
Raising of GitHub Security events for vulnerable packages

Open mcavey-arch opened this issue 1 month ago • 2 comments

I have set up FrogBot for the repository scan as per the documentation - I have successfully set up FrogBot for PR scanning, which is working well.

My question is - in a repository that I know has package vulnerabilities (identified by FrogBot in the PR workflow with JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"), when the repo scan action runs I am expecting GitHub Security Events to be produced for the vulnerable packages - but this doesn't occur.

```
09:53:30 [Info] Running SCA scan for nuget vulnerable dependencies in /tmp/jfrog.cli.temp.-1718272409-1318956605/src directory...
09:53:30 [Info] Calculating NuGet dependencies...
09:53:30 [Info] Dependencies sources were not detected nor 'install' command provided. Running 'restore' command
09:53:53 [Info] Scanning 211 nuget dependencies...
09:53:54 [Info] Waiting for scan to complete on JFrog Xray...
09:54:05 [Info] Xray scan completed
09:54:05 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/archinsurance/aeis-x3-sonar-exporter/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
09:54:06 [Info] Frogbot "scan-repository" command finished successfully
```

When there are no vulnerable packages, there is a log message stating there are none - but these logs don't contain any such statement, and the action still completes.

So:

  • Is my understanding of the expected behavior wrong?
  • Are repository scans and raising of GitHub Security Events a feature that requires JFrog Advanced security?
  • Is there further configuration I need to do?

mcavey-arch, Jun 13 '24 11:06
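The `[Warn]` line in the log above is the one worth reading closely: the POST goes to GitHub's code-scanning SARIF upload endpoint (`/repos/{owner}/{repo}/code-scanning/sarifs`), and GitHub answers 403 with "Advanced Security must be enabled for this repository to use code scanning". That is GitHub's Advanced Security, not a JFrog feature, and the upload is what would populate the repository's Security tab. The example below is added here and is not Frogbot's or JFrog's code. It shows what such an upload consists of (a gzip+base64 SARIF body with `commit_sha` and `ref`), a pre-flight check on the repository's `security_and_analysis.advanced_security.status` field from `GET /repos/{owner}/{repo}`, and a log check that turns the swallowed warning into something a job can fail on. Package names, vulnerability IDs, the repository name and the sample log are constructed placeholders; no network calls are made.

```python
"""Added example, not Frogbot's code: anatomy of a GitHub code-scanning SARIF
upload plus two checks to run before trusting "finished successfully".
All findings, names and log lines here are constructed for illustration."""
import base64
import gzip
import json
import re

# Endpoint shape taken from the POST in the issue's log.
SARIF_UPLOAD_URL = "https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs"

# Constructed SCA-style findings (placeholder packages and IDs, not real CVEs).
SAMPLE_FINDINGS = [
    {"vuln_id": "EXAMPLE-VULN-001", "package": "Example.Parser", "version": "1.2.0",
     "cvss": 9.8, "summary": "deserialization of untrusted input", "manifest": "src/App.csproj"},
    {"vuln_id": "EXAMPLE-VULN-002", "package": "Example.Logging", "version": "4.0.1",
     "cvss": 5.3, "summary": "log injection", "manifest": "src/App.csproj"},
]

# Constructed log with the same shape as the warning in the issue (placeholder repo).
SAMPLE_LOG = """\
09:54:05 [Info] Xray scan completed
09:54:05 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/example-org/example-repo/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
09:54:06 [Info] Frogbot "scan-repository" command finished successfully
"""


def build_sarif(findings, tool_name="example-sca"):
    """Minimal SARIF 2.1.0: one rule per vulnerability ID, one result per
    vulnerable dependency, located at the manifest that pulls it in."""
    rules, seen, results = [], set(), []
    for f in findings:
        if f["vuln_id"] not in seen:
            seen.add(f["vuln_id"])
            rules.append({
                "id": f["vuln_id"],
                "shortDescription": {"text": f["summary"]},
                # security-severity is what the Security tab uses to rank alerts
                "properties": {"security-severity": str(f["cvss"])},
            })
        results.append({
            "ruleId": f["vuln_id"],
            "level": "error" if f["cvss"] >= 7.0 else "warning",
            "message": {"text": f"{f['package']} {f['version']}: {f['summary']}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["manifest"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}],
    }


def encode_sarif(sarif):
    """The upload API wants the SARIF JSON gzip-compressed, then base64.
    mtime=0 keeps the gzip header deterministic across runs."""
    raw = json.dumps(sarif, separators=(",", ":")).encode()
    return base64.b64encode(gzip.compress(raw, mtime=0)).decode()


def decode_sarif(encoded):
    return json.loads(gzip.decompress(base64.b64decode(encoded)))


def upload_request(owner, repo, commit_sha, ref, sarif):
    """URL and JSON body of the POST. Sending it needs a token with
    security-events: write; the HTTP call itself is left out on purpose."""
    body = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif)}
    return SARIF_UPLOAD_URL.format(owner=owner, repo=repo), body


def advanced_security_enabled(repo_info):
    """Pre-flight on the JSON of GET /repos/{owner}/{repo}. Assumption: the
    security_and_analysis.advanced_security.status field is visible to the
    calling token; if it is absent we answer False instead of guessing."""
    sa = repo_info.get("security_and_analysis") or {}
    return sa.get("advanced_security", {}).get("status") == "enabled"


UPLOAD_FAILURE_RE = re.compile(
    r"\[Warn\] upload code scanning for (?P<branch>\S+) branch failed with: "
    r"(?P<method>[A-Z]+) (?P<url>\S+): (?P<status>\d{3}) (?P<reason>.*?)\s*\[\]\s*$"
)


def find_upload_failures(log_text):
    """The upload failure is logged at Warn level and the run still reports
    success, so extract it and let the caller fail the job on it."""
    failures = []
    for line in log_text.splitlines():
        m = UPLOAD_FAILURE_RE.search(line)
        if m:
            failures.append({"branch": m["branch"], "status": int(m["status"]),
                             "reason": m["reason"].strip()})
    return failures


if __name__ == "__main__":
    url, body = upload_request("example-org", "example-repo", "0" * 40,
                               "refs/heads/main", build_sarif(SAMPLE_FINDINGS))
    print(url, len(body["sarif"]), "bytes of gzip+base64 SARIF")
    for f in find_upload_failures(SAMPLE_LOG):
        print(f"upload to {f['branch']} failed: HTTP {f['status']} {f['reason']}")
```

In a workflow, run the pre-flight against the repository before the scan and grep the job log for the Warn line after it; either check fails the job instead of letting a 403 hide behind "finished successfully".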