
feat(scanner-tuning): add suppression lifecycle model and drift evidence gates (#2724)#2725

Closed
zeroknowledge0x wants to merge 1 commit into UnitOneAI:main from zeroknowledge0x:bounty/2724-REVIEW-scanner-tuning-add-suppression-

Conversation

@zeroknowledge0x


Summary

Adds a suppression lifecycle model and drift evidence gates to the scanner-tuning skill. The current skill correctly warns against blind suppressions but lacks a positive model for safe suppressions and automated gates to catch when safe suppressions become dangerous after environment drift.

Business impact: Without lifecycle governance, suppressions silently accumulate as blind spots. A suppression that was safe in 2024 (narrow scope, evidence-backed) becomes a hidden true positive in 2026 when the service moves to internet-facing or the scanner plugin is updated. This PR prevents that class of silent risk accumulation.

Changes

Suppression Lifecycle Model (Step 2)

  • Suppression Risk Tiers: Safe → Moderate → Risky → Dangerous classification based on scope, evidence, owner, expiry, and re-open triggers
  • Safe Suppression Requirements: Mandatory record format with 12 fields including named owner, expiry date (never null), evidence sources, and auto-reopen triggers
  • Critical disposition enforcement: "Confirmed false positive" and "compensated risk" are explicitly distinct — a WAF-blocked RCE is NOT a false positive

Drift Evidence Gates (Step 2)

Six automated gates that force re-evaluation when the environment drifts:

  1. Suppression age gate — flag expired and orphaned suppressions
  2. Plugin update gate — re-evaluate when scanner detection logic changes
  3. Asset exposure gate — re-evaluate on zone migration / public IP change
  4. Package change gate — re-evaluate on version or installation change
  5. Compensating control gate — reopen immediately if control is removed
  6. Quarterly review gate — mandatory re-review cycle for all suppressions

Output Format additions

  • Suppression Inventory table with tier classification, orphan/expiry/misclassification counts
  • Drift Gate Audit table with per-suppression verdict (Keep/Re-evaluate/Reopen)

Updated sections

Closes #2724

…nce gates

Addresses review feedback from UnitOneAI#2724:

- Add Suppression Risk Tiers (Safe/Moderate/Risky/Dangerous) to distinguish
  evidence-backed, time-bounded, owner-approved suppressions from blanket
  indefinite exclusions
- Add Safe Suppression Requirements with mandatory fields: named owner,
  expiry date, scope, evidence, and auto-reopen triggers
- Add Drift Evidence Gates (6 gates): suppression age, plugin update, asset
  exposure change, package change, compensating control status, quarterly review
- Add Suppression Inventory and Drift Gate Audit to Output Format sections
- Enforce critical distinction: compensated risk != confirmed false positive
- Update FP Validation Workflow disposition to require lifecycle compliance
- Update Prompt Injection Safety Notice with suppression lifecycle constraints
- Add pitfalls UnitOneAI#6 (indefinite suppressions) and UnitOneAI#7 (compensated risk as FP)

Closes UnitOneAI#2724
github-actions bot added the needs-approved-issue label (PR has no linked maintainer-approved issue) on Jun 17, 2026
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

github-actions bot closed this on Jun 17, 2026

Development

Successfully merging this pull request may close these issues.

[REVIEW] scanner-tuning: add suppression lifecycle and drift evidence gates