fix(daily-scan): point Trivy at published artifact dependencies

[thpierce]

What

Point Trivy at the published artifact dependency tree (scan-target/) instead of scanning the full repo source at HEAD.

Why

Trivy was scanning scan-ref: '.', which:

• Picked up 42 devDependencies from the root package-lock.json (mocha, sinon, eslint, fastify, koa, aws-sdk v2, typescript, etc.)
• Found CVEs in fastify and koa — dev deps that customers never install
• Scanned source at HEAD, not the released version

How

Changed scan-ref from '.' to 'scan-target/', which already contains package-lock.json from npm install aws-xray-sdk. Only runtime deps.

Local validation

• Trivy: Parses package-lock.json, 0 vulns (clean — fastify/koa/ajv CVEs correctly excluded)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.31%. Comparing base (68405ff) to head (d73f9e1).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #751   +/-   ##
=======================================
  Coverage   84.31%   84.31%           
=======================================
  Files          36       36           
  Lines        1817     1817           
=======================================
  Hits         1532     1532           
  Misses        285      285           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.