fix: address security scanners follow-up items (awslabs#180) (awslabs#199)

scottschreckengaust · Copilot · web-flow · commit a756b71acf0a · 2026-04-21T19:35:10.000Z
* fix: address security scanners follow-up items from PR awslabs#161 - Fix concurrency group descriptions in admin guide to match actual {workflow}-{event_name}-{ref} pattern - Update ClamAV image digest to current latest (linux/amd64) - Add inline comment explaining sudo rm -f man-db workaround - Replace TODO in Updating Pinned Versions with real instructions including monthly ClamAV cadence, GitHub Actions SHA lookup, scanner version sources, and verification steps Closes awslabs#180 * docs: revert Updating Pinned Versions to original TODO Dependabot (PR awslabs#200) will handle automated version updates, making manual update instructions unnecessary. * docs: add agent pre-commit checklist to ADMINISTRATIVE_GUIDE.md Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore(docs): auto-fix markdown lint (MD012/MD032) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/.github/workflows/security-scanners.yml b/.github/workflows/security-scanners.yml
@@ -304,7 +304,7 @@ jobs:
     runs-on: ubuntu-latest
     services:
       clamav:
-        image: clamav/clamav@sha256:bf876a415b7ff77b9305b1de087e6d16833d170931581b01404e8761cb0dc87c
+        image: clamav/clamav@sha256:60ef5fee072ff46f91ca63ba09f36597e41693977600902d21df9d0d97f640e4
         ports:
           - 127.0.0.1:3310:3310
         options: >-
@@ -319,7 +319,7 @@ jobs:
       - name: Install clamdscan client
         run: |
           sudo apt-get update || true
-          sudo rm -f /var/lib/man-db/auto-update
+          sudo rm -f /var/lib/man-db/auto-update  # prevent man-db auto-update from blocking apt-get
           sudo apt-get install -y --no-install-recommends clamdscan
           sudo mkdir -p /etc/clamav
           cat << EOF | sudo tee /etc/clamav/clamd.conf
diff --git a/docs/ADMINISTRATIVE_GUIDE.md b/docs/ADMINISTRATIVE_GUIDE.md
@@ -246,7 +246,7 @@ flowchart TD
 | **Triggers**    | `push` to `main`, `push` tags `v*`, `pull_request` to `main` (label-gated, path-filtered), `workflow_dispatch` (dispatched by `tag-on-merge.yml` or manual — select a tag in the UI to trigger a release build) |
 | **Environment** | `codebuild` (protected, manual approval)                                                                                                                                                                        |
 | **Runner**      | `ubuntu-latest`                                                                                                                                                                                                 |
-| **Concurrency** | Groups by `{workflow}-{ref}`, cancels in-progress                                                                                                                                                               |
+| **Concurrency** | Groups by `{workflow}-{event_name}-{ref}`, cancels in-progress                                                                                                                                                  |
 
 **Purpose:** Runs an AWS CodeBuild project, downloads primary and secondary artifacts from S3, caches them in GitHub Actions cache, uploads them as workflow artifacts, and (when triggered from a `v*` tag) attaches them to the GitHub Release.
 
@@ -351,7 +351,7 @@ This job runs when the `rules` label is applied, immediately removing the remind
 | **Triggers**    | `pull_request_target` to `main` (edited, labeled, opened, ready_for_review, reopened, synchronize, unlabeled); `merge_group` (checks_requested) |
 | **Environment** | *(none)*                                                                                                                                        |
 | **Runner**      | `ubuntu-latest`                                                                                                                                 |
-| **Concurrency** | Groups by `{workflow}-{ref}`, cancels in-progress                                                                                               |
+| **Concurrency** | Groups by `{workflow}-{event_name}-{ref}`, cancels in-progress                                                                                  |
 
 **Purpose:** Validates pull requests before merge. Enforces conventional commit PR titles, the contributor acknowledgment statement, merge-halt controls, and a do-not-merge label gate. Also runs as a merge queue check.
 
@@ -422,7 +422,7 @@ Only runs for `pull_request` and `pull_request_target` events. Skipped for bot a
 | **Triggers**    | `push` to `main`, `pull_request` to `main`, `schedule` (daily 03:47 UTC), `workflow_dispatch`  |
 | **Environment** | *(none)*                                                                                       |
 | **Runner**      | `ubuntu-latest`                                                                                |
-| **Concurrency** | Groups by `{workflow}-{ref}`, cancels in-progress                                              |
+| **Concurrency** | Groups by `{workflow}-{event_name}-{ref}`, cancels in-progress                                 |
 
 **Purpose:** Runs six independent security scanners in parallel to detect secrets, vulnerabilities, misconfigurations, and malware. All HIGH and CRITICAL findings must be remediated or have a documented risk acceptance before merge (see [Security Finding Requirements](#security-finding-requirements)).
 
@@ -675,3 +675,11 @@ Pinned versions should be reviewed and updated **at least quarterly**.
   - How to handle breaking changes in scanner tool upgrades
   - Consider automating this with Dependabot or Renovate
 -->
+
+Agent pre-commit checklist (recommended):
+
+- npx markdownlint-cli2 --fix "**/*.md"  # auto-fix markdown lint issues
+- npx markdownlint-cli2 "**/*.md"    # verify no lint errors
+- uv run pytest                            # run tests via uv wrapper
+
+Agents must run the checklist above and ensure all checks pass before committing and pushing changes.
