# Implementation Plan: Syft & Grype Scanner

## Objective
Implement the SBOM generation (Syft) and vulnerability scanning (Grype) step as a parallel task in the DAG.

## Requirements
- Define a task template named `scan-syft-grype`.
- Depend on the `clone-repo` task.
- Mount the shared PVC at `/workspace`.
- Step A: Run Syft against `/workspace` to generate an SBOM (SPDX/CycloneDX format) -> `/workspace/reports/sbom.json`.
- Step B: Run Grype against the generated SBOM (or the workspace directly) to find vulnerabilities.
- Output Grype findings in SARIF format.
- Save the Grype output to `/workspace/reports/grype.sarif`.
- Ensure the task exits successfully (`|| true`) to allow Phase 3 aggregation.

## Agent Instructions
1. Add the `scan-syft-grype` template to the `ClusterWorkflowTemplate`.
2. Wire it into the DAG alongside the other scanners.
3. **CRITICAL: File Splitting:** Do NOT put everything into one giant file! Split your YAML manifests or configurations into separate, smaller files (e.g. using separate Helm template files, configmaps, or helper scripts) to prevent exhausting the context window.