Add CVE scan GitHub workflow that is triggered on pull requests

[weresch]

Thank you for contributing to the CF CLI! Please read the following:

• Please make sure you have implemented changes in line with the contributing guidelines
• We're not allowed to accept any PRs without a signed CLA, no matter how small. If your contribution falls under a company CLA but your membership is not public, expect delays while we confirm.
• All new code requires tests to protect against regressions.
• Contributions must be made against the appropriate branch. See the contributing guidelines
• Contributions must conform to our style guide. Please reach out to us if you have questions.

Note: Please create separate PR for every branch (main, v8 and v7) as needed.

Description of the Change

Adding a CVE scan GitHub workflow on PRs.

Why Is This PR Valuable?

The CVE scan GitHub workflow on PRs helps prevent known CVEs from being added to the codebase.

Applicable Issues

No applicable issues

How Urgent Is The Change?

Not urgent

Other Relevant Parties

No one else

[weresch]

I paired on this work with @chinigo

[a-b]

Considering the volume of shell scripts we're writing, should we try https://github.com/shellspec/shellspec ?