@clouless based on this announcement and subsequent thread of 44 comments (Upcoming changes to Data Center App Approval), the DC approval will be based on the output of mvn dependency:tree, which will be sanity checked by a proprietary Atlassian scanner which is an adjusted version of Snyk but which filters out the provided dependencies.
Unfortunately, Atlassian will not be making this sanity check scanner available to the Ecosystem, but instead wants us to run the full in-depth analysis from Snyk. Per the DC approval requirements, any upstream vulnerabilities coming from Atlassian can be ignored. This includes all provided dependencies.
The result of this decision by Atlassian basically means that all vendors that participate in the DC approval program will now be hacking together their own alternative security scanner and adding support for an ignore list. Otherwise, it will be very hard to run the scanner in CI/CD because it will always fail.
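As an added illustration (not code from this thread, from Atlassian or from Snyk), here is the kind of pre-filter a vendor would put in front of the scanner: it parses `mvn dependency:tree` output, drops provided-scope dependencies (and, through Maven's scope inheritance, their transitive children) and honours an ignore list before the remaining coordinates are handed to whatever scanner runs in CI/CD. The sample tree, its coordinates and the ignore entries are constructed for the example.

```python
import re
# One coordinate line of `mvn dependency:tree` output, e.g. "[INFO] +- g:a:jar:1.0:compile".
# Group 1 is the tree-drawing prefix (3 characters per level), group 2 the coordinates.
LINE_RE = re.compile(r"^(?:\[INFO\]\s)?([|\s+\\-]*)(\S+:\S+)$")

def parse_tree(tree_text: str) -> list:
    """Flatten dependency:tree text into dicts of depth, group, artifact, version, scope."""
    deps = []
    for raw in tree_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # plugin banners, "BUILD SUCCESS" and similar lines
        prefix, coords = m.groups()
        parts = coords.split(":")  # groupId:artifactId:packaging[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        depth = len(prefix) // 3
        if depth == 0:  # the project itself carries no scope
            version, scope = parts[3], "root"
        else:
            version, scope = parts[-2], parts[-1]
        deps.append({"depth": depth, "group": parts[0], "artifact": parts[1],
                     "version": version, "scope": scope})
    return deps

def scannable_dependencies(tree_text: str, ignore=(), drop_scopes=("provided",)) -> list:
    """Return the group:artifact:version entries the vendor still has to answer for.
    Provided-scope entries come from the host product; Maven gives their transitive
    children the provided scope too, so the whole subtree drops out. Ignore-list entries
    may be group:artifact (any version) or group:artifact:version."""
    ignore, drop = set(ignore), set(drop_scopes)
    kept = []
    for d in parse_tree(tree_text):
        if d["scope"] == "root" or d["scope"] in drop:
            continue
        ga = f"{d['group']}:{d['artifact']}"
        gav = f"{ga}:{d['version']}"
        if ga not in ignore and gav not in ignore:
            kept.append(gav)
    return kept

# Constructed sample output; the coordinates and versions are illustrative only.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ my-plugin ---
[INFO] com.example:my-plugin:jar:1.0.0
[INFO] +- com.atlassian.jira:jira-api:jar:8.20.0:provided
[INFO] |  \- com.google.guava:guava:jar:30.0-jre:provided
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- org.example:accepted-risk:jar:1.4.0:runtime
[INFO] \- junit:junit:jar:4.13.2:test
"""
```

Feeding `scannable_dependencies(tree, ignore=...)` to the scanner instead of the raw tree is what keeps a CI job from failing on findings in host-supplied or already-accepted dependencies.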