which are already scanned in the past are skipped: https://github.com/sachinh-amazon/code-editor/actions/runs/17386725636 Tested by scanning the main branch first and then verified that branches 1.1 and 2.1 are scanned and main branch is skipped.
8. The security workflow does not run if PR is created against a branch which does not follow the digit.digit pattern: Random name edit sachinh-amazon/code-editor#8
9. The security workflow is created successfully for a PR: https://github.com/sachinh-amazon/code-editor/actions/runs/17386249906/job/49353112055
10. Checked that the workflow keeps running even if one branch or target fails: https://github.com/sachinh-amazon/code-editor/actions/runs/17387275237/job/49356151477 . Runs successfully for 4.1 branch and fails for 3.1 branch which is expected.

The current security scanning workflow which runs automatically in response to a PR creation will fail. The error is expected and will be fixed once the changes are merged to the main branch.

Additional packages that will be added to the workflow for security scanning

1. All non-production dependencies should be scanned but only display warnings if vulnerabilities are detected.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.