docs: [#251] document Security tab viewing behavior

josecelano · josecelano · commit 40dd234c8fe9 · 2025-12-23T20:31:22.000Z
- Add comment in workflow explaining filter behavior
- Add section in ADR explaining how to view results by branch/PR
- Add PR comment with direct links to view scan results

The default Security tab filters by 'is:open branch:main' which
hides PR branch results. Users must use specific PR/branch filters
to see results before merging to main.
diff --git a/.github/workflows/docker-security-scan.yml b/.github/workflows/docker-security-scan.yml
@@ -162,6 +162,13 @@ jobs:
       # Upload each SARIF file with CodeQL Action using unique categories.
       # The category parameter enables proper alert tracking per image.
       # Must use CodeQL Action (not gh API) - API doesn't support category field.
+      #
+      # VIEWING RESULTS:
+      # - For pull requests: /security/code-scanning?query=pr:NUMBER+is:open
+      # - For branches: /security/code-scanning?query=is:open+branch:BRANCH-NAME
+      # - For main branch: /security/code-scanning?query=is:open+branch:main (default view)
+      # The default Security tab filters by "is:open branch:main" which only shows
+      # alerts from the main branch, not from PR branches.
       - name: Upload project provisioned-instance SARIF
         if: always()
         uses: github/codeql-action/upload-sarif@v4
diff --git a/docs/decisions/docker-security-scan-exit-code-zero.md b/docs/decisions/docker-security-scan-exit-code-zero.md
@@ -113,6 +113,16 @@ This philosophy is summarized as: **"Trivy detects, GitHub Security decides, CI
 - Results in "multiple SARIF runs with same category" error
 - Cannot distinguish alerts between different images
 
+## Viewing Security Results
+
+Security scan results are uploaded to GitHub's Security tab, but the default view filters by `is:open branch:main`. This means:
+
+- **Pull Request Results**: Must use filter `pr:NUMBER is:open` (e.g., `/security/code-scanning?query=pr:256+is:open`)
+- **Branch Results**: Must use filter `is:open branch:BRANCH-NAME` for non-main branches
+- **Main Branch Results**: Visible in default view after merging to main
+
+Results uploaded from PR branches are not visible in the default Security tab view because the default filter excludes them. This is GitHub's standard behavior for code scanning across all analysis tools.
+
 ## Related Decisions
 
 - [GitHub Actions Workflow Structure](https://github.com/torrust/torrust-tracker-deployer/pull/256) - How the three-job structure enables this philosophy
