SolaceDev · artyom-morozov · Mar 13, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/workflows/hatch_ci.yml b/.github/workflows/hatch_ci.yml
@@ -338,170 +338,6 @@ jobs:
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-  # ----------------------------------------------------
-  # WHITESOURCE SCANNING JOB (runs in parallel)
-  # ----------------------------------------------------
-  whitesource-scan:
-    name: WhiteSource Security Scan
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' && !github.event.repository.fork && github.ref_name == github.event.repository.default_branch
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          fetch-depth: 0
-
-      - name: Checkout Workflows Repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          repository: SolaceDev/solace-public-workflows
-          path: workflows-repo
-
-      - name: Setup Python for Whitesource Scan
-        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
-        with:
-          python-version: ${{ inputs.max-python-version }}
-          cache: "pip"
-          cache-dependency-path: "pyproject.toml"
-
-      - name: Setup WhiteSource Project Name
-        id: setup-ws-project
-        shell: bash
-        run: |
-          WS_PROJECT_NAME="${{ inputs.whitesource_project_name }}"
-
-          if [ "${{ inputs.whitesource_project_name }}" = "" ]; then
-            WS_PROJECT_NAME="${{ github.event.repository.name }}"
-          fi
-          echo "ws_project_name=${WS_PROJECT_NAME}" >> $GITHUB_ENV
-
-      - name: Install Virtualenv for Whitesource Scan
-        run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install virtualenv
-
-      - name: Generate Clean Requirements for WhiteSource
-        id: generate-requirements
-        uses: ./workflows-repo/.github/actions/generate-clean-requirements
-        with:
-          max-python-version: ${{ inputs.max-python-version }}
-          whitesource_config_file: ${{ inputs.whitesource_config_file }}
-          script-path: workflows-repo/.github/scripts/consolidate_requirements.py
-          output-dir: .
-
-      - name: List Generated Requirements Files
-        shell: bash
-        run: |
-          echo "📋 Generated requirements files:"
-          echo "Main requirements file: ${{ steps.generate-requirements.outputs.main-requirements-file }}"
-          echo "All requirements files: ${{ steps.generate-requirements.outputs.requirements-files }}"
-          echo ""
-          echo "📄 File contents preview:"
-          for file in ${{ steps.generate-requirements.outputs.requirements-files }}; do
-            if [ -f "$file" ]; then
-              echo "=== $file ==="
-              head -10 "$file"
-              echo "... (showing first 10 lines)"
-              echo ""
-            fi
-          done
-
-      - name: Show WhiteSource Configuration
-        if: inputs.whitesource_config_file != ''
-        shell: bash
-        run: |
-          echo "🔧 WhiteSource Configuration File:"
-          if [ -f "${{ inputs.whitesource_config_file }}" ]; then
-            echo "=== ${{ inputs.whitesource_config_file }} ==="
-            cat "${{ inputs.whitesource_config_file }}"
-          else
-            echo "❌ WhiteSource config file not found: ${{ inputs.whitesource_config_file }}"
-          fi
-
-      - name: Run Whitesource Scan
-        uses: ./workflows-repo/.github/actions/whitesource-scan
-        with:
-          whitesource_product_name: ${{ inputs.whitesource_product_name }}
