security-workflows/.gitea
JonKazama-Hellion c0d2b12b4f Add semgrep-exclude-rules input, drop WARNING-severity-as-failing
Two changes for noise reduction and per-repo control:

1. New optional input `semgrep-exclude-rules` (comma-separated rule
   IDs). Lets a consumer skip rules that are context-specific false
   positives (e.g. SQLi rules in a local-only plugin with SqlParameter-
   bound values).

2. Semgrep now only fails the build on ERROR-severity findings.
   WARNING-level rules still run for visibility but do not block.
   Keeps the noise floor low while still surfacing concerns.

Both are opt-in for consumers, default behaviour stays scan-everything.
2026-05-09 11:53:36 +02:00