Hi Nigel, dependency scanning works by looking for the different types of manifests (pom.xml, go.mod, build.gradle, etc.) that declare dependencies and processing those files. You can try configuring ignoreFiles in your lift toml to ignore those findings. I haven’t tested it myself and have some doubts, since dependency scanning works slightly differently than static code analysis. Or hopefully it’s just a short-term issue. Either way, I’ll make sure we take a look at this and come up with a better solution for the future.