Closed (moleske closed this 1 year ago)
For what it is worth, I'm not thrilled about this pipeline. It is only pointing out that test dependencies (ginkgo/gomega stuff) and our docs (which aren't shipped in a capi release) have potential CVEs. This seems like noise to me rather than usefulness. Though maybe it would have found some blobstore stuff like nginx?
I'm going to merge and keep it in, but I think we should consider deleting this pipeline in the future, especially if it is not providing value over just staying up to date on dependencies (which I feel capi has generally done an ok job at).
Some folks have been asking internally for a CVE pipeline. They made https://github.com/cloudfoundry-incubator/concourse-cve-scan as an example. This is a first pass, setting critical as the threshold for failure.
Currently running as a separate pipeline at https://ci.capi.land/teams/main/pipelines/cve-scan. At some point maybe we should make it blocking, but for now it is informational.
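The gate the thread describes (a severity threshold, run informationally first and flipped to blocking later), written out as an added example; this is not capi's code and not the concourse-cve-scan repository's code. It assumes each finding carries a `scope` tag saying whether the affected package ships in a release, which a real scanner may not provide, and it separates shipped-scope hits from the test-dependency and docs hits the first comment calls noise. The package names, scopes and `CVE-PLACEHOLDER-*` ids are constructed.

```python
"""Severity-threshold gate for a CVE-scan pipeline task.

Added example, not code from capi or from concourse-cve-scan. It assumes each
finding carries a 'scope' tag (runtime / test / docs) that the real scanner may
not provide; the package names, CVE ids and scopes below are constructed.
"""
from dataclasses import dataclass

# Rank severities so a "critical" threshold means "critical and nothing lower".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    cve_id: str    # placeholder ids, not real CVE numbers
    severity: str  # one of SEVERITY_RANK's keys
    scope: str     # assumed tag: "runtime", "test" or "docs"


# Constructed sample, shaped like the thread's complaint: most hits are in
# test-only dependencies and docs tooling, with one runtime component.
SAMPLE_FINDINGS = [
    Finding("github.com/onsi/ginkgo", "CVE-PLACEHOLDER-0001", "high", "test"),
    Finding("github.com/onsi/gomega", "CVE-PLACEHOLDER-0002", "medium", "test"),
    Finding("docs-site-generator", "CVE-PLACEHOLDER-0003", "critical", "docs"),
    Finding("nginx", "CVE-PLACEHOLDER-0004", "critical", "runtime"),
]


def at_or_above(severity, threshold):
    """True when a finding's severity meets the failure threshold."""
    return SEVERITY_RANK[severity.lower()] >= SEVERITY_RANK[threshold.lower()]


def evaluate(findings, threshold="critical", shipped_scopes=("runtime",), blocking=False):
    """Split findings into ones that should fail the build and ones that are noise.

    - 'failures': at/above threshold AND in a scope that ships in a release.
    - 'noise': at/above threshold but in a non-shipped scope (tests, docs);
      reported, never blocking.
    - 'exit_code': 1 only when blocking is on and there is at least one failure,
      so the pipeline can run informationally first and be made blocking later.
    """
    failures = []
    noise = []
    for f in findings:
        if not at_or_above(f.severity, threshold):
            continue
        (failures if f.scope in shipped_scopes else noise).append(f)
    exit_code = 1 if (blocking and failures) else 0
    return {"failures": failures, "noise": noise, "exit_code": exit_code}


def report(result):
    """Render the gate outcome as the task's log output."""
    lines = []
    for f in result["failures"]:
        lines.append(f"FAIL  {f.severity:<8} {f.package} ({f.cve_id}) scope={f.scope}")
    for f in result["noise"]:
        lines.append(f"NOISE {f.severity:<8} {f.package} ({f.cve_id}) scope={f.scope}")
    lines.append(f"exit code: {result['exit_code']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Informational mode first, as in the thread; pass blocking=True to gate merges.
    outcome = evaluate(SAMPLE_FINDINGS, threshold="critical", blocking=False)
    print(report(outcome))
    sys.exit(outcome["exit_code"])
```

With the sample data and the default settings the only failure is the runtime `nginx` hit, the critical docs hit is listed as noise, and the exit code stays 0 until `blocking=True` is passed; widening `shipped_scopes` to include `"test"` and lowering the threshold to `"high"` is what turns the ginkgo finding into a failure, which is the trade-off the thread is debating.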