Description
> We have two open dependabot items-- shouldn't we be failing on the [dependency-review-action](https://github.com/actions/dependency-review-action) step?
Turns out I misunderstood what the security half of this does. It only looks for security issues in new or updated dependencies introduced by a PR commit.
Still very useful, but for vulnerabilities found before introducing it (such as the two pending dependabot alerts) and for new vulnerabilities disclosed that are unrelated to a PR (like a package previously thought safe is found not to be) it will not block the PR.
I don't find anything at the action level (other than explicitly running a code scanning tool) that behaves like how I thought this was going to. A quick web search says there might be a way to do it with GitHub's CodeQL and branch protection rules, but I've never messed around with the former.
Also for the licensing half of it, it operates in either whitelist or blacklist mode, so if we want to gain functionality from that we'd have to specify a list of licenses we are either explicitly okay with or explicitly not okay with. I don't think it attempts to automagically guess license compatibility.
Originally posted by @danswann in #3 (comment)
We have a license check scanner, but we need to configure it so we don't take on license risk.
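As an added illustration (not this repository's workflow), here is what configuring the action for both halves discussed above looks like: the security half gated on a severity threshold, and the licensing half switched into allow-list mode, since the action does nothing about licenses until one of the two lists is given. The license identifiers are SPDX names chosen as a placeholder and would need to be replaced with the set the project actually accepts; as noted in the quoted comment, this still only evaluates dependencies added or changed by the PR, not pre-existing Dependabot alerts.

```yaml
name: Dependency review
on: [pull_request]

# Least privilege: the action only needs to read the manifests it diffs.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Weak form (left here for comparison): with no inputs the action
      # only fails on newly added/updated dependencies with a known
      # advisory and performs no license checking at all.
      #
      # - uses: actions/dependency-review-action@v4

      # Configured form: fail the PR when a new or changed dependency has
      # an advisory of "moderate" or higher, and reject any new or changed
      # dependency whose license is not on the allow list.
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          # allow-licenses and deny-licenses are mutually exclusive: pick
          # the mode you want. Placeholder SPDX identifiers; adjust to
          # the licenses this project is actually willing to accept.
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
```

Because the check is a PR status, it only blocks merges once the workflow is listed as a required status check in the branch protection rules.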