Commit e5a6398

anandrayclaude and committed
docs(security): clarify Scorecard findings surface as code scanning alerts
CodeRabbit flagged that Scorecard appeared in the scanning-tools list but wasn't covered explicitly by any dismissal-flow section. In our setup, Scorecard publishes SARIF that surfaces as code scanning alerts in GitHub's UI (that's the channel by which alert #565 — Scorecard DangerousWorkflowID — was dismissed via the two-person flow). Adds an intro sentence making this coverage explicit so an auditor reading the doc doesn't have to infer it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 6ecddef commit e5a6398

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

SECURITY.md

@@ -42,7 +42,7 @@ We take security vulnerabilities seriously. If you discover a security issue, pl
4242

4343
## Vulnerability & Alert Triage
4444

45-
This project uses GitHub-native scanning on the `develop` branch — CodeQL (Default Setup), Secret Scanning with Push Protection, Scorecard, and Dependabot. All findings are triaged against the SLAs in [What to Expect](#what-to-expect).
45+
This project uses GitHub-native scanning on the `develop` branch — CodeQL (Default Setup), Secret Scanning with Push Protection, Scorecard, and Dependabot. CodeQL and Scorecard findings both surface as code scanning alerts in the same GitHub UI and share the dismissal workflow described below. All findings are triaged against the SLAs in [What to Expect](#what-to-expect).
4646

4747
### Two-Person Control on Code Scanning Alert Dismissals
4848

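Review bot: the added sentence states that Scorecard findings surface as code scanning alerts and share the dismissal workflow below, but the diff gives the reader nothing to verify that against; the commit message attributes it to Scorecard publishing SARIF, and that detail belongs in the document itself. Suggest extending the sentence to "CodeQL and Scorecard findings both surface as code scanning alerts in the same GitHub UI (Scorecard publishes SARIF to code scanning) and share the dismissal workflow described below", and pointing at the workflow that performs the upload so an auditor can confirm the channel rather than infer it. Also, Secret Scanning with Push Protection and Dependabot are named in the same sentence but their alerts are not code scanning alerts, so the two-person control section that follows ("Two-Person Control on Code Scanning Alert Dismissals") still leaves their dismissal paths unaddressed; either state that the control applies to them as well or say where those flows are documented.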
0 commit comments