Enforcement and auditing of scan execution policies
Context
Scan execution policies rely on CI pipelines to run.
Scan execution policies are intended to enforce the scans so that developers cannot prevent them from running. However, there are situations in which developers can still bypass a scan, e.g. #355891 (closed).
Proposal
In addition to addressing situations where a scan can be easily bypassed or disabled, we should create an auditing and/or notification mechanism that would be triggered whenever a policy isn't executed as expected.
/cc @sam.white