Support Trivy source code scans

[cjnosal]

The starboard operator currently watches pods to trigger a scan. In some cases it's desirable to scan an artifact before the code is deployed and running.

A new SourceReference CRD could be defined:

kind: SourceReference
spec:
  repository: github.com/myrepo
  reference: # tag/branch
  commit: # optional if tag not specified
  secretName: # optional - for private repos

A new controller would then trigger a scan when a new SourceReference instance is created. The initial implementation could rely on the operator to update the CRD when a new commit is pushed.

The functionality could be extended to support polling the repo for new tags or commits on a branch if neither is specified. This may require a status field for the reconciler to capture what was scanned:

kind: SourceReference
spec:
  repository: github.com/myrepo
  reference: # branch
  secretName: # optional - for private repos
status:
  scannedCommit: ...

The implementation could largely reuse the logic of VulnerabilityReportReconciler.reconcilePods (read the artifact reference, check ownership, check for existing VulnerabilityReport/Job, check throttling, submit the scan). Changed would be needed in a few areas:

1. Because there is no image in this flow, the usage of corev1.PodSpec and ContainerImages would need to be abstracted.
2. The Trivy plugin would need an update to invoke trivy repo with appropriate parameters
3. The VulnerabilityReport would need appropriate metadata for a source reference instead of an image