Conversation

@rcambrj rcambrj (Collaborator) commented Oct 8, 2025

  • scans dependencies with actions/dependency-review-action (only during the pull request workflow, and only scans new dependencies) - this is what it looks like (screenshot, 2025-10-08 14:35)
  • scans all code (including Go, but I suspect excluding nix) with github/codeql-action - this is what it looks like (screenshot, 2025-10-08 14:52)
  • scans the built container image with anchore/scan-action (a wrapper around grype) - this is what it looks like (screenshot, 2025-10-08 15:07)
  • and locks all `uses:` to a fixed commit hash whilst retaining a human-friendly reference to the version in a comment

Bits I don't like (could be improved later)

  • there is no nix code scanning - vulnix exists, but there is no GitHub action that I could find, and given that nix plays only a devshell role, I figured we could tackle this another day.
  • the grype container image scanner requires that the container image be uploaded (pushed) and then downloaded (pulled) before scanning. For this reason, the container image gets pushed even when the workflow's input push-container-image is false - only the latest and tag versions get pushed when push-container-image is true.

@rytswd rytswd (Member) left a comment

The key logic makes sense and LGTM, just left a comment about the version SHA.

```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
```
Member:

I think it is more common to use a version tag rather than a commit SHA with GitHub Actions, but I'm fine with this. We'd need a quick script or some logic to update this though.

Collaborator Author:

I came across this approach while researching these code scanning tools, where I saw code written by more security-conscious folk. The concern with tags, as usual, is that they can change. You would normally have a lockfile with a hash for dependencies, but in the case of GitHub workflows there is none. This is the next best thing.

I accept that it's a bit janky and appreciate that this requires some flexibility from developers' POV, and I agree that an updater tool would be great.
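The thread above settles on pinning every `uses:` to a full commit SHA with the version kept in a trailing comment, and both participants note that an updater or checking tool would be needed. As an added example (not code from this PR or the project), here is a small Python auditor that walks a workflow file and reports each `uses:` reference as pinned (40-hex SHA plus version comment), pinned without a comment, or unpinned (tag or branch, which can be moved). The sample workflow embedded below is constructed for the example; only the `actions/checkout` line is taken from the review snippet, and the CodeQL SHA is an obviously fake placeholder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One `uses:` step reference: owner/repo(/path)@ref, optionally followed by "# vX.Y.Z".
# Local actions ("uses: ./path") carry no "@ref" and are intentionally not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S+))?"
)
# A full commit SHA is 40 lowercase hex characters; anything else is a mutable ref.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    status: str  # "pinned" | "pinned-no-comment" | "unpinned"


def audit_uses(workflow_text: str) -> list[Finding]:
    """Classify every remote `uses:` reference in a workflow's YAML text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if FULL_SHA_RE.match(ref):
            # Pinned to an immutable commit; the comment is the human-readable version hint.
            status = "pinned" if comment else "pinned-no-comment"
        else:
            # Tag or branch: the maintainer (or an attacker with push access) can move it.
            status = "unpinned"
        findings.append(Finding(lineno, action, ref, status))
    return findings


def needs_attention(findings: list[Finding]) -> list[Finding]:
    """Everything that is not a fully pinned, commented reference."""
    return [f for f in findings if f.status != "pinned"]


# Constructed sample workflow for this example; not the project's real workflow file.
# The checkout SHA is the one shown in the review; the CodeQL SHA is a placeholder.
SAMPLE_WORKFLOW = """\
# constructed sample, not the project's workflow
name: security-audit
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Dependency review
        uses: actions/dependency-review-action@v4
      - name: CodeQL init
        uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567
      - name: Local helper
        uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} -> {f.status}")
```

Run over a real `.github/workflows/*.yml` file, `needs_attention` gives the list a CI job could fail on; a `pinned-no-comment` finding is not a security problem but means the version hint the author wanted to keep alongside the SHA is missing.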

@rcambrj rcambrj merged commit 6f40394 into main Oct 8, 2025
8 checks passed
@rcambrj rcambrj deleted the automatic-security-audit branch October 17, 2025 13:03