Improve Dependency Scanning behavior when project doesn't have a lockfile
Release notes
Problem to solve
Our Dependency Scanning feature's behaviour is ambiguous when it runs on a project that doesn't have a lockfile, even though the package manager is able to produce one.
This mainly happens when the project is hosting a library's source code instead of an application.
As a result, some analyzers (like gemnasium) are not triggered, whereas others (like Retire.js) are.
Intended users
User experience goal
Proposal
A first step to address this issue is to update the documentation, which is covered by #332506 (closed).
Then the next improvement we could make is to trigger the analyzer CI job when we find a dependency manifest file (e.g. Gemfile) but raise a warning if we can't find the corresponding lockfile (e.g. Gemfile.lock), instead of silently skipping the analyzer.
Further details
To achieve this we should amend the CI job rules to trigger the job in these cases.
Then we need to update the analyzer to react to such a situation and raise the proper warnings.
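The following is an added example of the detection logic described above, written for this page and not code from GitLab or the gemnasium analyzer. It assumes a hypothetical manifest-to-lockfile table (only a few package managers are listed, and `yarn.lock` is treated as an alternative lock for `package.json`); the real analyzers support more formats. Given a project tree it reports whether the job should be triggered at all (a manifest exists) and emits a warning for each manifest whose lockfile is missing, which is exactly the ambiguity this issue wants resolved:

```python
import os
import tempfile
from pathlib import Path

# Hypothetical manifest -> expected lockfile table (illustrative subset only;
# not the table used by gemnasium or any other GitLab analyzer).
MANIFEST_LOCKFILES = {
    "Gemfile": "Gemfile.lock",
    "package.json": "package-lock.json",
    "composer.json": "composer.lock",
    "Pipfile": "Pipfile.lock",
}
# Alternative lockfiles that also satisfy a manifest (assumption for this example).
ALT_LOCKFILES = {"package.json": ("yarn.lock",)}
# Vendored directories that must not trigger the job or produce warnings.
SKIP_DIRS = {"node_modules", "vendor", ".git"}


def evaluate_project(root):
    """Decide whether the DS job should run and which manifests lack a lockfile.

    Returns {"trigger_job": bool, "findings": [...]} where each finding has the
    manifest path (relative to root), the lockfile found (or None) and a level
    of "ok" or "warning". The job is triggered whenever any manifest exists,
    so a library repo without a lockfile is scanned but gets a clear warning
    rather than being silently skipped.
    """
    root = Path(root)
    findings = []
    for manifest, lockfile in MANIFEST_LOCKFILES.items():
        for path in sorted(root.rglob(manifest)):
            if SKIP_DIRS.intersection(path.relative_to(root).parts):
                continue
            candidates = (lockfile, *ALT_LOCKFILES.get(manifest, ()))
            present = [c for c in candidates if (path.parent / c).is_file()]
            rel = str(path.relative_to(root))
            if present:
                findings.append({"manifest": rel, "lockfile": present[0], "level": "ok"})
            else:
                findings.append({
                    "manifest": rel,
                    "lockfile": None,
                    "level": "warning",
                    "message": (
                        f"{rel}: no lockfile found (expected one of {', '.join(candidates)}); "
                        "generate it with the package manager or the scan will be incomplete"
                    ),
                })
    return {"trigger_job": bool(findings), "findings": findings}


def make_demo_project():
    """Build a constructed sample tree: a Ruby library (Gemfile, no lock),
    a JS sub-project with a lock, and a vendored node_modules package that
    must be ignored. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="ds-demo-"))
    (root / "Gemfile").write_text('source "https://rubygems.org"\ngem "rails"\n')
    (root / "web").mkdir()
    (root / "web" / "package.json").write_text('{"name": "web", "dependencies": {}}\n')
    (root / "web" / "package-lock.json").write_text('{"lockfileVersion": 2}\n')
    (root / "web" / "node_modules" / "dep").mkdir(parents=True)
    (root / "web" / "node_modules" / "dep" / "package.json").write_text('{"name": "dep"}\n')
    return str(root)


if __name__ == "__main__":
    result = evaluate_project(make_demo_project())
    print("trigger job:", result["trigger_job"])
    for f in result["findings"]:
        print(f["level"].upper(), f["manifest"], f.get("message", f["lockfile"]))
```

In a CI integration the `trigger_job` decision maps onto the job's `rules:exists` clause (listing the manifest files), while the per-manifest warnings would be emitted by the analyzer itself so that they appear in the job log and report.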
Permissions and Security
Documentation
We should certainly revisit our Dependency Scanning documentation.