Remove scheduled security audit scan #512
The weekly scheduled scan only re-detected newly-disclosed CVEs against already-pinned dependencies with no repo change — exactly what Dependabot alerts and security updates (now enabled) already cover. Its sole added effect was turning main red and firing Slack during Dependabot's cooldown window, where the fix PR is intentionally withheld. Keep the triggers that Dependabot cannot replace: the PR check (catch a vuln before it merges), push-to-main (refresh code-scanning state), and the workflow_call release gate (block shipping a known-vulnerable release).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L6duQyAidZHdk7qHv9KTzA
Claude finished @murray-ds's task in 49s

PR Review: Remove Scheduled Security Audit Scan

Summary
This is a clean, minimal change — two lines removed from the

What Changes
Before: The workflow ran on schedule every Monday at 06:00 UTC, plus PR/push (path-filtered), manual dispatch, and release calls.
After: The workflow runs only on PR/push (path-filtered), manual dispatch, and release calls. Newly-disclosed CVEs against already-pinned dependencies are delegated to Dependabot.

Observations
The change is sound for this project's risk profile. Dependabot monitors OSV and the GitHub Advisory Database continuously and will alert when a new CVE is disclosed against a pinned dep — that's the exact scenario the scheduled scan was catching. Eliminating the redundant weekly CI run is a net simplification with no meaningful coverage gap.

One nuance worth keeping in mind: The original workflow comment (lines 6–8) distinguished between a code-scanning alert (SARIF-based, surfaces in the Security tab as a failing check) and a passive Dependabot alert. The scheduled scan ensured that SARIF state on the default branch was refreshed even when no dependency files changed. After this PR, if no files matching the push path filter are merged for an extended period, the code-scanning SARIF state will go stale — it won't reflect newly-disclosed CVEs until the next dependency bump. This is an acceptable trade-off, but it's worth being explicit that post-disclosure coverage is now Dependabot-alert-only rather than also appearing as a code-scanning finding.

The push trigger retains a path filter (lines 28–34), meaning a push to

The updated header comment (lines 12–18) accurately describes the new behavior. No issues there.

Verdict
No bugs, no correctness issues, no security concerns introduced by the change itself. The trade-off (stale SARIF between dependency updates, passive Dependabot alerts instead of hard-gate scanning for between-update CVEs) is explicitly acknowledged in the updated comment and is reasonable for this project. Approved from a code-quality perspective. The change achieves its stated goal cleanly.
Codecov Report: All modified and coverable lines are covered by tests.
Summary
Removes the scheduled weekly security audit workflow in favor of relying on Dependabot for continuous vulnerability detection. This simplifies the CI/CD pipeline by eliminating redundant scanning.
Changes
- Removed the schedule trigger (Monday 06:00 UTC cron job) from the security-audit workflow

Rationale
The scheduled scan was redundant because Dependabot already provides continuous monitoring for newly-disclosed CVEs against pinned dependencies. By removing the scheduled trigger, we reduce unnecessary CI runs while maintaining security coverage through Dependabot's automated alerts and security updates. The workflow still runs on relevant changes (dependencies, workflow file) and serves as a hard gate for releases and manual triggers.
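To make the trigger change concrete, here is what the `on:` block of such a workflow looks like with the cron removed and the four retained triggers kept. This is an added, illustrative reconstruction and not the project's security-audit workflow (the PR page does not show the file). The file name, the npm lockfile paths in the path filters, the `main` branch name, and the choice of Trivy as the scanner that emits SARIF are all assumptions; only the removed weekly cron and the retained pull_request, push, workflow_dispatch and workflow_call triggers come from the PR.

```yaml
# .github/workflows/security-audit.yml
# Illustrative reconstruction (assumed shape), not the project's own file.
name: security-audit

on:
  # Removed by this PR. Dependabot alerts now cover CVEs disclosed against
  # already-pinned dependencies, so the weekly run only turned main red
  # during Dependabot's cooldown window.
  # schedule:
  #   - cron: "0 6 * * 1"   # Mondays 06:00 UTC

  # Retained: catch a vulnerable dependency before it merges.
  pull_request:
    paths:
      - "package.json"                          # assumed lockfile paths
      - "package-lock.json"
      - ".github/workflows/security-audit.yml"

  # Retained: refresh code-scanning (SARIF) state on the default branch.
  # Because of the path filter, SARIF state is only refreshed when one of
  # these files changes; between dependency bumps it goes stale.
  push:
    branches: ["main"]                          # assumed default branch
    paths:
      - "package.json"
      - "package-lock.json"
      - ".github/workflows/security-audit.yml"

  # Retained: manual run from the Actions tab.
  workflow_dispatch:

  # Retained: reusable job that a release workflow calls as a hard gate.
  workflow_call:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Scanner choice is an assumption; any tool that emits SARIF works here.
      - name: Scan pinned dependencies
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy.sarif
          exit-code: "1"       # fail the job on findings: this is the gate
          ignore-unfixed: true
          severity: HIGH,CRITICAL

      # Upload even if the scan step failed, so the Security tab shows the
      # finding as a code-scanning alert rather than only a red check.
      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy.sarif
```

A release workflow consumes the gate with a job such as `uses: ./.github/workflows/security-audit.yml` and lists that job under `needs:` for the publish step, so a known-vulnerable lockfile fails the call and blocks the release. The `schedule` lines are left as a comment only to show what was removed; in the real change they are deleted outright.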