Improve dependency lockfile integrity gates #2108 (Open)

shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/dependency-lockfile-integrity-gates

Conversation

@shensz2017


Summary

Closes #384.

Adds lockfile artifact integrity and registry provenance evidence gates to dependency-scanning so reviewers can distinguish normal lockfile metadata from non-CVE supply-chain risks such as missing integrity evidence, unexpected artifact hosts, mutable source refs, install-script execution, signature/provenance gaps, and SBOM/lockfile drift.

What changed

  • Bumped dependency-scanning to 1.0.1.
  • Added Lockfile Artifact Integrity and Registry Provenance guidance before CVE/license triage.
  • Added DEP-LOCK-01 through DEP-LOCK-08 finding triggers covering:
    • missing deterministic lockfiles
    • missing integrity/checksum evidence
    • unexpected registry, source host, or plain HTTP artifact sources
    • mutable git/VCS refs
    • manifest/lockfile/SBOM/registry metadata mismatches
    • install-script evidence without allowlist or isolated/script-disabled install controls
    • missing or failing registry signature/provenance verification where expected
    • local, linked, vendored, patch, and external tarball dependency replacement paths
  • Added false-positive guidance for normal npm resolved metadata, registry.npmjs.org, legitimate install scripts, unsupported signature/provenance evidence, and local workspace links.
  • Added a lockfile artifact integrity output table to the report template.
  • Added vulnerable and benign fixtures under skills/appsec/dependency-scanning/tests/.

Validation

  • git diff --cached --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed Markdown files
  • ASCII-only check for changed files
  • Prompt-injection scan matching .github/workflows/injection-scan.yml
  • Dependency lockfile marker check for DEP-LOCK-*, package-lock.json, npm-shrinkwrap.json, resolved, integrity, hasInstallScript, npm audit signatures, signature/provenance output, and metadata mismatch coverage
  • Fixture marker check for vulnerable DEP-LOCK-* expectations and benign verified artifact-source evidence

Note: YAML parser validation was attempted, but a local YAML parser was not available (yaml Node module unavailable; Ruby and PyYAML also unavailable in this environment).

References

Bounty

Requesting Improver - Moderate ($100). Preferred payment method: GitHub Sponsors if accepted, otherwise private payment details can be provided after acceptance.
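Added example, not code from this PR or from the UnitOneAI repository: a small Python triage of an npm package-lock.json (lockfileVersion 2 or 3) that exercises the evidence classes listed in the description (missing or unusable SRI integrity, plain HTTP or unexpected artifact hosts, mutable git refs, hasInstallScript without an allowlist entry, and link/file replacement paths). The finding codes are descriptive names rather than the skill's DEP-LOCK numbering, the allowed-host and install-script allowlists are assumptions, and the sample lockfile is constructed for the example.

```python
"""Added example: triage of an npm package-lock.json (lockfileVersion 2/3)
for non-CVE supply-chain evidence. Not the dependency-scanning skill's own
code; finding codes, allowlists and the sample lockfile are assumptions."""
import json
import re
from urllib.parse import urlparse

# Assumption: the only registry host this review expects artifacts from.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}
# Assumption: packages whose install scripts have already been reviewed.
INSTALL_SCRIPT_ALLOWLIST = {"reviewed-native"}

# SRI value as npm records it: <alg>-<base64>. sha1 is accepted only because
# old lockfiles still carry it; tighten this if your policy forbids it.
SRI_RE = re.compile(r"^sha(1|256|384|512)-[A-Za-z0-9+/]+=*$")
FULL_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def triage_lockfile(lock_text):
    """Return (package, code, severity, detail) tuples for every installed
    artifact whose lockfile metadata is not plain verified registry evidence."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")

    findings = []
    for path, entry in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # root package or workspace source tree, not a fetched artifact
        name = path.rsplit("node_modules/", 1)[1]
        resolved = entry.get("resolved", "")

        # Workspace symlink: normally benign, but it replaces a registry artifact.
        if entry.get("link"):
            findings.append((name, "replacement-path", "info", f"link -> {resolved}"))
            continue

        url = urlparse(resolved)
        is_vcs = url.scheme == "git" or url.scheme.startswith("git+")

        if is_vcs:
            # npm keeps the resolved ref in the URL fragment; anything but a full
            # commit SHA (branch, tag, empty) can change underneath the lockfile.
            if not FULL_COMMIT_RE.match(url.fragment):
                findings.append((name, "mutable-vcs-ref", "high",
                                 f"ref {url.fragment!r} is not a full commit SHA"))
        else:
            integrity = entry.get("integrity")
            if not integrity:
                findings.append((name, "missing-integrity", "high", "no SRI hash recorded"))
            elif not SRI_RE.match(integrity):
                findings.append((name, "missing-integrity", "high", f"unusable SRI {integrity!r}"))

            if url.scheme == "http":
                findings.append((name, "insecure-transport", "high", resolved))
            if url.scheme in ("http", "https"):
                if url.hostname not in ALLOWED_REGISTRY_HOSTS:
                    findings.append((name, "unexpected-host", "medium", url.hostname))
            else:
                # file: tarballs, vendored directories and other non-registry sources.
                findings.append((name, "replacement-path", "medium", resolved or "<no resolved>"))

        if entry.get("hasInstallScript") and name not in INSTALL_SCRIPT_ALLOWLIST:
            findings.append((name, "install-script", "medium",
                             "hasInstallScript set and package not on the allowlist"))
    return findings


_SRI = "sha512-" + "A" * 86 + "=="  # placeholder hash, not a real digest
_REG = "https://registry.npmjs.org"

# Constructed sample lockfile; package names and hosts are invented for the example.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "version": "1.0.0", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/verified-pkg": {"version": "1.0.0", "resolved": f"{_REG}/verified-pkg/-/verified-pkg-1.0.0.tgz", "integrity": _SRI},
        "node_modules/no-integrity": {"version": "1.0.0", "resolved": f"{_REG}/no-integrity/-/no-integrity-1.0.0.tgz"},
        "node_modules/mirror-pkg": {"version": "2.0.0", "resolved": "https://npm.example.internal/mirror-pkg/-/mirror-pkg-2.0.0.tgz", "integrity": _SRI},
        "node_modules/plain-http": {"version": "0.1.0", "resolved": "http://registry.npmjs.org/plain-http/-/plain-http-0.1.0.tgz", "integrity": _SRI},
        "node_modules/git-dep": {"version": "1.2.3", "resolved": "git+ssh://git@github.com/example/git-dep.git#main"},
        "node_modules/pinned-git": {"version": "1.2.3", "resolved": "git+https://github.com/example/pinned-git.git#9f3c4a1b2e5d6c7a8b9e0f1a2b3c4d5e6f7a8b9c"},
        "node_modules/native-addon": {"version": "3.0.0", "resolved": f"{_REG}/native-addon/-/native-addon-3.0.0.tgz", "integrity": _SRI, "hasInstallScript": True},
        "node_modules/reviewed-native": {"version": "3.0.0", "resolved": f"{_REG}/reviewed-native/-/reviewed-native-3.0.0.tgz", "integrity": _SRI, "hasInstallScript": True},
        "node_modules/local-lib": {"resolved": "packages/local-lib", "link": True},
        "packages/local-lib": {"name": "local-lib", "version": "0.0.1"},
        "node_modules/vendored-tgz": {"version": "1.0.0", "resolved": "file:vendor/vendored-tgz-1.0.0.tgz", "integrity": _SRI},
    },
})

if __name__ == "__main__":
    for pkg, code, sev, detail in triage_lockfile(SAMPLE_LOCK):
        print(f"{sev:6} {code:20} {pkg:16} {detail}")
```

The verified registry entry, the commit-pinned git dependency and the allowlisted install script produce nothing, which is the false-positive behaviour the description asks for; the workspace link is reported at info severity so a reviewer still sees the replacement path without treating it as a defect.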


Development

Successfully merging this pull request may close these issues: [REVIEW] dependency-scanning: add lockfile integrity and registry signature evidence