[Bug] config/defaults.yaml has no vuln-scan section: vuln-scan settings cannot be configured via config file #23

@wiebe-vandendriessche

Description

AIBoMGen CLI version

v0.2.1

Go version (if built from source)

go1.25.x

Operating system

Any

Command used

# With vuln-scan.hf-token set in config/defaults.yaml (does not exist)
aibomgen-cli vuln-scan --input ./dist/aibom.json

Expected behavior

The vuln-scan command reads its defaults from config/defaults.yaml like all other commands, allowing vuln-scan.input, vuln-scan.hf-token, vuln-scan.hf-timeout, vuln-scan.enrich, vuln-scan.output, vuln-scan.log-level, and other flags to be set via config file or environment variable.

Actual behavior

config/defaults.yaml contains sections for generate, scan, enrich, validate, completeness, and merge, but has no vuln-scan: section. The vuln-scan command binds all its flags to viper keys under vuln-scan.* via viper.BindPFlag, but since no defaults exist in the config file, every setting falls back to the flag default or zero value. Setting AIBOMGEN_VULN_SCAN_HF_TOKEN also has no effect due to the separate AutomaticEnv bug.

Additional context

Fix: add a vuln-scan: section to config/defaults.yaml documenting all configurable keys with their defaults, matching the pattern of every other command section in that file.
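
A regression check for this class of bug, added here as an example and not taken from the AIBoMGen code base: it lists every command that has no top-level section in the defaults file. The sample YAML is constructed, the function names are hypothetical, and the scan assumes plain unindented top-level keys rather than full YAML parsing.

```go
package main

import (
	"fmt"
	"strings"
)

// Sections the issue says exist, plus the one it says is missing.
var commands = []string{"generate", "scan", "enrich", "validate", "completeness", "merge", "vuln-scan"}

// Constructed sample standing in for config/defaults.yaml (section bodies elided as {}).
const sampleDefaults = `generate: {}
scan: {}
enrich: {}
validate: {}
completeness: {}
merge: {}
`

// topLevelKeys collects unindented "key:" entries of a block-style YAML mapping.
// Assumption: the file uses plain top-level keys, so no YAML library is needed.
func topLevelKeys(doc string) map[string]bool {
	keys := map[string]bool{}
	for _, line := range strings.Split(doc, "\n") {
		if line == "" || strings.ContainsAny(line[:1], " \t#-") {
			continue // skip blanks, nested keys, comments and list items
		}
		if k, _, ok := strings.Cut(line, ":"); ok {
			keys[strings.TrimSpace(k)] = true
		}
	}
	return keys
}

// missingSections returns the commands that have no section in doc.
func missingSections(doc string, cmds []string) []string {
	var missing []string
	keys := topLevelKeys(doc)
	for _, c := range cmds {
		if !keys[c] {
			missing = append(missing, c)
		}
	}
	return missing
}

func main() {
	fmt.Println("missing sections:", missingSections(sampleDefaults, commands))
}
```

Run against the real file in CI, a non-empty result would flag a command whose settings, such as a token, can only be supplied on the command line.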
