Is your feature request related to a problem? Please describe.
For our CI we would like to split checking the dependencies over two periods:
Changed dependencies before merging the PR
Existing dependencies at an interval (e.g. daily)
That way we don't block every open PR when a security issue pops up, but we still prevent a PR from merging if it introduces a bad dependency.
I can see a few different approaches to this problem. I'm totally open to suggestions here. I can't imagine this CI strategy is unique to us, so maybe someone has already implemented something like this.
Describe the solution you'd like
The nicest solution from the user's perspective would be to simply have an argument, say --changed-since, to which you can pass a git reference, and it only takes those dependencies into account.
Describe alternatives you've considered
Two other possible solutions I can see:
(this might be possible already): allow passing a list to the CLI of what dependencies to consider. This takes some additional interpretation work on the user's side to list all the dependencies from the Cargo.toml files that were changed since a certain point in time.
Add this feature to the Github Action.
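The "list the changed dependencies yourself" alternative above can be implemented without any new CLI flag by diffing Cargo.lock between the PR head and a base git reference. The following is an added example (not code from the original issue or from the project): it parses the `[[package]]` entries of two Cargo.lock files and reports which (name, version) pairs are new. The default base reference `origin/main`, the sample lock files, and the helper names are assumptions for illustration.

```python
"""Find the dependencies a change introduces by diffing two Cargo.lock files.

Added example, not the project's own code. Assumes the current Cargo.lock
layout ([[package]] blocks with name/version/source lines); the base ref
"origin/main" is an assumed default.
"""
import re
import subprocess
import sys

# Matches simple `key = "value"` lines inside a [[package]] block.
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def _key(entry):
    # Path/workspace members carry no `source` line; keep them with source "".
    return (entry.get("name", ""), entry.get("version", ""), entry.get("source", ""))


def parse_lock(text):
    """Return the set of (name, version, source) triples in a Cargo.lock."""
    packages = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current is not None:
                packages.add(_key(current))
            current = {}
            continue
        if current is None:  # top-level `version = 3` etc. comes before any package
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current is not None:
        packages.add(_key(current))
    return packages


def diff_locks(old_text, new_text):
    """Return (added, removed) as sorted lists of (name, version).

    A version bump appears once in `added` and once in `removed`, so `added`
    is exactly the set a pre-merge audit has to look at; the unchanged rest
    is covered by the scheduled full audit.
    """
    old = parse_lock(old_text)
    new = parse_lock(new_text)
    added = sorted((n, v) for n, v, _ in new - old)
    removed = sorted((n, v) for n, v, _ in old - new)
    return added, removed


def lock_at_ref(ref, path="Cargo.lock"):
    """Read Cargo.lock as it was at a git reference (e.g. origin/main)."""
    proc = subprocess.run(["git", "show", f"{ref}:{path}"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


# Constructed sample lock files (not taken from any real project).
OLD_LOCK = """version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "rand",
 "serde",
]

[[package]]
name = "oldcrate"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000"

[[package]]
name = "rand"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111"

[[package]]
name = "serde"
version = "1.0.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2222"
"""

NEW_LOCK = """version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "newdep",
 "rand",
 "serde",
]

[[package]]
name = "newdep"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3333"

[[package]]
name = "rand"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111"

[[package]]
name = "serde"
version = "1.0.150"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4444"
"""


if __name__ == "__main__":
    # Usage in CI: python changed_deps.py origin/main  (prints "name version" per line)
    base = sys.argv[1] if len(sys.argv) > 1 else "origin/main"
    with open("Cargo.lock", encoding="utf-8") as f:
        added, _removed = diff_locks(lock_at_ref(base), f.read())
    for name, version in added:
        print(f"{name} {version}")
```

Diffing Cargo.lock rather than the changed Cargo.toml files also catches transitive bumps and plain `cargo update` runs, which never touch a manifest. The printed list is what the pre-merge job would pass to whatever per-dependency filtering the audit tool offers, while the daily job audits the whole lock file as before.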