
Add exclude option to skip gems by name during audit#419

Open
mlarraz wants to merge 1 commit into rubysec:master from mlarraz:add-exclude-option

Conversation


@mlarraz mlarraz commented Apr 2, 2026

Description

Adds an exclude configuration option (and --exclude / -e CLI flag) that skips entire gems by name during scanning, so they never hit the advisory database at all.

This is semantically different from ignore (which skips specific advisory IDs after lookup): exclude is a scoping decision — "this gem isn't part of my application" — while ignore is a risk acceptance — "I know about this CVE and accept it."

Useful for Rails apps that bundle gems they don't actually use (e.g. activestorage, actiontext, actionmailbox) where every new CVE triggers a false audit failure. Currently the only workaround is adding each CVE ID to the ignore list, which is tedious and never-ending.

Usage

Config file (.bundler-audit.yml):

---
ignore:
  - CVE-2024-1234
exclude:
  - activestorage
  - actiontext

CLI:

bundle-audit check --exclude activestorage actiontext

Changes

  • Configuration: new attr_reader :exclude (returns Set<String>), YAML validation mirroring ignore
  • Scanner#scan_specs: resolves exclude from options or config, skips gem before advisory lookup via next if exclude.include?(gem.name)
  • CLI#check: new --exclude / -e array option, passed through to scanner.report
  • Tests: validation specs, initializer specs, scanner specs (option-based and config-file-based), new fixtures

Test plan

  • New configuration validation tests (not an array, contains non-string)
  • New #initialize tests (default empty Set, given :exclude list)
  • Scanner test: :exclude option filters gems from results
  • Scanner test: exclude from .bundler-audit.yml config file works
  • All existing tests continue to pass

Allow users to exclude entire gems from scanning via config file
(`exclude:` key in .bundler-audit.yml) or CLI (`--exclude`/`-e` flag).

Unlike `ignore` which skips specific advisory IDs after lookup,
`exclude` skips gems entirely before any advisory database check.
This is useful for Rails apps that bundle gems they don't actually
use (e.g. activestorage, actiontext) where every new CVE triggers
a false audit failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
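The PR description draws a line between two filters: `exclude` is applied to the gem name before any advisory lookup, while `ignore` is applied to individual advisory IDs after the lookup. The following Ruby snippet is an added illustration of that ordering and of the "array of strings" config validation the PR mentions; it is not bundler-audit's own code. The advisory table, the lockfile contents, and the helper names (`parse_name_list`, `load_config`, `scan`) are all constructed for this example.

```ruby
require 'rubygems'
require 'set'
require 'yaml'

# Constructed advisory table (stand-in for an advisory database):
# gem name => advisories, each with the first non-vulnerable version.
ADVISORIES = {
  'activestorage' => [{ id: 'CVE-2024-0001', patched_in: '7.1.3' }],
  'actiontext'    => [{ id: 'CVE-2024-0002', patched_in: '7.1.3' }],
  'rack'          => [
    { id: 'CVE-2024-1234', patched_in: '3.0.10' },
    { id: 'CVE-2024-5678', patched_in: '3.0.11' },
  ],
}.freeze

# Constructed lockfile contents: gem name => installed version.
LOCKED_SPECS = {
  'activestorage' => Gem::Version.new('7.1.0'),
  'actiontext'    => Gem::Version.new('7.1.0'),
  'rack'          => Gem::Version.new('3.0.9'),
  'nokogiri'      => Gem::Version.new('1.16.0'),
}.freeze

# Validation in the spirit of the PR: the key, when present, must be an
# Array of Strings. A malformed value raises instead of silently
# excluding nothing (or, worse, matching unexpectedly).
def parse_name_list(config, key)
  value = config.fetch(key, [])
  raise ArgumentError, "#{key} must be an Array" unless value.is_a?(Array)
  unless value.all? { |v| v.is_a?(String) }
    raise ArgumentError, "#{key} must only contain Strings"
  end
  value.to_set
end

# Parse a .bundler-audit.yml-style document into the two filter sets.
def load_config(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  {
    ignore:  parse_name_list(config, 'ignore'),
    exclude: parse_name_list(config, 'exclude'),
  }
end

# Scan locked specs against the advisory table.
# `lookups` records which gem names were actually looked up, so a caller
# can verify that excluded gems never reach the database at all.
def scan(specs, advisories, exclude: Set.new, ignore: Set.new, lookups: [])
  results = []
  specs.each do |name, version|
    # exclude: a scoping decision, applied BEFORE the advisory lookup
    next if exclude.include?(name)
    lookups << name
    advisories.fetch(name, []).each do |adv|
      next unless version < Gem::Version.new(adv[:patched_in])
      # ignore: a risk acceptance, applied AFTER the lookup, per advisory ID
      next if ignore.include?(adv[:id])
      results << { gem: name, version: version.to_s, id: adv[:id] }
    end
  end
  results
end

if $PROGRAM_NAME == __FILE__
  cfg = load_config(<<~YAML)
    ---
    ignore:
      - CVE-2024-1234
    exclude:
      - activestorage
      - actiontext
  YAML
  looked_up = []
  scan(LOCKED_SPECS, ADVISORIES, lookups: looked_up, **cfg).each do |r|
    puts "#{r[:gem]} #{r[:version]}: #{r[:id]}"
  end
  puts "looked up: #{looked_up.join(', ')}"
end
```

Running the script prints only the unignored rack advisory and shows that `activestorage` and `actiontext` were never looked up, whereas an `ignore` entry still requires the lookup to happen first so the remaining advisories for that gem are reported.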