feat(security): SAST integration via GitHub App
Description: We should consider enabling static application security testing (SAST) on Cartography to detect common issues like dependency misuse, injection risks, and insecure constructs early in the development lifecycle.
Two potential providers stand out with free enterprise-grade offerings for open source projects:
- Snyk: Supports Python SAST and integrates seamlessly as a GitHub App.
- SonarCloud: Provides deep code quality and security analysis with good Python support, also via GitHub App.
Both tools offer transparent GitHub integration (no extra CI/CD changes needed), and both support full-featured enterprise plans at no cost for public repositories.
Reference: Previous security-related PR https://github.com/cartography-cncf/cartography/pull/1036
I used to work with SonarCloud, but I am very interested in testing Snyk, as they seem to include a lot of AI-based features.
I would suggest Semgrep https://semgrep.dev/docs/semgrep-pro-vs-oss, whose cloud offering is free for up to 10 contributors. There is also the fork alternative https://www.opengrep.dev/, which basically has different licensing for rules.
+1 on SemGrep - as it would allow us to write rules specific to the cartography codebase (think common anti-patterns), as well as having a decent ruleset and also being free (as @heryxpc mentioned).
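To make the "rules specific to the cartography codebase" idea concrete, here is an added example of what such a Semgrep rule could look like. It is not a rule from the Cartography repository or from the Semgrep registry; the rule id, the message, and the assumption that Cypher queries reach Neo4j through the Python driver's `session.run()` / `tx.run()` are illustrative choices for this example. The anti-pattern it targets is a Cypher query assembled with an f-string, `%`, `.format()` or `+` instead of driver parameters (`$name`), which is the injection risk the issue description mentions.

```yaml
# Added example rule (hypothetical id and wording), not part of Cartography or Semgrep.
# Flags Neo4j .run() calls whose query text is built by string formatting;
# the accepted form passes values as query parameters, e.g.
#   session.run("MATCH (n:AWSAccount {id: $id}) RETURN n", id=account_id)   # ok
#   session.run(f"MATCH (n:AWSAccount {{id: '{account_id}'}}) RETURN n")    # flagged
rules:
  - id: cartography-cypher-string-interpolation
    languages: [python]
    severity: WARNING
    message: >-
      Cypher query text is built by string formatting before being passed to
      .run(). Pass values as query parameters ($name) so data cannot change
      the query structure.
    metadata:
      category: security
      cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
    patterns:
      - pattern-either:
          # query built inline in the call
          - pattern: $SESSION.run(f"...", ...)
          - pattern: $SESSION.run("..." % $ARGS, ...)
          - pattern: $SESSION.run("...".format(...), ...)
          - pattern: $SESSION.run("..." + $EXPR, ...)
          # query built earlier in the same function and passed by name
          - pattern: |
              $Q = f"..."
              ...
              $SESSION.run($Q, ...)
          - pattern: |
              $Q = "..." % $ARGS
              ...
              $SESSION.run($Q, ...)
          - pattern: |
              $Q = "...".format(...)
              ...
              $SESSION.run($Q, ...)
          - pattern: |
              $Q = "..." + $EXPR
              ...
              $SESSION.run($Q, ...)
```

Run it locally with `semgrep --config cartography-cypher.yaml cartography/`; keeping a sibling `.py` file with `# ruleid:` / `# ok:` annotations lets `semgrep --test` check that the rule keeps matching the flagged form and not the parameterized one as the rule evolves. A rule like this only catches queries constructed in the same function as the `.run()` call; a query string imported from another module is out of reach of this pattern.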
Also worth noting that CodeQL (GitHub Advanced Security) is free for public repositories, worth considering as an option: https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security
In the past, I found it to produce high fidelity results, but it would lack the ease of customization that SemGrep has.