Objective
Add -stdout flag to the gosec command in the GitHub Actions workflow so security scan results are visible in workflow logs without downloading the SARIF file.
Context
Currently, the security scan workflow writes results only to the SARIF file, so to read them a developer has to:
- Download the SARIF artifact, then either
- Upload it to the GitHub Code Scanning UI, or
- Open it in a SARIF viewer
Adding stdout output provides immediate visibility in the workflow logs, making it easier to review results during development and debugging.
The Makefile already uses -stdout, so this aligns the workflow with local development practice.
Files to Modify
.github/workflows/security-scan.yml - Add -stdout flag to the gosec command
Implementation
# .github/workflows/security-scan.yml (around line 30)
- gosec -fmt sarif -out gosec-results.sarif -exclude-generated -track-suppressions ./...
+ gosec -fmt sarif -out gosec-results.sarif -stdout -exclude-generated -track-suppressions ./...
Note: This change should be made after adding the -track-suppressions flag (see related sub-issue).
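Review bot: with -fmt sarif still selected, the -stdout copy produced by the `+` line is the SARIF JSON document, not a readable report, which works against the stated goal of reviewing findings directly in the job log. gosec's -verbose option chooses a separate format for the stdout copy while the file keeps the -fmt format, so consider `gosec -fmt sarif -out gosec-results.sarif -stdout -verbose text -exclude-generated -track-suppressions ./...`. It is also worth re-checking, since the acceptance criteria require the Code Scanning upload to keep working, that the upload step still runs when gosec exits non-zero on findings; -stdout does not change that exit behaviour.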
Acceptance Criteria
- Workflow includes the -stdout flag
- Security scan results visible in workflow logs
- SARIF file still generated correctly
- GitHub Code Scanning upload still works
- No breaking changes to existing workflow
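A complete job that satisfies the criteria above, written here as an added example and not taken from the project's own security-scan.yml: it mirrors gosec output to the log, keeps writing the SARIF file, and uploads it to Code Scanning. The repository layout (a Go module at the repo root), the action versions, the Go version source and the gosec install pin are assumptions to adjust; the `-verbose text` pairing is my choice so the log copy is readable text rather than a second copy of the SARIF JSON.

```yaml
# Added example workflow (not the project's file). Assumes a Go module at the
# repository root; action versions and the gosec install pin are placeholders.
name: security-scan
on:
  push:
  pull_request:
  workflow_dispatch:   # allows the manual trigger used in the Testing section

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to publish to the Security tab

jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Install gosec
        # Pin a release tag in a real workflow instead of @latest; an unpinned
        # install lets an upstream release change the scanner under you.
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest

      - name: Run gosec
        # -stdout echoes results to the job log; -verbose text makes that copy
        # human-readable while -fmt sarif still governs the file written by -out.
        run: >
          gosec -fmt sarif -out gosec-results.sarif -stdout -verbose text
          -exclude-generated -track-suppressions ./...

      - name: Upload SARIF to Code Scanning
        # gosec exits non-zero when it reports findings, so without always()
        # the upload would be skipped on exactly the runs that matter.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec-results.sarif

      - name: Keep the SARIF as a downloadable artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: gosec-results
          path: gosec-results.sarif
```

If the job should stay green on findings (relying on the Security tab rather than the job status), add `-no-fail` to the gosec command; otherwise the non-zero exit is the signal that blocks the merge, and the `if: always()` on the upload steps is what keeps the SARIF flowing either way.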
Testing
- Trigger security-scan workflow manually
- Check workflow logs contain gosec output
- Verify SARIF file is still uploaded successfully
- Confirm Code Scanning results appear in Security tab
Time Estimate
2-3 minutes
Related to #7612
AI generated by Plan Command for discussion #7599