Add gha-shield code-scanning starter #3311

Open

Fabridev444 wants to merge 1 commit into actions:main from Fabridev444:add-gha-shield-code-scanning

Add gha-shield code-scanning starter#3311
Fabridev444 wants to merge 1 commit into
actions:mainfrom
Fabridev444:add-gha-shield-code-scanning

Conversation

@Fabridev444

Adds a starter workflow for gha-shield — a code-scanning Action that scans .github/workflows/*.yml for 13 categorized security rules.

Why this might be useful for the catalog

The existing code-scanning catalog focuses on application code (SAST for JS/Python/Java/Ruby/Go, container scanning, dependency scanning). gha-shield fills a different gap: scanning the workflow YAMLs themselves. Most repos accumulate workflow vulnerabilities (unpinned actions, command injection via `${{ github.event.* }}`, missing `permissions:`, hardcoded keys in `env:`, etc.) that no SAST tool covers.

The 13 rules at a glance

| Rule | Severity | What it catches |
| --- | --- | --- |
| `unpinned-action` | HIGH | third-party action not pinned to a 40-char SHA |
| `prtarget-checkout-prref` | CRIT | `pull_request_target` + checkout of attacker-controlled ref |
| `cmd-injection` | CRIT | tainted `${{ … }}` interpolated into `run:` (with `SAFE_LEAF_FIELDS` allowlist) |
| `no-permissions` | MED | external trigger without explicit `permissions:` |
| `continue-on-error-auth` | HIGH | `continue-on-error: true` on auth/test/audit steps |
| `secret-in-if` | MED | `secrets.*` inside `if:` (debug-log leak) |
| `curl-pipe-bash` | HIGH | remote scripts piped straight to a shell |
| `untrusted-download` | MED | gist/raw/paste download without checksum |
| `scheduled-broad-perms` | MED | `schedule:` + missing/loose token scope |
| `workflow-run-untrusted-checkout` | CRIT | `workflow_run` + checkout of triggering workflow's ref |
| `hardcoded-secret` | CRIT | provider-prefixed key (sk-, ghp_, AKIA…) in `env:` |
| `third-party-action-token` | HIGH/MED | untrusted-owner action receiving `GITHUB_TOKEN` / `secrets.*` |
| `no-timeout-minutes` | LOW | externally-triggered jobs without `timeout-minutes` |

Compliance with the contributing guidelines

  • Simple as needed — single job, one Action invocation, three inputs (all with defaults).
  • No 3rd-party services — the Action runs entirely in the runner, no telemetry, no logs.
  • Not dependent on a paid service — V1 is free forever; the optional Pro tier ships separately and is not required.
  • SHA-pinning for non-`actions` org — the starter uses `Fabridev444/gha-shield@v1.0.1` (a published tag); happy to switch to the SHA `` if that's preferred, just say the word.

Receipts

Happy to iterate on the starter content, the properties JSON, or the icon — let me know what fits best.

@Fabridev444 Fabridev444 requested review from a team as code owners May 26, 2026 20:25
@github-actions github-actions Bot added the code-scanning Related to workflows that show on the Code Scanning setup page label May 26, 2026
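To make the kind of checks the PR describes concrete, here is an added example (not gha-shield's own code) that implements line-level versions of three of the listed rules, `unpinned-action`, `cmd-injection` and `no-permissions`, and runs them over a constructed workflow. The `SAFE_LEAF_FIELDS` contents and the "skip the `actions/` org" rule are assumptions, not taken from the Action.

```python
import re

# Constructed sample workflow (not from the PR); it trips three rules and
# contains one correctly pinned action and one allowlisted expression.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@v2
      - uses: other-org/lint@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - run: echo "PR ${{ github.event.pull_request.number }}"
"""

USES_RE = re.compile(r"uses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
RUN_KEY_RE = re.compile(r"\brun:")
EVENT_EXPR_RE = re.compile(r"\$\{\{\s*github\.event\.([\w.]+)\s*\}\}")
EXTERNAL_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Assumed allowlist: leaf fields that cannot carry attacker-chosen text.
SAFE_LEAF_FIELDS = {"number", "action", "id"}


def scan(text):
    """Return (rule, line_no, detail) tuples; line 0 means file-level."""
    findings = []
    run_indent = None  # column of the run: key whose block we are inside
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # indentation dropped: the run: block ended
        m = USES_RE.search(line)
        if m and not m.group(1).startswith("actions/") and not SHA_RE.match(m.group(2)):
            findings.append(("unpinned-action", no, m.group(0).strip()))
        r = RUN_KEY_RE.search(line)
        if r:
            run_indent = r.start()
        if run_indent is not None:  # only expressions expanded into a shell count
            for expr in EVENT_EXPR_RE.findall(line):
                if expr.split(".")[-1] not in SAFE_LEAF_FIELDS:
                    findings.append(("cmd-injection", no, "github.event." + expr))
    triggered = any(re.search(rf"(^\s*-?\s*|[\[,]\s*){t}\b", text, re.M) for t in EXTERNAL_TRIGGERS)
    if triggered and not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append(("no-permissions", 0, "external trigger without permissions:"))
    return findings


if __name__ == "__main__":
    for rule, no, detail in scan(SAMPLE_WORKFLOW):
        print(f"{rule}: line {no}: {detail}")
```

The checks are text heuristics, so a real scanner would parse the YAML instead; the point here is which patterns each rule keys on and why the allowlisted `number` expression is not reported.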