From 417b5c5935452448104264c3b4f3081b1bffd6b1 Mon Sep 17 00:00:00 2001
From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com>
Date: Thu, 5 Mar 2026 15:02:15 +0000
Subject: [PATCH 1/3] Always run valid trivy scans even if a previous scan failed, so that all vulnerabilities are identified at once. Shorten feedback cycle for vulnerabilities across multiple scans.
---
.github/workflows/quality-checks.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index 7dfdf63..3611ac0 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -263,7 +263,7 @@ jobs:
path: sbom.cdx.json - name: Check python vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
+ if: ${{ steps.check_languages.outputs.uses_poetry == 'true' && failure()}}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
@@ -276,7 +276,7 @@ jobs:
exit-code: "1"
trivy-config: trivy.yaml - name: Check node vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_node == 'true' }}
+ if: ${{ steps.check_languages.outputs.uses_node == 'true' && failure() }}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
@@ -289,7 +289,7 @@ jobs:
exit-code: "1"
trivy-config: trivy.yaml - name: Check go vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_go == 'true' }}
+ if: ${{ steps.check_languages.outputs.uses_go == 'true' && failure()}}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
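Review bot: The `&& failure()` appended to the four `if:` conditions (hunks 263, 276 and 289 here, and 301 in the next patch) makes each scan run only when an earlier step in the job has already failed, so a green run would skip every Trivy scan, the opposite of what the subject line describes. PATCH 3/3 replaces it with `always()`, so this is history as far as the final state goes, but the intermediate commit leaves a revision in which a passing build performs no vulnerability scanning at all. Squashing the series before merge avoids landing that state, which would otherwise surface during a bisect or a revert.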
@@ -301,7 +301,7 @@ jobs:
output: "dependency_results_go.txt"
exit-code: "1" - name: Check java vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_java == 'true' }}
+ if: ${{ steps.check_languages.outputs.uses_java == 'true' && failure()}}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
From 0e15f69af8296b329b477f9e25503d9302b12f49 Mon Sep 17 00:00:00 2001
From: Connor Avery
Date: Thu, 5 Mar 2026 15:54:17 +0000
Subject: [PATCH 2/3] Apply suggestion from @tstephen-nhs
Co-authored-by: tstephen-nhs <231503406+tstephen-nhs@users.noreply.github.com>
---
.github/workflows/quality-checks.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index 3611ac0..bc64478 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -263,7 +263,7 @@ jobs:
path: sbom.cdx.json - name: Check python vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_poetry == 'true' && failure()}}
+ if: ${{always() && steps.check_languages.outputs.uses_poetry == 'true'}}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
From c7930db00448340fca6019766507558cee8084c1 Mon Sep 17 00:00:00 2001
From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com>
Date: Thu, 5 Mar 2026 15:55:54 +0000
Subject: [PATCH 3/3] Switch to always
Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com>
---
.github/workflows/quality-checks.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index bc64478..2231483 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -263,7 +263,7 @@ jobs:
path: sbom.cdx.json - name: Check python vulnerabilities
- if: ${{always() && steps.check_languages.outputs.uses_poetry == 'true'}}
+ if: ${{ always() && steps.check_languages.outputs.uses_poetry == 'true'}}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
@@ -276,7 +276,7 @@ jobs:
exit-code: "1"
trivy-config: trivy.yaml - name: Check node vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_node == 'true' && failure() }}
+ if: ${{ always() && steps.check_languages.outputs.uses_node == 'true' }}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
@@ -289,7 +289,7 @@ jobs:
exit-code: "1"
trivy-config: trivy.yaml - name: Check go vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_go == 'true' && failure()}}
+ if: ${{ always() && steps.check_languages.outputs.uses_go == 'true' }}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
@@ -301,7 +301,7 @@ jobs:
output: "dependency_results_go.txt"
exit-code: "1" - name: Check java vulnerabilities
- if: ${{ steps.check_languages.outputs.uses_java == 'true' && failure()}}
+ if: ${{ always() && steps.check_languages.outputs.uses_java == 'true' }}
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
with:
scan-type: "fs"
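Review bot: `always()` in the new `if:` conditions of all four scan steps (hunks 263, 276, 289 and 301) also fires when the workflow run has been cancelled, so a cancelled run keeps launching Trivy scans instead of stopping; the condition that means "run even if an earlier step failed, but not after cancellation" is `!cancelled()`, e.g. `if: ${{ !cancelled() && steps.check_languages.outputs.uses_poetry == 'true' }}`. The python line is also the only one of the four still missing the space before the closing `}}`. Each scan keeps `exit-code: "1"`, so the job still fails on findings while every scan now reports, which is the intended effect; any later step that uploads the `dependency_results_*.txt` outputs is outside these hunks and would need the same condition to run after a failing scan, which is worth confirming.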