[Security] Add security scanners to CI pipeline

[JonasCir]

Situation Description & Motivation

log4shell was a close call and we need plan ahead for the next crisis. One step forward is to make more use of static security tools and dependency analysis. Catch well known security issues at compile time.

Use cases

High-Level Explanation

Timeline

Tasks

• Add CodeQL to GitHub actions #7504
• Add trivy and sonar repo scan to GitHub actions [3] #7542
• Use MobSF Action to security scan the App #11661
• Use dependency review action [0.5] #11658
• Introduce a minimal dependabot config for GH Actions for testing #11676
• Enable automatic dependabot PRs [1] #7507
• Add trivy container scan (Needs more analysis as our current container build pipeline is sub optimal. We could setup a weekly GitHub Action scan of the docker images published to docker hub) -> Doesn't make sense now: 1. We want to integrate the docker settings into the SORMAS-Project repository. 2. The recent changes make it very likely that we will move the docker images to the github repository https://www.heise.de/news/Docker-Hub-streicht-kostenloses-Angebot-Open-Source-Projekte-muessen-handeln-7547959.html
• Add owasp-dependency-check and fail on insecure builds -> Covered by trivy and sonarcloud
• Checkout https://github.com/github/ossar-action --> only runs on windows
• Evaluate https://github.com/SUPERAndroidAnalyzer/super --> outdated

Alternatives

None really, this is the bare minimum we need to do.

Risks

Additional Information