From b978f4735a7ae3f9dbf0e2860f479780208a6bc7 Mon Sep 17 00:00:00 2001
From: Jonathan Tsai <tryweb@ichiayi.com>
Date: Thu, 26 Mar 2026 10:04:01 +0800
Subject: [PATCH] ci(sca): add npm ci before Trivy scan

Install actual node_modules so Trivy can scan the full dependency
tree rather than just package-lock.json metadata.
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c58301..6aa0728 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,6 +24,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install dependencies
+        run: npm ci
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with: