Replace Snyk with SBOM + pip-audit dependency scan workflow

- Remove Snyk badge (needs PyPI publication)
- Add sbom.yml: generates CycloneDX SBOM, scans ALL dependencies
  (direct + transitive) with pip-audit, license audit with pip-licenses
- Uploads SBOM + audit report as downloadable artifacts (90 day retention)
- Runs on every push, weekly, and manual trigger
- Dynamic badge shows workflow pass/fail status

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aksOps

.github/workflows/sbom.yml

@@ -0,0 +1,75 @@
+name: SBOM + Dependency Audit
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  sbom-and-audit:
+    name: Generate SBOM & scan dependencies
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install project + tools
+        run: |
+          pip install .
+          pip install pip-audit cyclonedx-bom pip-licenses
+
+      - name: Generate CycloneDX SBOM (JSON)
+        run: |
+          cyclonedx-py environment \
+            --output-format json \
+            --outfile sbom-cyclonedx.json \
+            2>&1 || cyclonedx-py --format json -o sbom-cyclonedx.json 2>&1 || true
+          echo "CycloneDX SBOM generated"
+
+      - name: Generate dependency list with licenses
+        run: |
+          pip-licenses --format=json --with-urls --with-description > dependencies-licenses.json
+          pip-licenses --format=plain --with-urls
+          echo ""
+          echo "=== License summary ==="
+          pip-licenses --summary
+
+      - name: Audit dependencies for vulnerabilities
+        run: |
+          echo "=== Scanning all installed packages (including transitive) ==="
+          pip-audit --desc --format=json --output=audit-report.json 2>&1 || true
+          echo ""
+          echo "=== Audit Results ==="
+          pip-audit --desc 2>&1 || true
+
+      - name: Count results
+        run: |
+          echo "=== Installed packages ==="
+          pip list --format=columns | wc -l
+          echo ""
+          echo "=== Direct dependencies ==="
+          python3 -c "import tomli; deps=tomli.load(open('pyproject.toml','rb'))['project']['dependencies']; print(f'{len(deps)} direct dependencies')"
+          echo ""
+          echo "=== Transitive dependencies ==="
+          pip list --format=json | python3 -c "import sys,json; pkgs=json.load(sys.stdin); print(f'{len(pkgs)} total packages installed (direct + transitive)')"
+
+      - name: Upload SBOM artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-report
+          path: |
+            sbom-cyclonedx.json
+            dependencies-licenses.json
+            audit-report.json
+          retention-days: 90

README.md

@@ -11,7 +11,7 @@
   <a href="https://github.com/RandomCodeSpace/code-iq/releases"><img src="https://img.shields.io/github/v/release/RandomCodeSpace/code-iq?include_prereleases&style=flat-square&logo=github&label=Release" alt="Release"></a>
   <a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/python-3.11%2B-blue?style=flat-square&logo=python&logoColor=white" alt="Python 3.11+"></a>
   <a href="https://github.com/RandomCodeSpace/code-iq/blob/main/LICENSE"><img src="https://img.shields.io/github/license/RandomCodeSpace/code-iq?style=flat-square&label=License" alt="MIT License"></a>
-  <a href="https://app.snyk.io"><img src="https://img.shields.io/snyk/vulnerabilities/github/RandomCodeSpace/code-iq?style=flat-square&logo=snyk&label=Snyk" alt="Snyk Vulnerabilities"></a>
+  <a href="https://github.com/RandomCodeSpace/code-iq/actions/workflows/sbom.yml"><img src="https://img.shields.io/github/actions/workflow/status/RandomCodeSpace/code-iq/sbom.yml?branch=main&style=flat-square&logo=shieldsdotio&logoColor=white&label=SBOM%20%2B%20Audit" alt="SBOM + Dependency Audit"></a>
   <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq&metric=security_rating&style=flat-square" alt="Sonarcloud Security"></a>
   <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq&metric=reliability_rating" alt="Sonarcloud Reliability"></a>
   <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq&metric=sqale_rating" alt="Sonarcloud Maintainability"></a>