Grype Full-Repo Scan Creates Deadlock, Blocking All Dependabot Security Updates
A critical flaw in a security scanning workflow has created a systemic deadlock, preventing the automated merging of vital dependency patches. The `security-scan.yml` workflow, which runs the Grype vulnerability scanner against an entire code repository on every pull request, is failing all automated Dependabot updates. The scanner detects every pre-existing high-severity vulnerability in the codebase, not just new ones introduced by a given change. This means no single Dependabot PR can pass, as it only fixes one vulnerability while the scan continues to flag all others.
This failure mode has completely halted the security update pipeline. Six open Dependabot pull requests (#301–#306) are uniformly blocked, failing exclusively on the Grype security scan check while all other continuous integration tests pass. The core issue is a mismatch in scanning scope: Grype is configured with `dir:.` to scan the full repository, while Dependabot operates on a per-package update model. The repository already uses GitHub's `dependency-review-action` in its `pr-validation.yml` workflow, which performs a delta-aware scan correctly, but the broader, full-repository Grype check still fails and blocks the merge regardless of that result.
The deadlock presents a severe operational risk, forcing developers into a manual, all-or-nothing merge strategy that defeats the purpose of automated dependency management. To clear the backlog, all fixes must be combined into a single, massive PR—a process that is error-prone and negates the granular safety and audit trail of individual updates. This configuration error highlights a common pitfall in DevSecOps: layering security tools without ensuring their scopes and failure conditions are aligned, ultimately creating a barrier to security itself.
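To make the scope mismatch concrete, the following is an added example (not code from the repository or from Grype) of a delta-aware gate that compares a Grype JSON report from the base branch against one from the PR branch and fails only on findings the PR introduces. It assumes Grype's JSON report layout (`matches[].vulnerability.id`, `matches[].vulnerability.severity`, `matches[].artifact.name`); the reports, package names and CVE ids below are constructed placeholders.

```python
import json

# Grype severity labels, ranked so a cutoff such as "high" can be applied.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_report(path: str) -> dict:
    """Load a report produced by `grype dir:. -o json --file <path>` (assumed layout)."""
    with open(path) as fh:
        return json.load(fh)


def findings(report: dict, min_severity: str = "high") -> set:
    """Return (package, vulnerability id) pairs at or above min_severity.

    Keyed on package name and id, not version, so a bump that leaves a CVE
    unresolved still counts as pre-existing rather than as a regression.
    """
    cutoff = SEVERITY_RANK[min_severity.lower()]
    out = set()
    for m in report.get("matches", []):
        sev = SEVERITY_RANK.get(m["vulnerability"].get("severity", "").lower(), -1)
        if sev >= cutoff:
            out.add((m["artifact"]["name"], m["vulnerability"]["id"]))
    return out


def full_scan_gate(head: dict, min_severity: str = "high") -> bool:
    """The deadlocking behaviour: pass only if the PR tree has no findings at all."""
    return not findings(head, min_severity)


def delta_gate(base: dict, head: dict, min_severity: str = "high") -> bool:
    """Delta-aware behaviour: pass unless the PR adds a finding absent on the base branch."""
    return not (findings(head, min_severity) - findings(base, min_severity))


def _report(*rows):
    # Build a minimal Grype-shaped report from (name, version, id, severity) rows; constructed data.
    return {"matches": [{"vulnerability": {"id": i, "severity": s},
                         "artifact": {"name": n, "version": v}} for n, v, i, s in rows]}


# Constructed sample: the base branch already carries three High findings.
BASE = _report(("liba", "1.0", "CVE-0000-0001", "High"),
               ("libb", "2.0", "CVE-0000-0002", "High"),
               ("libc", "3.0", "CVE-0000-0003", "High"))
# A Dependabot-style PR fixes liba only; the other two findings remain.
HEAD_FIXES_ONE = _report(("libb", "2.0", "CVE-0000-0002", "High"),
                         ("libc", "3.0", "CVE-0000-0003", "High"))
# A PR that pulls in a newly vulnerable package on top of the existing ones.
HEAD_ADDS_ONE = _report(("libb", "2.0", "CVE-0000-0002", "High"),
                        ("libc", "3.0", "CVE-0000-0003", "High"),
                        ("libd", "0.1", "CVE-0000-0004", "Critical"))
```

Run against the constructed data, the full-scan gate fails the fix-only PR (the deadlock on the page) while the delta gate passes it and still fails the PR that introduces a new Critical finding.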