fix(build): more reliably ignore node_modules in secret scanner #7012

Draft

ndhoule wants to merge 1 commit into main from fix/more-reliably-ignore-node-modules-secret-scanning

Conversation

@ndhoule (Contributor) commented Mar 31, 2026

If there's no .gitignore present or if base resolves to a path that isn't the root of the project, we'll scan node_modules for secrets. Looking at the notes on the current implementation, I think the intention here is really to only scan node_modules directories that are vendored into the repository by the user.

This change updates the scanner to scan node_modules only if we're positive that the user has vendored their node_modules directory (or director_ies_, I guess).

Other little problems I noticed with the current implementation that this fixes:

  • We currently ignore any path that has node_modules in its name, even if it's just a substring or if it's not a directory
  • We ignore node_modules if the substring node_modules is found in the user's .gitignore, even if it's a substring or targets a different node_modules
  • We ignore nested .gitignore files, so we may be matching against an incomplete .gitignore list
  • If base does not resolve to the repository root, we won't locate a .gitignore. (I don't know if this is actually happening currently--I'd need to confirm with a repro.)

@coderabbitai bot (Contributor) commented Mar 31, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 45ce754f-d42e-46b4-bf20-427196723c81

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Some current problems:

- We currently ignore any path that has `node_modules` in its name,
  even if it's just a substring or if it's not a directory
- We ignore `node_modules` if the substring `node_modules` is found
  in the user's `.gitignore`, even if it's a substring or targets a
  different `node_modules`
- If `base` does not resolve to the repository root, we won't locate a
  `.gitignore`
- We ignore nested `.gitignore` files, so we match against an incomplete
  `.gitignore` list. (A little fringe, but true)
@ndhoule force-pushed the fix/more-reliably-ignore-node-modules-secret-scanning branch from 645b23d to e4bd18a on March 31, 2026 at 20:28