How do we feel about SAST (ex. Snyk) being blocking on PRs, and if so, what severity of detected CVE should be blocking (critical? high?). Keep in mind that GitHub's Code Scanning view (Security Tab > Code Scanning) is only available for free to public repos; otherwise it's a paid feature. So without a license our scanning runs can't be published there.
If we do go with Snyk, it'll require a Snyk account's API token to be used in GitHub Actions. We can use my personal one for now, but it would be more prudent to go ahead and create some kind of Konfirm Snyk account specific to this. I can do this if we'd like, but we need to discuss what email/auth is used and where those get stored securely.
We should have a build pipeline that:
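One way the PR gate described above could look, as an added illustration that is not part of the issue or the project's own pipeline. It assumes a Node project, a repository secret named `SNYK_TOKEN` (the account question above is still open), and "high" as the blocking threshold, which the thread has not decided; results stay in a build artifact rather than the paid Code Scanning tab.

```yaml
# Added illustration, not the project's own workflow.
# Assumptions: Node project, repo secret SNYK_TOKEN, block at high/critical.
name: snyk-pr-gate
on:
  pull_request:
    branches: [main]
permissions:
  contents: read          # least privilege: the scan only needs to read code
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk dependency scan (job fails at high or critical)
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # never a personal token in plain text
        with:
          command: test
          # non-zero exit, and therefore a failed check, only at the chosen threshold
          args: --severity-threshold=high --sarif-file-output=snyk.sarif
      # Code Scanning upload is a paid feature on private repos, so keep the
      # SARIF report as an artifact for manual review instead; run even on failure.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: snyk-sarif
          path: snyk.sarif
```

For the check to actually block merges, the `snyk` job must also be listed as a required status check in the branch protection rule for `main`; a failing workflow alone does not prevent merging.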