
📖 docs: expand SAST check description to list all detected tools#5040

Open
venkatapgummadi wants to merge 1 commit into
ossf:mainfrom
venkatapgummadi:docs/sast-detected-tools-and-lgtm-status

Conversation

@venkatapgummadi

The SAST check (checks/raw/sast.go) detects CodeQL, SonarCloud/SonarQube, Snyk, Pysa, and Qodana, but the description in checks.yaml only mentions CodeQL and SonarCloud. The description also notes LGTM is awaiting its "forthcoming shutdown," but LGTM was sunset in December 2022. This commit updates the description to enumerate all five currently-detected SAST tools with their specific detection mechanisms (workflow action names or GitHub app slugs), corrects the LGTM status, and adds a remediation alternative for projects that cannot use CodeQL. Both checks.yaml and the auto-generated docs/checks.md are updated together per CONTRIBUTING.md.

What kind of change does this PR introduce?

Documentation update — no code changes.

What is the current behavior?

The SAST check description in docs/checks/internal/checks.yaml mentions only CodeQL and SonarCloud as detected SAST tools, even though checks/raw/sast.go also detects Snyk (snyk/actions/*), Pysa (facebook/pysa-action), and Qodana (JetBrains/qodana-action). The description also states LGTM is "awaiting its forthcoming shutdown," but LGTM was sunset in December 2022 — that wording has been stale for over three years.

What is the new behavior (if this is a feature change)?

The description now enumerates all five SAST tools the check detects, each with its specific detection mechanism:

| Tool | Detection mechanism in code |
| --- | --- |
| CodeQL | Workflow uses `github/codeql-action/analyze`; `github-code-scanning` GitHub app on recent PRs |
| SonarCloud / SonarQube | `<sonar.host.url>` in `pom.xml`; `sonarcloud` / `sonarqubecloud` GitHub apps |
| Snyk | Workflow uses any action matching `snyk/actions/*` |
| Pysa | Workflow uses `facebook/pysa-action` |
| Qodana | Workflow uses `JetBrains/qodana-action` |
| LGTM | `lgtm-com` GitHub app (sunset Dec 2022, no usable signal) |

The LGTM language is corrected to reflect that the service is sunset. A remediation alternative is added listing the other four detected SAST integrations as fallback options for projects where CodeQL is not suitable.

  • Tests for the changes have been added (for bug fixes/features)

(Documentation-only change — no test additions required.)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

  • Docs-only change. No modifications to checks/raw/sast.go or any other Go source. This PR aligns the user-facing documentation with what the existing detection logic already does.
  • Both docs/checks/internal/checks.yaml and the auto-generated docs/checks.md were updated together, per the guidance in CONTRIBUTING.md.
  • Adding detection for new SAST tools (e.g., Semgrep) is intentionally out of scope; that would require Go changes and is a candidate for a follow-up PR.
  • DCO sign-off included on the commit (-s flag).

Does this PR introduce a user-facing change?

Yes — readers of docs/checks.md and the website-rendered checks page will see updated SAST documentation. No changes to scoring or check behavior; only documentation.

SAST check description updated to enumerate all five tools the check detects (CodeQL, SonarCloud/SonarQube, Snyk, Pysa, Qodana) with their detection mechanisms; corrected the stale LGTM "forthcoming shutdown" wording.

The SAST check (checks/raw/sast.go) detects CodeQL, SonarCloud/SonarQube, Snyk, Pysa, and Qodana, but the description in checks.yaml only mentions CodeQL and SonarCloud. The description also notes LGTM is awaiting its 'forthcoming shutdown,' but LGTM was sunset in December 2022. This commit updates the description to enumerate all five currently-detected SAST tools with their specific detection mechanisms (workflow action names or GitHub app slugs), corrects the LGTM status, and adds a remediation alternative for projects that cannot use CodeQL. Both checks.yaml and the auto-generated docs/checks.md are updated together per CONTRIBUTING.md.

Signed-off-by: Venkata Pavan Kumar Gummadi <[email protected]>
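To make the detection mechanisms in the table above concrete, here is an added Go example written for this page; it is not Scorecard's own `checks/raw/sast.go`. It applies the same workflow-action and GitHub-app-slug rules the PR lists to a constructed workflow file and a constructed list of check-run app slugs, and treats `lgtm-com` as a retired app that yields no signal. The function names, the line-based `uses:` scan (Scorecard parses the YAML properly) and the sample workflow are assumptions of this example; the `pom.xml` signal for SonarCloud is not covered.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// actionRules maps the workflow "uses:" prefixes listed in the PR description
// to the SAST tool they indicate. Prefix matching covers the snyk/actions/*
// wildcard; the @ref pin is stripped before comparison.
var actionRules = []struct {
	prefix string
	tool   string
}{
	{"github/codeql-action/analyze", "CodeQL"},
	{"snyk/actions/", "Snyk"},
	{"facebook/pysa-action", "Pysa"},
	{"JetBrains/qodana-action", "Qodana"},
}

// appRules maps GitHub app slugs seen on check runs of recent PRs to tools.
// lgtm-com is deliberately absent: the service is sunset, so it is no signal.
var appRules = map[string]string{
	"github-code-scanning": "CodeQL",
	"sonarcloud":           "SonarCloud / SonarQube",
	"sonarqubecloud":       "SonarCloud / SonarQube",
}

// usesLine captures the action reference of a "uses:" step, with or without
// a leading "-" and with or without quotes around the value.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)

// DetectFromWorkflow returns the sorted, de-duplicated SAST tools whose
// actions appear in a workflow file (assumed line-based scan, stdlib only).
func DetectFromWorkflow(workflow string) []string {
	found := map[string]bool{}
	for _, line := range strings.Split(workflow, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := m[1]
		if i := strings.Index(ref, "@"); i >= 0 {
			ref = ref[:i] // drop the version tag or commit pin
		}
		for _, r := range actionRules {
			// Action names are compared case-insensitively (assumption).
			if strings.HasPrefix(strings.ToLower(ref), strings.ToLower(r.prefix)) {
				found[r.tool] = true
			}
		}
	}
	return sortedKeys(found)
}

// DetectFromApps maps check-run app slugs to tools, ignoring unknown or
// retired apps such as lgtm-com.
func DetectFromApps(slugs []string) []string {
	found := map[string]bool{}
	for _, s := range slugs {
		if tool, ok := appRules[strings.ToLower(s)]; ok {
			found[tool] = true
		}
	}
	return sortedKeys(found)
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// sampleWorkflow is a constructed workflow, not taken from any real repository.
const sampleWorkflow = `name: scan
on: [pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: "github/codeql-action/analyze@v3"
      - uses: snyk/actions/golang@master
      - uses: JetBrains/qodana-action@v2024.1
`

func main() {
	// Constructed inputs: the workflow above and a list of app slugs.
	fmt.Println(DetectFromWorkflow(sampleWorkflow)) // [CodeQL Qodana Snyk]
	fmt.Println(DetectFromApps([]string{"lgtm-com", "github-code-scanning", "sonarcloud"}))
}
```

Note that `github/codeql-action/init` alone does not count: only the `analyze` step is a detection signal, which matches the table, and a retired `lgtm-com` app is silently dropped rather than reported.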
dosubot (bot) added the `size:M` label ("This PR changes 30-99 lines, ignoring generated files.") on Apr 28, 2026.
venkatapgummadi changed the title from "docs: expand SAST check description to list all detected tools" to "📖 docs: expand SAST check description to list all detected tools" on Apr 28, 2026.
@github-actions

github-actions Bot commented May 9, 2026

This pull request has been marked stale because it has been open for 10 days with no activity.

github-actions (bot) added the `Stale` label on May 9, 2026.