otp scan PRs for vulnerabilities

- scan PRs for vendor vulnerabilities.
- the submission of the vendor SBOM should happen only on push events.
- vulnerability scanning of dependencies must happen on a per PR basis,
  and on a per push basis (although Dependatbot should inform us of this).

Author: kikofernandez

.github/workflows/main.yaml

@@ -850,7 +850,6 @@ jobs:
   vendor-analysis:
     name: Vendor Dependency Analysis
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
     needs:
         - sbom
         - pack
@@ -878,8 +877,22 @@ jobs:
 
       # allows Dependabot to give us alert of the vendor libraries that use semantic versioning
       - name: Upload SBOM to Github Dependency API
+        if: github.event_name == 'push'
         uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]
 
+      # check that PRs do not introduce vulnerabilities in vendor dependencies
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 #ratchet:actions/dependency-review-action@v4
+        with:
+          vulnerability-check: true
+          fail-on-severity: low        # fail if there are dependency issues with low severity impact.
+          license-check: false         # skip, we have our license process
+          comment-summary-in-pr: never # displays summary as a comment. we could test with 'on-failure'
+          warn-only: false             # do not warn only (fail instead)
+          show-openssf-scorecard: true # applied to dependencies changed in this PR, not to OTP
+          warn-on-openssf-scorecard-level: 3 # scorecard level in which a dependency is considered problematic
+
+
   ## If this is an "OTP-*" tag that has been pushed we do some release work
   release:
     name: Release Erlang/OTP