Document the scan-results branch structure, component classification, and link to Liquibase Security (security.liquibase.com) for interactive vulnerability reports, version comparison, and export capabilities. DAT-21268 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Walkthrough: Documentation updates: README.md gains a new Vulnerability Scanning section; SECURITY.md adds detailed scan-data/docs and Q&A about scan results and upgrade guidance.
Claude finished @jandroav's task in 51s. PR Review: DAT-21268 - Vulnerability Scanning Docs
LGTM - no significant issues found. The Minor note: The manifest.json example in
Pull request overview
This PR updates repository documentation to describe the automated container vulnerability scanning process and standardize links/terminology around Liquibase Security for viewing results.
Changes:
- Add a “Vulnerability Scanning” section to README.md, including scan types and where to view results.
- Expand SECURITY.md with scan-results branch structure, manifest/schema examples, component classification, and new FAQs.
- Update documentation links/terminology to use “Liquibase Security” and fix the scripts documentation link.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Adds end-user documentation for scan coverage and how to view results in Liquibase Security and GitHub Actions. |
| SECURITY.md | Adds detailed guidance on persisted scan data layout/manifest and expands FAQs; fixes link to scripts/README.md. |
Actionable comments posted: 3
Inline comments:
In `@README.md`:
- Around line 281-282: The README currently claims "Every published" image is scanned which is inaccurate; update the sentence to state that scans run Monday–Friday at 10 AM UTC and cover only the most recent tags rather than all published images, and reference the configuration that controls this (max_tags_to_scan in .github/workflows/trivy-scan-published-images.yml) and the trimming logic in scripts/generate-dockerhub-matrix.sh so readers know the scan window is limited to recent tags.
In `@SECURITY.md`:
- Line 170: The "Vulnerability Scanning Scripts" link in SECURITY.md points to a stale document (scripts/README.md); either update scripts/README.md to accurately list the current scripts and their usage or change the link in SECURITY.md to a maintained document; locate the reference "Vulnerability Scanning Scripts" in SECURITY.md and then either edit scripts/README.md to remove/replace outdated script entries and add current commands/examples, or update the link target to the correct, up-to-date developer documentation.
- Around line 123-133: The fenced code block that shows the scan-results directory tree triggers markdownlint MD040 because it lacks a language; update the fenced block (the block containing "scan-results/ manifest.json ... liquibase/liquibase-secure/<version>/") to use a language token like ```text (or ```plaintext) so the snippet becomes fenced as ```text ... ``` to satisfy the linter.
After vulnerability scans complete, a new persist-results job downloads all scan artifacts and commits them to a scan-results branch. This gives the Liquibase Security dashboard persistent access to historical scan data via GitHub Contents API, replacing the 7-day artifact retention. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude finished @jandroav's task in 1m 58s. PR Review: DAT-21268 - Vulnerability Scanning Docs
Issues Found
This reverts commit 64438ba.
Claude finished @jandroav's task in 1m 33s. PR Review: DAT-21268 - Vulnerability Scanning Docs
The documentation additions are clear and well-structured. Three issues found:
| { | ||
| "lastUpdated": "2026-03-10T10:00:00Z", | ||
| "images": { | ||
| "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."], |
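Review bot: the `"..."` entry in the `liquibase/liquibase` tag list is syntactically valid JSON (it is just a string literal), so the risk is not a parse failure but that any consumer iterating `images` would treat `"..."` as a real version tag and try to fetch scan data for it; dropping the placeholder from the array and stating in prose below the block that the list is truncated avoids both the misleading example and the bogus tag.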
The "..." placeholder is not valid JSON — parsers will reject this. Use a note below the block or a comment-style placeholder instead:
| "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."], | |
| "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0"], | |
| "liquibase/liquibase-secure": ["5.0.1", "5.0.0"] |
(Or add a prose note: "Additional versions are listed in chronological order.")
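A validator for the `manifest.json` shape shown in the hunk above, added here as an example rather than code from the Liquibase project; it assumes tags are plain `x.y.z` strings and reports the `"..."` placeholder as a non-tag entry (the document still parses as JSON) so a consumer that walks image to version lists does not try to fetch scan data for it.

```python
import json
import re
from datetime import datetime

# Assumption: tags in the manifest are plain x.y.z strings, as in the example.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def validate_manifest(text):
    """Parse a scan-results manifest.json and return a list of problems."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top-level value must be an object"]
    problems = []

    # lastUpdated must be an ISO 8601 UTC timestamp ending in 'Z'.
    ts = data.get("lastUpdated")
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        problems.append(f"lastUpdated is not an ISO 8601 UTC timestamp: {ts!r}")

    images = data.get("images")
    if not isinstance(images, dict):
        return problems + ["images must be an object of image -> version list"]
    for image, versions in images.items():
        if not isinstance(versions, list) or not versions:
            problems.append(f"{image}: versions must be a non-empty list")
            continue
        for v in versions:
            # A placeholder such as "..." is valid JSON but is not a real tag;
            # a consumer would try to fetch scan data for it and fail.
            if not isinstance(v, str) or not VERSION_RE.match(v):
                problems.append(f"{image}: {v!r} is not a version tag")
    return problems


# Constructed sample: the manifest example from the PR, placeholder included.
SAMPLE_WITH_PLACEHOLDER = """{
  "lastUpdated": "2026-03-10T10:00:00Z",
  "images": {
    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."],
    "liquibase/liquibase-secure": ["5.0.1", "5.0.0"]
  }
}"""
```

Running `validate_manifest(SAMPLE_WITH_PLACEHOLDER)` reports only the `"..."` entry; the same manifest without it validates cleanly.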
|
|
||
| The `scan-results` branch contains: | ||
|
|
||
| ``` |
Missing language specifier on fenced code block (markdownlint MD040). Use ```text to fix:
| ``` | |
| ```text |
| { | ||
| "lastUpdated": "2026-03-10T10:00:00Z", | ||
| "images": { | ||
| "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."], |
"..." is not valid JSON — it will break any tool that parses this example literally. Replace with a valid placeholder string or add a comment after the block noting the list is truncated.
| "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."], | |
| "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0"], |
| ## Related Documentation | ||
|
|
||
| - [Vulnerability Scanning Scripts](README.md) - Technical documentation for developers | ||
| - [Vulnerability Scanning Scripts](scripts/README.md) - Technical documentation for developers |
scripts/README.md documents 7 scripts (extract-nested-deps.sh, analyze-scan-results.sh, convert-scan-results.sh, create-enhanced-report.sh, append-github-summary.sh, save-grype-results.sh, check-file-exists.sh) that do not exist in the scripts/ directory — only generate-dockerhub-matrix.sh is present. The linked document is stale and will mislead developers. Either remove scripts that no longer exist from scripts/README.md, or update this link to point to a maintained document.
Claude finished @jandroav's task in 1m 44s. PR Review: DAT-21268 - Vulnerability Scanning Docs
Summary: Committed and pushed three fixes to address reviewer feedback:
…te scripts README
- Add 'text' language specifier to directory tree code block (markdownlint MD040)
- Remove invalid '"..."' JSON placeholders from manifest.json example
- Rewrite scripts/README.md to only document existing scripts (remove 7 non-existent script entries, keep only generate-dockerhub-matrix.sh)
Co-authored-by: Alejandro Alvarez <undefined@users.noreply.github.com>

- Clarify scan coverage scope in README (recent tags, not all images)
- Add language specifier to fenced code block in SECURITY.md (MD040)
- Remove invalid JSON placeholder from manifest example
- Rewrite scripts/README.md to document only existing scripts
Addressed all review feedback in 05de44f:
Claude finished @jandroav's task in 1m 3s. PR Review: DAT-21268 - Vulnerability Scanning Docs
LGTM — all previously raised issues are resolved in commit
No new issues found. PR is good to merge.
Summary
- security.liquibase.com URLs
- scripts/README.md
Test plan
- security.liquibase.com: use correct paths
🤖 Generated with Claude Code