Add scanner coverage freshness gates #1569

Open

malb200710-dev wants to merge 1 commit into UnitOneAI:main from malb200710-dev:codex/scanner-coverage-freshness-1528

Conversation

@malb200710-dev

Bounty type

Skill Improvement bounty

Modified skill

skills/vuln-management/scanner-tuning/SKILL.md

Issue

Fixes #1528

What was missing

Scanner tuning assumed scan results were fresh and authenticated enough to support suppressions, false-positive classification, and severity overrides. Maintenance blackouts, no-expiry exclusions, broken credentials, and fast container rebuilds can make tuned results misleading.

What changed

  • Bumped scanner-tuning to v1.0.1.
  • Added Coverage Freshness Gate before false-positive and override work.
  • Added SCAN-COV evidence gates for max scan age, exclusion expiry, blackout debt, authenticated scan success rate, and container scan/deployed digest overlap.
  • Added freshness prerequisite to false-positive workflow and severity override rules.
  • Added maintenance blackout, recurring operational tag, credential failure, geo-fenced, blue/green, OT/ICS, and fast container rebuild handling.
  • Added Coverage Freshness output section.
  • Added pitfalls for tuning stale results, ignoring blackout debt, and trusting auth scan enablement without success rate.

Validation

  • Confirmed v1.0.1 version bump in frontmatter and output template.
  • Confirmed Coverage Freshness Gate and SCAN-COV-01 are present.
  • Confirmed maintenance blackout handling is present.
  • Confirmed authenticated scan success and container overlap fields are present.
  • Confirmed Markdown fence balance.
  • Confirmed no non-ASCII characters were introduced.

Bounty request

Requesting consideration for the SecuritySkills improver bounty if accepted/merged. Payment details can be provided privately after acceptance.
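The SCAN-COV gates listed above, as an added worked example that is not code from this PR or from the SecuritySkills project: a small checker that evaluates constructed scan-coverage metadata against assumed thresholds (`MAX_SCAN_AGE`, `MIN_AUTH_SUCCESS_RATE`, `MIN_DIGEST_OVERLAP` are illustrative values, not ones the skill defines) and refuses false-positive or override work when any gate fails.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not values taken from the skill.
MAX_SCAN_AGE = timedelta(days=7)
MIN_AUTH_SUCCESS_RATE = 0.90   # authenticated scans must actually succeed, not just be enabled
MIN_DIGEST_OVERLAP = 0.80      # share of deployed image digests the last scan actually covered

@dataclass
class ScanCoverage:
    scanned_at: datetime
    exclusions: dict             # exclusion name -> expiry datetime, or None for no expiry
    blackout_debt_hosts: int     # hosts skipped by maintenance blackouts and not yet rescanned
    auth_attempted: int
    auth_succeeded: int
    scanned_digests: set
    deployed_digests: set

def evaluate_freshness(cov: ScanCoverage, now: datetime) -> list:
    """Return the SCAN-COV gates that fail; an empty list means tuning may proceed."""
    failures = []
    if now - cov.scanned_at > MAX_SCAN_AGE:
        failures.append("scan age exceeds maximum")
    bad = sorted(n for n, exp in cov.exclusions.items() if exp is None or exp < now)
    if bad:
        failures.append("exclusions without valid expiry: " + ", ".join(bad))
    if cov.blackout_debt_hosts > 0:
        failures.append(f"blackout debt: {cov.blackout_debt_hosts} hosts never rescanned")
    if cov.auth_attempted == 0 or cov.auth_succeeded / cov.auth_attempted < MIN_AUTH_SUCCESS_RATE:
        failures.append("authenticated scan success rate below threshold")
    deployed = cov.deployed_digests
    overlap = len(cov.scanned_digests & deployed) / len(deployed) if deployed else 0.0
    if overlap < MIN_DIGEST_OVERLAP:
        failures.append(f"scanned/deployed digest overlap {overlap:.0%} below threshold")
    return failures

def tuning_allowed(cov: ScanCoverage, now: datetime) -> bool:
    """Prerequisite gate for false-positive classification and severity overrides."""
    return not evaluate_freshness(cov, now)

# Constructed sample data (not real scan output); digests are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def fresh_sample() -> ScanCoverage:
    return ScanCoverage(NOW - timedelta(days=2), {"printer-vlan": NOW + timedelta(days=30)},
                        0, 100, 95, {"sha256:aaa", "sha256:bbb"}, {"sha256:aaa", "sha256:bbb"})

def stale_sample() -> ScanCoverage:
    return ScanCoverage(NOW - timedelta(days=20), {"legacy-db": None},
                        12, 100, 40, {"sha256:aaa"}, {"sha256:aaa", "sha256:ccc", "sha256:ddd"})
```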


Development

Successfully merging this pull request may close these issues: [REVIEW] scanner-tuning: add maintenance blackout and scan-window coverage gap gates