Snyk (security / dependency signal)
Role in Ship: optional security/dependency signal — findings feed evidence for risk decisions and PR hygiene; it is not a replacement for human review or QA gates.
How to use it with agents
- Treat Snyk (or similar) output as input to tickets and PR comments, not as a silent auto-merge trigger, unless policy explicitly allows it.
- Keep severity policy in repo docs so agents do not invent CVSS drama where your org prefers calm triage.
Read next
- Delivery, quality & release — where security evidence meets release gates.
- Tools — capability map — “security/dependency signal” row.