finos / git-proxy

Deploy custom push protections and policies on top of Git
https://git-proxy.finos.org
Apache License 2.0
88 stars 62 forks

Investigate scanner-cli to provide password and (other) secrets scanning #26

Open maoo opened 3 years ago

maoo commented 3 years ago

See https://github.com/hawkeyesec/scanner-cli

Scanner-cli provides a wide range of features; as a proof of concept, it is required to:

coopernetes commented 9 months ago

In addition to actually executing the secret scanning, git-proxy (via #47) can simply check that built-in GitHub secret scanning is enabled on the upstream repo before allowing a push to go forward. In combination with GitHub's push protection, this is a lightweight method for detecting secrets in source.

Many organizations have secrets such as LDAP credentials that do not get detected by the partner patterns, so some extensibility is still needed, and it makes sense to have another defensive layer to detect custom or in-house secrets via git-proxy.
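An added example (not git-proxy's own code and not the commenter's): a small Node.js scanner that pulls the added lines out of a push's unified diff, checks them against in-house patterns such as an LDAP bind password, and returns an allow/block decision. The pattern list, the sample diff and the function names are constructed for illustration; wiring this into git-proxy's push pipeline is assumed and not shown.

```javascript
// Custom in-house patterns (constructed). A real deployment would load these
// from configuration rather than hard-coding them.
const CUSTOM_PATTERNS = [
  // LDAP bind password assignment, e.g. in a .properties or .env file
  { name: 'ldap-bind-password',
    regex: /ldap[._-]?(bind[._-]?)?password\s*[=:]\s*['"]?([^\s'"]{8,})/i },
  // Generic *_SECRET / *_TOKEN / *_PASSWD key assigned a long literal value
  { name: 'generic-secret-assignment',
    regex: /\b[A-Z0-9_]*(SECRET|TOKEN|PASSWD)\b\s*[=:]\s*['"]?([A-Za-z0-9+/=_\-]{16,})/ },
];

// Walk a unified diff and return only the added lines with file and line context.
// Removed lines are ignored: they introduce no new secret into the repository.
function addedLines(diffText) {
  const results = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
    if (hunk) { lineNo = parseInt(hunk[1], 10); continue; }
    if (raw.startsWith('---') || raw.startsWith('diff ') || raw.startsWith('index ')) continue;
    if (raw.startsWith('+')) { results.push({ file, line: lineNo, text: raw.slice(1) }); lineNo++; }
    else if (raw.startsWith(' ')) lineNo++; // context line: advances the new-file line counter
  }
  return results;
}

// Run every custom pattern over every added line; returns a list of findings.
function scanDiff(diffText, patterns = CUSTOM_PATTERNS) {
  const findings = [];
  for (const { file, line, text } of addedLines(diffText)) {
    for (const { name, regex } of patterns) {
      if (regex.test(text)) findings.push({ rule: name, file, line });
    }
  }
  return findings;
}

// Push decision: any finding blocks the push; the message is what the proxy
// would hand back to the developer instead of forwarding the push upstream.
function decidePush(diffText) {
  const findings = scanDiff(diffText);
  if (findings.length === 0) return { allow: true, message: 'no custom secrets detected' };
  const where = findings.map(f => `${f.rule} at ${f.file}:${f.line}`).join(', ');
  return { allow: false, message: `push blocked: ${where}` };
}

// Constructed sample diff: a config change that adds an LDAP bind password.
const SAMPLE_DIFF = [
  'diff --git a/config/ldap.properties b/config/ldap.properties',
  '--- a/config/ldap.properties',
  '+++ b/config/ldap.properties',
  '@@ -1,2 +1,4 @@',
  ' ldap.url=ldaps://ldap.example.internal:636',
  ' ldap.bind.dn=cn=svc-ci,ou=service,dc=example,dc=internal',
  '+ldap.bind.password=Sup3rS3cretBindPw!',
  '+ldap.timeout=30',
].join('\n');

console.log(decidePush(SAMPLE_DIFF).message);
```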

maoo commented 9 months ago

Love the idea, thanks @coopernetes !

It's worth mentioning that Goldman Sachs contributed to FINOS a secret scanning tool called CatchIT, see https://github.com/finos/catchit