-          whitesource_project_name: ${{ inputs.whitesource_project_name || github.event.repository.name }}
-          whitesource_api_key: ${{ secrets.WHITESOURCE_API_KEY }}
-          whitesource_config_file: ${{ inputs.whitesource_config_file }}
-
-  # ----------------------------------------------------
-  # WHITESOURCE POLICY AND VULNERABILITY GATES
-  # ----------------------------------------------------
-  whitesource-gates:
-    name: WhiteSource Policy and Vulnerability Gates
-    runs-on: ubuntu-latest
-    needs: [whitesource-scan]
-    if: github.event_name == 'push' && !github.event.repository.fork && github.ref_name == github.event.repository.default_branch
-    steps:
-      - name: Setup WhiteSource Project Name
-        id: setup-ws-project-gates
-        shell: bash
-        run: |
-          WS_PROJECT_NAME="${{ inputs.whitesource_project_name }}"
-
-          if [ "${{ inputs.whitesource_project_name }}" = "" ]; then
-            WS_PROJECT_NAME="${{ github.event.repository.name }}"
-          fi
-
-          echo "ws_project_name=${WS_PROJECT_NAME}" >> $GITHUB_ENV
-
-      - name: Run WhiteSource Policy Gate
-        id: whitesource-policy-gate
-        uses: docker://ghcr.io/solacedev/maas-build-actions:latest
-        continue-on-error: true
-        env:
-          WS_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }}
-          WS_PRODUCT_NAME: ${{ inputs.whitesource_product_name }}
-          WS_PROJECT_NAME: ${{ env.ws_project_name }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.MANIFEST_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.MANIFEST_AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.MANIFEST_AWS_REGION }}
-          WS_BLOCKING_POLICY_VIOLATION_LEVELS: "Major,Minor"
-          FAIL_IF_POLICY_VIOLATIONS_FOUND: "True"
-          STATUS_CHECK: "True"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_ORG: ${{ github.repository_owner }}
-          GH_REPO: ${{ github.event.repository.name }}
-          GITHUB_SHA: ${{ github.sha }}
-        with:
-          entrypoint: /bin/sh
-          args: >
-            -c "
-            . $VIRTUAL_ENV/bin/activate &&
-            cd $ACTIONS_PATH/whitesource-policy-violation-checker &&
-            python whitesource_policy_violation_checker.py
-            "
-
-      - name: Run WhiteSource Vulnerability Gate
-        id: whitesource-vulnerability-gate
-        uses: docker://ghcr.io/solacedev/maas-build-actions:latest
-        continue-on-error: true
-        env:
-          WS_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }}
-          WS_PRODUCT_NAME: ${{ inputs.whitesource_product_name }}
-          WS_PROJECT_NAME: ${{ env.ws_project_name }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.MANIFEST_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.MANIFEST_AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.MANIFEST_AWS_REGION }}
-          WS_JIRA_CHECK: "True"
-          JIRA_ONLY: "True"
-          STATUS_CHECK: "True"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_ORG: ${{ github.repository_owner }}
-          GH_REPO: ${{ github.event.repository.name }}
-          GITHUB_SHA: ${{ github.sha }}
-        with:
-          entrypoint: /bin/sh
-          args: >
-            -c ". $VIRTUAL_ENV/bin/activate &&
-            cd $ACTIONS_PATH/whitesource-vulnerability-checker &&
-            python whitesource_vulnerability_checker.py
-            "
-
   # ----------------------------------------------------
   # FOSSA SCANNING JOB (runs in parallel)
   # ----------------------------------------------------

