Document the scan-results branch structure, component classification, and link to Liquibase Security (security.liquibase.com) for interactive vulnerability reports, version comparison, and export capabilities. DAT-21268 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
📝 Walkthrough

Documentation updates to README.md and SECURITY.md expand security-related guidance. README.md duplicates the vulnerability scanning section, while SECURITY.md adds comprehensive content covering data structures, workflow schedules, version comparisons, and upgrade recommendations.
Claude finished @jandroav's task in 51s. PR Review: DAT-21268 - Vulnerability Scanning Docs

LGTM - no significant issues found. Minor note: The manifest.json example in
Pull request overview
This PR updates repository documentation to describe the automated container vulnerability scanning process and standardize links/terminology around Liquibase Security for viewing results.
Changes:
- Add a “Vulnerability Scanning” section to README.md, including scan types and where to view results.
- Expand SECURITY.md with scan-results branch structure, manifest/schema examples, component classification, and new FAQs.
- Update documentation links/terminology to use “Liquibase Security” and fix the scripts documentation link.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Adds end-user documentation for scan coverage and how to view results in Liquibase Security and GitHub Actions. |
| SECURITY.md | Adds detailed guidance on persisted scan data layout/manifest and expands FAQs; fixes link to scripts/README.md. |
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@README.md`:
- Around line 281-282: The README currently claims "Every published" image is
scanned which is inaccurate; update the sentence to state that scans run
Monday–Friday at 10 AM UTC and cover only the most recent tags rather than all
published images, and reference the configuration that controls this
(max_tags_to_scan in .github/workflows/trivy-scan-published-images.yml) and the
trimming logic in scripts/generate-dockerhub-matrix.sh so readers know the scan
window is limited to recent tags.
In `@SECURITY.md`:
- Line 170: The "Vulnerability Scanning Scripts" link in SECURITY.md points to a
stale document (scripts/README.md); either update scripts/README.md to
accurately list the current scripts and their usage or change the link in
SECURITY.md to a maintained document; locate the reference "Vulnerability
Scanning Scripts" in SECURITY.md and then either edit scripts/README.md to
remove/replace outdated script entries and add current commands/examples, or
update the link target to the correct, up-to-date developer documentation.
- Around line 123-133: The fenced code block that shows the scan-results
directory tree triggers markdownlint MD040 because it lacks a language; update
the fenced block (the block containing "scan-results/ manifest.json ...
liquibase/liquibase-secure/<version>/") to use a language token like ```text (or
```plaintext) so the snippet becomes fenced as ```text ... ``` to satisfy the
linter.
> Every published Liquibase Docker image (Community and Secure) is automatically scanned for known vulnerabilities using multiple security scanners. Scans run Monday through Friday at 10 AM UTC and cover the most recent tags of each image.
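Review bot: "multiple security scanners" leaves the scanners unnamed although the SECURITY.md tree added in this same PR names them (Trivy for the surface and nested-JAR scans, Grype for the SBOM scan); name them here so a reader of the README alone knows which scanner's output they are looking at. The sentence also contradicts itself, since "Every published ... image" and "cover the most recent tags of each image" cannot both hold; drop "Every published" and lead with the tag window.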
Avoid overstating scan coverage.
This opening sentence says every published image is scanned, but the workflow only processes the newest tag set. That will mislead readers looking for older releases that fall outside the scan window. .github/workflows/trivy-scan-published-images.yml:9-20 exposes max_tags_to_scan, and scripts/generate-dockerhub-matrix.sh:29-100 trims the list to the most recent tags.
```
scan-results/
  manifest.json                  # Index of all scanned images and versions
  liquibase/liquibase/<version>/
    trivy-surface.json           # OS and top-level library scan (Trivy)
    trivy-deep.json              # Nested JAR dependency scan (Trivy)
    grype-results.json           # SBOM-based scan (Grype)
    metadata.json                # Scan timestamp, image digest, workflow run ID
  liquibase/liquibase-secure/<version>/
    ...
```
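Review bot: the tree does not say whether trivy-deep.json is disjoint from trivy-surface.json; a JAR that is both a top-level artifact and nested inside another archive is reported by both scans, so a consumer that adds the two files' counts together double-counts. State either that the deep scan excludes surface findings or that readers must de-duplicate on VulnerabilityID plus package and installed version. The metadata.json comment "image digest" should likewise say which digest is stored (the tag's manifest-list digest or the per-platform image digest that was actually scanned), since that is what a reader needs to pin the scanned image.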
Add a language to this fenced block.
This directory-tree block currently trips markdownlint MD040. Use text/plaintext so the docs stay lint-clean.
Suggested fix

````diff
-```
+```text
scan-results/
manifest.json # Index of all scanned images and versions
liquibase/liquibase/<version>/
trivy-surface.json # OS and top-level library scan (Trivy)
trivy-deep.json # Nested JAR dependency scan (Trivy)
grype-results.json # SBOM-based scan (Grype)
metadata.json # Scan timestamp, image digest, workflow run ID
liquibase/liquibase-secure/<version>/
...
````
```diff
 ## Related Documentation

-- [Vulnerability Scanning Scripts](README.md) - Technical documentation for developers
+- [Vulnerability Scanning Scripts](scripts/README.md) - Technical documentation for developers
```
This related-docs link points at stale technical docs.
scripts/README.md:1-15 still describes several scripts that are not present in the scripts directory, so linking it here as the developer reference is likely to send readers to inaccurate documentation. Please update that README in the same PR or keep this section pointed at a maintained document.
After vulnerability scans complete, a new persist-results job downloads all scan artifacts and commits them to a scan-results branch. This gives the Liquibase Security dashboard persistent access to historical scan data via GitHub Contents API, replacing the 7-day artifact retention. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude finished @jandroav's task in 1m 58s. PR Review: DAT-21268 - Vulnerability Scanning Docs
Issues Found
This reverts commit 64438ba.
Claude finished @jandroav's task in 1m 33s. PR Review: DAT-21268 - Vulnerability Scanning Docs
The documentation additions are clear and well-structured. Three issues found:
```json
{
  "lastUpdated": "2026-03-10T10:00:00Z",
  "images": {
    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."],
```
The "..." placeholder is not valid JSON — parsers will reject this. Use a note below the block or a comment-style placeholder instead:
```diff
-    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."],
+    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0"],
     "liquibase/liquibase-secure": ["5.0.1", "5.0.0"]
```
(Or add a prose note: "Additional versions are listed in chronological order.")
```json
{
  "lastUpdated": "2026-03-10T10:00:00Z",
  "images": {
    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."],
```
"..." is not valid JSON — it will break any tool that parses this example literally. Replace with a valid placeholder string or add a comment after the block noting the list is truncated.
```diff
-    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0", "..."],
+    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0"],
```
```diff
 ## Related Documentation

-- [Vulnerability Scanning Scripts](README.md) - Technical documentation for developers
+- [Vulnerability Scanning Scripts](scripts/README.md) - Technical documentation for developers
```
scripts/README.md documents 7 scripts (extract-nested-deps.sh, analyze-scan-results.sh, convert-scan-results.sh, create-enhanced-report.sh, append-github-summary.sh, save-grype-results.sh, check-file-exists.sh) that do not exist in the scripts/ directory — only generate-dockerhub-matrix.sh is present. The linked document is stale and will mislead developers. Either remove scripts that no longer exist from scripts/README.md, or update this link to point to a maintained document. Fix this →
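The scan-results layout discussed in this thread (the directory tree and manifest.json in SECURITY.md, the invalid "..." placeholder raised above, and the overlap between the surface and deep Trivy scans), as one added example of how a consumer such as a dashboard would read the branch. This is illustration code written for this review, not code from the liquibase/docker repository or from the Liquibase Security dashboard. Assumptions not stated on the page: the metadata.json field names (scannedAt, digest, workflowRunId), version tags of the plain X.Y.Z form, Trivy and Grype JSON field names as emitted by `trivy --format json` and `grype -o json`, and every sample value in `build_sample_tree` (package names, CVE-0000-* identifiers, digest), all of which is constructed.

```python
"""Reader for the scan-results branch layout shown in this PR. Added illustration,
not code from the liquibase/docker repository or the Liquibase Security dashboard.
Assumed rather than stated on the page: the metadata.json field names, plain X.Y.Z
version tags, and every sample value below, which is constructed."""
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

REQUIRED_FILES = ("trivy-surface.json", "trivy-deep.json",
                  "grype-results.json", "metadata.json")
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")  # assumption: plain X.Y.Z tags


def bad_version_entries(manifest):
    """(image, entry) pairs that are not versions, e.g. a "..." placeholder."""
    return [(image, v) for image, versions in manifest["images"].items()
            for v in versions if not VERSION_RE.match(v)]


def trivy_findings(path):
    """Set of (id, package, installed version, severity) from one Trivy JSON file."""
    data = json.loads(path.read_text())
    return {(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], v["Severity"])
            for r in data.get("Results", []) for v in (r.get("Vulnerabilities") or [])}


def severity_counts(version_dir):
    """Per-scanner severity counts. A JAR present both top-level and nested can be
    reported by the surface and the deep Trivy scan; the set union counts it once."""
    trivy = (trivy_findings(version_dir / "trivy-surface.json")
             | trivy_findings(version_dir / "trivy-deep.json"))
    grype = json.loads((version_dir / "grype-results.json").read_text())
    return {"trivy": dict(Counter(f[3] for f in trivy)),
            "grype": dict(Counter(m["vulnerability"]["severity"].upper()
                                  for m in grype.get("matches", [])))}


def summarize(root):
    """Summarise every image:version in manifest.json; report missing result files."""
    manifest = json.loads((root / "manifest.json").read_text())
    bad = bad_version_entries(manifest)
    if bad:  # fail up front instead of turning each placeholder into a bogus row
        raise ValueError("non-version entries in manifest: %r" % bad)
    out = {}
    for image, versions in manifest["images"].items():
        for version in versions:
            d = root / image / version
            missing = [f for f in REQUIRED_FILES if not (d / f).is_file()]
            if missing:
                out[f"{image}:{version}"] = {"missing": missing}
                continue
            meta = json.loads((d / "metadata.json").read_text())
            out[f"{image}:{version}"] = {"digest": meta["digest"], **severity_counts(d)}
    return out


def build_sample_tree():
    """Write a constructed scan-results tree (not real scan output) to a temp dir."""
    def trivy(*vulns):
        keys = ("VulnerabilityID", "PkgName", "InstalledVersion", "Severity")
        return json.dumps({"Results": [{"Target": "sample",
                                        "Vulnerabilities": [dict(zip(keys, v)) for v in vulns]}]})

    def grype(*sevs):
        return json.dumps({"matches": [{"vulnerability": {"id": "CVE-0000-%04d" % n, "severity": s}}
                                       for n, s in enumerate(sevs)]})

    manifest = {"lastUpdated": "2026-03-10T10:00:00Z",
                "images": {"liquibase/liquibase": ["5.0.1", "5.0.0"],
                           "liquibase/liquibase-secure": ["5.0.1"]}}
    meta = json.dumps({"scannedAt": "2026-03-10T10:05:00Z",
                       "digest": "sha256:0123abcd", "workflowRunId": 1})
    trees = {  # CVE-0000-0001 is in both Trivy files for 5.0.1 and must count once
        ("liquibase/liquibase", "5.0.1"): {
            "trivy-surface.json": trivy(("CVE-0000-0001", "pkg-a", "1.0", "HIGH"),
                                        ("CVE-0000-0002", "pkg-b", "1.0", "MEDIUM")),
            "trivy-deep.json": trivy(("CVE-0000-0001", "pkg-a", "1.0", "HIGH"),
                                     ("CVE-0000-0003", "pkg-c", "1.0", "CRITICAL")),
            "grype-results.json": grype("High", "Critical"), "metadata.json": meta},
        ("liquibase/liquibase", "5.0.0"): {  # clean image
            "trivy-surface.json": trivy(), "trivy-deep.json": trivy(),
            "grype-results.json": grype(), "metadata.json": meta},
        ("liquibase/liquibase-secure", "5.0.1"): {  # Grype file never persisted
            "trivy-surface.json": trivy(), "trivy-deep.json": trivy(), "metadata.json": meta}}
    root = Path(tempfile.mkdtemp(prefix="scan-results-"))
    (root / "manifest.json").write_text(json.dumps(manifest))
    for (image, version), files in trees.items():
        (root / image / version).mkdir(parents=True)
        for name, body in files.items():
            (root / image / version / name).write_text(body)
    return root
```

`summarize(build_sample_tree())` returns one entry per image:version; a version listed in the manifest whose files were never persisted shows up as a "missing" entry rather than being silently skipped, and a manifest containing "..." is rejected before any directory lookup, which is the check a consumer wants before trusting a version-to-version comparison built from this branch.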
Summary
- security.liquibase.com URLs
- scripts/README.md

Test plan
- security.liquibase.com URLs use correct paths

🤖 Generated with Claude Code