Summary

• Fix GitLab Dependency Scanning report (gl-dependency-scanning-report.json) failing schema validation
• Populate vulnerability data in the report when running full scans (non-diff mode)

Changes

Security report schema fixes

• Changed start_time/end_time from datetime.utcnow().isoformat() + "Z" (includes microseconds) to strftime("%Y-%m-%dT%H:%M:%S") matching the v15.0.0 schema pattern
• Added the required root-level dependency_files array, populated from alert manifest file locations with package manager mapping
• Fixed datetime.utcnow() deprecation warning by switching to datetime.now(timezone.utc)

Full scan alert population

• create_full_scan_with_report_url() now fetches SBOM data and extracts alerts into diff.new_alerts so GitLab/JSON/SARIF output formats have vulnerability data
• Gated behind enable_gitlab_security || enable_json || enable_sarif flags - no performance impact for users not using these output formats

CLI documentation

• Added schema version compatibility note (v15.0.0 targeting, cross-version support)
• Added performance note for full scan alert fetching
• Updated troubleshooting for full scan empty vulnerabilities

E2E testing

• Consolidated all e2e CI checks into a single matrix workflow for easier troubleshooting
• Expanded e2e test coverage to include GitLab schema checks and other output forms

Testing steps

• Existing 116 unit tests pass (including 5 new GitLab format tests)
• Validate with PR preview Docker image against a GitLab CI pipeline
• Verify gl-dependency-scanning-report.json passes GitLab schema validation
• Confirm full scan with --enable-gitlab-security produces non-empty vulnerabilities array
• Confirm scan without output flags has no additional API calls (no performance regression)