diff --git a/.github/workflows/hatch_release_security_checks.yml b/.github/workflows/hatch_release_security_checks.yml
@@ -3,16 +3,6 @@ name: Release Security Checks
 on:
   workflow_call:
     inputs:
-      whitesource_product_name:
-        type: string
-        required: false
-        default: ""
-        description: "Whitesource product name"
-      whitesource_project_name:
-        type: string
-        required: false
-        default: ""
-        description: "Whitesource project name"
       prisma_check:
         type: boolean
         required: false
@@ -29,9 +19,6 @@ on:
         default: false
         description: "Run FOSSA Check"
     secrets:
-      WHITESOURCE_API_KEY:
-        description: "Whitesource API key"
-        required: false
       MANIFEST_AWS_REGION:
         description: "AWS region for the manifest"
         required: false
@@ -108,59 +95,6 @@ jobs:
           fossa_mode: BLOCK
           block_on: critical,high
 
-      - name: Run WhiteSource Policy Gate
-        if: ${{ inputs.whitesource_product_name != '' && inputs.whitesource_project_name != '' }}
-        uses: docker://ghcr.io/solacedev/maas-build-actions:latest
-        env:
-          WS_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }}
-          WS_PRODUCT_NAME: ${{ inputs.whitesource_product_name }}
-          WS_PROJECT_NAME: ${{ inputs.whitesource_project_name }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.MANIFEST_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.MANIFEST_AWS_SECRET_ACCESS_KEY }}
-          WS_BLOCKING_POLICY_VIOLATION_LEVELS: "Major,Minor"
-          FAIL_IF_POLICY_VIOLATIONS_FOUND: "True"
-          AWS_REGION: ${{ secrets.MANIFEST_AWS_REGION }}
-          STATUS_CHECK: "True"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_ORG: ${{ github.repository_owner }}
-          GH_REPO: ${{ github.event.repository.name }}
-          GITHUB_SHA: ${{ github.sha }}
-        with:
-          entrypoint: /bin/sh
-          args: >
-            -c "
-            . $VIRTUAL_ENV/bin/activate &&
-            cd $ACTIONS_PATH/whitesource-policy-violation-checker &&
-            python whitesource_policy_violation_checker.py
-            "
-
-      - name: Run WhiteSource Vulnerability Gate
-        if: ${{ inputs.whitesource_product_name != '' && inputs.whitesource_project_name != '' }}
-        uses: docker://ghcr.io/solacedev/maas-build-actions:latest
-        env:
-          WS_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }}
-          WS_PRODUCT_NAME: ${{ inputs.whitesource_product_name }}
-          WS_PROJECT_NAME: ${{ inputs.whitesource_project_name }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.MANIFEST_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.MANIFEST_AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.MANIFEST_AWS_REGION }}
-          WS_JIRA_CHECK: "True"
-          JIRA_ONLY: "True"
-          STATUS_CHECK: "True"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_ORG: ${{ github.repository_owner }}
-          GH_REPO: ${{ github.event.repository.name }}
-          GITHUB_SHA: ${{ github.sha }}
-        with:
-          entrypoint: /bin/sh
-          args: >
-            -c ". $VIRTUAL_ENV/bin/activate &&
-            cd $ACTIONS_PATH/whitesource-vulnerability-checker &&
-            python whitesource_vulnerability_checker.py
-            "
-
       - name: Run Prisma Check
         if: ${{ fromJson(inputs.prisma_check) }}
         uses: docker://ghcr.io/solacedev/maas-build-actions:latest

diff --git a/prisma-cloud-scan/README.md b/prisma-cloud-scan/README.md
@@ -5,10 +5,14 @@ A composite GitHub Action that scans Docker container images using Prisma Cloud'
 ## Features
 
 - Downloads and uses `twistcli` directly from Prisma Cloud Console
+- Handles both AMD64 and ARM64 runners when downloading `twistcli`
 - Pulls Docker images from any registry
 - Scans images for vulnerabilities and compliance issues
 - Blocks releases on critical or high severity findings
 - Provides detailed scan results as outputs
+- Posts a GitHub Check Run (`Prisma Image Scan (<OS>/<ARCH>)`) linked to Prisma Cloud scan results
+- Uploads `pcc_scan_results.json` and `pcc_scan_output.txt` as artifacts
+- Hides detailed vulnerability/compliance logs by default for public repositories
 - Helpful error messages for authentication issues
 - Automatically publishes results to Prisma Cloud Console (configurable)
 
@@ -25,6 +29,9 @@ on:
 
 jobs:
   scan:
+    permissions:
+      contents: read
+      checks: write
     runs-on: ubuntu-latest
     steps:
       - name: Scan Docker Image
@@ -112,15 +119,19 @@ jobs:
 
