Integrate SBOM/Sign checks in the project pipeline

The idea of this issue is to verify at any point if we are introducing a non-OSI compliant license within the project (including in the Docker containers we produce).

For this, we could work with two tools used by Univention to create the SBOM cross-vendor :

• https://github.com/ckotzbauer/sbom-operator
• https://github.com/anchore/syft