
Add repository scan mode with SARIF output, scanner and SARIF generation; update CLI, action inputs, and CI#18

Open
ig596 wants to merge 1 commit into main from optimize-code-for-ip/domain-scanning-checks-v3j050

Conversation

@ig596 ig596 (Owner) commented Apr 25, 2026

Motivation

  • Enable repository scanning to auto-discover IP/domain/CIDR indicators and produce SARIF for GitHub Code Scanning and PR annotations.
  • Emit safe workflow annotations and normalize inputs to prevent injection and invalid control characters.
  • Make CI less intrusive by restricting permissions and removing automated commit pushes for badges and pre-commit fixes.

Description

  • Add network_reputation_check/scanner.py to discover, normalize, deduplicate, and filter public indicators from a repository path and add network_reputation_check/sarif.py to build SARIF payloads and classify severity levels.
  • Extend the CLI (network_reputation_check/main.py) with --scan-path and --sarif-file options, a sanitize_target helper, _escape_workflow_command_value and emit_annotation to write safe GitHub Actions annotations, and a flow to run checks across discovered indicators with JSON and SARIF output support.
  • Update action.yml and README.md to expose optional scan-path, sarif-file, and output-file inputs and make target optional when scan mode is used, and wire inputs into the Docker action args.
  • Adjust workflows: tighten permissions in ci.yaml, stop committing coverage/pre-commit changes from CI and instead upload the coverage badge as an artifact, and enhance run-reputation-check.yaml with scan-path/sarif-file inputs and SARIF upload step.

Testing

  • Ran unit tests with poetry run pytest, including updated tests/test_cli.py and new tests/test_scanner_and_sarif.py, and all tests succeeded.
  • Test suite included CLI behavior checks (scan mode, target sanitization, workflow-escaping) and scanner/SARIF validations (indicator discovery, filtering, level classification, and payload serialization).
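The summary above names a sanitize_target helper and an _escape_workflow_command_value/emit_annotation pair for "safe" Actions annotations. The block below is an added example, not code from this PR or the network_reputation_check project: it shows why the escaping matters (a workflow command is parsed from stdout as `::level key=value::message`, so an indicator string containing a newline or a `,`/`:` in a property could terminate the command and start another one) and one way to encode it, using the percent-encoding scheme the actions/toolkit core library applies. The function names mirror the PR's; the implementations and the target alphabet accepted by sanitize_target are this example's assumptions.

```python
"""Escaping and emitting GitHub Actions workflow-command annotations.

Added example, not the PR's code. Helper names follow the PR description;
the bodies are this example's own assumptions.
"""
import re

# A workflow command line looks like
#   ::warning file=app.py,line=3::message text
# Message data must escape '%' (first, so later escapes are unambiguous),
# CR and LF; property values additionally escape ':' and ',' because those
# delimit the property list. This is the scheme used by actions/toolkit.
_DATA_ESCAPES = (("%", "%25"), ("\r", "%0D"), ("\n", "%0A"))
_PROPERTY_ESCAPES = _DATA_ESCAPES + ((":", "%3A"), (",", "%2C"))


def _escape_workflow_command_value(value: str, *, is_property: bool = False) -> str:
    """Percent-encode characters the workflow-command parser treats as syntax."""
    escapes = _PROPERTY_ESCAPES if is_property else _DATA_ESCAPES
    for raw, encoded in escapes:
        value = value.replace(raw, encoded)
    return value


def emit_annotation(level: str, message: str, **properties: str) -> str:
    """Print a single-line ::level:: command with every field escaped; return it too."""
    if level not in {"notice", "warning", "error"}:
        raise ValueError(f"unsupported annotation level: {level!r}")
    props = ",".join(
        f"{_escape_workflow_command_value(key, is_property=True)}="
        f"{_escape_workflow_command_value(str(val), is_property=True)}"
        for key, val in properties.items()
    )
    command = f"::{level}{' ' + props if props else ''}::{_escape_workflow_command_value(message)}"
    print(command)  # Actions reads workflow commands from stdout
    return command


# Reputation targets are IPs, CIDRs or hostnames, so this alphabet (assumed
# here) covers every legitimate input. Rejecting instead of stripping means the
# tool never silently checks a different target than the user supplied.
_TARGET_RE = re.compile(r"[A-Za-z0-9.:/\-]{1,253}")


def sanitize_target(target: str) -> str:
    """Return the trimmed target or raise if it contains control or shell metacharacters."""
    cleaned = target.strip()
    if not cleaned or not _TARGET_RE.fullmatch(cleaned):
        raise ValueError(f"invalid target: {target!r}")
    return cleaned


if __name__ == "__main__":
    # Constructed hostile indicator: without escaping, the LF would end the
    # warning and the rest of the string would be parsed as a new command.
    emit_annotation("warning", "bad.example.com\n::error::injected", file="hits.txt", line="3")
    print(sanitize_target(" 2001:db8::1 "))
```

The encoded output stays a single line, so the runner attributes the whole string to the one annotation the tool intended.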

Codex Task
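The scanner.py/sarif.py bullet describes discovering, normalizing, deduplicating and filtering public indicators and then classifying SARIF levels. As an added example that is not the PR's code, the following shows that pipeline end to end: regex discovery of IPv4/CIDR and hostname indicators, filtering with ipaddress.is_global so private, loopback and documentation ranges never become reputation lookups, first-location deduplication, and a minimal SARIF 2.1.0 payload whose level is derived from a score. The regexes, the 0-100 score scale, the rule id, the noise filters and the sample config text are all constructed for this example.

```python
"""Indicator discovery -> filtering -> SARIF, as an added example (not the PR's code).

Scores, rule id, regexes and the sample text are constructed assumptions.
"""
import ipaddress
import json
import re
from pathlib import Path

# Deliberately loose patterns: validation below removes the noise a tighter
# regex would try (and fail) to exclude.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
# Suffixes that never denote an Internet host (assumed filter policy).
_LOCAL_SUFFIXES = (".local", ".internal", ".localhost", ".test", ".invalid")
RULE_ID = "network-indicator-reputation"  # constructed


def classify_level(score: int) -> str:
    """Map a constructed 0-100 reputation score onto SARIF result levels."""
    if score >= 70:
        return "error"
    if score >= 30:
        return "warning"
    return "note"


def discover_indicators(text: str):
    """Yield (indicator, line_number) for public IPv4/CIDR and hostname tokens."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _IPV4_RE.finditer(line):
            try:
                net = ipaddress.ip_network(m.group(0), strict=False)
            except ValueError:  # e.g. 999.1.1.1 or a bad prefix length
                continue
            # Private, loopback, link-local, shared and RFC 5737 documentation
            # ranges are not meaningful reputation targets and would leak
            # internal topology to a third-party API.
            if not net.is_global:
                continue
            yield m.group(0), lineno
        for m in _DOMAIN_RE.finditer(line):
            dom = m.group(0).lower().rstrip(".")  # normalize case / trailing dot
            if dom.endswith(_LOCAL_SUFFIXES):
                continue
            yield dom, lineno


def scan_text(text: str, path: str) -> dict:
    """Deduplicate indicators in one file, keeping the first (path, line) seen."""
    found: dict = {}
    for indicator, lineno in discover_indicators(text):
        found.setdefault(indicator, (path, lineno))
    return found


def scan_repository(root: str) -> dict:
    """Walk a checkout and merge per-file results; .git contents are skipped."""
    root_path = Path(root)
    found: dict = {}
    for p in sorted(root_path.rglob("*")):
        if not p.is_file() or ".git" in p.parts:
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        for indicator, loc in scan_text(text, str(p.relative_to(root_path))).items():
            found.setdefault(indicator, loc)
    return found


def build_sarif(findings: dict, scores: dict) -> dict:
    """Render findings ({indicator: (path, line)}) and scores into a SARIF 2.1.0 log."""
    results = [
        {
            "ruleId": RULE_ID,
            "level": classify_level(scores.get(ind, 0)),
            "message": {"text": f"{ind} has reputation score {scores.get(ind, 0)}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": path},
                "region": {"startLine": line},
            }}],
        }
        for ind, (path, line) in findings.items()
    ]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "network-reputation-check (example)",
                "rules": [{"id": RULE_ID,
                           "shortDescription": {"text": "Network indicator with poor reputation"}}],
            }},
            "results": results,
        }],
    }


# Constructed sample config; 1.2.3.4 stands in for any globally routable address.
SAMPLE_TEXT = """\
# constructed sample config with placeholder values
allow_from = 10.0.0.0/8
upstream = 1.2.3.4
mirror = 1.2.3.4
blocklist_feed = cdn.example.com
lab_host = lab.internal
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT, "config.ini")
    print(json.dumps(build_sarif(hits, {"1.2.3.4": 85, "cdn.example.com": 10}), indent=2))
```

Running the module on the sample yields two results: the private range and the .internal host are dropped, the repeated address collapses to its first location, and each surviving indicator carries the SARIF level derived from its score.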

@ig596 ig596 force-pushed the optimize-code-for-ip/domain-scanning-checks-v3j050 branch from 753aac4 to fcc4db6 Compare April 25, 2026 02:26