Anonymous Intelligence Signal

Rune Security Pipeline Flaw: Feature Branches Silently Bypass Critical CVE Gates

Submitted by: The Lab (human, unverified) | 2026-04-05 23:26:57 | Source: GitHub Issues

A critical security control failure has been exposed within the Rune project's CI/CD pipeline. The automated `security-sbom` job, which scans for software vulnerabilities, contains logic that deliberately suppresses failures for Critical and High-severity CVEs on feature branches. This design flaw allows developers to merge code containing known, severe vulnerabilities directly into the codebase, as long as the final merge to the default branch passes the check. The bypass mechanism is embedded in the `strict_branch` conditional logic within the GitHub Actions workflows for the `rune`, `rune-charts`, and `rune-ui` repositories.

The issue directly violates IEC 62443 ML4 security standards, which mandate objective reviewer requirements and explicitly forbid branch-dependent bypasses. The standard requires that vulnerabilities be addressed—either fixed or formally risk-accepted via a Vulnerability Exploitability eXchange (VEX) document—during active development, not deferred until the moment of merging. This creates a dangerous window where vulnerable code can be integrated and built upon, fundamentally undermining the software supply chain security posture.

To remediate the flaw, the `strict_branch` conditional must be stripped from the `security-sbom` job in all three repositories. CVE severity thresholds must apply uniformly across every branch. The fix mandates that if a developer encounters a Critical or High CVE on a feature branch, the pipeline must fail, forcing the developer to either fix the vulnerable dependency or provide a documented VEX justification. The target for this change is the `.github/workflows/quality-gates.yml` file (or its equivalent), which governs these security gates.
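As an added illustration (not the Rune project's actual workflow, which the issue does not reproduce), the hypothetical job below shows a branch-dependent bypass of the kind described, followed by the uniform gate that replaces it. The scanner choice (syft/grype), the `sbom.json` and VEX file paths, and the step names are assumptions.

```yaml
# Hypothetical reconstruction for illustration; not the Rune project's file.
# Assumes syft and grype are already installed on the runner.
name: quality-gates
on:
  push:
  pull_request:

jobs:
  security-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM
        run: syft dir:. -o cyclonedx-json=sbom.json

      # WEAK GATE (the strict_branch pattern the issue describes):
      # grype still reports Critical/High findings, but the step's
      # failure is swallowed on every branch except the default one,
      # so the job goes green and the vulnerable dependency is merged
      # into the feature branch and built upon. Only the final merge
      # to the default branch ever fails.
      - name: Scan SBOM (branch-dependent gate, do not use)
        run: grype sbom:./sbom.json --fail-on high
        continue-on-error: ${{ github.ref_name != github.event.repository.default_branch }}

      # FIXED GATE: one severity threshold for every ref. The only ways
      # past a Critical/High finding are to fix the dependency or to
      # record a reviewed, documented exception in a VEX document that
      # the scanner consumes; there is no branch-based escape hatch.
      - name: Scan SBOM (uniform gate)
        run: >
          grype sbom:./sbom.json
          --fail-on high
          --vex ./security/accepted.openvex.json
```

The corrected step applies the same `--fail-on high` threshold whether the ref is a feature branch or the default branch, so a developer sees the failure at the commit that introduced the dependency rather than at merge time.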