Feature: add check for vulnerability alerts
Most package managers have a *-audit tool (pip-audit, cargo-audit, npm audit, etc.) that pulls security advisories from public databases (OSV, CVEs, package-specific databases, etc.). Dependabot and Renovate bot also have options to alert users when vulnerabilities in their dependencies are disclosed.
It would be useful to capture this in scorecard. This could live under Dependency-Update-Tool (which we could rename to Dependency-Management-Tool).
For commands, we may need to parse the commands in the `run` field of GH workflows, as suggested in https://github.com/ossf/scorecard/issues/1031#issuecomment-967352430, unless there is a GitHub action for it.
Note that we already parse commands for the Pinned-Dependencies check, but we have not yet separated out the command parsing: https://github.com/ossf/scorecard/issues/1220
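As an added sketch of the `run`-field parsing this proposal describes (example code, not scorecard's own check), the following scans a constructed workflow for `run` steps, splits each script on shell separators, and reports the commands that invoke pip-audit, cargo-audit or npm audit. It uses a line-based scan rather than a YAML library so it runs without dependencies; a real check would use scorecard's workflow parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// auditTools matches the start of a single shell command for the audit tools
// named in the issue (assumed spellings of the CLI invocations).
var auditTools = []*regexp.Regexp{
	regexp.MustCompile(`^pip-audit\b`),
	regexp.MustCompile(`^cargo(-| +)audit\b`),
	regexp.MustCompile(`^npm +audit\b`),
}

// runCommands extracts the script of every `run:` step, handling both
// `run: cmd` and `run: |` block scalars (lines indented deeper than `run:`).
func runCommands(workflow string) []string {
	var cmds []string
	lines := strings.Split(workflow, "\n")
	for i := 0; i < len(lines); i++ {
		trimmed := strings.TrimPrefix(strings.TrimSpace(lines[i]), "- ")
		if !strings.HasPrefix(trimmed, "run:") {
			continue
		}
		val := strings.TrimSpace(strings.TrimPrefix(trimmed, "run:"))
		if !strings.HasPrefix(val, "|") && !strings.HasPrefix(val, ">") {
			cmds = append(cmds, val)
			continue
		}
		indent := len(lines[i]) - len(strings.TrimLeft(lines[i], " "))
		var block []string
		for i+1 < len(lines) {
			next := lines[i+1]
			nextIndent := len(next) - len(strings.TrimLeft(next, " "))
			if strings.TrimSpace(next) != "" && nextIndent <= indent {
				break // back at the step's own indentation: block scalar ended
			}
			block = append(block, strings.TrimSpace(next))
			i++
		}
		cmds = append(cmds, strings.Join(block, "\n"))
	}
	return cmds
}

// auditCommands splits each script on newlines and shell separators so that
// `pip install -r req.txt && pip-audit` is still detected, and returns hits.
func auditCommands(workflow string) []string {
	var found []string
	sep := regexp.MustCompile(`\s*(\n|&&|\|\||;|\|)\s*`)
	for _, script := range runCommands(workflow) {
		for _, cmd := range sep.Split(script, -1) {
			cmd = strings.TrimSpace(cmd)
			for _, re := range auditTools {
				if re.MatchString(cmd) {
					found = append(found, cmd)
				}
			}
		}
	}
	return found
}

// sampleWorkflow is a constructed workflow, not taken from any real repository.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install -r requirements.txt && pip-audit -r requirements.txt
      - name: rust
        run: |
          cargo build
          cargo audit
      - run: npm ci
`

func main() {
	for _, c := range auditCommands(sampleWorkflow) {
		fmt.Println("audit command:", c)
	}
}
```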