chore: add Snyk scans to docs

[crenshaw-dev]

We currently maintain Snyk scans in the Snyk web UI.

This has two downsides:

1. It's difficult to keep the web UI in sync with the current repo state (latest versions, latest ignore rules, latest image tags from manifests).
2. It's not public.

By generating the scans weekly and placing them in the docs, we can give users a reasonably up-to-date picture of the state of the currently-maintained versions of Argo CD.

The new page looks like this:

Each link goes to a scan detail page that looks like this:

[codecov]

Codecov Report

Merging #9856 (626254d) into master (708906d) will decrease coverage by 0.09%.
The diff coverage is n/a.

❗ Current head 626254d differs from pull request most recent head 5dde501. Consider uploading reports for the commit 5dde501 to get more accurate results

@@            Coverage Diff             @@
##           master    #9856      +/-   ##
==========================================
- Coverage   45.96%   45.87%   -0.10%     
==========================================
  Files         227      227              
  Lines       27279    27373      +94     
==========================================
+ Hits        12538    12556      +18     
- Misses      13039    13113      +74     
- Partials     1702     1704       +2     

Impacted Files	Coverage Δ
util/grpc/useragent.go	45.83% <0.00%> (-10.42%)	⬇️
server/rbacpolicy/rbacpolicy.go	82.35% <0.00%> (-2.43%)	⬇️
util/io/files/tar.go	56.56% <0.00%> (-0.73%)	⬇️
util/grpc/logging.go	58.33% <0.00%> (ø)
pkg/apiclient/grpcproxy.go	0.00% <0.00%> (ø)
cmd/argocd/commands/app.go	20.37% <0.00%> (+0.37%)	⬆️
...is/applicationset/v1alpha1/applicationset_types.go	34.69% <0.00%> (+2.55%)	⬆️
server/logout/logout.go	84.37% <0.00%> (+6.59%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 708906d...5dde501. Read the comment docs.

[jannfis]

Wow! This is awesome, @crenshaw-dev. Great work.

I have a few comments, which are not formal requests for change, just thoughts that came to my mind.

[crenshaw-dev]

@jannfis can you take another look?

[jannfis]

Shall the cronjob run off the stable release branch or off master?

I think it should run off the master branch (so we don't have to cherry-pick changes to the script), and store the results in the stable branch. 🤔

[crenshaw-dev]

Ah wow, good point. Will fix.

[crenshaw-dev]

@jannfis the git checkout for the target branch now happens in the script instead of in the workflow. Can you take another look?

[todaywasawesome]

We need to add this to a security policy as well.

1. Last 3 versions maintained etc
2. Severity to be updated

[crenshaw-dev]

@todaywasawesome I'll create a follow-up PR for those. Tracked here: #10030

@jannfis is this otherwise good to go?

[jannfis]

LGTM with some minor nits and/or questions

Thanks @crenshaw-dev !

[jetersen]

Some of these path names lead to:

Cloning into 'argo-cd'...
remote: Enumerating objects: 90785, done.
remote: Counting objects: 100% (465/465), done.
remote: Compressing objects: 100% (272/272), done.
remote: Total 90785 (delta 259), reused 341 (delta 185), pack-reused 90320
Receiving objects: 100% (90785/90785), 68.47 MiB | 16.73 MiB/s, done.
Resolving deltas: 100% (56895/56895), done.
error: invalid path 'docs/snyk/master/ghcr.io_dexidp_dex:v2.32.0.html'
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'

exit status 128

Files with : is not valid

[crenshaw-dev]

@jetersen thanks for catching that! Fix opened: #10183