
Add scanner asset identity freshness gates#2275

Open
Errordog2 wants to merge 1 commit into UnitOneAI:main from Errordog2:codex/scanner-asset-identity-freshness

Conversation

@Errordog2


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: scanner-tuning
Skill path: skills/vuln-management/scanner-tuning/

What Was Wrong

The scanner tuning skill had good false-positive taxonomy, authenticated scan guidance, severity override rules, and cross-scanner correlation, but it assumed that an affected asset remains stable once named by IP, hostname, or image tag.

In elastic cloud, container, and Kubernetes environments, that can misclassify stale findings:

  • a recycled IP/hostname can now point to a new cloud instance;
  • a mutable image tag can now point to a patched digest;
  • a Kubernetes workload or node can be recreated with a new UID;
  • a scanner asset record can split/merge or become stale;
  • a suppression keyed to IP/tag can hide a new vulnerable workload.

Related review issue: #2007

What This PR Fixes

  • Bumps scanner-tuning to 1.0.1.
  • Adds asset identity sources to the required context.
  • Extends false-positive and severity override records with stable asset identity and inventory timestamp fields.
  • Adds a dedicated Asset Identity Freshness Gate before true-positive, false-positive, suppression, or severity override decisions.
  • Requires stable identity evidence for VM/cloud instances, container images, Kubernetes workloads, and external endpoints/load balancers.
  • Adds stale compute and container tag-drift examples.
  • Requires suppression invalidation or revalidation when instance IDs, image digests, AMIs, Kubernetes UIDs, scanner UUIDs, or cloud resource IDs change.
  • Adds an Asset Identity Freshness output table.
  • Updates tuning classification and common pitfalls for IP/hostname/tag-only asset keys.

Evidence

Before: Scanner findings could be suppressed, escalated, or downgraded using IP/hostname/tag evidence even if the underlying workload had been replaced.

After: Reviewers must prove the scanner finding maps to the current stable asset identity, or mark the result stale / Not Evaluable / requiring revalidation.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

This existing skill stores examples in Markdown guidance files; the change keeps scope to SKILL.md.

Validation

  • git diff --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed file
  • Workflow-equivalent prompt-injection scan over skills/ and roles/
  • Marker check for version 1.0.1, Asset Identity Freshness, stable asset IDs, inventory timestamp, scanner asset UUID, image digest, Kubernetes UID, stale scan handling, and Not Evaluable handling

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance

Fixes #2007
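Added example, not code from this PR or from the scanner-tuning skill: a small Python gate that applies the freshness rules described above to a scanner finding, its suppression record and the current inventory record, and returns SUPPRESS, REVALIDATE, STALE or NOT_EVALUABLE. The field names, the 24-hour inventory freshness window and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Stable identity fields named in the PR; ip/hostname/image_tag alone are never sufficient.
STABLE_KEYS = ("instance_id", "image_digest", "k8s_uid", "scanner_asset_uuid", "cloud_resource_id")
MAX_INVENTORY_AGE = timedelta(hours=24)  # assumed freshness window, not taken from the PR

def freshness_gate(finding, suppression, inventory, now):
    """Return (decision, reason) for a finding before a suppression/override is honoured.
    finding: scanner record with mutable keys plus scanned_at; suppression: FP/override record,
    ideally carrying STABLE_KEYS; inventory: current cloud/Kubernetes asset record or None.
    """
    if inventory is None:
        return "NOT_EVALUABLE", "no current inventory record for this asset"
    age = now - inventory["observed_at"]
    if age > MAX_INVENTORY_AGE:
        return "STALE", f"inventory record is {age} old (limit {MAX_INVENTORY_AGE})"
    if finding["scanned_at"] < inventory["created_at"]:
        return "STALE", "scan predates the current asset; the IP/hostname was recycled"
    pinned = {k: suppression[k] for k in STABLE_KEYS if suppression.get(k)}
    if not pinned:
        return "REVALIDATE", "suppression keyed only by IP/hostname/tag; no stable identity"
    drifted = [k for k, v in pinned.items() if inventory.get(k) != v]
    if drifted:
        return "REVALIDATE", "stable identity changed: " + ", ".join(drifted)
    return "SUPPRESS", "finding maps to the same stable asset identity"

# Constructed sample records with hypothetical identifiers, not real assets.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

def run_examples():
    """Three cases from the PR description: recycled IP, image tag drift, valid suppression."""
    recycled_ip = freshness_gate(
        {"ip": "10.0.0.5", "scanned_at": NOW - 30 * H},
        {"ip": "10.0.0.5", "instance_id": "i-old"},
        {"instance_id": "i-new", "observed_at": NOW - H, "created_at": NOW - 2 * H}, NOW)
    tag_drift = freshness_gate(
        {"image_tag": "app:latest", "scanned_at": NOW - 2 * H},
        {"image_tag": "app:latest", "image_digest": "sha256:aaa"},
        {"image_digest": "sha256:bbb", "observed_at": NOW - H, "created_at": NOW - 3 * H}, NOW)
    still_valid = freshness_gate(
        {"ip": "10.0.0.7", "scanned_at": NOW - H},
        {"ip": "10.0.0.7", "k8s_uid": "uid-1"},
        {"k8s_uid": "uid-1", "observed_at": NOW - H, "created_at": NOW - 48 * H}, NOW)
    return {"recycled_ip": recycled_ip[0], "tag_drift": tag_drift[0], "still_valid": still_valid[0]}
```

The ordering matters: inventory age and scan age are checked before the identity comparison, so a stale record is never used to confirm a match.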


Development

Successfully merging this pull request may close these issues.

[REVIEW] scanner-tuning: add ephemeral asset identity and stale-scan evidence gates
