
Add repository scanning mode with SARIF export and workflow integration#17

Open

ig596 wants to merge 2 commits into main from optimize-code-for-ip/domain-scanning-checks

Conversation


@ig596 ig596 commented Apr 25, 2026

Motivation

  • Enable scanning a repository for IP/domain/CIDR indicators so the action can auto-discover and evaluate indicators across a codebase.
  • Provide SARIF export and GitHub Actions annotations so findings can be surfaced in Code Scanning / PRs.
  • Improve CLI/Action flexibility by making target optional when a scan path is provided and adding safer input sanitization and workflow command escaping.

Description

  • Added --scan-path and --sarif-file options to the CLI and corresponding inputs in action.yml and .github/workflows/run-reputation-check.yaml, and added output-file passthrough for raw JSON output.
  • Implemented repository indicator discovery in network_reputation_check/scanner.py which extracts, normalizes, deduplicates, and filters public indicators while skipping large files and common dirs.
  • Implemented SARIF generation and severity classification in network_reputation_check/sarif.py and integrated SARIF emission and per-location workflow annotations into network_reputation_check/main.py (including sanitize_target, _escape_workflow_command_value, and emit_annotation).
  • Updated the README to document scan mode and SARIF usage and adjusted the GitHub Actions workflow to request security-events: write and upload SARIF when provided.

Testing

  • Ran the test suite with pytest, including updated tests/test_cli.py and new tests/test_scanner_and_sarif.py, which exercise CLI behavior, scan-mode SARIF generation, sanitizer/escape helpers, scanner extraction, and SARIF levels.
  • All automated tests completed successfully (no failing tests).

Codex Task
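An added illustration of the two pieces the description names (indicator discovery with normalization, dedup and private-range filtering, and escaping values before emitting a GitHub Actions annotation command). This is not the PR's own code; the project's scanner.py, sarif.py and main.py are not shown on this page, so the function names, the block list and the sample input below are assumptions.

```python
import ipaddress
import re

# Constructed sample input: a config fragment with public and non-public indicators.
SAMPLE = """upstream = 203.0.113.10
allow 10.0.0.0/8
peer 198.51.100.0/24
dup 203.0.113.10
bogus 999.1.1.1
loopback 127.0.0.1
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")

# Assumed block list of non-public IPv4 space (RFC 1918, loopback, link-local, CGNAT,
# "this network", multicast, reserved); documentation ranges are left in so the sample works.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def extract_public_indicators(text: str) -> list[str]:
    """Return deduplicated public IPv4 hosts/CIDRs found in text, in first-seen order."""
    seen: dict[str, None] = {}
    for match in IPV4_RE.findall(text):
        try:
            net = ipaddress.ip_network(match, strict=False)
        except ValueError:
            continue  # looks like an address (999.1.1.1) but is not a valid one
        if any(net.overlaps(block) for block in NON_PUBLIC):
            continue  # drop anything touching private/reserved space
        # Normalize: a /32 is reported as a bare host, anything else stays CIDR.
        key = str(net.network_address) if net.prefixlen == 32 else str(net)
        seen.setdefault(key, None)
    return list(seen)


def escape_workflow_value(value: str, is_property: bool = False) -> str:
    """Escape text for a ::command:: line so a scanned value cannot start a new command."""
    out = value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
    if is_property:  # file=,line= properties must also not contain ':' or ','
        out = out.replace(":", "%3A").replace(",", "%2C")
    return out


def annotation(level: str, message: str, path: str, line: int) -> str:
    """Build a GitHub Actions annotation command for one finding location."""
    props = f"file={escape_workflow_value(path, True)},line={line}"
    return f"::{level} {props}::{escape_workflow_value(message)}"
```

The `%` replacement runs first so that the `%0A`/`%0D` sequences added afterwards are not themselves re-escaped.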

@github-actions
Contributor

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with gpg:

  1. Generate a GPG key
  2. Add the GPG key to your GitHub account
  3. Configure git to use your GPG key for commit signing
Sign commits with ssh-agent

Follow the steps below to set up commit signing with ssh-agent:

  1. Generate an SSH key and add it to ssh-agent
  2. Add the SSH key to your GitHub account
  3. Configure git to use your SSH key for commit signing
Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.

Learn how to use 1Password to sign your commits.

Watch the demo

@ig596 ig596 force-pushed the optimize-code-for-ip/domain-scanning-checks branch from c4b67be to cb7ed76 Compare April 25, 2026 02:13