 ## Inputs
 
-| Name               | Required | Default          | Description                                                                    |
-| ------------------ | -------- | ---------------- | ------------------------------------------------------------------------------ |
-| `image_registry`   | Yes      | -                | Docker image registry (e.g., `868978040651.dkr.ecr.us-east-1.amazonaws.com`)   |
-| `image_repo`       | No       | GitHub repo name | Docker image repository name. If not provided, uses the GitHub repository name |
-| `image_tag`        | Yes      | -                | Docker image tag to scan                                                       |
-| `pcc_console_url`  | Yes      | -                | Prisma Cloud Console URL (e.g., `https://console.prisma.cloud`)                |
-| `pcc_user`         | Yes      | -                | Prisma Cloud Access Key ID                                                     |
-| `pcc_pass`         | Yes      | -                | Prisma Cloud Secret Access Key                                                 |
-| `twistcli_publish` | No       | `true`           | Whether to publish scan results to Prisma Cloud Console (`true` or `false`)    |
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `image_registry` | Yes | - | Docker image registry (e.g., `868978040651.dkr.ecr.us-east-1.amazonaws.com`) |
+| `image_repo` | No | GitHub repo name | Docker image repository name. If not provided, uses the GitHub repository name |
+| `image_tag` | Yes | - | Docker image tag to scan |
+| `pcc_console_url` | Yes | - | Prisma Cloud Console URL (e.g., `https://console.prisma.cloud`) |
+| `pcc_user` | Yes | - | Prisma Cloud Access Key ID |
+| `pcc_pass` | Yes | - | Prisma Cloud Secret Access Key |
+| `twistcli_publish` | No | `true` | Whether to publish scan results to Prisma Cloud Console (`true`/`false`) |
+| `block_on_compliance` | No | `false` | Block on high/critical compliance findings (`true`/`false`) |
+| `vulnerability_grace_period_days` | No | `7` | Grace period for new vulnerabilities before they become blocking |
+| `skip_image_pull` | No | `false` | Skip Docker pull and scan image already present locally |
+| `show_detailed_logs` | No | auto | Force detailed logs (`true`/`false`). Auto mode = hidden for public repos, shown otherwise |
 
 ## Outputs
 
@@ -131,6 +142,7 @@ jobs:
 | `vuln_high`     | Number of high severity vulnerabilities found                                         |
 | `vuln_medium`   | Number of medium severity vulnerabilities found                                       |
 | `vuln_low`      | Number of low severity vulnerabilities found                                          |
+| `console_link`  | Deep link to Prisma Cloud Console results (when available)                           |
 
 ## Blocking Behavior
 
@@ -199,6 +211,24 @@ If your image is in a private registry, you must authenticate **before** calling
 4. **Parses results**: Extracts vulnerability and compliance counts from the scan results JSON
 5. **Blocks on issues**: Fails the action if critical or high severity issues are found
 6. **Outputs results**: Provides detailed counts as action outputs for downstream jobs
+7. **Publishes check run details**: Adds a rich check run overview with severity totals, blocking counts, and Prisma Console link
+
+### Check Run Details
+
+The action publishes a check run named `Prisma Image Scan (<OS>/<ARCH>)` when runner system info is available.
+The scan analysis and check run payload are generated by Python scripts for easier maintenance:
+
+- `scripts/analyze_scan_results.py`
+- `scripts/post_prisma_check_run.py`
+
+- Always includes:
+  - PASS/FAIL result
+  - Severity totals for vulnerabilities and compliance
+  - Blocking issue totals
+  - Direct link to Prisma Cloud results
+- Includes issue-level markdown tables (vulnerabilities + compliance) only when:
+  - effective detailed mode is enabled (`show_detailed_logs: "true"`), and
+  - repository visibility is not public
 
 ## Troubleshooting
 
@@ -218,6 +248,7 @@ If the scan itself fails:
 1. **Invalid Prisma Cloud credentials** - Verify `pcc_user` and `pcc_pass` are correct
 2. **Wrong Console URL** - Verify `pcc_console_url` is correct and accessible
 3. **Network connectivity** - Ensure the runner can reach the Prisma Cloud Console
+4. **Exec format error** - Usually means architecture mismatch. This action now tries ARM64 and default endpoints automatically, but ensure your Console supports ARM64 `twistcli` for ARM runners.
 
 ### Result Parsing Issues