Cheap Scans - Placeholder Dependency Scanning
Release notes
Problem to solve
For efficiency, speed and risk reduction, we want to allow many ways to be alerted to new findings, not just when pipelines run.
We also want to prevent an MR from surfacing findings that were not introduced within that MR, which can otherwise halt the developer on pre-existing issues.
Proposal
After the SBOM is complete, use the SBOM and run a check (a triggered job) whenever the vulnerability DB updates, to look for new vulnerabilities in existing dependencies and alert users.
This should be used in conjunction with scheduled pipeline scans (to be done) and normal pipeline scans.
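A small prototype of the two checks described above (a DB-update check over an existing SBOM, and an MR check limited to newly introduced components), added here as an illustration; it is not GitLab code, and the package URLs, advisory ids and DB layout are constructed assumptions.

```python
# Added illustration, not GitLab's implementation. Components are identified by
# CycloneDX-style package URLs (purls); the vulnerability DB is modelled as
# {advisory_id: set(affected purls)}. All identifiers are constructed.

BASE_SBOM = {"pkg:npm/lodash@4.17.20", "pkg:npm/express@4.17.1"}
MR_SBOM = BASE_SBOM | {"pkg:npm/minimist@1.2.5"}   # MR adds one dependency

# Vulnerability DB snapshots before and after an update (constructed).
DB_BEFORE = {
    "ADV-0001": {"pkg:npm/minimist@1.2.5"},
}
DB_AFTER = {
    "ADV-0001": {"pkg:npm/minimist@1.2.5"},
    "ADV-0002": {"pkg:npm/lodash@4.17.20"},                   # newly published
    "ADV-0003": {"pkg:npm/express@4.17.1", "pkg:npm/left-pad@1.0.0"},
}


def findings(sbom, db):
    """Map each SBOM component to the set of advisories that affect it."""
    out = {}
    for adv, affected in db.items():
        for purl in affected & sbom:          # ignore packages not in the SBOM
            out.setdefault(purl, set()).add(adv)
    return out


def new_findings_after_db_update(sbom, db_before, db_after):
    """Check 1: run on a DB update with no pipeline. Report only advisories
    that did not match the existing SBOM before the update but do now."""
    before = findings(sbom, db_before)
    after = findings(sbom, db_after)
    delta = {purl: advs - before.get(purl, set()) for purl, advs in after.items()}
    return {purl: advs for purl, advs in delta.items() if advs}


def mr_introduced_findings(base_sbom, mr_sbom, db):
    """Check 2: MR view. Only report advisories on components the MR added,
    so pre-existing debt in the base branch does not block the developer."""
    introduced = mr_sbom - base_sbom
    return findings(introduced, db)


if __name__ == "__main__":
    print(new_findings_after_db_update(BASE_SBOM, DB_BEFORE, DB_AFTER))
    print(mr_introduced_findings(BASE_SBOM, MR_SBOM, DB_AFTER))
```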
Metrics
Cross-Stage
Must work closely with ~"Category:Vulnerability Management" and ~"Category:Vulnerability Database", as we need to know when the DB updates and what changed, as well as how to inject/insert these findings smoothly so they are counted against (and in the same way as) pipeline runs.