Hi @stevedennis,
Yes, we are aiming to implement a package approval workflow combined with vulnerability scanning.
Our problem is that for security reasons we are not allowed to expose our internal packages for scanning, hence the primary/public/external feed where scanning occurs is separated from the connected secondary/private/internal feeds.
Apparently I have totally missed the Package Consumers functionality; it seems to be just the right thing to help track vulnerabilities across multiple feeds and applications.
As I understand it though, to get full coverage the pgscan tool needs to be installed on every build server, and the pgscan publish... command needs to be implemented in every build? That will take some effort to maintain, to be weighed against chasing vulnerable packages manually. I will bring up the subject with our developers.
Thanks for clarifying!
Regards
/Claes