The Policy as Code engine vendors (stores) its dependencies in the repository itself. This avoids problems in restricted environments that limit access to PyPI.
Examples:
- Proxies that are required but not configured
- Restricted internet access
The directory contains code from dependencies and is not directly modified by the GitHub Field team.
These dependencies are vendored in using the ./update.sh script.
If a security issue is present in a dependency, it is handled by Dependabot and the dependency is updated using the ./update.sh script.
If security alerts are found by a static code analysis tool (CodeQL, for example) in this vendor folder, they are not covered by this project's security policy and should be reported to the dependency's own project where applicable.
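Because the vendor directory is meant to change only through ./update.sh, a useful check is to record a hash manifest of the vendored tree at update time and verify it in CI, so that a local edit to vendored code is caught before it ships. The following is an added example, not part of the project or its update.sh script; the package name examplepkg, the file layout and the MANIFEST.json file name are constructed for the demonstration.

```python
"""Integrity check for a vendored-dependency directory.

Added example (not the project's own update.sh): records a SHA-256 manifest of
every file under the vendor directory and later verifies the tree against it,
so that any local edit to vendored code shows up as drift.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed file name, not used by the project


def file_sha256(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(vendor_dir: Path) -> dict:
    """Map each relative file path under vendor_dir to its SHA-256 digest."""
    return {
        p.relative_to(vendor_dir).as_posix(): file_sha256(p)
        for p in sorted(vendor_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def verify_manifest(vendor_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a manifest; report modified, added and missing files."""
    current = build_manifest(vendor_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "missing": sorted(f for f in manifest if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: vendor a fake package, write the manifest, then edit the tree."""
    with tempfile.TemporaryDirectory() as d:
        vendor = Path(d) / "vendor"
        pkg = vendor / "examplepkg"  # constructed package, not a real dependency
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text("VERSION = '1.0.0'\n")
        (pkg / "core.py").write_text("def run():\n    return 'ok'\n")

        # What an update script would do after vendoring: persist the manifest.
        manifest = build_manifest(vendor)
        (vendor / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))

        # A "hotfix" applied directly to vendored code, plus a stray new file:
        # exactly the kind of change the README says must not happen here.
        (pkg / "core.py").write_text("def run():\n    return 'patched locally'\n")
        (pkg / "extra.py").write_text("")

        loaded = json.loads((vendor / MANIFEST_NAME).read_text())
        return verify_manifest(vendor, loaded)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    # Non-empty drift means the vendor tree was edited outside the update script.
    raise SystemExit(1 if any(report.values()) else 0)
```

In CI the verify step would run against the committed vendor directory and fail the build on any non-empty drift list; regenerating the manifest belongs only in the same step that re-vendors the dependencies.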