Eveluate other dependency scanning compared to dependabot

[mflendrich]

Issue originally authored by tnozicka as #1469

We should look into the vulnerability scanning and our options compared to just dependabot.

@mykaul sugested to have a look at https://github.com/aquasecurity/trivy for example

[mflendrich]

Discussed with @rzetelskik in slack. This is not feasible because of the degree of complexity in the repos.
Almost every change requires regeneration workflows to run, or supplementary PRs to the release / CI machinery repos.

Unless we streamline the workflow., there is not use for tools like dependabot.

[rzetelskik]

Discussed with @rzetelskik in slack. This is not feasible because of the degree of complexity in the repos.

My point was only about dependabot. This (and the fact that we have some gaps in other areas) is probably the reason this issue is about evaluating alternatives.