ci: The Security scanners should not pull artifacts

The SAST security scanner should not use/scan any built artifacts from
the pipeline. They also have no dependancies so can run early in the
pipline

Signed-off-by: Drew Reed <Drew.Reed@arm.com>