I believe this might be of interest to the Security WG - @kyrofa, @SidFaber, @ruffsl, @marguedas.
Note: at first glance, it looks like the scanning results are publicly available on the project repository which doesn’t play nice with our (ROS 2) Security Vulnerability Disclosure Policy. Am I mistaken?