Investigate GitHub's code scanning API and SARIF

[dominikh]

https://github.blog/2020-10-05-announcing-third-party-code-scanning-tools-static-analysis-and-developer-security-training/

• https://github.com/microsoft/sarif-tutorials
• https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning

[dominikh]

• https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github
• https://github.com/github/codeql-action/blob/484a9ad67e4d74d821daec945e959e2442a22121/upload-sarif/action.yml
• https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html

[dominikh]

Initial work on SARIF support happened in ec9c2456d6a82849b4f3485d0f78cd48931b512b

[dominikh]

After ebb060ea5998284e78f37571699c761fdd7d2c41 we're in a pretty usable state. We still need to fix column info for non-ASCII text (UTF-16 is at it again), and the way we handle some non-diagnostic errors isn't ideal. However, this is probably usable enough to include in the next release and to offer as an option in our GitHub Action.