> The goal of this change is to introduce a lightweight, periodic CVE scan
> (similar to IoTDB's approach) so that we can continuously monitor dependency
> vulnerabilities and better manage our SBOM-related security risk.

Thanks Xinyu for the proposal.

Ratis already has security scanning [1] enabled. I think results are visible only to committers. Others can see any published security advisories.

- Does the new workflow provide additional benefits?
- Is it possible to restrict visibility of results to committers?

-Attila

[1] https://github.com/apache/ratis/security
