
feat: add local ignore overrides for rule IDs + filepaths#59

Open
lelia wants to merge 17 commits into main from lelia/add-sast-ignore-overrides

Conversation

Contributor

@lelia lelia commented Mar 30, 2026

Summary

  • Add a local SAST ignore mechanism so users can suppress narrowly scoped findings that are blocking PRs without disabling the entire rule globally
  • Improve GitHub PR state handling so ignored or resolved findings no longer leave behind misleading blocking status, stale severity labels, or stale scanner comments

Changes

  • Add sast_ignore_overrides parameter so Socket Basics users can ignore SAST findings by rule_id or exact rule_id:path and make ignored findings stop contributing to blocking CI results
  • Normalize CI checkout paths for exact-path overrides across GitHub Actions and other common CI environments
    • Add clear diagnostics for invalid override paths (log warning, troubleshooting docs)
    • Include actionReason metadata to explain why a finding was ignored
  • Update GitHub PR reporting to reconcile managed severity labels across reruns
    • Scope all-clear comment rewrites to the correct scanner section so one scanner going clean does not overwrite unrelated Socket Basics comments

Testing

  • Verified local/unit coverage for override parsing, CI path normalization, invalid-path diagnostics, ignore provenance metadata, and GitHub PR label/comment lifecycle behavior
  • Validated in a separate GitHub Actions testing repository using rule-only, exact rule_id:path, mixed comma-separated override strings, valid and invalid file paths, and dashboard-level rule disable interactions
  • Confirmed that ignored findings no longer block the PR, invalid override paths emit warnings without falling back to rule-only matching, labels downgrade/clear correctly across reruns, and all-clear updates only rewrite the corresponding scanner comment
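A worked illustration of the override mechanism the description above lays out, added here as example code rather than Socket Basics' own implementation. It follows the PR's stated behaviour: a comma-separated `sast_ignore_overrides` string of `rule_id` or `rule_id:path` entries, CI checkout-path normalization so an exact-path override written against the repo root still matches in GitHub Actions, a warning (and no fallback to rule-only matching) for invalid paths, an `actionReason` on each ignored finding, and blocking computed only from findings that were not ignored. The function names, the `Finding` shape, the `/github/workspace/` prefix list, the block-on severities and the sample findings are assumptions made for this example.

```python
"""Illustration of local SAST ignore overrides (constructed example, not
Socket Basics' code). Names, data shapes and sample data are assumptions."""
import os
import posixpath
import warnings
from dataclasses import dataclass, replace
from typing import Optional

# Assumed: checkout roots whose prefix is stripped so a repo-relative override
# matches a scanner path reported from inside the CI workspace.
CI_WORKSPACE_PREFIXES = ("/github/workspace/",)


@dataclass(frozen=True)
class Override:
    rule_id: str
    path: Optional[str] = None  # None -> ignore this rule everywhere


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    severity: str
    ignored: bool = False
    action_reason: Optional[str] = None  # "actionReason" provenance metadata


def normalize_path(path: str, workspace: Optional[str] = None) -> Optional[str]:
    """Return a repo-relative POSIX path, or None when the path is invalid
    (empty, escapes the repo via "..", or absolute with no known CI prefix)."""
    p = path.strip().replace("\\", "/")
    workspace = workspace or os.environ.get("GITHUB_WORKSPACE")
    prefixes = list(CI_WORKSPACE_PREFIXES)
    if workspace:
        prefixes.insert(0, workspace.rstrip("/") + "/")
    for prefix in prefixes:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    p = posixpath.normpath(p)  # "./app//db.py" -> "app/db.py"
    if p in ("", ".", "..") or p.startswith("../") or posixpath.isabs(p):
        return None
    return p


def parse_overrides(spec: str, workspace: Optional[str] = None) -> list[Override]:
    """Parse "rule_a, rule_b:src/x.py" into Override objects.

    An entry whose path is invalid is dropped with a warning; it does NOT
    degrade into a rule-only ignore, so a typo cannot widen the suppression."""
    overrides: list[Override] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        rule_id, sep, path = entry.partition(":")  # first ":" splits rule from path
        rule_id = rule_id.strip()
        if not rule_id:
            warnings.warn(f"override {entry!r} has no rule id; skipped")
            continue
        if not sep:
            overrides.append(Override(rule_id))
            continue
        norm = normalize_path(path, workspace)
        if norm is None:
            warnings.warn(f"override {entry!r} has an invalid path {path!r}; skipped")
            continue
        overrides.append(Override(rule_id, norm))
    return overrides


def apply_overrides(findings: list[Finding], overrides: list[Override],
                    workspace: Optional[str] = None) -> list[Finding]:
    """Return copies of the findings with ignored ones marked and explained."""
    exact = {(o.rule_id, o.path) for o in overrides if o.path}
    rule_only = {o.rule_id for o in overrides if o.path is None}
    out = []
    for f in findings:
        fpath = normalize_path(f.path, workspace) or f.path
        if f.rule_id in rule_only:
            out.append(replace(f, ignored=True,
                               action_reason=f"ignored: rule {f.rule_id} in sast_ignore_overrides"))
        elif (f.rule_id, fpath) in exact:
            out.append(replace(f, ignored=True,
                               action_reason=f"ignored: exact override {f.rule_id}:{fpath}"))
        else:
            out.append(f)
    return out


def is_blocking(findings: list[Finding], block_on=("critical", "high")) -> bool:
    """Only findings that were not ignored can block the PR."""
    return any(not f.ignored and f.severity in block_on for f in findings)


def evaluate(spec: str, findings: list[Finding], workspace: Optional[str] = None):
    """Parse overrides, apply them, and report the blocking decision."""
    annotated = apply_overrides(findings, parse_overrides(spec, workspace), workspace)
    return annotated, is_blocking(annotated)


# Constructed sample input: three findings as a scanner might report them.
SAMPLE_FINDINGS = [
    Finding("py.sql-injection", "/github/workspace/app/db.py", "high"),
    Finding("py.sql-injection", "app/other.py", "high"),
    Finding("py.weak-hash", "lib/legacy.py", "medium"),
]
# Rule-only, exact rule:path, and an invalid path that escapes the repo.
SAMPLE_SPEC = "py.weak-hash, py.sql-injection:./app/db.py, py.hardcoded-secret:../outside.py"

if __name__ == "__main__":
    result, blocking = evaluate(SAMPLE_SPEC, SAMPLE_FINDINGS)
    for f in result:
        print(f.rule_id, f.path, "IGNORED" if f.ignored else f.severity, f.action_reason or "")
    print("blocking:", blocking)
```

The deliberate design point is in `parse_overrides`: a malformed `rule_id:path` entry is skipped entirely instead of quietly becoming a global ignore for that rule, which matches the PR's "invalid override paths emit warnings without falling back to rule-only matching" and keeps a mistyped path from suppressing more than the author intended.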

lelia added 13 commits March 30, 2026 18:47
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
…olved

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
…pabilities

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia marked this pull request as ready for review April 2, 2026 02:21
@lelia lelia requested a review from a team as a code owner April 2, 2026 02:21
lelia added 4 commits April 2, 2026 22:59
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>