Add a SAST configuration option to disable comment-based finding suppression
Background
Some scanners offer the ability to suppress findings based on comments on the same line. For example, Semgrep supports nosemgrep comments. Flawfinder has a similar option, so we already support passing --neverignore to Flawfinder.
Proposal
Introduce a single CI/CD variable that controls whether comment-based suppression of scan findings is allowed.
This variable would control the setting for any analyzer that has the capability to suppress results based on a comment.
The specific behavior would need to be defined for each analyzer. For example, based on #428933 (comment 1710630995) it seems that an implementation of this in the Semgrep-based analyzer would need to do more than provide the --disable-nosem CLI flag to the analyzer.
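To make the proposed switch concrete, here is an added example (not GitLab's or Semgrep's own code) of how an analyzer wrapper could honour such a variable: it scans source lines against a tiny constructed rule set, parses a simplified nosemgrep-style marker, and decides per finding whether the marker is allowed to suppress it. The variable name SAST_DISABLE_COMMENT_SUPPRESSION, the rule ids and the sample source are all hypothetical; the marker grammar is a simplification, not Semgrep's full syntax. Suppressed findings are kept with a flag rather than dropped, so turning suppression off becomes an audit of what the comments were hiding.

```python
import os
import re
from dataclasses import dataclass

# Hypothetical CI/CD variable name, assumed for this example only.
DISABLE_VAR = "SAST_DISABLE_COMMENT_SUPPRESSION"

# Constructed toy rule set: rule id -> pattern matched against the code part of a line.
RULES = {
    "python.subprocess-shell-true": re.compile(r"shell\s*=\s*True"),
    "python.eval-use": re.compile(r"\beval\("),
}

# Simplified marker: "# nosemgrep" (blanket) or "# nosemgrep: id1, id2" (specific ids).
NOSEM_RE = re.compile(r"#\s*nosemgrep(?::\s*([\w.\-,\s]+))?")


@dataclass
class Finding:
    rule_id: str
    line_no: int
    suppressed: bool  # True only when a comment was allowed to hide the finding


def comment_suppression_allowed(env=None):
    """Read the toggle: suppression stays allowed unless the variable is true/1."""
    env = os.environ if env is None else env
    return env.get(DISABLE_VAR, "false").strip().lower() not in ("true", "1")


def suppression_ids(line):
    """None if no marker; empty set for a blanket marker; else the listed rule ids."""
    m = NOSEM_RE.search(line)
    if not m:
        return None
    if not m.group(1):
        return set()
    return {x.strip() for x in m.group(1).split(",") if x.strip()}


def scan(source, allow_comment_suppression):
    """Match rules on the code part of each line; honour markers only when allowed."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]  # crude comment split, fine for the constructed sample
        ids = suppression_ids(line)
        for rule_id, pattern in RULES.items():
            if not pattern.search(code):
                continue
            suppressed = (
                allow_comment_suppression
                and ids is not None
                and (not ids or rule_id in ids)  # blanket marker or matching id
            )
            findings.append(Finding(rule_id, line_no, suppressed))
    return findings


def reported(findings):
    return [(f.rule_id, f.line_no) for f in findings if not f.suppressed]


def hidden_by_comments(findings):
    return [(f.rule_id, f.line_no) for f in findings if f.suppressed]


# Constructed sample: two valid markers, one marker naming the wrong rule, one bare hit.
SAMPLE = """\
import subprocess
subprocess.run(cmd, shell=True)  # nosemgrep: python.subprocess-shell-true
result = eval(user_input)  # nosemgrep
subprocess.run(cmd, shell=True)  # nosemgrep: python.eval-use
total = eval("1+1")
"""

if __name__ == "__main__":
    allow = comment_suppression_allowed()
    results = scan(SAMPLE, allow)
    print("comment suppression allowed:", allow)
    print("reported:", reported(results))
    print("hidden by comments:", hidden_by_comments(results))
```

Run with the variable unset to see two findings hidden and two reported; run with SAST_DISABLE_COMMENT_SUPPRESSION=true and all four are reported. Note that the marker on line 4 names a different rule than the one that fired, so it suppresses nothing in either mode, which is the behaviour a reviewer would expect from id-scoped markers.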
Coordination with Secret Detection
We could use a single variable that affects both Secret Detection and SAST. However, this seems like it could be confusing, because most variables are scoped to a single scan type today. The pattern we use today is to have similar variables, but prefix them differently, for example SAST_RULESET_GIT_REFERENCE and SECRET_DETECTION_RULESET_GIT_REFERENCE. If this approach works well for SAST we should open a new issue and implement it for Secret Detection as well. (Gitleaks supports a similar comment.)