
fix(build): add granular grype-soft-fail for PR validation#313

Merged
WilliamBerryiii merged 3 commits into main from fix/grype-soft-fail-pr-validation
Apr 1, 2026

Conversation

@WilliamBerryiii
Member

IMPORTANT: Before submitting, please remove all sensitive data, secrets, tokens, or confidential information. Ensure you've redacted any NDA-covered information, IP addresses, resource names, or security-related details that shouldn't be publicly disclosed.

Description

Adds a granular grype-soft-fail input to the reusable security-scan workflow so PR validation can treat Grype vulnerability findings as warnings while keeping Gitleaks and Secretlint as hard gates. This breaks the deadlock where dependabot PRs cannot merge because Grype flags pre-existing CVEs in unrelated dependencies.

The PR validation workflow now passes grype-soft-fail: true, and .grype.yaml is cleaned of all CVE ignore entries since dependabot resolved all underlying vulnerabilities.

Related Issue

Closes #308

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

security-scan.yml — Added grype-soft-fail boolean input (required: false, default: false). Refactored the "Fail on Security Violations" gate step so Gitleaks and Secretlint failures always set HARD_FAILURE=true, while Grype failures respect the GRYPE_SOFT_FAIL flag. The existing soft-fail input remains as a global override.

pr-validation.yml — Added with: grype-soft-fail: true to the security-scan job call. No other changes.

main.yml — Intentionally unchanged. Grype hard-fail is retained as a post-merge safety net.

.grype.yaml — Reduced from 18 lines to 2 lines (fail-on-severity: high only). Removed five CVE ignore entries that dependabot has since resolved.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Validation Steps

  1. Verify security-scan.yml YAML syntax is valid.
  2. Confirm grype-soft-fail defaults to false — existing callers are unaffected.
  3. Verify pr-validation.yml passes grype-soft-fail: true to security-scan.
  4. Confirm main.yml does not pass grype-soft-fail — Grype remains a hard gate on main.
  5. Confirm .grype.yaml contains only fail-on-severity: high.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • I have run MegaLinter on my code (mega-linter-runner)

Additional Notes

The soft-fail global override and grype-soft-fail scanner-specific input are complementary. soft-fail: true disables all scanner failures; grype-soft-fail: true only disables Grype failures while preserving Gitleaks and Secretlint as hard gates.

Screenshots (if applicable)

N/A

- Add grype-soft-fail input to security-scan.yml reusable workflow
- Pass grype-soft-fail: true in pr-validation.yml security-scan job
- Remove all resolved CVE ignore entries from .grype.yaml
- Gitleaks and Secretlint remain hard-fail regardless of grype-soft-fail

Closes #308

🔒 - Generated by Copilot
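The gate logic described under Implementation Details and Additional Notes, written out as a stand-alone shell function so the two flags can be exercised side by side. This is an added example, not the project's own "Fail on Security Violations" step; it assumes each scanner outcome arrives as the string "success" or "failure" and that the two flags arrive as "true" or "false".

```shell
#!/bin/sh
# Added example (not the project's security-scan.yml step).
# Assumed inputs, in order:
#   1 gitleaks outcome   ("success" | "failure")
#   2 secretlint outcome ("success" | "failure")
#   3 grype outcome      ("success" | "failure")
#   4 soft-fail          ("true" | "false")  global override
#   5 grype-soft-fail    ("true" | "false")  Grype-only override
# Prints "pass", "warn" or "fail"; returns 1 only for "fail".
security_gate() {
  gitleaks="$1"; secretlint="$2"; grype="$3"
  soft_fail="$4"; grype_soft_fail="$5"
  hard_failure=false; warned=false

  if [ "$soft_fail" = "true" ]; then
    # Global override: every scanner failure becomes a warning.
    for r in "$gitleaks" "$secretlint" "$grype"; do
      [ "$r" = "failure" ] && warned=true
    done
  else
    # Secret scanners are always hard gates, regardless of grype-soft-fail.
    if [ "$gitleaks" = "failure" ] || [ "$secretlint" = "failure" ]; then
      hard_failure=true
    fi
    # Grype alone honours the scanner-specific flag.
    if [ "$grype" = "failure" ]; then
      if [ "$grype_soft_fail" = "true" ]; then
        warned=true
      else
        hard_failure=true
      fi
    fi
  fi

  if [ "$hard_failure" = "true" ]; then
    echo "fail"; return 1
  fi
  if [ "$warned" = "true" ]; then
    echo "warn"; return 0
  fi
  echo "pass"; return 0
}

# Demo: the PR-validation configuration (grype-soft-fail: true) with a Grype hit
# but clean secret scans. Prints "warn" and exits 0, so the PR is not blocked.
security_gate success success failure false true
```

Feeding the same inputs with the fourth and fifth arguments both "false" reproduces main.yml, where the Grype failure alone yields "fail".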
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner March 27, 2026 21:55
@WilliamBerryiii WilliamBerryiii merged commit 2169b99 into main Apr 1, 2026
33 checks passed
@WilliamBerryiii WilliamBerryiii deleted the fix/grype-soft-fail-pr-validation branch April 1, 2026 18:40


Development

Successfully merging this pull request may close these issues.

Grype full-repo scan blocks Dependabot PRs from merging independently
