Hi Attila,

Thanks for your message!

Regarding the first point, the new workflow checks vulnerabilities against the NVD, which is more comprehensive than the current scanning that only uses GitHub Advisory data. The NVD offers a broader and more up-to-date set of vulnerabilities.

As for visibility, I tested it and found that only committers can trigger the workflow. However, GitHub doesn't currently support restricting visibility of workflow results [1]. If we want only the current project committers to see the results, we might need to store them elsewhere. Do you have any suggestions on where to put them?

[1] https://github.com/OneSizeFitsQuorum/ratis/commit/a5feb8a780ab42550cdb8e81024cc9e6bc584840

Best
-------------
Xinyu Tan

On 2025/12/14 13:07:53 Attila Doroszlai wrote:
> > The goal of this change is to introduce a lightweight, periodic CVE scan
> > (similar to IoTDB’s approach) so that we can continuously monitor
> > dependency vulnerabilities and better manage our SBOM-related security risk.
>
> Thanks Xinyu for the proposal. Ratis already has security scanning
> [1] enabled. I think results are visible only to committers. Others
> can see any published security advisories.
>
> - Does the new workflow provide additional benefits?
> - Is it possible to restrict visibility of results to committers?
>
> -Attila
>
> [1] https://github.com/apache/ratis/security
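For readers following the thread, here is an added example of what a lightweight periodic NVD-backed scan of a Maven project can look like as a GitHub Actions workflow; it is not the workflow from the linked commit or anything in the Ratis repository. The scanner (OWASP Dependency-Check), the cron schedule, the Java version and the `NVD_API_KEY` secret name are all assumptions.

```yaml
# Example only: periodic dependency CVE scan against the NVD for a Maven build.
name: Periodic CVE scan (NVD)

on:
  schedule:
    - cron: "0 3 * * 1"      # assumed: once a week, Monday 03:00 UTC
  workflow_dispatch:          # manual runs; only users with write access can dispatch

permissions:
  contents: read              # least privilege: the scan only needs to read the tree

jobs:
  nvd-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "11"  # assumed

      - name: Run OWASP Dependency-Check against the NVD
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}   # assumed repository secret; avoids NVD rate limits
        run: |
          # aggregate: one report for all modules of a multi-module build
          mvn -B org.owasp:dependency-check-maven:aggregate \
              -DnvdApiKey="$NVD_API_KEY" \
              -Dformats=HTML,JSON \
              -DfailBuildOnCVSS=7     # fail the run on any finding with CVSS >= 7

      - name: Keep the report as a short-lived artifact
        if: always()                  # upload even when the scan step failed the build
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: target/dependency-check-report.*
          retention-days: 14
```

Note that on a public repository the run status and the uploaded artifact are visible to anyone who can view the Actions tab, which is exactly the visibility limitation the message above describes; restricting the report to committers requires shipping it to a separate, access-controlled location.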
