
Fix GitLab security report schema compliance + scan alert population#182

Open
lelia wants to merge 11 commits intomainfrom
lelia/fix-gitlab-scan-issues

Conversation

@lelia
Contributor

@lelia lelia commented Apr 8, 2026

Summary

  • Fix GitLab Dependency Scanning report (gl-dependency-scanning-report.json) failing schema validation
  • Populate vulnerability data in the report when running full scans (non-diff mode)

Changes

Security report schema fixes

  • Changed start_time/end_time from datetime.utcnow().isoformat() + "Z" (includes microseconds) to strftime("%Y-%m-%dT%H:%M:%S") matching the v15.0.0 schema pattern
  • Added the required root-level dependency_files array, populated from alert manifest file locations with package manager mapping
  • Fixed datetime.utcnow() deprecation warning by switching to datetime.now(timezone.utc)

Full scan alert population

  • create_full_scan_with_report_url() now fetches SBOM data and extracts alerts into diff.new_alerts so GitLab/JSON/SARIF output formats have vulnerability data
  • Gated behind enable_gitlab_security || enable_json || enable_sarif flags - no performance impact for users not using these output formats

Diff scan alert population

  • GitLab report now includes both new_alerts and unchanged_alerts, so repeated scans with no dependency changes still show all known vulnerabilities in the Security Dashboard
  • Other output formats (JSON, SARIF, console) are unchanged -- they show only new alerts by default, or new + existing with --strict-blocking

Commit status fix

  • --enable-commit-status now counts blocking alerts from both new and unchanged alerts when --strict-blocking is enabled
  • Description now distinguishes new vs existing blockers (e.g. "3 blocking alert(s) found (1 new, 2 existing)")

CLI documentation

  • Added schema version compatibility note (v15.0.0 targeting, cross-version support)
  • Added performance note for full scan alert fetching
  • Documented alert population differences between GitLab vs JSON/SARIF output formats
  • Documented comment-based ignore behavior for the GitLab Security Dashboard
  • Updated troubleshooting for full scan empty vulnerabilities

E2E testing

  • Consolidated all e2e CI checks into a single matrix workflow for easier troubleshooting
  • Expanded e2e test coverage to include GitLab schema checks and other output forms

Testing steps

  • Existing 116 unit tests pass (including 5 new GitLab format tests)
  • Validate with PR preview Docker image against a GitLab CI pipeline
  • Verify gl-dependency-scanning-report.json passes GitLab schema validation
  • Confirm full scan with --enable-gitlab-security produces non-empty vulnerabilities array
  • Confirm scan without output flags has no additional API calls (no performance regression)
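The report-building logic the description above refers to, as an added example (not the socketsecurity project's own code): it formats `scan.start_time`/`scan.end_time` without microseconds or a `Z` suffix, groups alerts by manifest path into the root-level `dependency_files` array with a manifest-to-package-manager mapping, merges `new_alerts` with `unchanged_alerts` only for the GitLab format (or with `--strict-blocking`), and produces the "N new, M existing" commit-status description. The timestamp regex and the minimal `dependency_files` item shape are reproduced from memory of the GitLab v15.0.0 schema and should be checked against the published schema; the alert records and the `PACKAGE_MANAGER_BY_MANIFEST` mapping are constructed for the example.

```python
"""Added example (not socketsecurity code): GitLab Dependency Scanning
report fields discussed in the PR, plus the alert-merge and commit-status rules.

Assumptions: GL_TIME_PATTERN and the dependency_files item shape follow my
recollection of the v15.0.0 schema; sample alerts and the package-manager
mapping are constructed here.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Schema pattern for scan.start_time / scan.end_time: seconds precision, no zone suffix.
GL_TIME_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")

# Constructed mapping from manifest basename to a GitLab package_manager value.
PACKAGE_MANAGER_BY_MANIFEST = {
    "package-lock.json": "npm",
    "package.json": "npm",
    "requirements.txt": "pip",
    "pyproject.toml": "pip",
    "go.mod": "go",
    "Gemfile.lock": "bundler",
}


def gitlab_timestamp(dt: datetime) -> str:
    """Format a datetime the way the schema pattern expects (UTC, no fraction)."""
    # Normalise aware datetimes to UTC; naive ones are assumed to already be UTC.
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def is_schema_time(value: str) -> bool:
    """True when the string satisfies the schema's timestamp pattern."""
    return GL_TIME_PATTERN.fullmatch(value) is not None


def build_dependency_files(alerts: list[dict]) -> list[dict]:
    """Group alerts by manifest path into the root-level dependency_files array."""
    by_path: dict[str, dict] = {}
    for alert in alerts:
        path = alert["manifest"]
        basename = path.rsplit("/", 1)[-1]
        entry = by_path.setdefault(path, {
            "path": path,
            "package_manager": PACKAGE_MANAGER_BY_MANIFEST.get(basename, "unknown"),
            "dependencies": [],
        })
        dep = {"package": {"name": alert["name"]}, "version": alert["version"]}
        if dep not in entry["dependencies"]:  # one entry per package/version
            entry["dependencies"].append(dep)
    return sorted(by_path.values(), key=lambda e: e["path"])


def alerts_for_format(diff: dict, fmt: str, strict_blocking: bool) -> list[dict]:
    """GitLab output always gets new + unchanged; other formats only with --strict-blocking."""
    new = diff.get("new_alerts", [])
    unchanged = diff.get("unchanged_alerts", [])  # full-scan diffs may carry no unchanged key
    if fmt == "gitlab" or strict_blocking:
        return new + unchanged
    return new


def commit_status_description(diff: dict, strict_blocking: bool) -> tuple[int, str]:
    """Count blocking alerts and describe them as new vs existing."""
    new_blocking = sum(1 for a in diff.get("new_alerts", []) if a.get("blocking"))
    existing_blocking = 0
    if strict_blocking:
        existing_blocking = sum(1 for a in diff.get("unchanged_alerts", []) if a.get("blocking"))
    total = new_blocking + existing_blocking
    return total, f"{total} blocking alert(s) found ({new_blocking} new, {existing_blocking} existing)"


def build_report(diff: dict, start: datetime, end: datetime) -> dict:
    """Assemble the schema-relevant top-level pieces of the GitLab report."""
    alerts = alerts_for_format(diff, "gitlab", strict_blocking=False)
    return {
        "version": "15.0.0",
        "scan": {"start_time": gitlab_timestamp(start), "end_time": gitlab_timestamp(end)},
        "dependency_files": build_dependency_files(alerts),
        "vulnerabilities_count": len(alerts),  # stand-in for the full vulnerabilities array
    }


# Constructed sample diff: one new blocking alert, two unchanged blocking alerts.
SAMPLE_DIFF = {
    "new_alerts": [
        {"name": "left-pad", "version": "1.0.0", "manifest": "web/package-lock.json", "blocking": True},
    ],
    "unchanged_alerts": [
        {"name": "requests", "version": "2.0.0", "manifest": "requirements.txt", "blocking": True},
        {"name": "requests", "version": "2.0.0", "manifest": "requirements.txt", "blocking": True},
        {"name": "yaml", "version": "3.0.0", "manifest": "tools/go.mod", "blocking": False},
    ],
}

if __name__ == "__main__":
    started = datetime(2026, 4, 8, 18, 13, 5, 123456, tzinfo=timezone.utc)
    print(build_report(SAMPLE_DIFF, started, datetime.now(timezone.utc)))
    print(commit_status_description(SAMPLE_DIFF, strict_blocking=True)[1])
```

The duplicate `requests` entry in the sample shows why `build_dependency_files` de-duplicates per package/version: two alerts on the same package should not yield two dependency rows, and a naive `isoformat() + "Z"` timestamp is rejected by `is_schema_time` exactly as the schema validator would reject it.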

lelia added 3 commits April 8, 2026 18:13
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia requested a review from a team as a code owner April 8, 2026 22:21
@github-actions

github-actions bot commented Apr 8, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.81.dev9

Docker image: socketdev/cli:pr-182

lelia added 3 commits April 8, 2026 18:45
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
lelia added 5 commits April 9, 2026 13:40
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
…g enabled

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia changed the title Fix GitLab security report schema compliance + full scan alert population Fix GitLab security report schema compliance + scan alert population Apr 9, 2026
Contributor

@dc-larsen David Larsen (dc-larsen) left a comment


Reviewed the full diff — the repeat-scan fix connects cleanly to the existing unchanged_alerts pipeline. All three scenarios (full scan, first diff, repeat diff with no changes) produce the right output.

A few things I verified:

  • GitLab report correctly merges new_alerts + unchanged_alerts; JSON/SARIF paths untouched
  • _create_packages_dict_without_license_text is a good optimization for the report-only path
  • getattr(diff, 'unchanged_alerts', []) handles full scan diffs gracefully
  • Commit status description with "1 new, 2 existing" breakdown is a nice touch
  • All 15 CI checks pass including the new e2e-gitlab matrix

Will pull the preview image and run a repeat-scan validation against our GitLab test repo to confirm end-to-end.
