
Remove scheduled security audit scan#512

Merged
mvanwyk merged 1 commit into main from claude/osv-agent-failure-t00b3v on Jun 22, 2026

Conversation

@murray-ds

Contributor

Summary

Removes the scheduled weekly security audit workflow in favor of relying on Dependabot for continuous vulnerability detection. This simplifies the CI/CD pipeline by eliminating redundant scanning.

Changes

  • Removed the schedule trigger (Monday 06:00 UTC cron job) from the security-audit workflow
  • Updated workflow documentation to clarify that:
    • Pull requests run scans only when dependencies or the workflow itself changes (advisory)
    • Pushes to main refresh code-scanning state
    • Manual dispatches and release calls remain hard gates
    • Dependabot alerts and security updates handle detection of newly-disclosed CVEs against pinned dependencies

Rationale

The scheduled scan was redundant because Dependabot already provides continuous monitoring for newly-disclosed CVEs against pinned dependencies. By removing the scheduled trigger, we reduce unnecessary CI runs while maintaining security coverage through Dependabot's automated alerts and security updates. The workflow still runs on relevant changes (dependencies, workflow file) and serves as a hard gate for releases and manual triggers.

https://claude.ai/code/session_01L6duQyAidZHdk7qHv9KTzA

The weekly scheduled scan only re-detected newly-disclosed CVEs against
already-pinned dependencies with no repo change — exactly what Dependabot
alerts and security updates (now enabled) already cover. Its sole added
effect was turning main red and firing Slack during Dependabot's cooldown
window, where the fix PR is intentionally withheld.

Keep the triggers that Dependabot cannot replace: the PR check (catch a
vuln before it merges), push-to-main (refresh code-scanning state), and the
workflow_call release gate (block shipping a known-vulnerable release).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L6duQyAidZHdk7qHv9KTzA
@claude

claude Bot commented Jun 22, 2026


Claude finished @murray-ds's task in 49s


PR Review: Remove Scheduled Security Audit Scan

  • Gather context and read changed files
  • Analyze the diff and workflow behavior
  • Post review feedback

Summary

This is a clean, minimal change — two lines removed from the on: block and four comment lines updated to match. The implementation is correct and the rationale is well-documented.

What Changes

Before: The workflow ran on schedule every Monday at 06:00 UTC, plus PR/push (path-filtered), manual dispatch, and release calls.

After: The workflow runs only on PR/push (path-filtered), manual dispatch, and release calls. Newly-disclosed CVEs against already-pinned dependencies are delegated to Dependabot.


Observations

The change is sound for this project's risk profile. Dependabot monitors OSV and GitHub Advisory Database continuously and will alert when a new CVE is disclosed against a pinned dep — that's the exact scenario the scheduled scan was catching. Eliminating the redundant weekly CI run is a net simplification with no meaningful coverage gap.

One nuance worth keeping in mind: The original workflow comment (lines 6–8) distinguished between a code-scanning alert (SARIF-based, surfaces in the Security tab as a failing check) and a passive Dependabot alert. The scheduled scan ensured that SARIF state on the default branch was refreshed even when no dependency files changed. After this PR, if no files matching the push path filter are merged for an extended period, the code-scanning SARIF state will go stale — it won't reflect newly-disclosed CVEs until the next dependency bump. This is an acceptable trade-off, but it's worth being explicit that post-disclosure coverage is now Dependabot-alert-only rather than also appearing as a code-scanning finding.

The push trigger retains a path filter (lines 28–34), meaning a push to main that touches only application code won't refresh SARIF. Combined with removing the schedule, this means a window exists where the Security tab could be behind. That's fine if the team's process is: "Dependabot opens a PR → OSV scan runs on that PR → merge → push scan refreshes SARIF."

The updated header comment (lines 12–18) accurately describes the new behavior. No issues there.


Verdict

No bugs, no correctness issues, no security concerns introduced by the change itself. The trade-off (stale SARIF between dependency updates, passive Dependabot alerts instead of hard-gate scanning for between-update CVEs) is explicitly acknowledged in the updated comment and is reasonable for this project.

Approved from a code-quality perspective. The change achieves its stated goal cleanly.
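To make the trigger set discussed in the PR description and in the review above concrete, here is an added example of a minimal `on:` block for such a security-audit workflow. It is not the project's own workflow file (the page shows only the description of it, not the file itself): the removed weekly schedule is left as a comment, the PR trigger is made advisory and the manual/release triggers hard gates via `continue-on-error`, and the SARIF upload is what keeps the code-scanning state on the default branch fresh. The path filters (`pyproject.toml`, `uv.lock`), the scanner install and invocation, the action versions and the file name are assumptions, not taken from the page.

```yaml
# Added illustration, not the project's actual workflow file.
# Trigger set after the PR: PR and push are path-filtered, dispatch and
# workflow_call remain; the weekly schedule is gone.
name: security-audit

on:
  # Removed by this PR: weekly re-scan of unchanged, pinned dependencies.
  # schedule:
  #   - cron: "0 6 * * 1"   # Monday 06:00 UTC
  pull_request:
    paths:
      # Assumed dependency manifest and lockfile names; adjust to the repo.
      - "pyproject.toml"
      - "uv.lock"
      - ".github/workflows/security-audit.yml"
  push:
    branches: [main]
    paths:
      - "pyproject.toml"
      - "uv.lock"
      - ".github/workflows/security-audit.yml"
  workflow_dispatch:
  workflow_call:

permissions:
  contents: read
  security-events: write   # required to upload SARIF into code scanning

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    # PR runs are advisory; dispatch and release (workflow_call) runs are hard gates.
    continue-on-error: ${{ github.event_name == 'pull_request' }}
    steps:
      - uses: actions/checkout@v4

      - name: Install osv-scanner (install method is an assumption; pin a real version)
        run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest

      - name: Scan the lockfile and write SARIF
        # Flags per the osv-scanner CLI docs; verify against the version you pin.
        run: |
          osv-scanner --lockfile=uv.lock --format=sarif --output=osv.sarif
        # Keep the SARIF even when vulnerabilities are found, so the upload step runs.
        continue-on-error: true

      - name: Upload SARIF to code scanning
        # Only runs on push to main/dispatch/call events that reach here; on a PR the
        # result is attached to the PR check rather than the default-branch state.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: osv.sarif
```

Note the consequence the review points out: with `push` path-filtered and no `schedule`, the `upload-sarif` step for `main` only executes when a dependency file or the workflow itself changes, so between dependency bumps the Security tab reflects the last upload while Dependabot alerts carry the newly disclosed CVEs. Running the job with `workflow_dispatch` at any time refreshes the SARIF state on demand.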


@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
see 1 file with indirect coverage changes


@mvanwyk mvanwyk merged commit 28f4679 into main Jun 22, 2026
6 checks passed