I have this for my cargo dependencies. `cargo-vet` will block anything not approved, and then I have a skill that reviews every dependency before trusting that version.