Federico Builes
Hi @davidmally-at! I don't think we have anything in place to support the use case you're proposing, a PR would be extremely welcome! 🙇
@jeffpaul The Action currently only supports config file inside the same repo. I expect support for org-wide config files to land soon.
@jcasner Thanks for the report. This is something originally reported in https://github.com/actions/dependency-review-action/pull/131 that's actively being worked on using `spdx-satisfies` to evaluate these expressions. I'll update this issue once there are...
@Snailedlt is the organization where you're running this part of GitHub Advanced Security? I think that's the only requirement we have for private repos.
@Snailedlt Advanced Security is a paid product, if you're not sure you can talk to the organization/enterprise owner. Another way to find out if Advanced Security is enabled for the...
@Snailedlt thanks for the extra details. I think we can use @tspascoal's code snippet from above to fix the, but we need to confirm if 403s can also come from...
The latest release of the action (`v3`) allows users to specify if they want to allow/disallow a specific check (vulns, licenses) in their runs. I know this is not exactly...
@AgustinBettati Thank you for reporting this issue. After spending a bit of time trying to find out how vulnerabilities work in pinned SHAs, I don't think Dependency Review Action has...
A bit more triage info:

```
$ gh api repos/future-funk/congenial-chainsaw/dependency-graph/compare/main...febuiles-patch-2
[
  {
    "change_type": "added",
    "manifest": ".github/workflows/updates.yml",
    "ecosystem": "actions",
    "name": "tj-actions/verify-changed-files",
    "version": "5ef175f2fd84957530d0fdd1384a541069e403f2",
    "package_url": "pkg:githubactions/tj-actions/verify-changed-files@5ef175f2fd84957530d0fdd1384a541069e403f2",
    "license": null,
    "source_repository_url": "https://github.com/tj-actions/verify-changed-files",
    "scope": "runtime",
    ...
```
@AgustinBettati Sorry for the confusion. There's nothing wrong with the `verify-changed-files` Action, the issue here is with the [GitHub Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) not being able to infer the proper ordering...