fix: remove incorrect 'source' argument from osv-scanner command

The osv-scanner was failing with "lstat source: no such file or directory"
because it was interpreting "source" as a directory name to scan.

The correct syntax is:
  osv-scanner scan -r .

NOT:
  osv-scanner scan source -r .

The word "source" is not part of the osv-scanner CLI syntax for
direct invocation. It only appears in pre-commit hook configurations
with the --recursive flag.

This fix completes the resolution of the security scanning issues:
- govulncheck: ✅ Working (PATH fix)
- gosec: ✅ Working (PATH fix)
- osv-scanner: ✅ Should now work (PATH + syntax fix)

References:
- https://google.github.io/osv-scanner/usage/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Author: richardwooding

.github/workflows/security.yml

@@ -52,7 +52,7 @@ jobs:
         run: go install github.com/google/osv-scanner/cmd/osv-scanner@latest
 
       - name: Run OSV Scanner
-        run: $(go env GOPATH)/bin/osv-scanner scan source -r .
+        run: $(go env GOPATH)/bin/osv-scanner scan -r .
 
   gosec:
     name: Go Security Analysis