feat: add Source column to vulnerability scan tables

Show the Trivy target (OS layer, binary path, package file) in the
vulnerability table so users can identify where each vulnerability
originates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: marc-barry

.github/workflows/container-rescan.yaml

@@ -48,11 +48,12 @@ jobs:
             if (vulns.length === 0) {
               summary += '_No vulnerabilities found._\n';
             } else {
-              summary += '| Library | CVE | Severity | Installed | Fixed | Title |\n|---|---|---|---|---|---|\n';
+              summary += '| Source | Library | CVE | Severity | Installed | Fixed | Title |\n|---|---|---|---|---|---|---|\n';
               for (const v of vulns) {
                 const title = (v.Title || '').replace(/\|/g, '\\|').substring(0, 80);
                 const cve = v.PrimaryURL ? `[${v.VulnerabilityID}](${v.PrimaryURL})` : v.VulnerabilityID;
-                summary += `| ${v.PkgName} | ${cve} | ${SEVERITY_LABEL[v.Severity] || v.Severity} | ${v.InstalledVersion} | ${v.FixedVersion || 'N/A'} | ${title} |\n`;
+                const source = (v.target || '').replace(/\|/g, '\|');
+                summary += `| ${source} | ${v.PkgName} | ${cve} | ${SEVERITY_LABEL[v.Severity] || v.Severity} | ${v.InstalledVersion} | ${v.FixedVersion || 'N/A'} | ${title} |\n`;
               }
             }
             fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, summary);