Context
PR #161 added the security scanners workflow and has been approved/merged. These are minor follow-up items identified during review.
Items
1. Fix concurrency group description in admin guide
docs/ADMINISTRATIVE_GUIDE.md — the Security Scanners Workflow reference table says the concurrency group is {workflow}-{ref}, but the actual workflow uses {workflow}-{event_name}-{ref} (the event_name was added in 0a2da23 to prevent push events from cancelling scheduled scans). The doc should match the implementation.
2. Consider more frequent ClamAV image digest updates
The ClamAV image is pinned to a sha256 digest for supply-chain safety, but this also freezes the malware signature database. A quarterly update cadence (as proposed for other tools) may be too infrequent for a malware scanner — monthly or weekly would better serve the purpose. This should be documented in the "Updating Pinned Versions" section once it's fleshed out.
3. Add comment for sudo rm -f workaround in ClamAV job
The ClamAV job includes sudo rm -f /var/lib/man-db/auto-update without explanation. A brief inline comment (e.g., # Prevent man-db auto-update from blocking apt-get) would help future maintainers.
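As an added illustration, not the project's own workflow file, this GitHub Actions fragment shows the concurrency group from item 1 in both the documented and the actual form, plus the commented workaround from item 3; the job layout, schedule, and image digest are placeholders.

```yaml
# Constructed example, not the repository's workflow. Names, schedule and
# the image digest are placeholders; only the concurrency expressions and
# the man-db workaround line come from the issue text.
name: security-scanners

on:
  push:
  schedule:
    - cron: "0 3 * * *"   # placeholder schedule

# Documented form (what the admin guide table currently says):
#   group: ${{ github.workflow }}-${{ github.ref }}
# With cancel-in-progress, a push to the same ref lands in the same group
# as the scheduled run and cancels an in-flight scheduled scan.
#
# Actual form: adding event_name puts push and schedule runs in separate
# groups, so a push can only cancel an earlier push run, never a scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  clamav:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Prevent man-db auto-update from blocking apt-get
      - run: sudo rm -f /var/lib/man-db/auto-update

      # Digest pin gives supply-chain safety but also freezes the signature
      # database baked into the image, so the pin needs a refresh cadence
      # (item 2). The digest below is a placeholder, not a real value.
      - run: >
          docker run --rm -v "$GITHUB_WORKSPACE:/scandir:ro"
          clamav/clamav@sha256:<PINNED_DIGEST_PLACEHOLDER>
          clamscan -r /scandir
```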
Reference