Skip to content
Latchkey

Security Scan workflow (ErlichLiu/DeepClaude)

The Security Scan workflow from ErlichLiu/DeepClaude, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: ErlichLiu/DeepClaude.github/workflows/security-scan.ymlLicense MITView source

What it does

This is the Security Scan workflow from the ErlichLiu/DeepClaude repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Security Scan

on:
  schedule:
    - cron: '0 0 * * 0'  # 每周运行一次
  workflow_dispatch:

jobs:
  check-repository:
    runs-on: ubuntu-latest
    outputs:
      is_original: ${{ steps.check.outputs.is_original }}
    steps:
      - id: check
        run: |
          if [ "${{ github.repository }}" = "ErlichLiu/DeepClaude" ]; then
            echo "is_original=true" >> $GITHUB_OUTPUT
          else
            echo "is_original=false" >> $GITHUB_OUTPUT
          fi

  scan:
    needs: check-repository
    if: needs.check-repository.outputs.is_original == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set lowercase variables
        run: |
          OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
          REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
          echo "OWNER_LOWER=$OWNER_LOWER" >> $GITHUB_ENV
          echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> $GITHUB_ENV

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL'

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Security Scan
 
on:
  schedule:
    - cron: '0 0 * * 0'  # 每周运行一次
  workflow_dispatch:
 
jobs:
  check-repository:
    timeout-minutes: 30
    runs-on: latchkey-small
    outputs:
      is_original: ${{ steps.check.outputs.is_original }}
    steps:
      - id: check
        run: |
          if [ "${{ github.repository }}" = "ErlichLiu/DeepClaude" ]; then
            echo "is_original=true" >> $GITHUB_OUTPUT
          else
            echo "is_original=false" >> $GITHUB_OUTPUT
          fi
 
  scan:
    timeout-minutes: 30
    needs: check-repository
    if: needs.check-repository.outputs.is_original == 'true'
    runs-on: latchkey-small
    steps:
      - uses: actions/checkout@v4
 
      - name: Set lowercase variables
        run: |
          OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
          REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
          echo "OWNER_LOWER=$OWNER_LOWER" >> $GITHUB_ENV
          echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> $GITHUB_ENV
 
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL'

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow