scorecard
Calculate risk based on score of the check
Is your feature request related to a problem? Please describe.
In the future the Token-Permissions check will give different scores depending on how well the best practices have been followed. But even if one gets a score of 9, they will still get a High risk issue in the SARIF file. This score then gets shown in the Code scanning alerts dashboard when the Scorecards GitHub action is used in a repository.

Describe the solution you'd like
The risk of the issue that is emitted in the SARIF file should be based on the score of the check. If the score is high, the risk should be lower.

Describe alternatives you've considered
An alternative could be for each repository owner to have a policy file to set a threshold of risk.

Additional context
This is related to the discussion at https://github.com/ossf/scorecard/issues/1128
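One way the proposal above could look in code, as an added example that is not part of the issue and not Scorecard's own implementation: the check score (Scorecard scores run from 0 to 10, with -1 for an inconclusive result) is mapped to one of the SARIF 2.1.0 result levels ("error", "warning", "note", "none") through a per-repository threshold policy, covering both the suggested solution and the policy-file alternative. The Policy type, its field names, the default thresholds (error below 5, warning below 8) and the use of the check name as the SARIF ruleId are all assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Scorecard scores a check from 0 (worst) to 10 (best); -1 marks an
// inconclusive result. Everything in this file is an added illustration
// of the proposal in the issue, not Scorecard's own code.
const (
	MinScore          = 0
	MaxScore          = 10
	InconclusiveScore = -1
)

// Policy is a per-repository threshold set (the "policy file" alternative
// from the issue). A score below ErrorBelow is reported as a SARIF "error",
// a score below WarningBelow as a "warning", anything else as a "note".
// Field names and default values are assumptions made for this example.
type Policy struct {
	ErrorBelow   int
	WarningBelow int
}

// DefaultPolicy is an assumed default; real thresholds would be a project decision.
var DefaultPolicy = Policy{ErrorBelow: 5, WarningBelow: 8}

// Validate rejects thresholds that are out of range or inverted, so a bad
// policy file fails loudly instead of silently downgrading every finding.
func (p Policy) Validate() error {
	if p.ErrorBelow < MinScore || p.WarningBelow > MaxScore || p.ErrorBelow > p.WarningBelow {
		return fmt.Errorf("invalid policy: ErrorBelow=%d WarningBelow=%d", p.ErrorBelow, p.WarningBelow)
	}
	return nil
}

// LevelForScore maps a check score to a SARIF result level.
// SARIF 2.1.0 defines the levels "error", "warning", "note" and "none".
func LevelForScore(score int, p Policy) (string, error) {
	if err := p.Validate(); err != nil {
		return "", err
	}
	switch {
	case score == InconclusiveScore:
		// Nothing was established either way, so no alert is raised for it.
		return "none", nil
	case score < MinScore || score > MaxScore:
		return "", fmt.Errorf("score %d outside %d..%d", score, MinScore, MaxScore)
	case score < p.ErrorBelow:
		return "error", nil
	case score < p.WarningBelow:
		return "warning", nil
	default:
		return "note", nil
	}
}

// SarifResult is the subset of a SARIF "result" object needed here.
type SarifResult struct {
	RuleID     string            `json:"ruleId"`
	Level      string            `json:"level"`
	Message    map[string]string `json:"message"`
	Properties map[string]int    `json:"properties"`
}

// ResultFor builds one SARIF result for a check, carrying the raw score in
// the properties bag so a dashboard can still show the number itself.
func ResultFor(checkName string, score int, p Policy) (SarifResult, error) {
	level, err := LevelForScore(score, p)
	if err != nil {
		return SarifResult{}, err
	}
	return SarifResult{
		RuleID:     checkName,
		Level:      level,
		Message:    map[string]string{"text": fmt.Sprintf("%s scored %d/%d", checkName, score, MaxScore)},
		Properties: map[string]int{"score": score},
	}, nil
}

func main() {
	// Constructed sample scores for the check named in the issue.
	for _, score := range []int{0, 4, 9, InconclusiveScore} {
		r, err := ResultFor("Token-Permissions", score, DefaultPolicy)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		b, _ := json.Marshal(r)
		fmt.Println(string(b))
	}
}
```

With the assumed defaults a Token-Permissions score of 9 becomes a "note" rather than an error-level alert, which is the behaviour the issue asks for; a repository that wants stricter handling raises ErrorBelow and WarningBelow in its policy without any change to the check itself.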