Add more (security) code checkers to CI

[secworks]

There are a few interesting linters, STAs that we could add to the CI flow to improve checks:

Flawfinder
https://dwheeler.com/flawfinder/

splint
https://splint.org/

scan-build - exists as action in github
https://clang-analyzer.llvm.org/scan-build.html

Some more advanced analysis tools are semgrep:
https://github.com/0xdea/semgrep-rules

Libfuzzer:
https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md

We should also use gcc as secondary compiler, parser with flags such as:
-g -Og -fasynchronous-unwind-tables -fexceptions -fno-omit-frame-pointer -Wall -Wextra -pedantic -Werror -Wformat=2 -Wconversion -Wdouble-promotion -Wshadow -Wundef -fanalyzer -Wcast-qual -Wcast-align -Wredundant-decls -Winline -Wdisabled-optimization -Wnested-externs -fstrict-aliasing -fsanitize=address,undefined

[mchack-work]

I agree more analysis tools would be good. splint is already added to check at least firmware code. See the "check" target in `hw/application_fpga/Makefile` which also calls clang-tidy with at least the `cert-*` checks. splint currently gives us a lot of warnings, mostly because we haven't added all the formal comments that splint wants us to insert in our code, but there may be nuggets here. We pass clang-tidy's check. However, splint, as you know, seems dead as a project and clang-tidy gives us much more. The `make check` isn't in CI, so yes, very good idea to add it, but perhaps either delete splint or carefully go through its output. SonarQube's cloud offering seems to be available free for FLOSS projects. We probably qualify and should definitely look into it. scan-build is new to me. I have to look into it.