Add "ci:brakeman:strict" task

Currently, the `ci:brakeman` task looks for / reports on changes in the number of Brakeman issues.

For projects that currently have no outstanding issues, we should support a "strict mode" alternative that continues to warn should any issues be introduced, rather than just warn against the single commit that introduced the issue (as `ci:brakeman` does).