defenseunicorns / uds-package-gitlab

🏭 UDS GitLab Zarf Package
Apache License 2.0

feat: scan for vuln #98

Closed naveensrinivasan closed 4 months ago

naveensrinivasan commented 6 months ago

Description

Related Issue

Fixes #

Relates to #

Type of change

Checklist before merging

github-advanced-security[bot] commented 6 months ago

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

naveensrinivasan commented 6 months ago

The output here is quite verbose - is it possible to dedupe some of these that are repeated?

https://github.com/defenseunicorns/uds-package-gitlab/security/code-scanning?query=pr%3A98+is%3Aopen

There also seem to be some that are titled as "medium" or "low" but labeled as "critical" or "high"

  1. Image corresponding to the CVE - all of these CVEs have which image is reporting the CVE. registry1.dso.mil_ironbank_redhat_ubi_ubi9_9.3:1 https://github.com/defenseunicorns/uds-package-gitlab/security/code-scanning/10337

  2. Duplicate issue - All the zlib issues are from different containers. https://github.com/defenseunicorns/uds-package-gitlab/security/code-scanning?query=pr%3A98+is%3Aopen+zlib

  3. Critical issue having low in the title - The https://github.com/defenseunicorns/uds-package-gitlab/security/code-scanning/10212 is low because of the probability of exploiting the vulnerability, and that is the reason for low, with the vuln still being critical.

Some help from ChatGPT for low TL;DR:
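The two points raised in this thread, repeated findings for the same CVE coming from different containers and a "critical" vulnerability whose title says "low" because of exploit likelihood, can both be handled by post-processing the scanner output before it is uploaded. The script below is an added example, not code from this PR or from the uds-package-gitlab repository: it collapses findings by (CVE, package), records every image that reports each one, and keeps the base severity separate from a priority label so the two never get confused in the title. The input records are constructed, the CVE ids are placeholders, and the field names (`cve`, `package`, `severity`, `priority`, `image`) are a hypothetical simplification rather than any scanner's real output format; the ubi9 image name comes from the thread, the other image names are made up.

```python
"""Dedupe container vulnerability findings by CVE + package and keep base
severity separate from an exploitability/priority label.

Added example; the record shape is a hypothetical simplification and the
CVE ids are placeholders, not real identifiers.
"""
from dataclasses import dataclass, field

# Constructed sample findings. The ubi9 image name is the one mentioned in
# the PR thread; the other two image names are made up for this example.
SAMPLE_FINDINGS = [
    {"cve": "CVE-EXAMPLE-0001", "package": "zlib", "severity": "critical",
     "priority": "low", "image": "registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3"},
    {"cve": "CVE-EXAMPLE-0001", "package": "zlib", "severity": "critical",
     "priority": "low", "image": "example.registry/gitlab-webservice:0.0"},
    {"cve": "CVE-EXAMPLE-0001", "package": "zlib", "severity": "critical",
     "priority": "low", "image": "example.registry/gitlab-sidekiq:0.0"},
    {"cve": "CVE-EXAMPLE-0002", "package": "openssl", "severity": "medium",
     "priority": "medium", "image": "example.registry/gitlab-sidekiq:0.0"},
    # Same CVE/package reported at a higher severity by another image: the
    # merged entry keeps the highest severity seen.
    {"cve": "CVE-EXAMPLE-0002", "package": "openssl", "severity": "high",
     "priority": "medium", "image": "registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3"},
]

# Rank used both for "keep the worst severity" and for sorting the report.
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}


@dataclass
class Finding:
    cve: str
    package: str
    severity: str          # base severity of the CVE (e.g. from CVSS)
    priority: str          # separate triage/exploitability label
    images: list = field(default_factory=list)  # every image reporting it


def dedupe(findings):
    """Collapse repeated (cve, package) records into one Finding per pair.

    Returns the merged findings sorted worst severity first, then by CVE id.
    """
    merged = {}
    for rec in findings:
        key = (rec["cve"], rec["package"])
        sev = rec.get("severity", "unknown").lower()
        prio = rec.get("priority", "unknown").lower()
        if key not in merged:
            merged[key] = Finding(rec["cve"], rec["package"], sev, prio)
        entry = merged[key]
        # Different images may carry different severities for the same CVE;
        # keep the highest so the report never under-states it.
        if SEVERITY_ORDER.get(sev, 0) > SEVERITY_ORDER.get(entry.severity, 0):
            entry.severity = sev
        if rec["image"] not in entry.images:
            entry.images.append(rec["image"])
    return sorted(merged.values(),
                  key=lambda e: (-SEVERITY_ORDER.get(e.severity, 0), e.cve))


def format_title(entry):
    """Build a title that leads with base severity and shows the priority
    label separately, so a critical CVE with a low exploit likelihood is
    not mislabelled as a low finding."""
    return (f"[{entry.severity.upper()}] {entry.cve} in {entry.package} "
            f"(priority: {entry.priority}; images: {len(entry.images)})")


def report(findings):
    """Return the deduplicated report as a list of lines."""
    lines = []
    for entry in dedupe(findings):
        lines.append(format_title(entry))
        for image in entry.images:
            lines.append(f"    - {image}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
```

Running the block prints two entries instead of five, each listing the images it came from; the zlib entry is titled as CRITICAL with "priority: low" alongside, which is the distinction the thread asks for.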

Racer159 commented 4 months ago

closing this due to becoming stale (we can reopen / readdress later)