Skip to content

NPA-6800: Update PR check in each repo to fail on High severity rather than critical #134

Open

davesmallnhs wants to merge 2 commits into main from task/NPA-6800/update-pr-check-to-fail-on-high-severity-rather-than-criticol

Conversation

@davesmallnhs
Contributor

Pull Request

🧾 Ticket Link

https://nhsd-jira.digital.nhs.uk/browse/NPA-6800


📄 Description/Summary of Changes

  • NB: Currently, grype.yaml has no fail-on-severity set at all, meaning the scan generates a report but never actually fails the build regardless of what it finds.
  • Added fail-on-severity config for grype: set to high

🧪 Developer Testing Carried Out


📋 PR Principles

  • Keep PRs Small and Focused: Ensure the PR addresses a single task or feature to make it easier to review.
  • Multiple PRs for one Ticket: When splitting work into multiple PRs, clearly describe what this PR addresses and outline the remaining work to complete the ticket.
  • Ensure Tests Are Included: Add or update unit, integration, or end-to-end tests to cover the changes made.
  • Follow Coding Standards: Ensure the code adheres to the team's coding guidelines and best practices.
  • Resolve Comments Promptly: If you raise a comment, ensure you follow up and resolve it before approving the PR to maintain clarity and ensure comments are addressed.
  • Foster Learning: PR reviews are an opportunity to share knowledge, provide constructive feedback, and encourage a collaborative environment.

🏷️ Naming Conventions Reminder

Please ensure the following naming conventions are followed:

  • PR title follows the format: NPA-XXXX: <short-description>
  • Branch name follows the convention: <type>/NPA-XXXX/<short-description>
  • Commit messages follow the template: NPA-XXXX: <short-description>
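To make the threshold concrete, here is an added example (not code from this PR, from grype, or from the project): a small Python gate that applies a fail-on-severity threshold to a grype JSON report. It reproduces the pre-PR state (no threshold set, so nothing ever fails), the new behaviour (`high` fails on High and Critical), and an `only_fixed` switch modelled on grype's `only-fixed` option. The severity ladder, the report field names and the sample report below are assumptions, and the package names and vulnerability IDs in the sample are constructed.

```python
import json

# Severity ladder, lowest to highest. This mirrors grype's ordering as I
# understand it (assumption): "Unknown" ranks below everything, so a gate
# set to "high" never trips on a match whose severity is missing.
SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]


def severity_rank(name):
    """Position of a severity label on the ladder; unrecognised labels count as unknown."""
    label = (name or "unknown").lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0


def failing_matches(report, fail_on=None, only_fixed=False):
    """Matches that would fail a gate set to `fail_on` (the threshold is a floor).

    fail_on=None reproduces the pre-PR grype.yaml (no fail-on-severity key):
    a report is produced but nothing ever fails. only_fixed=True is modelled on
    grype's only-fixed option (assumption about its semantics): matches whose
    fix state is not "fixed" are left out of the gate.
    """
    if fail_on is None:
        return []
    threshold = severity_rank(fail_on)
    failing = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        if severity_rank(vuln.get("severity")) < threshold:
            continue
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        artifact = match.get("artifact", {})
        failing.append((artifact.get("name"), artifact.get("version"),
                        vuln.get("id"), vuln.get("severity")))
    return failing


def gate_exit_code(report, fail_on=None, only_fixed=False):
    """0 when the scan passes the gate, 1 when at least one match meets the threshold."""
    return 1 if failing_matches(report, fail_on, only_fixed) else 0


# Constructed sample in the shape of grype's JSON output (assumption about the
# field names); the package names and vulnerability IDs are made up.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {"vulnerability": {"id": "VULN-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["1.2.4"]}},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "VULN-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "toolkit", "version": "0.9.0"}},
    {"vulnerability": {"id": "VULN-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["2.0.1"]}},
     "artifact": {"name": "parser", "version": "2.0.0"}},
    {"vulnerability": {"id": "VULN-0004", "severity": "Unknown",
                       "fix": {"state": "unknown", "versions": []}},
     "artifact": {"name": "legacy", "version": "0.1.0"}}
  ]
}
""")

if __name__ == "__main__":
    # Walk through the settings the PR discusses: unset, critical, high, high + only-fixed.
    for fail_on, only_fixed in [(None, False), ("critical", False), ("high", False), ("high", True)]:
        hits = failing_matches(SAMPLE_REPORT, fail_on, only_fixed)
        print(f"fail-on-severity={fail_on!s:8} only-fixed={only_fixed!s:5} "
              f"exit={gate_exit_code(SAMPLE_REPORT, fail_on, only_fixed)} "
              f"failing={[h[2] for h in hits]}")
```

Run it to see the four outcomes side by side. The point of the `only_fixed` switch is the decision this PR leaves open: with `high` alone, the unfixable High in the sample blocks the build exactly like the fixable Critical does, and the only way past it is an explicit ignore entry.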

Copilot AI review requested due to automatic review settings May 19, 2026 10:46
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the Grype vulnerability scanning configuration so CI fails when High-severity (or above) vulnerabilities are detected, turning the scan into an enforceable quality gate.

Changes:

  • Add fail-on-severity: high to the Grype configuration.


Comment thread scripts/config/grype.yaml
@@ -1,5 +1,6 @@
# If using SBOM input, automatically generate CPEs when packages have none
add-cpes-if-none: true
fail-on-severity: high
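Review bot: this file lives at scripts/config/grype.yaml, which is not one of grype's default config search locations, so the new `fail-on-severity: high` line only becomes a gate if the CI scan step loads it explicitly (the `-c`/`--config` flag); that invocation is not in this diff and the Developer Testing section is empty, so please link a pipeline run showing a scan with a known High finding exiting non-zero. Two follow-ups worth deciding here: `high` also fails on Critical (the threshold is a floor, which matches the ticket's intent), and without `only-fixed: true` a High finding with no upstream fix will block every PR in that repo until it is triaged into grype's `ignore` list.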