The actions aquasecurity/trivy-action@master and dependency-check/dependency-check_action@main are not allowed in cm-jones/thales because all actions must be from a repository owned by cm-jones or created by GitHub.