Closed — won't-fix (alt path chosen 2026-05-15)
Operator decision: GitHub Advanced Security / Code Scanning is a paid feature. The repo deliberately uses `google/osv-scanner-action` as its dependency-vuln gate instead, configured via `.github/workflows/osv-scanner.yml`.
Coverage comparison

| Capability | GitHub Code Scanning | OSV-Scanner (chosen) |
|---|---|---|
| Runs on every PR | ✅ | ✅ (`scan-pr` job) |
| Runs on push + weekly | ✅ | ✅ (`scan-main` job + cron) |
| Fail-on-vuln gates merges | ✅ | ✅ (exit code) |
| SARIF Security-tab UI | ✅ | ❌ (skipped — paid feature) |
| Cost | $$ | free |
The gate behavior is unchanged; only the visualization differs. `upload-sarif: false` in the workflow YAML is now intentional and documented (see PR #105).
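For reference, here is what a workflow wired the way the table describes looks like. This is an added illustration, not the repository's actual `.github/workflows/osv-scanner.yml`; it assumes the `osv-scanner-reusable-pr.yml` / `osv-scanner-reusable.yml` reusable workflows from `google/osv-scanner-action` with their `fail-on-vuln` and `upload-sarif` inputs, and the `@v2.0.0` tag and cron schedule are placeholders to replace with whatever the repo actually pins.

```yaml
# Added illustration, not the repository's own osv-scanner.yml.
# Assumed: google/osv-scanner-action reusable workflows and their
# `fail-on-vuln` / `upload-sarif` inputs; the tag below is a placeholder,
# pin to the release you have vetted.
name: OSV-Scanner

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "30 6 * * 1"   # weekly, Monday 06:30 UTC (placeholder schedule)
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  # security-events: write is deliberately absent: nothing is uploaded to
  # the (paid) Code Scanning Security tab, so the token does not need it.

jobs:
  # Diff-scans the PR against its base; a newly introduced vulnerable
  # dependency makes the job exit non-zero, which blocks the merge once
  # this job is a required status check on main.
  scan-pr:
    if: github.event_name == 'pull_request'
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.0.0  # assumed tag
    with:
      fail-on-vuln: true
      upload-sarif: false   # gate relies on the exit code only

  # Full scan of the default branch on every push and on the weekly cron,
  # so advisories published after a dependency was merged still surface.
  scan-main:
    if: github.event_name != 'pull_request'
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.0  # assumed tag
    with:
      scan-args: |-
        --recursive
        ./
      fail-on-vuln: true
      upload-sarif: false
```

The one check worth making after adopting this layout: the exit-code gate only blocks merges if `scan-pr` is listed as a required status check in the branch protection (or ruleset) for `main`; a red job that is not required is advisory only, which would silently undo the "Fail-on-vuln gates merges" row above.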
Updates landing alongside

- `.github/workflows/osv-scanner.yml` — comment rewritten to reflect the deliberate choice
- `docs/unblock-sequence.md` — Phase 0.2 marked deliberately-skipped
Closed by PR #105.