allstar: enable SARIF upload for scorecard policy #75

Merged
justaugustus merged 1 commit into main from allstar-sarif-upload
Mar 22, 2026

@justaugustus
Member

Summary

  • Enable SARIF upload in the Allstar Scorecard policy config

Context

Testing the evidence upload feature from ossf/allstar#796. This adds upload: {sarif: true} to the existing Scorecard policy config so that scan results are uploaded to each repo's Security > Code Scanning tab.

Test plan

  • Run self-hosted Allstar with -once flag against this org
  • Verify SARIF appears in repo Security tabs
  • Revert after testing is complete

🤖 Generated with Claude Code

Add upload.sarif: true to the Scorecard policy config. This enables
uploading Scorecard SARIF results to each repo's Security > Code
Scanning tab.

Requires ossf/allstar#796 (evidence-upload branch).

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
@kusari-inspector

⚠️ Workspace Mapping Required

Hello! We noticed that your GitHub organization is not yet mapped to a Kusari workspace. Kusari Inspector now requires installations to be associated with a Kusari workspace.

⚠️ NOTE: Only the admin who installed the Kusari GitHub App can complete these steps. If the admin is unable to complete these steps, please contact support@kusari.dev

To complete the setup:

  1. Visit https://console.us.kusari.cloud/auth/github and log in via GitHub
  2. If you have only one workspace, it will be automatically selected for you
  3. Once the mapping is complete, return here and create a new comment with: @kusari-inspector re-run

This will trigger the analysis to run again.

For more information, or if you need help, visit https://github.com/kusaridev/community/discussions

@justaugustus justaugustus merged commit f483a37 into main Mar 22, 2026
1 check passed
@justaugustus justaugustus deleted the allstar-sarif-upload branch March 22, 2026 15:36
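
The test plan's second step (verify SARIF appears in repo Security tabs) can also be checked from the API instead of the UI. The following is an added example, not code from this PR or from Allstar; it assumes the response shape of GitHub's `GET /repos/{owner}/{repo}/code-scanning/analyses` endpoint, and the sample records, the tool name "Scorecard" and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the response of
# GET /repos/{owner}/{repo}/code-scanning/analyses (GitHub REST API).
# All values, including the tool name "Scorecard", are assumptions.
SAMPLE_ANALYSES = json.loads("""
[
  {"id": 201, "ref": "refs/heads/main", "created_at": "2026-03-22T15:10:00Z",
   "results_count": 7, "error": "", "tool": {"name": "Scorecard", "version": null}},
  {"id": 200, "ref": "refs/heads/main", "created_at": "2026-03-20T09:00:00Z",
   "results_count": 3, "error": "", "tool": {"name": "CodeQL", "version": "2.0.0"}},
  {"id": 199, "ref": "refs/heads/main", "created_at": "2026-03-01T08:00:00Z",
   "results_count": 0, "error": "upload rejected", "tool": {"name": "Scorecard", "version": null}}
]
""")


def parse_ts(value):
    """Parse the API's ISO 8601 UTC timestamps ("...Z") into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def uploads_since(analyses, tool_name, since):
    """Return error-free analyses from tool_name created at or after `since`."""
    hits = []
    for a in analyses:
        tool = (a.get("tool") or {}).get("name", "")
        if tool.lower() != tool_name.lower():
            continue
        if a.get("error"):
            continue  # an upload that failed processing is not evidence
        if parse_ts(a["created_at"]) >= since:
            hits.append(a)
    return sorted(hits, key=lambda a: a["created_at"], reverse=True)


def verify_repo(analyses, tool_name, run_started):
    """Summarise whether the Allstar run produced a visible upload for one repo."""
    hits = uploads_since(analyses, tool_name, run_started)
    if not hits:
        return {"uploaded": False, "analysis_id": None, "results": 0}
    return {"uploaded": True, "analysis_id": hits[0]["id"], "results": hits[0]["results_count"]}


if __name__ == "__main__":
    started = datetime(2026, 3, 22, 15, 0, tzinfo=timezone.utc)
    print(verify_repo(SAMPLE_ANALYSES, "Scorecard", started))
```

Filtering on the run's start time keeps an older upload from masking a run that uploaded nothing, which also matters when confirming the revert in the last step.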