ci(trivy): skip base runner externals and scan vuln only

- Add --scanners vuln to disable secret scanning (faster)
- Add --skip-dirs /home/runner/externals to skip base Node/npm tree

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: miragecentury

.github/workflows/validate.yaml

@@ -90,8 +90,10 @@ jobs:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: |
           trivy image \
+            --scanners vuln \
             --ignore-unfixed \
             --pkg-types library \
+            --skip-dirs /home/runner/externals \
             --ignorefile .trivyignore \
             --severity HIGH,CRITICAL \
             --exit-code 1 \

scripts/builder.sh

@@ -288,8 +288,10 @@ trivy_scan () {
     set +e
     trivy_scan_exec=$(\
             trivy image \
+            --scanners vuln \
             --ignore-unfixed \
             --pkg-types library \
+            --skip-dirs /home/runner/externals \
             --ignorefile .trivyignore \
             --input ${BUILD_DIR}/${IMAGE_NAME}-${IMAGE_TAG}.tar \
             --format github \