[Task]: Exclude specific developers (or their add-ons) from specific scanner rules, to reduce false positives without disabling the rule globally #16187

@bacharakis

Description

Problem
Scanner rules can generate recurring false positives for similar add-ons from a single developer group.
Currently, each case follows the same loop: auto-disable -> developer appeal -> reviewer re-review -> re-enable.
This is costly for reviewers and developers, especially when the developer(s) publish multiple add-ons weekly.

Proposed solution
A way to allowlist specific developer accounts against specific scanner rules:

  • Per-rule configuration of exempted developer account IDs
  • Scoped to one rule, not a blanket scanner bypass
  • Audit trail for additions/removals

Acceptance Criteria

  • Scanner rule configuration supports an allowlist of developer account IDs
  • Exemptions are scoped per-rule (not a global scanner bypass)
  • Add-ons from an allowlisted developer skip the configured rule during scans
  • All other rules continue to apply normally to allowlisted developers
  • Admins can add and remove developer IDs from a rule's allowlist
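To make the proposed scoping concrete, here is an added example (not addons-server code) of a per-rule developer allowlist with an audit trail. The rule names, the `Allowlist` class, the developer IDs and the policy that an add-on is exempt only when every listed author is allowlisted are all assumptions; the issue does not specify how multi-author add-ons are handled.

```python
"""Added example (not addons-server code): per-rule developer allowlist with audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ScannerRule:
    name: str
    # Hypothetical field: developer account IDs exempt from *this rule only*.
    exempt_developer_ids: set[int] = field(default_factory=set)


@dataclass
class Allowlist:
    """Holds all scanner rules plus an append-only audit trail of allowlist changes."""
    rules: dict[str, ScannerRule]
    audit: list[dict] = field(default_factory=list)

    def _record(self, action, rule_name, developer_id, admin):
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "action": action, "rule": rule_name,
            "developer_id": developer_id, "by": admin,
        })

    def add_exemption(self, rule_name, developer_id, admin):
        # Scoped to one rule: only that rule's set changes, every other rule still applies.
        self.rules[rule_name].exempt_developer_ids.add(developer_id)
        self._record("add", rule_name, developer_id, admin)

    def remove_exemption(self, rule_name, developer_id, admin):
        self.rules[rule_name].exempt_developer_ids.discard(developer_id)
        self._record("remove", rule_name, developer_id, admin)

    def is_exempt(self, rule_name, author_ids):
        # Assumption: exempt only when *every* listed author is allowlisted, so
        # listing an allowlisted co-author cannot exempt an unrelated developer.
        authors = set(author_ids)
        return bool(authors) and authors <= self.rules[rule_name].exempt_developer_ids

    def rules_to_run(self, author_ids):
        """Names of the rules that still apply to an add-on with these authors."""
        return [n for n in self.rules if not self.is_exempt(n, author_ids)]


def demo():
    # Constructed sample: three hypothetical rules, one developer exempted from one rule.
    al = Allowlist({n: ScannerRule(n) for n in ("obfuscated_code", "remote_script", "eval_usage")})
    al.add_exemption("obfuscated_code", 4242, admin="admin@example.org")
    return al
```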
