fix: accept GitHub API rate limits in GHSA health check

- Rate limits (403) are now accepted as healthy
- Rate limiting is expected without a GitHub token
- Only real errors (network failures, 500s) fail the health check
- Prevents health check failures due to unauthenticated API usage

Related: GHSA scanner health checks

pkg/scanner/ghsa/ghsa.go

@@ -107,11 +107,17 @@ func (s *Scanner) Health(ctx context.Context) error {
 	}
 	defer resp.Body.Close() // #nosec G104 -- Cleanup, error not critical
 
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("github api returned status: %d", resp.StatusCode)
+	// Accept any 2xx or 403 (rate limit) as healthy
+	// Rate limits are expected without a GitHub token and shouldn't fail health checks
+	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
+		return nil
+	}
+	if resp.StatusCode == http.StatusForbidden {
+		log.Debug().Msg("GitHub API rate limited (expected without token)")
+		return nil
 	}
 
-	return nil
+	return fmt.Errorf("github api returned status: %d", resp.StatusCode)
 }
 
 // mapRegistryToEcosystem maps our registry names to GitHub ecosystem names