refactor(ci): simplify security scan PR comment using Argus

1blt · claude · 1blt · commit 4b95f57a79bd · 2026-04-09T12:15:02.000-04:00
Remove duplicate summary logic (shell script + 100-line JavaScript) and
let Argus security-summary action handle PR commenting directly with
post_pr_comment: true. Reduces summary job from ~180 lines to 12 lines.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/argus-security.yml b/.github/workflows/argus-security.yml
@@ -123,6 +123,7 @@ jobs:
       - uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@0.6.8
         with:
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -133,6 +134,7 @@ jobs:
         with:
           languages: ${{ needs.detect.outputs.languages }}
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -141,6 +143,7 @@ jobs:
         if: needs.detect.outputs.languages != ''
         with:
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -149,6 +152,7 @@ jobs:
         if: contains(needs.detect.outputs.languages, 'python')
         with:
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -169,12 +173,14 @@ jobs:
         with:
           image_ref: scan-target:${{ github.sha }}
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: huntridge-labs/argus/.github/actions/scanner-syft@0.6.8
         with:
           image_ref: scan-target:${{ github.sha }}
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -189,12 +195,14 @@ jobs:
       - uses: huntridge-labs/argus/.github/actions/scanner-trivy-iac@0.6.8
         with:
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: huntridge-labs/argus/.github/actions/scanner-checkov@0.6.8
         with:
           enable_code_security: true
+          post_pr_comment: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -204,65 +212,8 @@ jobs:
     if: always()
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Generate scan summary
-        env:
-          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
-          DETECTED_LANGUAGES: ${{ needs.detect.outputs.languages }}
-          HAS_CONTAINER: ${{ needs.detect.outputs.has_container }}
-          CONTAINER_BUILDABLE: ${{ needs.detect.outputs.container_buildable }}
-          HAS_IAC: ${{ needs.detect.outputs.has_iac }}
-          SAST_RESULT: ${{ needs.sast.result }}
-          CONTAINER_RESULT: ${{ needs.container.result }}
-          INFRA_RESULT: ${{ needs.infrastructure.result }}
-        run: |
-          echo "## 🔒 Security Scan Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Commit:** [\`${GITHUB_SHA:0:7}\`]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/commit/$GITHUB_SHA)" >> $GITHUB_STEP_SUMMARY
-          echo "**Branch:** \`$BRANCH_NAME\`" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-
-          echo "### 🔍 Stack Detection" >> $GITHUB_STEP_SUMMARY
-          echo "| Component | Detected | Scanned |" >> $GITHUB_STEP_SUMMARY
-          echo "|-----------|----------|---------|" >> $GITHUB_STEP_SUMMARY
-
-          if [ -n "$DETECTED_LANGUAGES" ]; then
-            echo "| **Languages** | $DETECTED_LANGUAGES | ✅ SAST |" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "| **Languages** | None | ⏭️ Skipped |" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if [ "$HAS_CONTAINER" = "true" ]; then
-            if [ "$CONTAINER_BUILDABLE" = "true" ]; then
-              echo "| **Container** | Dockerfile | ✅ Scanned |" >> $GITHUB_STEP_SUMMARY
-            else
-              echo "| **Container** | Dockerfile (private registry) | ⏭️ Skipped |" >> $GITHUB_STEP_SUMMARY
-            fi
-          else
-            echo "| **Container** | None | ⏭️ Skipped |" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if [ "$HAS_IAC" = "true" ]; then
-            echo "| **Infrastructure** | Terraform/CloudFormation | ✅ Scanned |" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "| **Infrastructure** | None | ⏭️ Skipped |" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### 📊 Job Results" >> $GITHUB_STEP_SUMMARY
-          echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY
-          echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| SAST Scanning | $SAST_RESULT |" >> $GITHUB_STEP_SUMMARY
-          echo "| Container Scanning | $CONTAINER_RESULT |" >> $GITHUB_STEP_SUMMARY
-          echo "| Infrastructure Scanning | $INFRA_RESULT |" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "---" >> $GITHUB_STEP_SUMMARY
-          echo "_View detailed findings in the [Security tab]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/security/code-scanning)_" >> $GITHUB_STEP_SUMMARY
-
       - uses: huntridge-labs/argus/.github/actions/security-summary@0.6.8
         with:
           post_pr_comment: true
-          title: "🔒 Security Scan Results"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
