VIH-11085 Add OSV Scanner GitHub action (#1452)

* VIH-11085 Add OSV Scanner GitHub action

* Create launch-darkly-flag-sync.yml

.github/workflows/launch-darkly-flag-sync.yml

@@ -0,0 +1,22 @@
+name: Find LaunchDarkly flag code references
+on: push
+# cancel in-flight workflow run if another push was triggered
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  launchDarklyCodeReferences:
+    name: LaunchDarkly Code References
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 11 # This value must be set if the lookback configuration option is not disabled for find-code-references. Read more: https://github.com/launchdarkly/ld-find-code-refs#searching-for-unused-flags-extinctions
+      - name: LaunchDarkly Code References
+        uses: launchdarkly/find-code-references@v2
+        with:
+          accessToken: ${{ secrets.LD_SERVICE_TOKEN }}
+          projKey: VH
+          debug: true
+          prune: true

.github/workflows/osv-scanner-pr.yml

@@ -0,0 +1,20 @@
+name: OSV-Scanner PR Scan
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+    branches: [master]
+  merge_group:
+    branches: [master]
+
+permissions:
+  # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
+  actions: read
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Only need to read contents
+  contents: read
+
+jobs:
+  scan-pr:
+    uses: 'google/osv-scanner-action/.github/workflows/[email protected]'