Introduce vulnerability scanner that fails PRs on critical vulnerabil…

…ities (#16028)

This github action leverages https://github.com/anchore/grype to scan a tarball artifact

.github/workflows/critical_vulnerability_scan.yml

@@ -0,0 +1,27 @@
+name: Scan for vulnerabilities
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+  workflow_dispatch:
+
+jobs:
+  scan_image:
+    runs-on: ubuntu-latest
+    steps: 
+      - name: checkout repo content
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+      - name: build tar distribution
+        run: ./gradlew clean assembleTarDistribution
+      - run: mkdir scan
+      - run: tar -zxf ../build/logstash-*.tar.gz
+        working-directory: ./scan
+      - name: scan image
+        uses: anchore/scan-action@v3
+        with:
+          path: "./scan"
+          fail-build: true
+          severity-cutoff: critical