fix(ci): configure OWASP Dependency-Check to output SARIF format

- Change format from JSON to SARIF for code scanning upload
- Set output directory to reports/
- Update upload path to match generated file location (reports/dependency-check-report.sarif)

Author: ZoneMix

.github/workflows/security.yml

@@ -178,7 +178,9 @@ jobs:
         with:
           project: 'budget-automation'
           path: '.'
-          format: 'JSON'
+          format: 'SARIF'
+          args: >
+            --out reports
 
       - name: Upload Dependency-Check results
         uses: github/codeql-action/upload-sarif@v4
@@ -188,7 +190,7 @@ jobs:
             github.event.pull_request.head.repo.full_name == github.repository
           )
         with:
-          sarif_file: 'dependency-check-report.sarif'
+          sarif_file: 'reports/dependency-check-report.sarif'
           category: 'dependency-check'
 
   license-check: