docs: expand proactive SCA section — Trivy prerequisite and setup paths #2690
Conversation
… and deep-link anchor

Replaces the single-line Trivy note with a full explanation of how proactive SCA nightly scans work, what's required (Trivy tool + vulnerability patterns), both setup paths (coding standard / per-repo), and the silent failure case when only the tool is enabled. Adds a new H4 subsection with anchor #proactive-sca-requirements so Phase 2 CTAs (Dependency Explorer empty state OD-143, partial coverage banner OD-144) can deep-link directly to the prerequisite content.

Closes OD-139

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Review
This pull request updates the documentation regarding how Codacy manages findings detected during Software Composition Analysis (SCA). It clarifies the behavior of proactive SCA nightly scans, outlines the specific Trivy requirements needed for these scans to run successfully, and provides instructions on enabling Trivy either via coding standards or per repository. The feedback suggests a minor grammatical improvement to hyphenate 'Business-tier' when used as a compound modifier.
Overall readability score: 54.23 (🟢 +0)
Pull Request Overview
The documentation expansion for Proactive SCA accurately captures the mandatory Trivy prerequisites and setup paths, meeting Codacy quality standards. However, a significant discrepancy exists between the implementation and the technical requirements: the identifier for low-severity vulnerabilities is incorrectly documented as 'minor', which is not a valid pattern ID. Additionally, several internal and external links, along with the deep-linking anchor, require manual verification to ensure navigational integrity. These issues should be addressed to prevent configuration failures for users following these instructions.
Test suggestions
- [ ] Verify the '#proactive-sca-requirements' anchor is present and correctly formatted for deep-linking.
- [ ] Verify relative links to 'using-coding-standards.md' and repository code patterns documentation resolve correctly.
- [ ] Verify internal page links to '#dependencies-list' and '#item-list' resolve to valid sections within the same document.
- [ ] Verify the external support chat link is valid and points to the correct destination.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…cies cross-link

- Lead with what SCA findings are (dependency vulnerabilities) before explaining the daily re-scan feature
- Use "daily re-scans" (matches pricing page "Daily SCA and Malicious Package re-scans") and drop "nightly" / "every evening" inconsistency
- Remove inaccurate closing sentence — nightly scans always run for SCA-enabled orgs; enabling Trivy makes them produce results, not start
- Add cross-reference in the Dependencies section pointing to #proactive-sca-requirements so there's a path in both directions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… of file)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Removes the orange Important admonition that was breaking the reading flow. The business-tier note is now a single inline sentence at the end of the daily re-scans paragraph. Pattern IDs moved to sub-bullets for readability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…indings subsection

SCA findings behave identically to other git findings — no separate lifecycle documentation needed. The unique part (daily re-scans + Trivy requirements) belongs with Dependencies, where an admin with an empty tab will look for help.

- SCA findings subsection: collapsed to 2 sentences + link to #proactive-sca-requirements
- Trivy requirements block: moved from H4 under Findings to H3 under Dependencies, anchor preserved for Phase 2 CTA deep-links (OD-143, OD-144)
- Dependencies upgrade CTA: updated to use Knock link for consistency

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- #proactive-sca-requirements so Phase 2 in-product CTAs (OD-143, OD-144) can deep-link directly to the prerequisite content

Context
Part of the Enable Trivy when enabling proactive SCA project. This is the Phase 1 prerequisite — every in-product CTA planned for Phase 2 links here.
Linear: OD-139 | Jira: ODIN-106
Analysis doc: Proactive SCA & Trivy Enablement — Problem Analysis & Options
Test plan
- [ ] #proactive-sca-requirements anchor resolves correctly on the rendered page
- [ ] #dependencies-list and #item-list anchor links work within the page
- [ ] using-coding-standards.md and ../repositories-configure/configuring-code-patterns.md resolve
- [ ] start-chat.com/slack/codacy/rmbTzb) opens the chat correctly

🤖 Generated with Claude Code
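The anchor and relative-link checks in this test plan can be automated before the page is rendered. The script below is an added example, not part of this PR or of Codacy's docs tooling; the in-memory pages, their paths and headings are constructed to mirror the links the plan names, and the slug rule is the GitHub-style one (lowercase, punctuation stripped, spaces to hyphens).

```python
import re
import posixpath

# Constructed sample "repo": path -> markdown source (not the real Codacy docs).
DOCS = {
    "docs/organizations/managing-findings.md": """# Managing findings

## Dependencies list

See [requirements](#proactive-sca-requirements) and [items](#item-list).

## Item list

### Proactive SCA requirements

Enable Trivy in a [coding standard](using-coding-standards.md)
or [per repository](../repositories-configure/configuring-code-patterns.md#trivy).
Broken on purpose: [missing](#nightly-scans) and [gone](../missing-page.md).
External: [chat](https://example.invalid/slack) is skipped by this checker.
""",
    "docs/organizations/using-coding-standards.md": "# Using coding standards\n",
    "docs/repositories-configure/configuring-code-patterns.md": "# Configuring code patterns\n\n## Trivy\n",
}

HEADING = re.compile(r"^#{1,6}\s+(.*?)\s*#*\s*$", re.M)
LINK = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")


def slugify(text):
    """GitHub-style heading slug: lowercase, drop punctuation, spaces -> hyphens."""
    text = re.sub(r"[^\w\- ]", "", text.lower())
    return text.strip().replace(" ", "-")


def anchors(path, docs):
    """Set of anchors a page exposes, derived from its markdown headings."""
    return {slugify(h) for h in HEADING.findall(docs[path])}


def check_links(path, docs):
    """Return (target, reason) for every in-repo link on `path` that does not resolve."""
    broken = []
    base = posixpath.dirname(path)
    for target in LINK.findall(docs[path]):
        if re.match(r"^[a-z][a-z0-9+.-]*:", target):
            continue  # external/mailto links need a live check; out of scope here
        file_part, _, anchor = target.partition("#")
        dest = path if not file_part else posixpath.normpath(posixpath.join(base, file_part))
        if dest not in docs:
            broken.append((target, "file not found"))
        elif anchor and anchor not in anchors(dest, docs):
            broken.append((target, "anchor not found"))
    return broken
```

Running `check_links` over every page in `DOCS` reports only the two deliberately broken links; the deep-link anchor and both relative paths resolve.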