I wanted to understand which branch of a repository is used to create the vulnerability alerts. Is it the branch which is designated as the “default” branch?
I need to understand this because of the use cases below:
At my company, we have had developers who updated the vulnerable libraries and also checked that code into GitHub, but they were utilizing a branch other than the designated default branch on GitHub. GitHub still shows some alerts even after the upgrades were pushed.
Some repositories have multiple active branches, so we want to find out whether GitHub scans all branches of a repository to report vulnerability alerts or only one of them.