feat: add Checkov CI workflow and SAST blog post

[alismx]

Summary

Adds Checkov CI workflow, updates gitleaks job name, and publishes checkov SAST blog post.

Changes

• .github/workflows/checkov.yml: New workflow — runs Checkov with github_failed_only output on PRs
• .github/workflows/gitleaks.yml: Renamed job from scan → gitleaks
• .checkov.yaml: New checkov config file with skip-check and compact settings
• docs/blog/posts/2026/06/sast-iac-checkov.md: New blog post (181 lines) on using Checkov for IaC scanning, added sast tag and comprehensive tags for all IaC types covered
• docs/blog/posts/2026/06/sast-git-secrets-gitleaks.md: Added tags for tools/concepts: detect, allowlist, rule, redact
• docs/blog/posts/2026/06/sast-python-bandit.md: Added tags: sarif, precommit, baseline, yaml, toml, nossec, rule, severity, confidence
• docs/blog/posts/2026/06/util-terraform-tfenv.md: Added tags: pin, shell, semver
• site/: Regenerated site with new blog posts and assets

Why

• Automated IaC security scanning in CI
• Blog content for Checkov guide
• Better post discoverability via comprehensive tags

Testing

• CI passes

Related

• PR chore: regenerate site and update generated files #15