Add semgrep security scan for command injection in Windows files

[KlwntSingh]

Summary

Adds custom semgrep rules to detect potential command injection vulnerabilities (CWE-78) in Windows-specific code paths during PRs.

Implementation details

Two custom semgrep rules:

1. command-injection-exec-variable — Flags execCommand/exec.Command/exec.CommandContext calls with variable (non-literal) arguments
2. unsanitized-powershell-interpolation — Flags fmt.Sprintf with PowerShell-related format strings where variables are interpolated

Behavior

• Triggers on pull_request only
• Only scans files with _windows in the filename
• Diff-aware: only reports findings in new/changed code
• Auto-detects base branch
• Posts warning annotations inline on PR files
• Posts a summary comment on the PR if findings exist
• Does not block merge (informational only)

Testing

Validated on fork (KlwntSingh/amazon-ecs-agent2):

Test	PR	Expected	Result
Windows file with execCommand(var, ...)	PR #9	Flagged	✅
Linux file with same vulnerable pattern	PR #10	Not flagged	✅
Windows file with string interpolation only (no execution)	PR #11	Not flagged	✅
Windows file with env vars fix applied (args passed as variable)	PR #12	Flagged (false positive)	✅

Note on PR #12: Rule 1 flags execCommand("powershell.exe", args...) because args is a variable, even though it's built from string literals. Semgrep cannot track that a variable was constructed from safe values. This is an acceptable false positive — it errs on the side of caution and prompts the developer to verify the code is safe.

New tests cover the changes: no

Description for the changelog

security: add semgrep scan for command injection in Windows files

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.