
Feature: support for hermeticity

Open laurentsimon opened this issue 3 years ago • 0 comments

The go project does support hermeticity at the moment by building in 2 steps:

  1. Vendoring: `go mod vendor`
  2. Build with `go build --mod=vendor`

However we currently:

  1. Do not add this information to the provenance
  2. Do not set up networking rules to verify that nothing is fetched during build - this is enforced by the option `--mod=vendor` though.

In the case where we filter certain arguments (currently the case), I think this gives us hermeticity. However, if we relax and decide to not filter the user-provided argument (e.g., a user could provide `--mod=XXX` that overwrites the `--mod=vendor`), we may need some OS-level guarantees to enforce hermeticity. We can do that:

  1. Through setting iptables ourselves, and maybe dropping privileges/locking down sudo
  2. Use Dockerfiles to run the build - which achieves the same as previous point

laurentsimon, Mar 25 '22 21:03
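The two-step vendored build and the argument filtering the issue relies on, written out as an added shell example. This is not code from slsa-github-generator or from the issue author; the function names `reject_mod_override` and `hermetic_go_build` are assumptions. The filter refuses any user-supplied `-mod`/`-modfile` flag so the builder's own `-mod=vendor` cannot be overridden, and `GOPROXY=off` (a real Go setting) is added as a second guard so the Go toolchain itself refuses module downloads even if the vendor directory is incomplete.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not slsa-github-generator code).

# Reject user-provided go build flags that could replace the builder's
# -mod=vendor setting. Go accepts both -flag and --flag spellings, and
# a value may be given as -mod=X or as two arguments (-mod X), so all
# of these forms are refused.
reject_mod_override() {
  for arg in "$@"; do
    case "$arg" in
      -mod=*|--mod=*|-mod|--mod|-modfile=*|--modfile=*|-modfile|--modfile)
        echo "refusing user build flag that affects module mode: $arg" >&2
        return 1
        ;;
    esac
  done
  return 0
}

# Two-step hermetic build: vendor first, then build from the vendor tree.
# usage: hermetic_go_build <output-binary> [user go build flags...]
hermetic_go_build() {
  out="$1"
  shift
  reject_mod_override "$@" || return 1
  # Step 1: materialise dependencies into ./vendor (network allowed here).
  go mod vendor || return 1
  # Step 2: build with the vendor tree only. GOPROXY=off makes the
  # toolchain fail rather than fetch if anything is missing from vendor.
  GOPROXY=off go build -mod=vendor -o "$out" "$@" . || return 1
  echo "built $out from vendored modules" >&2
  return 0
}
```

`reject_mod_override` is the cheap check that keeps the current argument-filtering approach sound; the iptables or container isolation the issue mentions would sit around step 2 as an independent, OS-level guarantee rather than replace this filter.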