> Regarding the first point, the new workflow checks vulnerabilities against
> the NVD, which is more comprehensive than the current scanning that only uses
> GitHub Advisory data. The NVD offers a broader and more up-to-date set of
> vulnerabilities.

Nice.

> As for visibility, I tested it and found that only committers can trigger the
> workflow. However, GitHub doesn't currently support restricting visibility of
> workflow results[1].

On second thought that's OK. Visibility is important for security issues within the project itself. I guess anyone can perform this dependency scan locally, so hiding the results does not make much difference.

I'll check the PR.

-Attila
