
Cheap Scans - Placeholder Dependency Scanning

Release notes

Problem to solve

For efficiency, speed and reduction of risk, we want to allow many ways to be alerted to new findings, not just when pipelines run.

We also want to prevent findings that were not introduced within an MR from being raised in that MR, where they could needlessly halt the developer.

Proposal

After the SBOM work is complete, use the SBOM and run a check (a triggered job) whenever the vulnerability database updates, to look for new vulnerabilities in existing dependencies and alert users.

This should be used in conjunction with scheduled pipeline scans (to be done) and normal pipeline scans.
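The two checks this issue describes, the "cheap scan" that re-evaluates an existing SBOM when the vulnerability database updates, and the MR filter that only raises findings on components the MR introduced, are sketched below as an added example. It is not GitLab code; the CycloneDX fragments, the database snapshots and the `ADV-000x` advisory ids are all constructed placeholders, and the database is modelled as a purl-to-advisories mapping captured before and after an update.

```python
"""Cheap SBOM re-scan and MR-only filtering (added example, not GitLab code).

Assumptions (all constructed here, not taken from the issue):
- SBOM components are identified by package URLs (purl) with exact versions.
- The vulnerability database is a mapping purl -> set of advisory ids; a
  "DB update" is modelled as two snapshots, before and after.
- Advisory ids such as "ADV-0001" are placeholders, not real identifiers.
"""
import json

# Constructed CycloneDX-style SBOM for the default branch.
BASE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    ],
})

# Constructed SBOM for a merge request branch: adds one component, keeps the rest.
MR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "minimist", "version": "1.2.5", "purl": "pkg:npm/minimist@1.2.5"},
    ],
})

# Constructed vulnerability DB snapshots (placeholder advisory ids).
DB_BEFORE = {
    "pkg:npm/lodash@4.17.20": {"ADV-0001"},
    "pkg:npm/minimist@1.2.5": {"ADV-0002"},
}
DB_AFTER = {
    "pkg:npm/lodash@4.17.20": {"ADV-0001"},
    "pkg:npm/minimist@1.2.5": {"ADV-0002"},
    "pkg:pypi/requests@2.25.1": {"ADV-0003"},  # published after the last pipeline ran
}


def sbom_purls(sbom_json):
    """Return the set of component purls from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    return {c["purl"] for c in doc.get("components", []) if "purl" in c}


def findings(purls, db):
    """Map each purl to the advisories the DB snapshot currently lists for it."""
    return {p: set(db[p]) for p in purls if db.get(p)}


def new_findings_after_db_update(sbom_json, db_before, db_after):
    """Cheap scan: advisories that apply to components already in the SBOM and
    were absent from the previous DB snapshot. Only these warrant a new alert;
    re-reporting everything on every DB update would just be noise."""
    purls = sbom_purls(sbom_json)
    before = findings(purls, db_before)
    after = findings(purls, db_after)
    delta = {}
    for purl, advisories in after.items():
        added = advisories - before.get(purl, set())
        if added:
            delta[purl] = added
    return delta


def findings_introduced_by_mr(base_sbom_json, mr_sbom_json, db):
    """MR view: report only advisories on components the MR introduced
    (present in the MR SBOM, absent from the base branch SBOM), so findings
    that pre-date the MR do not block the developer."""
    introduced = sbom_purls(mr_sbom_json) - sbom_purls(base_sbom_json)
    return findings(introduced, db)


if __name__ == "__main__":
    print("new after DB update:", new_findings_after_db_update(BASE_SBOM, DB_BEFORE, DB_AFTER))
    print("introduced by MR:", findings_introduced_by_mr(BASE_SBOM, MR_SBOM, DB_AFTER))
```

Run stand-alone, the first call reports only the `requests` advisory that appeared with the DB update, and the second reports only the advisory on `minimist`, the one component the MR added; the pre-existing `lodash` finding is surfaced by neither path, which is the behaviour the proposal asks for.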

Metrics

Cross-Stage

Must work closely with Category:Vulnerability Management and ~"Category:Vulnerability Database", as we need to know when updates happen and what updated, as well as how to inject/insert these findings smoothly so they count against/in the same way as pipeline runs.

Edited by Nicole Schwartz