Fix CVE gate hard-failing on baseline runs

[wnstfy]

Summary

• cve-delta.py applied --fail-on even on a baseline run (no previous scan to diff against). Any PR that adds a brand-new image — which by definition has no base-branch counterpart — had every CVE in that image counted as "introduced," tripping the required scan check.
• A baseline run has no prior state, so it cannot represent a regression. The fix reports the findings informationally and returns 0 instead of exit 2. Normal delta runs (real regressions) still hard-fail.

Test plan

• Baseline run (head has a HIGH, empty base) → exit 0 (was 2)
• Real regression (base clean, head adds a net-new HIGH) → exit 2 (unchanged)
• No-change run → exit 0 (unchanged)
• Baseline report still lists the image's CVEs under an informational section

[github-actions]

Trivy misconfiguration findings (HIGH + CRITICAL)

✅ No HIGH or CRITICAL misconfigurations detected.