The binary doubles as its own healthcheck client via the SDK's
-healthcheck flag, so the probe works in the scratch image
(no shell, no curl, no wget).
Skipped tests that are not problematic should be UNKNOWN rather
than INFO; the affected rules cannot evaluate without their input,
so they are non-evaluations, not findings.
