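# zizmor configuration: per-audit policy overrides and suppressions.
# Restored to block style. Collapsed onto one line, everything after the
# first `#` is a comment, so neither the policy nor the ignore entry is
# ever read.
rules:
  unpinned-uses:
    config:
      policies:
        # anchore/workflows is an internal repository; using @main is acceptable
        # NOTE(review): the pattern below matches every repository under the
        # anchore organisation, not only anchore/workflows, and `any` accepts
        # mutable branch refs. If only anchore/workflows is meant to be
        # exempt, narrow the pattern to that repository.
        anchore/*: any
  dangerous-triggers:
    ignore:
      # Safe use of pull_request_target - only runs trusted scripts from base repo,
      # never checks out PR code, needs secrets for labeling PRs from forks
      # NOTE(review): this entry has no line qualifier, so it suppresses the
      # audit for the whole file. Re-check the justification above whenever
      # the workflow gains a checkout step or starts interpolating PR fields.
      - detect-schema-changes.yaml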