Improve dependency scanning supply chain risk checks#1544

Open
shapris wants to merge 1 commit into UnitOneAI:main from shapris:codex/dependency-scanning-provenance-risk

Conversation

@shapris

@shapris shapris commented Jun 6, 2026

Closes #1536

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: dependency-scanning
Skill path: skills/appsec/dependency-scanning/

What Was Wrong

The dependency-scanning skill already covered transitive dependency depth, typosquatting, and SLSA/SBOM provenance at a high level, but its review output could still over-flag benign deep dependency trees and under-specify several supply-chain checks requested in #1536:

  • lockfile presence was not separated from lockfile integrity, version history, and incident bisectability;
  • direct dependency provenance could be treated as sufficient even when trust degrades through transitive dependencies;
  • dependency confusion flags did not require registry-routing evidence before escalation;
  • supply-chain risk signals were not consolidated into a structured score independent of name-similarity findings.

What This PR Fixes

This PR updates dependency-scanning to add:

  • lockfile integrity and bisectability assessment;
  • provenance chain propagation through direct and transitive dependencies;
  • contextual supply-chain risk scoring;
  • dependency-confusion routing-evidence checks;
  • a new examples file with vulnerable and benign cases for reviewers.

Evidence

Before (skill could over-flag this):

dependency_tree:
  max_depth: 11
observed:
  all_transitive_deps_are_pinned_in_lockfile: true
  all_transitive_deps_are_from_verified_publishers: true
  artifact_binds_to_lockfile_digest: true

After (now correctly handled):

lockfile:
  bisectability_score: strong
provenance_chain:
  provenance_chain_status: intact
supply_chain_risk_score:
  risk: low
  rationale: deep tree is pinned, auditable, and provenance-backed

Before (confusion pattern without routing context):

dependencies:
  - name: "@internal/core"
review_finding: dependency_confusion_possible

After (routing evidence can downgrade the finding):

dependency_confusion_context:
  package: "@internal/core"
  registry_routing_evidence: ".npmrc scope mapping + lockfile resolved host"
  risk: mitigated

Test Cases Added/Updated

  • Added vulnerable examples in supply-chain-risk-examples.md
  • Added benign examples in supply-chain-risk-examples.md
  • Existing markdown structure validated locally

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto or PayPal, to be provided privately after acceptance

Validation

  • git diff --check passed locally.
  • Markdown fence balance checked locally.
  • Required markers checked locally: lockfile bisectability, provenance chain propagation, contextual risk scoring, dependency confusion context, bisectability_score, and provenance_chain_status.
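The routing-evidence check described above, worked through as an added example. This is not code from PR #1544 or from the dependency-scanning skill; it is a stand-alone illustration of how a reviewer could mechanically derive the `registry_routing_evidence` and `risk` fields from two real inputs, an `.npmrc` and a `package-lock.json` (lockfileVersion 3 layout), plus a basic lockfile-integrity gap check. The `.npmrc` contents, the lockfile, the registry host `npm.example-internal.test`, the `@internal` scope and the result labels `routing_mismatch` are all constructed for the example.

```python
"""Added example (not part of PR #1544 or the dependency-scanning skill).

Dependency-confusion review for scoped packages: a finding is only "mitigated"
when BOTH pieces of routing evidence exist, (1) .npmrc maps the scope to a
non-default registry and (2) the lockfile's resolved URL host is that registry.
"""
import json
from urllib.parse import urlparse

# Constructed sample .npmrc; registry hosts are hypothetical.
NPMRC = """
registry=https://registry.npmjs.org/
@internal:registry=https://npm.example-internal.test/
//npm.example-internal.test/:_authToken=${NPM_TOKEN}
"""

# Constructed sample package-lock.json (lockfileVersion 3 layout); integrity
# values are placeholders, not real digests.
PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@internal/core": "^2.1.0",
                              "@internal/legacy": "1.0.0",
                              "left-pad": "1.3.0"}},
        "node_modules/@internal/core": {
            "version": "2.1.4",
            "resolved": "https://npm.example-internal.test/@internal/core/-/core-2.1.4.tgz",
            "integrity": "sha512-PLACEHOLDER-A"},
        # Same private scope, but the lockfile pulls it from the public registry.
        "node_modules/@internal/legacy": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/@internal/legacy/-/legacy-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER-B"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER-C"},
    },
})


def parse_npmrc(text):
    """Return (default_registry_host, {scope: registry_host}) from .npmrc text."""
    default_host, scopes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "registry":
            default_host = urlparse(value).hostname
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = urlparse(value).hostname
    return default_host, scopes


def lockfile_integrity_gaps(lock_text):
    """Lockfile entries lacking a pinned 'resolved' URL or an 'integrity' digest."""
    packages = json.loads(lock_text).get("packages", {})
    return sorted(path for path, entry in packages.items()
                  if path and not (entry.get("resolved") and entry.get("integrity")))


def assess_dependency_confusion(npmrc_text, lock_text, internal_scopes):
    """Evaluate each direct dependency in an internal scope; returns {name: finding}."""
    default_host, scope_hosts = parse_npmrc(npmrc_text)
    packages = json.loads(lock_text).get("packages", {})
    direct = packages.get("", {}).get("dependencies", {})
    findings = {}
    for name in direct:
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope not in internal_scopes:
            continue  # unscoped or third-party: not a confusion candidate here
        entry = packages.get(f"node_modules/{name}", {})
        resolved_host = urlparse(entry.get("resolved", "")).hostname
        mapped_host = scope_hosts.get(scope)
        evidence = []
        if mapped_host and mapped_host != default_host:
            evidence.append(f".npmrc maps {scope} to {mapped_host}")
        if resolved_host and resolved_host == mapped_host:
            evidence.append(f"lockfile resolved host {resolved_host}")
        if len(evidence) == 2:
            risk = "mitigated"                      # both routing proofs present
        elif mapped_host and resolved_host != mapped_host:
            risk = "routing_mismatch"               # scope is private, lockfile disagrees
        else:
            risk = "dependency_confusion_possible"  # no routing evidence at all
        findings[name] = {"package": name, "resolved_host": resolved_host,
                          "registry_routing_evidence": evidence, "risk": risk}
    return findings


if __name__ == "__main__":
    for finding in assess_dependency_confusion(NPMRC, PACKAGE_LOCK, {"@internal"}).values():
        print(finding)
    print("integrity gaps:", lockfile_integrity_gaps(PACKAGE_LOCK))
```

Run against the constructed inputs, `@internal/core` comes out `mitigated` with both evidence strings, while `@internal/legacy` comes out `routing_mismatch` because the scope is mapped privately yet the lockfile resolves it from the default registry; that split is the distinction the PR's "routing evidence can downgrade the finding" example relies on.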


Successfully merging this pull request may close these issues.

[REVIEW] dependency-scanning: add lockfile bisectability, provenance chain propagation, and supply chain risk scoring