Is your feature request related to a problem? Please describe.
There are use cases where we don't want our images to be published to the canonical Docker registry (e.g. internal services). Oci-factory provides some useful reusable workflows for building and testing the image, BUT the workflows for scanning for CVEs and notifying (either through MM or gh issues) are not easy to reuse.
Describe the solution you'd like
It would be nice if the workflows for vulnerability scanning (and releasing?) were refactored so that they could be used from other repos.