fix: exclude vendored Lua 5.1.5 from Semgrep security scan

The Semgrep security scan was failing because vendored Lua 5.1.5 source
uses strcpy/strncpy which are flagged as insecure C functions. These are
false positives in frozen third-party code that we don't modify.

Added .semgrepignore to exclude all vendored extern/ directories
(lua-5.1.5, imgui, stb, vk-bootstrap, FidelityFX SDKs).
Kelsi 2026-03-20 12:27:59 -07:00
parent 062cfd1e4a
commit 7d178d00fa

.semgrepignore Normal file

@ -0,0 +1,8 @@
# Vendored third-party code (frozen releases, not ours to modify)
extern/lua-5.1.5/
extern/imgui/
extern/stb_image.h
extern/stb_image_write.h
extern/vk-bootstrap/
extern/FidelityFX-FSR2/
extern/FidelityFX-SDK/
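
Review bot: the path entries from extern/lua-5.1.5/ through extern/FidelityFX-SDK/ remove those trees from every Semgrep rule, while the commit message identifies only the strcpy/strncpy findings in Lua 5.1.5 as the false positives. Consider scoping the exclusion to that rule for the vendored paths, or extend the header comment to state how these frozen releases are checked for known vulnerabilities now that the scan no longer sees them. The commit message also says all vendored extern/ directories are excluded, but the list is per entry (the two stb headers are named by file), so anything vendored under extern/ later will be scanned until it is added here; the comment should say whether that is intended.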