Define and implement repo-level UB validation

[premun]

Context

There are several validations running in the VMR at the moment such as license or binary file scanning. Once we move to the full VMR code flow, it is possible that repos will keep breaking these validations more and more. From the past experience with SB and the SB legs running in repos, we know that it's great to shift these checks left and deal with them right when when they are created - in the original repositories.

Goal

• Collect and define the set of validations run in repos before they accept a change.
  • License scans
  • Binary scans
  • ???
• Build tooling and pipeline templates (in Arcade) and add a new build leg to every repo that flows into the VMR that runs these validations. You can get inspired with the already existing Source Build legs.
• Create documentation and guidance to validation failures for devs who encounter these.

Work Items

• Move VMR cloaking rules to repositories dotnet#1012
• 1ES enforced CodeQL times out the Windows leg #4276

[jkotas]

it is possible that repos will keep breaking these validations more and more

It would be useful to see the frequency of these breaks and compare it to relative frequency of other types of breaks before deciding about the validations to push to individual repos.

In general, we have a tiered validation system, and we accept that some limited number of breaks is allowed to enter the system and that these breaks are only found later.

[MichaelSimons]

[Triage] The license scan isn't something that is plausible to run as part of PR validation. Therefore there is questionable value in having it at the repo level as it is likely to not be monitored.