Tags: github-actions, dependabot

How to trigger dependabot scan on developer pull requests


I'm not sure if my use case is one Dependabot is suited for, so I'm hoping someone can tell me whether it is or is not, and if it is, point me to some documentation on how to do what I'm describing:

I want to create a workflow that:

  1. runs a Dependabot scan on each developer pull request
  2. Dependabot only reports on newly introduced or updated dependencies
  3. the pull request is blocked by any new dependencies with vulnerabilities of medium or higher severity
  4. Dependabot does not create a PR as a result of a PR scan

Is this possible?


Solution

  • This is possible with the dependency review action: https://github.com/actions/dependency-review-action
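As an added example (not part of the original answer, and not the action's own documentation), here is a workflow that wires the dependency review action to the four requirements in the question. The file path, workflow name and job name are assumptions; `@v4` is assumed to be a current major-version tag and should be replaced with whatever version is in use.

```yaml
# Added example, assumed path: .github/workflows/dependency-review.yml
name: Dependency review

# Requirement 1: run on every developer pull request
on:
  pull_request:

# Least privilege: the action only needs to read repository contents
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Requirement 2: the action diffs the dependency graph of the PR's base
      # and head refs, so only dependencies added or changed by this PR are
      # reported, not the repository's pre-existing dependency set
      - uses: actions/dependency-review-action@v4
        with:
          # Requirement 3: fail the check if any new or changed dependency has
          # a known vulnerability of severity "moderate" (GitHub's term for
          # medium) or higher; accepted values are low, moderate, high, critical
          fail-on-severity: moderate
```

Two things the workflow alone does not give you. The failing check only blocks the merge (requirement 3) if branch protection marks the "dependency-review" job as a required status check; otherwise it is just a red mark. Requirement 4 is satisfied by design: this action reviews diffs and never opens pull requests, which is the separate Dependabot security updates feature controlled by a repository setting. The action also needs the repository's dependency graph enabled to have anything to compare.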