Copilot AI commented Sep 19, 2025

This PR enhances the dependabot configuration to provide comprehensive Docker base image tracking and automatic CVE response capabilities for the Retina repository.

Problem

The existing dependabot configuration only tracked Docker images from the root directory (/), which provided limited granularity for the 7 different directories containing Dockerfiles across the repository. This approach made it difficult to:

  • Respond quickly to CVEs in specific components
  • Manage update frequency appropriately for different types of images
  • Track security issues at the component level

Solution

Enhanced Dependabot Configuration:

  • Replaced single root directory tracking with 7 specific directory-based configurations
  • Added granular tracking for all directories containing Dockerfiles:
    • Critical components (/controller, /shell, /cli, /operator) - Daily checks
    • Test infrastructure (/test/image) - Daily checks
    • Development tools (/hack/tools/kapinger, /hack/tools/toolbox) - Weekly checks
  • Enhanced labeling with security-specific tags for better issue categorization
  • Optimized PR limits to prevent overwhelming maintainers while ensuring timely updates

Validation and Maintenance:

  • Created scripts/validate-dependabot-docker-coverage.sh to ensure ongoing coverage
  • Added comprehensive documentation in the development guide explaining the dependency management process
  • Validated that all existing SHA-pinned base images remain accessible

Benefits

  • Faster CVE Response: Dependabot will automatically detect and create PRs for base image vulnerabilities
  • Better Granularity: Security issues are scoped to specific components rather than repository-wide
  • Appropriate Scheduling: Critical components checked daily, tools checked weekly to reduce noise
  • Maintainable: Validation script ensures new Dockerfiles don't break coverage
  • Enhanced Security: Works alongside existing Trivy scanning for comprehensive vulnerability management

The repository now has a robust, automated system for tracking and updating Docker base images when security vulnerabilities are detected, significantly improving the project's security posture.

Fixes #1884.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/microsoft/retina/releases/latest
    • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:
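A check of the kind the PR's validation script is described as doing, as an added example rather than the project's own scripts/validate-dependabot-docker-coverage.sh: it lists every directory containing a Dockerfile, pulls the `directory:` values of the docker entries out of .github/dependabot.yml, and fails on any gap. The fixture repository and its YAML are constructed here, and the script assumes the usual dependabot.yml layout noted in the comments.

```shell
# Added example (not the PR's scripts/validate-dependabot-docker-coverage.sh): fail when a
# directory holding a Dockerfile has no `package-ecosystem: "docker"` entry in dependabot.yml.
set -eu

# Repo-relative directories containing a Dockerfile (Dockerfile, Dockerfile.*, *.Dockerfile).
dockerfile_dirs() {
  local repo="${1%/}"
  find "$repo" -type f \( -name Dockerfile -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \) \
       ! -path '*/.git/*' -exec dirname {} \; | sed -e "s#^$repo##" -e 's#^$#/#' | sort -u
}
# `directory:` values of the docker entries in a dependabot.yml; assumes the usual layout
# where `- package-ecosystem:` is the first key of each update entry.
docker_dirs_in_config() {
  awk '
    /^[[:space:]]*-[[:space:]]*package-ecosystem:/ {
      line = $0; gsub(/[^a-z:-]/, "", line)       # drop indent, dash and quotes
      eco = (line ~ /package-ecosystem:docker$/)
    }
    eco && /^[[:space:]]*directory:/ { sub(/^[[:space:]]*directory:/, ""); gsub(/[^\/A-Za-z0-9._-]/, ""); print }
  ' "$1" | sort -u
}
# Prints untracked directories; exit status 0 only when every Dockerfile directory is covered.
check_coverage() {
  local repo="${1%/}" want="$(mktemp)" have="$(mktemp)" missing
  dockerfile_dirs "$repo" > "$want"
  docker_dirs_in_config "$repo/.github/dependabot.yml" > "$have"
  missing="$(comm -23 "$want" "$have")"; rm -f "$want" "$have"
  [ -z "$missing" ] || { printf 'Dockerfile directory not tracked by dependabot: %s\n' $missing; return 1; }
}
# Constructed fixture, not the Retina tree: three Dockerfiles, only two tracked by docker entries.
build_fixture() {
  local repo; repo="$(mktemp -d)"
  mkdir -p "$repo/.github" "$repo/controller" "$repo/operator" "$repo/hack/tools/kapinger"
  for d in controller operator hack/tools/kapinger; do echo 'FROM scratch' > "$repo/$d/Dockerfile"; done
  cat > "$repo/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/controller"
    schedule: { interval: "daily" }
  - package-ecosystem: "gomod"
    directory: "/"
    schedule: { interval: "weekly" }
  - package-ecosystem: "docker"
    directory: "/operator"
    schedule: { interval: "daily" }
EOF
  echo "$repo"
}
```

Run `check_coverage "$(git rev-parse --show-toplevel)"` from a CI job to make the check fail the build when a new Dockerfile directory is added without a dependabot entry.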


Copilot AI commented Sep 19, 2025

@matmerr 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot AI changed the title [WIP] Dependabot dockerfile tracking Enhanced dependabot configuration for comprehensive Docker base image CVE tracking Sep 19, 2025
Copilot AI requested a review from matmerr September 19, 2025 22:06
Copilot finished work on behalf of matmerr September 19, 2025 22:06