Add dependency override governance gates #1684

Open
Dolpme wants to merge 1 commit into UnitOneAI:main from Dolpme:improve/dependency-override-governance

Conversation

@Dolpme Dolpme commented Jun 8, 2026

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent (which one: Codex)
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (if adding a skill; not applicable, existing skill only)

What This PR Does

Addresses #1649.

This improves skills/appsec/dependency-scanning/SKILL.md by adding dependency override and replacement governance gates. The update distinguishes governed fixed-version overrides from risky dependency graph rewrites that redirect builds to unreviewed forks, local paths, mutable branches, or vulnerable downgrades.

Summary:

  • Adds a dedicated override/replacement governance section covering npm, Yarn, pnpm, Go, Cargo, Maven/Gradle, and Python constraints.
  • Adds evidence gates for trusted replacement source, lockfile reflection, downgrade impact, owner approval, expiry/review trigger, local path use, immutable git references, and scanner/SBOM coverage of the resolved artifact.
  • Adds DEP-OVERRIDE-* finding IDs.
  • Extends the output template with a dependency override/replacement review table.
  • Updates the procedure so override governance is checked before the broader SLSA supply chain assessment.

Framework References

  • SLSA v1.0 build integrity and provenance posture, already referenced by the skill.
  • CycloneDX / SPDX SBOM output expectations, already referenced by the skill.
  • Official ecosystem documentation for npm overrides, Yarn resolutions, pnpm overrides, Go replace, and Cargo [patch].

Testing

  • git diff --check: passed; only existing Windows line-ending warnings were reported.
  • PowerShell equivalent of lint-skills.yml frontmatter check: passed for all skills/ and roles/ SKILL.md files.
  • PowerShell equivalent of validate-index.yml: all files listed by index.yaml exist.
  • PowerShell equivalent of injection-scan.yml: no prompt injection patterns detected.
  • Markdown fence-balance check: passed for the edited file.
  • Targeted issue coverage check: confirmed override/replacement governance section, npm/Yarn/pnpm/Go/Rust mechanisms, trusted source, lockfile reflection, downgrade prevention, owner rationale, local path production exclusion, immutable git commits, all DEP-OVERRIDE-* IDs, and output review table are present.
  • Official reference availability checked with HTTP 200 for npm overrides, Yarn manifest resolutions, pnpm overrides, Go replace, and Cargo patch documentation.
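An added example, not part of this PR or of the UnitOneAI repository, showing how the override gates described above (fixed version vs. local path, mutable branch or immutable commit) can be checked mechanically for npm `overrides` and go.mod `replace` directives. The category names, the `review` helper and the sample manifests are constructed for this example and do not reproduce the PR's DEP-OVERRIDE-* IDs.

```python
import json
import re

GIT_COMMIT = re.compile(r"^[0-9a-f]{40}$")                       # full git SHA-1
NPM_FIXED = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")   # exact version, no range
GO_PSEUDO = re.compile(r"^v\d+\.\d+\.\d+-(?:\S+\.)?\d{14}-[0-9a-f]{12}$")  # pins one commit

def classify_npm(spec):
    """Category for one package.json "overrides" value (category names are this example's)."""
    if spec.startswith("$"):                      # "$pkg": reuse the direct dependency's version
        return "alias-to-direct-dep"
    if spec.startswith(("file:", "link:", "./", "../", "/")):
        return "local-path"
    if "://" in spec or spec.startswith(("git+", "git:", "github:", "gitlab:", "bitbucket:")):
        ref = spec.rsplit("#", 1)[1] if "#" in spec else ""   # no fragment = default branch
        return "git-immutable" if GIT_COMMIT.match(ref) else "git-mutable-ref"
    return "fixed-version" if NPM_FIXED.match(spec) else "floating-range"

def classify_go_replace(line):
    """(old, new, category) for a one-line go.mod replace directive, else None."""
    m = re.match(r"^\s*replace\s+(\S+)(?:\s+\S+)?\s*=>\s*(\S+)(?:\s+(\S+))?\s*$", line)
    if not m:
        return None
    old, new, ver = m.groups()
    if ver is None or new.startswith(("./", "../", "/")):   # filesystem replacement
        return old, new, "local-path"
    if GO_PSEUDO.match(ver):
        return old, new, "git-immutable"
    return old, new, "fixed-version"   # tagged release; trusted-source review still applies

RISKY = {"local-path", "git-mutable-ref", "floating-range"}

def review(package_json_text, go_mod_text):
    """Return (ecosystem, package, target, category) for entries failing the gate."""
    findings = []
    for name, spec in json.loads(package_json_text).get("overrides", {}).items():
        if isinstance(spec, str) and classify_npm(spec) in RISKY:   # nested objects skipped here
            findings.append(("npm", name, spec, classify_npm(spec)))
    for line in go_mod_text.splitlines():
        hit = classify_go_replace(line)
        if hit and hit[2] in RISKY:
            findings.append(("go", *hit))
    return findings

# Constructed sample manifests for this example.
SAMPLE_PKG = json.dumps({"overrides": {"lodash": "4.17.21", "glob": "^10",
    "minimist": "git+https://github.com/example/minimist-fork.git#main"}})
SAMPLE_GOMOD = ("replace example.com/lib v1.3.0 => ../lib-local\n"
                "replace example.com/old => example.com/fork v0.0.0-20240101120000-abcdef012345\n")
```

Running `review(SAMPLE_PKG, SAMPLE_GOMOD)` reports the floating range, the branch-pinned fork and the local Go path; the fixed lodash version and the commit-pinned Go pseudo-version pass.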
