
Improve SAST baseline suppression lifecycle gates#2114

Open
shensz2017 wants to merge 1 commit into
UnitOneAI:mainfrom
shensz2017:improve/sast-baseline-suppression-lifecycle

Conversation

@shensz2017


Summary

Closes #2112.

Adds baseline and suppression lifecycle gates to sast-config so reviewers can distinguish controlled temporary SAST baselines from permanent blind spots, and can verify suppression owner, reason, expiry, SARIF identity, required PR gates, and scheduled full-scan reconciliation.

What changed

  • Bumped sast-config to 1.0.1.
  • Added Baseline and Suppression Lifecycle after false-positive management.
  • Added baseline evidence guidance for:
    • baseline scope
    • owner and expiry
    • new-finding enforcement
    • full-scan reconciliation
    • SARIF result identity / partialFingerprints
    • suppression registers
  • Added SAST-LIFE-01 through SAST-LIFE-08 finding triggers covering indefinite baselines, non-blocking new findings, missing reconciliation, weak SARIF identity, unmanaged suppressions, whole-rule/path/language suppression, missing external audit, and diff-only scanning without full scans.
  • Added suppression reason categories and required evidence.
  • Added a baseline and suppression lifecycle table to the output template.
  • Added vulnerable and benign fixtures under skills/devsecops/sast-config/tests/.

Validation

  • git diff --cached --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed Markdown files
  • ASCII-only check for changed files
  • Prompt-injection scan matching .github/workflows/injection-scan.yml
  • SAST lifecycle marker check for SAST-LIFE-*, partialFingerprints, new-finding enforcement, full-scan reconciliation, SARIF identity, suppression register, and official Semgrep/GitHub SARIF references
  • Fixture marker check for unmanaged baseline failures and controlled temporary baseline evidence

Note: YAML parser validation was attempted, but a local YAML parser was not available (yaml Node module unavailable; Ruby and PyYAML also unavailable in this environment).

References

Bounty

Requesting Improver - Moderate ($100). Preferred payment method: GitHub Sponsors if accepted, otherwise private payment details can be provided after acceptance.
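An added illustration of the gates the PR describes (SARIF result identity via partialFingerprints, and a suppression register with owner, reason and expiry); this is not code from the PR or the UnitOneAI repository. The register schema, the sample SARIF fragment and the finding labels are constructed assumptions.

```python
"""Lifecycle gate checks over a SARIF log and a suppression register.
Constructed example; the register schema and sample data are assumptions."""
import json
from datetime import date

# Constructed SARIF fragment: one result with partialFingerprints, one without.
SARIF = json.loads("""{"runs":[{"results":[
 {"ruleId":"python.sqli","partialFingerprints":{"primaryLocationLineHash":"abc123"},
  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"app/db.py"}}}]},
 {"ruleId":"python.xss",
  "locations":[{"physicalLocation":{"artifactLocation":{"uri":"app/views.py"}}}]}]}]}""")

# Constructed suppression register (assumed schema): one managed entry and one
# whole-rule suppression with no owner, reason or expiry.
REGISTER = [
    {"fingerprint": "abc123", "rule": "python.sqli", "owner": "team-db",
     "reason": "accepted-risk", "expires": "2099-01-01"},
    {"fingerprint": None, "rule": "python.xss", "owner": "", "reason": "",
     "expires": None},
]


def check_sarif_identity(sarif):
    """Every result needs partialFingerprints, otherwise suppressions and
    baselines cannot track a finding stably across line shifts."""
    findings = []
    for run in sarif["runs"]:
        for r in run["results"]:
            if not r.get("partialFingerprints"):
                uri = r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
                findings.append(("weak-sarif-identity", r["ruleId"], uri))
    return findings


def check_register(register, today):
    """Flag suppressions that are whole-rule (no fingerprint), lack an owner,
    reason or expiry, or whose expiry (ISO date) is before `today` (ISO date)."""
    findings = []
    now = date.fromisoformat(today)
    for s in register:
        key = s.get("fingerprint") or s["rule"]
        if not s.get("fingerprint"):
            findings.append(("whole-rule-suppression", key))
        for field in ("owner", "reason", "expires"):
            if not s.get(field):
                findings.append((f"missing-{field}", key))
        if s.get("expires") and date.fromisoformat(s["expires"]) < now:
            findings.append(("expired-suppression", key))
    return findings
```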

Development

Successfully merging this pull request may close these issues.

[REVIEW] sast-config: add baseline and suppression lifecycle gates

1 participant