We currently have Dependabot scanning enabled on the whole repo due to Intel policy, and I manually mark anything in test/ as invalid since we're not installing or using that code; those are just lock files and other component lists used to test the vulnerability scanner.
When we complete our move to a new GitHub org, we shouldn't need to keep doing this and should be able to reconfigure Dependabot so it's no longer scanning anything in test/, but especially not anything in the language test files.
So this is just a reminder that we should do that after the move is complete. We could also disable Dependabot scanning entirely (since we have our own scans), but I'd rather not do that; I just want it to only target stuff that actually matters.