Add security and vulnerability scanning tools (#1703)

Author: mre

data/tools/dockle.yml

@@ -0,0 +1,18 @@
+name: Dockle
+categories:
+  - linter
+tags:
+  - container
+  - security
+  - dockerfile
+license: Apache License 2.0
+types:
+  - cli
+source: "https://github.com/goodwithtech/dockle"
+homepage: "https://github.com/goodwithtech/dockle"
+description: >-
+  Container Image Linter for Security helping build the Best-Practice Docker
+  Image. Scans Docker images for security vulnerabilities and CIS Benchmark
+  compliance. Checks for secrets, credential exposure, and security best
+  practices. Provides multiple severity levels (FATAL, WARN, INFO) and
+  supports various output formats for CI/CD integration.

data/tools/grype.yml

@@ -0,0 +1,18 @@
+name: Grype
+categories:
+  - linter
+tags:
+  - security
+  - container
+license: Apache License 2.0
+types:
+  - cli
+source: "https://github.com/anchore/grype"
+homepage: "https://github.com/anchore/grype"
+description: >-
+  Vulnerability scanner for container images and filesystems. Developed by
+  Anchore, it scans container images, directories, and archives for known
+  vulnerabilities. Supports multiple image formats, SBOM integration, and
+  VEX (Vulnerability Exploitability eXchange) for accurate vulnerability
+  assessment. Works with various vulnerability databases and provides
+  detailed reporting.

data/tools/osv-scanner.yml

@@ -0,0 +1,17 @@
+name: OSV-Scanner
+categories:
+  - linter
+tags:
+  - security
+  - go
+license: Apache License 2.0
+types:
+  - cli
+source: "https://github.com/google/osv-scanner"
+homepage: "https://osv.dev/"
+description: >-
+  Vulnerability scanner written in Go which uses the data provided by OSV.dev.
+  Developed by Google to scan dependencies across multiple languages and
+  package managers for known vulnerabilities. Supports container scanning,
+  license scanning, and guided remediation. Works with lockfiles, SBOMs,
+  and container images to identify security issues.

data/tools/pip-audit.yml

@@ -0,0 +1,17 @@
+name: pip-audit
+categories:
+  - linter
+tags:
+  - python
+  - security
+license: Apache License 2.0
+types:
+  - cli
+source: "https://github.com/pypa/pip-audit"
+homepage: "https://github.com/pypa/pip-audit"
+description: >-
+  Tool for scanning Python packages for known vulnerabilities. Developed by
+  the Python Packaging Authority (PyPA) and supported by Trail of Bits and
+  Google. Scans Python environments and requirements files to identify
+  vulnerable packages and suggests remediation. Supports GitHub Actions,
+  pre-commit hooks, and multiple vulnerability service integrations.

data/tools/safety.yml

@@ -0,0 +1,17 @@
+name: Safety
+categories:
+  - linter
+tags:
+  - python
+  - security
+license: MIT License
+types:
+  - cli
+source: "https://github.com/pyupio/safety"
+homepage: "https://safetycli.com/"
+description: >-
+  Python dependency vulnerability scanner designed to enhance software supply
+  chain security by detecting packages with known vulnerabilities. Checks
+  Python dependencies against a database of known security vulnerabilities
+  and provides detailed reports. Supports CI/CD integration and multiple
+  output formats.