From 2083638a0a3ac0dd0bf68017ca6f405987bfb2e4 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:26:47 +0900 Subject: [PATCH 01/47] Add Sysdig CLI scan workflow
--- .github/workflows/scan.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/workflows/scan.yml
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644
index 0000000000..1becba2bb0
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1 @@
+404: Not Found
\ No newline at end of file
From ea50a2a7da215677cc3d53fe5c0300b3b6512ec1 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:31:59 +0900 Subject: [PATCH 02/47] Fix: corrected scan.yml quoting for GitHub Actions
--- .github/workflows/scan.yml | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 1becba2bb0..0fcc1cedac 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -1 +1,35 @@
-404: Not Found
\ No newline at end of file
+name: Sysdig Image Scan
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ image-scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build Docker images
+ run: |
+ docker build -t voting-app ./voting-app
+ docker build -t worker ./worker
+ docker build -t result ./result
+
+ - name: Download Sysdig CLI Scanner
+ run: |
+ curl -sL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner -o scanner
+ chmod +x scanner
+
+ - name: Run Sysdig Scan on voting-app
+ run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image voting-app
+
+ - name: Run Sysdig Scan on worker
+ run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image worker
+
+ - name: Run Sysdig Scan on result
+ run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image result
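Review bot: The "Download Sysdig CLI Scanner" step fetches an unversioned `latest` binary with `curl -sL`, marks it executable and runs it in the next steps with no integrity check, so the scan results depend on whatever that URL serves at run time; if Sysdig publishes a checksum next to the binary, verify it before `chmod +x scanner`, and use `curl -fsSL` so an HTTP error page is not saved as the scanner (the URL rewrites in patches 04 and 05 on the following lines keep the same pattern). The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository default rather than the `permissions: contents: read` this read-only scan needs, and `actions/checkout@v3` is a mutable tag where a commit SHA (`actions/checkout@<commit-sha-placeholder> # v3`) would pin the action. Finally, `${{ secrets.SYSDIG_SECURE_TOKEN }}` is expanded directly into the `run:` text and passed as `--token` on the command line; passing it through the step's `env:` and reading it as a variable keeps the secret out of the rendered script.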
From 6d6c40a2d41354a7df0ba4b195d9eba7f6795601 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:42:50 +0900 Subject: [PATCH 03/47] fix: correct voting-app Docker path to ./vote --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0fcc1cedac..2acc033de1 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -16,7 +16,7 @@ jobs: - name: Build Docker images run: | - docker build -t voting-app ./voting-app + docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result From c1b03dfe0b435907d2d4f2747f43bbe1084fc32a Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:47:21 +0900 Subject: [PATCH 04/47] fix: correct CLI scanner download URL --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 2acc033de1..cda8091330 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -22,7 +22,7 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/linux/sysdig-cli-scanner -o scanner + curl -sLo scanner https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 chmod +x scanner - name: Run Sysdig Scan on voting-app From d15504ce05f5c583142a83c7919905f87e068389 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 00:56:37 +0900 Subject: [PATCH 05/47] trigger scan --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index cda8091330..5a74d142b3 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -22,7 +22,7 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sLo scanner https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 -o scanner chmod +x scanner - name: Run Sysdig Scan on voting-app From e2f6459b51d04a5230a1a435257d1421743e56f7 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:02:34 +0900 Subject: [PATCH 06/47] correct scan.yml --- .github/workflows/scan.yml | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 5a74d142b3..b56bdbec81 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,8 +2,7 @@ name: Sysdig Image Scan on: push: - branches: - - main + branches: [main] workflow_dispatch: jobs: @@ -11,8 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - name: Build Docker images run: | 
@@ -22,14 +20,15 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 -o scanner + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner chmod +x scanner - - name: Run Sysdig Scan on voting-app - run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image voting-app - - - name: Run Sysdig Scan on worker - run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image worker + - name: Run Sysdig Scan + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + run: | + ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app + ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker + ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result - - name: Run Sysdig Scan on result - run: ./scanner --token ${{ secrets.SYSDIG_SECURE_TOKEN }} --image result From bc413297fb4fc7df5a62edde64b6efac98fcad3f Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:06:08 +0900 Subject: [PATCH 07/47] correctCLIversion scan.yml --- .github/workflows/scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b56bdbec81..e2230a5e2e 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
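Review bot: Merging the three scans into one `run:` block means that if the scanner exits non-zero for `docker://voting-app` (the step shell runs with `-e`), `worker` and `result` are never scanned and the run reports only the first failure; whether a policy failure exits non-zero is not shown here, but the earlier per-image steps did not have this gap. Moving the token into the step `env:` is an improvement, though both `$SYS_DIG_SECURE_URL` and `$SECURE_API_TOKEN` are still expanded unquoted. The nested `$(curl -L -s ... latest_version.txt)` in the download line has no `-f`, so an error body would be spliced into the download URL. One way to scan every image and still fail the step is a loop that records the status:

```yaml
      - name: Run Sysdig Scan
        # … unchanged: env block …
        run: |
          status=0
          for image in voting-app worker result; do
            ./scanner --apiurl "$SYS_DIG_SECURE_URL" --token "$SECURE_API_TOKEN" "docker://$image" || status=1
          done
          exit "$status"
```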
@@ -28,7 +28,7 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app - ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker - ./scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result + ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app + ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker + ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result From ad83a35153a2eac2d24275b7c2b92374602443d6 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:23:19 +0900 Subject: [PATCH 08/47] Add Sysdig image scan workflow --- .github/workflows/scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e2230a5e2e..0f5b65cea0 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Checkout source + uses: actions/checkout@v3 - name: Build Docker images run: | @@ -20,10 +21,10 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner chmod +x scanner - - name: Run Sysdig Scan + - name: Run Sysdig Image Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com From 3729c8d3d90b4ef23f031a0240422bf62848bf8b Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 01:27:31 +0900 Subject: [PATCH 09/47] Add Sysdig image scan workflow --- .github/workflows/scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0f5b65cea0..0b84536ed2 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -21,9 +21,10 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" -o scanner - chmod +x scanner - + LATEST_VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner + chmod +x sysdig-cli-scanner + ./sysdig-cli-scanner version - name: Run Sysdig Image Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} From 291018b90b45136909e1f39f2a6226ec7571a1c2 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:32:14 +0900 Subject: [PATCH 10/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0b84536ed2..e754d92dc5 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
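Review bot: `LATEST_VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)` never checks the HTTP status, so on a 4xx/5xx response the variable silently holds the error body (or is empty), the second `curl` downloads from a nonsense path, and the non-binary result is still made executable and run. Add `-f` to both fetches, `curl -fsSL ...`, and guard the value with `test -n "$LATEST_VERSION" || { echo "could not resolve scanner version" >&2; exit 1; }` before the download. The same unchecked fetch is carried into the rewrites in patches 11 and 12 below. Pinning the version in the workflow rather than resolving `latest_version.txt` at run time would also make scan results reproducible.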
@@ -20,11 +20,12 @@ jobs: docker build -t result ./result - name: Download Sysdig CLI Scanner - run: | - LATEST_VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner - chmod +x sysdig-cli-scanner - ./sysdig-cli-scanner version + run: | +     version=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) +    echo "Latest version is $version" +    curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${version}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner +    chmod +x sysdig-cli-scanner +    ./sysdig-cli-scanner --version - name: Run Sysdig Image Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} From ffecc38b1055ef4bdf15d4f808b65f39eac00587 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:34:27 +0900 Subject: [PATCH 11/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e754d92dc5..35085b7439 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout source + - name: Checkout code uses: actions/checkout@v3 - name: Build Docker images 
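Review bot: The added lines of the `run: |` block in patch 10 appear to be indented with non-ASCII whitespace (they render as no-break spaces in this diff, and the first line carries one more character than the rest); YAML treats only plain spaces as indentation, so those characters would become part of the block scalar's content and be handed to the shell as part of each command word. The lines should be re-indented with ordinary spaces at a consistent depth, as patch 11 on the next line does when it rewrites this block. A `yamllint` run in CI would catch this class of problem before it reaches a workflow run.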
@@ -20,18 +20,20 @@ jobs: docker build -t result ./result - name: Download Sysdig CLI Scanner - run: | -     version=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) -    echo "Latest version is $version" -    curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${version}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner -    chmod +x sysdig-cli-scanner -    ./sysdig-cli-scanner --version - - name: Run Sysdig Image Scan + run: | + echo "Fetching latest scanner version..." + VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) + echo "Latest version: $VERSION" + curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner + chmod +x sysdig-cli-scanner + ./sysdig-cli-scanner --version + + - name: Run Sysdig Scan env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app - ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker - ./scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result From 33dd48344b319a35da619e60ad5f333cafd4f3a9 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:38:44 +0900 Subject: [PATCH 12/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 35085b7439..f8849627d0 100644 --- a/.github/workflows/scan.yml 
+++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout source uses: actions/checkout@v3 - name: Build Docker images @@ -21,19 +21,18 @@ jobs: - name: Download Sysdig CLI Scanner run: | - echo "Fetching latest scanner version..." VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) echo "Latest version: $VERSION" curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner chmod +x sysdig-cli-scanner ./sysdig-cli-scanner --version - - name: Run Sysdig Scan + - name: Run Sysdig CLI Scanner env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://voting-app - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://worker - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --auth-token $SECURE_API_TOKEN docker://result + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker + ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result From 35949369af0f35175470a1b6e7d62f22d732eea4 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:46:36 +0900 Subject: [PATCH 13/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 40 +++++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index f8849627d0..fdb7c52d30 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Image Scan +name: Sysdig Container Scanner (Stable) on: push: 
@@ -6,11 +6,11 @@ on: workflow_dispatch: jobs: - image-scan: + scan: runs-on: ubuntu-latest steps: - - name: Checkout source + - name: Checkout uses: actions/checkout@v3 - name: Build Docker images @@ -19,20 +19,28 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Download Sysdig CLI Scanner - run: | - VERSION=$(curl -sSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt) - echo "Latest version: $VERSION" - curl -sSL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner" -o sysdig-cli-scanner - chmod +x sysdig-cli-scanner - ./sysdig-cli-scanner --version - - - name: Run Sysdig CLI Scanner + - name: Run Sysdig CLI Scanner (Dockerized) env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - SYS_DIG_SECURE_URL: https://app.au1.sysdig.com run: | - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://voting-app - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://worker - ./sysdig-cli-scanner --apiurl $SYS_DIG_SECURE_URL --token $SECURE_API_TOKEN docker://result + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --token $SECURE_API_TOKEN \ + docker://voting-app + + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --token $SECURE_API_TOKEN \ + docker://worker + + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --token $SECURE_API_TOKEN \ + docker://result From 591531824ad6e10cf4e66cc3211c585d08e5fea9 Mon Sep 17 00:00:00 2001 
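Review bot: `-v /var/run/docker.sock:/var/run/docker.sock` gives the scanner container full control of the runner's Docker daemon, which is effectively root on the runner, and that access is granted to `quay.io/sysdig/sysdig-cli-scanner:latest`, a mutable tag whose content can change between runs without any change to this repository. If the socket mount is required for scanning local `docker://` images, the image it is granted to should at least be pinned to a release and ideally to a digest, `quay.io/sysdig/sysdig-cli-scanner:<version>@sha256:<digest-placeholder>`. The token is also now passed as container argv via `--token $SECURE_API_TOKEN`, which is visible in the container's process list and `docker inspect` output for the life of the container; forwarding it as an environment variable with `-e SECURE_API_TOKEN` is the less exposed form. Patches 14 to 16 on the following lines alternate between these two forms, so settling on the env form once would avoid the churn.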
From: keitahigaki Date: Wed, 16 Jul 2025 01:49:22 +0900 Subject: [PATCH 14/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index fdb7c52d30..32b191a7e9 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Container Scanner (Stable) +name: Sysdig Image Scan on: push: @@ -21,26 +21,27 @@ jobs: - name: Run Sysdig CLI Scanner (Dockerized) env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SYSDIG_API_URL: https://app.au1.sysdig.com run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ + -e SYSDIG_API_TOKEN \ + -e SYSDIG_API_URL \ + quay.io/sysdig/sysdig-cli-scanner \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ + -e SYSDIG_API_TOKEN \ + -e SYSDIG_API_URL \ + quay.io/sysdig/sysdig-cli-scanner \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ + -e SYSDIG_API_TOKEN \ + -e SYSDIG_API_URL \ + quay.io/sysdig/sysdig-cli-scanner \ docker://result From a0453311300df6189267d376b6a052d1ef5ce497 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:52:00 +0900 Subject: [PATCH 15/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 32b191a7e9..a9dc4a134f 100644 
--- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout + - name: Checkout code uses: actions/checkout@v3 - name: Build Docker images @@ -19,29 +19,28 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner (Dockerized) + - name: Run Sysdig CLI Scanner (with CLI flags) env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - SYSDIG_API_URL: https://app.au1.sysdig.com + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_API_TOKEN \ - -e SYSDIG_API_URL \ - quay.io/sysdig/sysdig-cli-scanner \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --client-token $SECURE_API_TOKEN \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_API_TOKEN \ - -e SYSDIG_API_URL \ - quay.io/sysdig/sysdig-cli-scanner \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --client-token $SECURE_API_TOKEN \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_API_TOKEN \ - -e SYSDIG_API_URL \ - quay.io/sysdig/sysdig-cli-scanner \ + quay.io/sysdig/sysdig-cli-scanner:latest \ + --apiurl https://app.au1.sysdig.com \ + --client-token $SECURE_API_TOKEN \ docker://result From b94af43c4405945278875f14c142c1832e35b098 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:55:05 +0900 Subject: [PATCH 16/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index a9dc4a134f..5201e9337e 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -19,7 +19,7 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner (with CLI flags) + - name: Run Sysdig CLI Scanner (Dockerized) env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | @@ -27,20 +27,20 @@ jobs: -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl https://app.au1.sysdig.com \ - --client-token $SECURE_API_TOKEN \ + --token $SECURE_API_TOKEN \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl https://app.au1.sysdig.com \ - --client-token $SECURE_API_TOKEN \ + --token $SECURE_API_TOKEN \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ --apiurl https://app.au1.sysdig.com \ - --client-token $SECURE_API_TOKEN \ + --token $SECURE_API_TOKEN \ docker://result From 8fb5b7858e9ae134d4f17379afda48aa353a993c Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 01:58:05 +0900 Subject: [PATCH 17/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 5201e9337e..78d8834ee8 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,13 +2,17 @@ name: Sysdig Image Scan on: push: - branches: [main] + branches: + - main workflow_dispatch: +env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + jobs: - scan: + image-scan: runs-on: ubuntu-latest - steps: - name: Checkout code uses: actions/checkout@v3 
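Review bot: The new workflow-level `env:` block in patch 17 puts `SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}` into the environment of every job and step, including `actions/checkout@v3`, whereas only the scan steps need it; keeping it on those steps' `env:` (as the removed step-level block did) limits which code can read the secret. The secret reference also changes from `secrets.SYSDIG_SECURE_TOKEN` to `secrets.SECURE_API_TOKEN` with no matching change visible in the repository settings; if the secret was not renamed, the expression expands to an empty string and the scanner fails with a confusing authentication error. A guard such as `test -n "$SECURE_API_TOKEN" || { echo "SECURE_API_TOKEN is not set" >&2; exit 1; }` at the top of the first scan step makes the misconfiguration explicit.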
@@ -19,28 +23,30 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner (Dockerized) - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Run Sysdig Scan on voting-app run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ - docker://voting-app + scan docker://voting-app \ + --apiurl $SYS_DIG_SECURE_URL \ + --client-token $SECURE_API_TOKEN + - name: Run Sysdig Scan on worker + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ - docker://worker + scan docker://worker \ + --apiurl $SYS_DIG_SECURE_URL \ + --client-token $SECURE_API_TOKEN + - name: Run Sysdig Scan on result + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ - --apiurl https://app.au1.sysdig.com \ - --token $SECURE_API_TOKEN \ - docker://result + scan docker://result \ + --apiurl $SYS_DIG_SECURE_URL \ + --client-token $SECURE_API_TOKEN From ea473d12851cbdecfedc4aa19e734a5cf7842ceb Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 02:03:57 +0900 Subject: [PATCH 18/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 78d8834ee8..9a3b30ca2b 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -13,6 +13,7 @@ env: jobs: image-scan: runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@v3 
@@ -30,7 +31,7 @@ jobs: quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://voting-app \ --apiurl $SYS_DIG_SECURE_URL \ - --client-token $SECURE_API_TOKEN + --token $SECURE_API_TOKEN - name: Run Sysdig Scan on worker run: | @@ -39,7 +40,7 @@ jobs: quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://worker \ --apiurl $SYS_DIG_SECURE_URL \ - --client-token $SECURE_API_TOKEN + --token $SECURE_API_TOKEN - name: Run Sysdig Scan on result run: | @@ -48,5 +49,5 @@ jobs: quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://result \ --apiurl $SYS_DIG_SECURE_URL \ - --client-token $SECURE_API_TOKEN + --token $SECURE_API_TOKEN From 8896a06386a538c1af144dba7b0e7a6c147d0df9 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 02:08:10 +0900 Subject: [PATCH 19/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 9a3b30ca2b..2b9d45b590 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,9 +1,8 @@ -name: Sysdig Image Scan +name: Sysdig Docker Image Scan on: push: - branches: - - main + branches: [main] workflow_dispatch: env: @@ -15,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout uses: actions/checkout@v3 - name: Build Docker images 
@@ -24,30 +23,30 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan on voting-app + - name: Scan voting-app run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://voting-app \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN + --apiurl "$SYS_DIG_SECURE_URL" \ + --token "$SECURE_API_TOKEN" - - name: Run Sysdig Scan on worker + - name: Scan worker run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://worker \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN + --apiurl "$SYS_DIG_SECURE_URL" \ + --token "$SECURE_API_TOKEN" - - name: Run Sysdig Scan on result + - name: Scan result run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:latest \ scan docker://result \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN + --apiurl "$SYS_DIG_SECURE_URL" \ + --token "$SECURE_API_TOKEN" From b230cc5e7d9a91da9c4b65c059b1d12796569653 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:50:06 +0900 Subject: [PATCH 20/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 2b9d45b590..72936770e6 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -6,15 +6,15 @@ on: workflow_dispatch: env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} jobs: - image-scan: + scan: runs-on: ubuntu-latest steps: - - name: Checkout + - name: Checkout source uses: actions/checkout@v3 - name: Build Docker images 
@@ -23,30 +23,26 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Scan voting-app + - name: Run Sysdig CLI Scanner via Docker run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - scan docker://voting-app \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --token "$SECURE_API_TOKEN" + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://voting-app - - name: Scan worker - run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - scan docker://worker \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --token "$SECURE_API_TOKEN" + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://worker - - name: Scan result - run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - quay.io/sysdig/sysdig-cli-scanner:latest \ - scan docker://result \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --token "$SECURE_API_TOKEN" + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://result From d2502e5dff273825b36976df1a997f4223815c5c Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:52:04 +0900 Subject: [PATCH 21/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 72936770e6..6a37fa7171 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Docker Image Scan +name: Sysdig Image Scan on: push: 
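Review bot: Pinning the scanner image to `quay.io/sysdig/sysdig-cli-scanner:1.22.4` is the right direction, but this hunk also drops the double quotes that patch 19 added around `$SYS_DIG_SECURE_URL` and `$SECURE_API_TOKEN`, and folds the three scans back into a single `run:` block, so the first non-zero exit again stops the remaining images from being scanned. Restore the quoting, `--apiurl "$SYS_DIG_SECURE_URL" \` and `--token "$SECURE_API_TOKEN" \`, and either keep one step per image or collect the exit statuses before exiting. A tag is still mutable on the registry side; a digest pin, `1.22.4@sha256:<digest-placeholder>`, is what makes the scanner itself reproducible.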
@@ -6,8 +6,8 @@ on: workflow_dispatch: env: - SYS_DIG_SECURE_URL: https://app.au1.sysdig.com - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYSDIG_SECURE_URL: https://app.au1.sysdig.com jobs: scan: @@ -23,26 +23,29 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig CLI Scanner via Docker + - name: Run Sysdig Scan via Docker image (scan subcommand) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ + scan \ + --apiurl $SYSDIG_SECURE_URL \ docker://voting-app docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ + scan \ + --apiurl $SYSDIG_SECURE_URL \ docker://worker docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ + scan \ + --apiurl $SYSDIG_SECURE_URL \ docker://result From 4ee922ea78fe0db5b5fdc9d956635d26a6a4324c Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:54:30 +0900 Subject: [PATCH 22/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 6a37fa7171..3f41f5ada1 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -2,19 +2,19 @@ name: Sysdig Image Scan on: push: - branches: [main] + branches: + - main workflow_dispatch: env: - SYSDIG_SECURE_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYSDIG_SECURE_URL: https://app.au1.sysdig.com jobs: - scan: + image-scan: runs-on: ubuntu-latest steps: - - name: Checkout source + - name: Checkout code uses: actions/checkout@v3 - name: Build Docker images @@ -23,29 +23,27 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan via Docker image (scan subcommand) + - name: Run Sysdig Scan on voting-app run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYSDIG_SECURE_URL \ - docker://voting-app + scan --apiurl $SYSDIG_SECURE_URL docker://voting-app + - name: Run Sysdig Scan on worker + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYSDIG_SECURE_URL \ - docker://worker + scan --apiurl $SYSDIG_SECURE_URL docker://worker + - name: Run Sysdig Scan on result + run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN=$SYSDIG_SECURE_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYSDIG_SECURE_URL \ - docker://result + scan --apiurl $SYSDIG_SECURE_URL docker://result From c10289db5343e68e06e219979a98114f60f47d77 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 09:57:16 +0900 Subject: [PATCH 23/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
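Review bot: `-e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}"` substitutes the secret into the script text before bash runs it, so the expanded value is written verbatim into the temporary script file the runner executes; GitHub's own guidance is to bind it on the step, `env: { SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} }`, and reference `"$SECURE_API_TOKEN"` in `run:`, which also cannot be broken by a quote character in the value. Splitting back into one step per image is an improvement, since a failing scan no longer skips the others. The same inline-secret pattern recurs in PATCH 23, 26, 28, 29, 31, 32, 37, 38 and 39.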
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 3f41f5ada1..e3d8981d31 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -6,13 +6,13 @@ on: - main workflow_dispatch: -env: - SYSDIG_SECURE_URL: https://app.au1.sysdig.com - jobs: image-scan: runs-on: ubuntu-latest + env: + SYSDIG_SECURE_URL: https://app.au1.sysdig.com + steps: - name: Checkout code uses: actions/checkout@v3 @@ -23,27 +23,27 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan on voting-app + - name: Scan voting-app image with Sysdig CLI run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl $SYSDIG_SECURE_URL docker://voting-app + scan --apiurl "${SYSDIG_SECURE_URL}" docker://voting-app - - name: Run Sysdig Scan on worker + - name: Scan worker image with Sysdig CLI run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl $SYSDIG_SECURE_URL docker://worker + scan --apiurl "${SYSDIG_SECURE_URL}" docker://worker - - name: Run Sysdig Scan on result + - name: Scan result image with Sysdig CLI run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl $SYSDIG_SECURE_URL docker://result + scan --apiurl "${SYSDIG_SECURE_URL}" docker://result From 76e40d5be9ea6ccb1d2e1d4e5fe5e38ada7fab01 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 10:36:44 +0900 Subject: [PATCH 24/47] correct Sysdig image scan workflow --- .github/workflows/scan.yml | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) 
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e3d8981d31..b26439d19f 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,40 +10,48 @@ jobs: image-scan: runs-on: ubuntu-latest + # 🧪 環境変数の注入(ここが非常に重要) env: - SYSDIG_SECURE_URL: https://app.au1.sysdig.com + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com steps: - - name: Checkout code + - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: Build Docker images + - name: 🏗️ Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: Scan voting-app image with Sysdig CLI + - name: 🔍 Run Sysdig Scan (voting-app) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl "${SYSDIG_SECURE_URL}" docker://voting-app + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://voting-app - - name: Scan worker image with Sysdig CLI + - name: 🔍 Run Sysdig Scan (worker) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl "${SYSDIG_SECURE_URL}" docker://worker + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://worker - - name: Scan result image with Sysdig CLI + - name: 🔍 Run Sysdig Scan (result) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan --apiurl "${SYSDIG_SECURE_URL}" docker://result + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://result From 6348a8db5b50f5cf0b3b77c253a8972b38c86fa0 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 10:40:52 +0900 Subject: [PATCH 25/47] final Sysdig image scan workflow --- .github/workflows/scan.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b26439d19f..e2559251ed 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,7 +10,7 @@ jobs: image-scan: runs-on: ubuntu-latest - # 🧪 環境変数の注入(ここが非常に重要) + # 🧪 環境変数の注入(Secretsから取得) env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com @@ -30,28 +30,28 @@ jobs: docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://voting-app + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://voting-app - name: 🔍 Run Sysdig Scan (worker) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://worker + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://worker - name: 🔍 Run Sysdig Scan (result) run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://result + scan \ + --apiurl $SYS_DIG_SECURE_URL \ + --token $SECURE_API_TOKEN \ + docker://result From 72af093d353bf584983995826c087c205bc1b37a Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:13:46 +0900 Subject: [PATCH 26/47] final Sysdig image scan --- .github/workflows/scan.yml | 47 +++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e2559251ed..f5ce48b24b 100644 
--- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,16 +1,15 @@ name: Sysdig Image Scan on: + workflow_dispatch: push: branches: - main - workflow_dispatch: jobs: image-scan: runs-on: ubuntu-latest - # 🧪 環境変数の注入(Secretsから取得) env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} SYS_DIG_SECURE_URL: https://app.au1.sysdig.com 
@@ -19,39 +18,51 @@ jobs: - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: 🏗️ Build Docker images + - name: 🧱 Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Run Sysdig Scan (voting-app) + - name: 🔍 Scan voting-app with Sysdig run: | docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://voting-app + --apiurl $SYS_DIG_SECURE_URL \ + --loglevel debug \ + --skiptlsverify \ + docker://voting-app - - name: 🔍 Run Sysdig Scan (worker) + - name: 🔍 Scan worker with Sysdig run: | docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://worker + --apiurl $SYS_DIG_SECURE_URL \ + --loglevel debug \ + --skiptlsverify \ + docker://worker - - name: 🔍 Run Sysdig Scan (result) + - name: 🔍 Scan result with Sysdig run: | docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl $SYS_DIG_SECURE_URL \ - --token $SECURE_API_TOKEN \ - docker://result + --apiurl $SYS_DIG_SECURE_URL \ + --loglevel debug \ + --skiptlsverify \ + docker://result From 49364867c816a952eecc35d8eadff5c62c9b6ab7 Mon Sep 17 00:00:00 2001 
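Review bot: `--skiptlsverify` turns off certificate verification for the connection that carries the API token to `$SYS_DIG_SECURE_URL` (`https://app.au1.sysdig.com`), so the token is handed to whichever endpoint answers; that backend is a public SaaS endpoint with a publicly trusted certificate, so the flag should not be needed, and if an intercepting proxy on the runner is the actual cause, the fix is to trust its CA inside the scanner container rather than disable verification. `--user 0` makes the scanner run as root in a container that also mounts `/var/run/docker.sock`, i.e. with full control of the runner's Docker daemon; the socket is needed for `docker://` references, but if `--user 0` was added only so the scanner can write to the new `scan-logs` mount, pre-creating that directory with a writable mode is the narrower fix. `--loglevel debug` is worth checking against the scanner's actual output before it is left on, since HTTP client debug logs commonly include request headers. The unquoted `-e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }}` should be `-e SECURE_API_TOKEN="$SECURE_API_TOKEN"` with the secret bound on the step's `env:`. `--skiptlsverify` and `--user 0` are carried forward unchanged by PATCH 27 through 32 and 36 through 39.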
From: keitahigaki Date: Wed, 16 Jul 2025 12:20:06 +0900 Subject: [PATCH 27/47] final Sysdig image scan --- .github/workflows/scan.yml | 39 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index f5ce48b24b..712cbe41da 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,19 +1,15 @@ name: Sysdig Image Scan on: - workflow_dispatch: push: branches: - main + workflow_dispatch: jobs: image-scan: runs-on: ubuntu-latest - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - SYS_DIG_SECURE_URL: https://app.au1.sysdig.com - steps: - name: 🛎️ Checkout code uses: actions/checkout@v3 
@@ -24,45 +20,48 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Scan voting-app with Sysdig + - name: 🛡️ Scan voting-app with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --loglevel debug \ + --apiurl https://app.au1.sysdig.com \ + --loglevel info \ --skiptlsverify \ docker://voting-app - - name: 🔍 Scan worker with Sysdig + - name: 🛡️ Scan worker with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --loglevel debug \ + --apiurl https://app.au1.sysdig.com \ + --loglevel info \ --skiptlsverify \ docker://worker - - name: 🔍 Scan result with Sysdig + - name: 🛡️ Scan result with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -v "${{ github.workspace }}/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --loglevel debug \ + --apiurl https://app.au1.sysdig.com \ + --loglevel info \ --skiptlsverify \ docker://result From ff0ff1472ad646f5026fb6a30b2f7cb40a1d9bc5 Mon Sep 17 00:00:00 2001 
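Review bot: The three scan steps in this hunk are identical apart from the image reference, and the commit now repeats `--apiurl https://app.au1.sysdig.com` three times where the `SYS_DIG_SECURE_URL` variable it removes in the first hunk used to hold it once; a job `strategy.matrix` over the image name, with `fail-fast: false` so one failing image does not cancel the others, reduces this to a single step definition. Moving the secret to a step-level `env:` is the right shape, but the expansion should be quoted, `-e SECURE_API_TOKEN="$SECURE_API_TOKEN"`, and the image name is best bound the same way rather than interpolated into the script. The sketch below keeps `--platform` and `--user 0` as they are and omits `--skiptlsverify`, which the public `app.au1.sysdig.com` endpoint should not need; the `image-scan:` job header it attaches to lies outside this hunk.

```yaml
  image-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - image: voting-app
            context: ./vote
          - image: worker
            context: ./worker
          - image: result
            context: ./result
    steps:
      # … unchanged: checkout step …
      - name: Build Docker image
        env:
          IMAGE: ${{ matrix.image }}
          CONTEXT: ${{ matrix.context }}
        run: docker build -t "$IMAGE" "$CONTEXT"

      - name: 🛡️ Scan image with Sysdig
        env:
          IMAGE: ${{ matrix.image }}
          SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
        run: |
          docker run --rm \
            --platform linux/amd64 \
            --user 0 \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -e SECURE_API_TOKEN="$SECURE_API_TOKEN" \
            quay.io/sysdig/sysdig-cli-scanner:1.22.4 \
            --apiurl https://app.au1.sysdig.com \
            --loglevel info \
            "docker://$IMAGE"
```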
From: keitahigaki Date: Wed, 16 Jul 2025 12:22:04 +0900 Subject: [PATCH 28/47] final Sysdig image scan --- .github/workflows/scan.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 712cbe41da..9bc5d3a42d 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -20,45 +20,39 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: 🛡️ Scan voting-app with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: 🔍 Scan with Sysdig (voting-app) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://voting-app - - name: 🛡️ Scan worker with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: 🔍 Scan with Sysdig (worker) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://worker - - name: 🛡️ Scan result with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: 🔍 Scan with Sysdig (result) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ From d68086c94ca6f26381ab3fdeb5bf001c19665d6e Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 12:27:37 +0900 Subject: [PATCH 29/47] final Sysdig image scan --- .github/workflows/scan.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 9bc5d3a42d..99768f4c7c 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -11,48 +11,48 @@ jobs: runs-on: ubuntu-latest steps: - - name: 🛎️ Checkout code + - name: Checkout code uses: actions/checkout@v3 - - name: 🧱 Build Docker images + - name: Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Scan with Sysdig (voting-app) + - name: Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://voting-app - - name: 🔍 Scan with Sysdig (worker) + - name: Run Sysdig Scan (worker) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ --skiptlsverify \ docker://worker - - name: 🔍 Scan with Sysdig (result) + - name: Run Sysdig Scan (result) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl https://app.au1.sysdig.com \ --loglevel info \ 
From 698337e6fc2975594d0bef20b945102d74b1e862 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:32:07 +0900 Subject: [PATCH 30/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 99768f4c7c..0883371c60 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -11,51 +11,57 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: Build Docker images + - name: 🏗️ Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: Run Sysdig Scan (voting-app) + - name: 🔍 Run Sysdig Scan (voting-app) + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + scan \ --apiurl https://app.au1.sysdig.com \ - --loglevel info \ --skiptlsverify \ docker://voting-app - - name: Run Sysdig Scan (worker) + - name: 🔍 Run Sysdig Scan (worker) + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + scan \ --apiurl https://app.au1.sysdig.com \ - --loglevel info \ --skiptlsverify \ docker://worker - - name: Run Sysdig Scan (result) + - name: 🔍 Run Sysdig Scan (result) + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + scan \ --apiurl https://app.au1.sysdig.com \ - --loglevel info \ --skiptlsverify \ docker://result From 0c0c1742dde8ded27bbaca93c00e4edf4bfed755 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 12:35:41 +0900 Subject: [PATCH 31/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 40 ++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0883371c60..8898ba80f6 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -10,58 +10,68 @@ jobs: image-scan: runs-on: ubuntu-latest + env: + SYS_DIG_SECURE_URL: https://app.au1.sysdig.com + steps: - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: 🏗️ Build Docker images + - name: 🐳 Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 Run Sysdig Scan (voting-app) + - name: 🔍 DEBUG: Check if SECURE_API_TOKEN is available + run: | + echo "🔍 Token Length: ${#SECURE_API_TOKEN}" + echo "🔍 Token Head: ${SECURE_API_TOKEN::5}" + if [ -z "$SECURE_API_TOKEN" ]; then + echo "❌ SECURE_API_TOKEN is NOT set!" + exit 1 + else + echo "✅ SECURE_API_TOKEN is available." + fi env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + + - name: 🔍 Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl https://app.au1.sysdig.com \ + --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ + --loglevel debug \ docker://voting-app - name: 🔍 Run Sysdig Scan (worker) - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - scan \ - --apiurl https://app.au1.sysdig.com \ + --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ + --loglevel debug \ docker://worker - name: 🔍 Run Sysdig Scan (result) - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | docker run --rm \ --platform linux/amd64 \ --user 0 \ - -e SECURE_API_TOKEN=$SECURE_API_TOKEN \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ 
- scan \ - --apiurl https://app.au1.sysdig.com \ + --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ + --loglevel debug \ docker://result From bdf3d297a89ece60b4817480b5b53e9bd566b168 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:37:51 +0900 Subject: [PATCH 32/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 8898ba80f6..289cefc793 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -17,7 +17,7 @@ jobs: - name: 🛎️ Checkout code uses: actions/checkout@v3 - - name: 🐳 Build Docker images + - name: 🏗️ Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker @@ -41,37 +41,12 @@ jobs: docker run --rm \ --platform linux/amd64 \ --user 0 \ + -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl $SYS_DIG_SECURE_URL \ - --skiptlsverify \ - --loglevel debug \ - docker://voting-app - - - name: 🔍 Run Sysdig Scan (worker) - run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ - --skiptlsverify \ --loglevel debug \ - docker://worker - - - name: 🔍 Run Sysdig Scan (result) - run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ --skiptlsverify \ - --loglevel debug \ - docker://result + docker://voting-app From 097f1d71bf0461f8d66aa2ea629b7888ecca7137 Mon Sep 17 00:00:00 2001 
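Review bot: The new step name `🔍 DEBUG: Check if SECURE_API_TOKEN is available` is a plain YAML scalar containing `: `, which the parser rejects as a nested mapping value, so the workflow file fails to load before any job runs; quote it, `- name: "DEBUG: Check if SECURE_API_TOKEN is available"`, or drop the colon (PATCH 36, 38 and 40 reintroduce the same unquoted `Debug: …` form). Inside that step, `echo "🔍 Token Head: ${SECURE_API_TOKEN::5}"` writes the first five characters of the API token into the job log; Actions masks only the full secret value, so this prefix stays readable in the run's logs for their retention period, and the `${#SECURE_API_TOKEN}` length plus the `-z` check already answer the question the step asks — delete the Token Head line (it survives in PATCH 35, 36, 37 and 42). The scan steps also move the secret back from `env:` to an inline `${{ secrets.SECURE_API_TOKEN }}` and re-enable `--loglevel debug` alongside `--skiptlsverify`.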
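Review bot: Only the voting-app image is scanned after this change: the worker and result scan steps are deleted while the build step above still produces all three images, so two of them now ship unscanned. If this is a temporary reduction while the token problem is debugged, the remaining step should carry a `# TODO: restore worker and result scans` comment so the gap is not forgotten. The new `-v "$(pwd)/scan-logs:/home/nonroot/scan-logs"` mount combined with `--user 0` presumably leaves root-owned files in the workspace — confirm that later steps and the runner's workspace cleanup can still remove them. The remaining step keeps `--skiptlsverify` and `--loglevel debug`.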
From: keitahigaki Date: Wed, 16 Jul 2025 12:39:13 +0900 Subject: [PATCH 33/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 289cefc793..d79a4ffd04 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -24,6 +24,8 @@ jobs: docker build -t result ./result - name: 🔍 DEBUG: Check if SECURE_API_TOKEN is available + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | echo "🔍 Token Length: ${#SECURE_API_TOKEN}" echo "🔍 Token Head: ${SECURE_API_TOKEN::5}" @@ -33,8 +35,6 @@ jobs: else echo "✅ SECURE_API_TOKEN is available." fi - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: 🔍 Run Sysdig Scan (voting-app) run: | From c22d653f6947257be642cbaf480ddd31887c1a30 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:41:10 +0900 Subject: [PATCH 34/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index d79a4ffd04..b4437d4b12 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -49,4 +49,3 @@ jobs: --loglevel debug \ --skiptlsverify \ docker://voting-app - From 143bf3b656c9e29b08189768cac70a4d4b1c34ce Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 12:43:33 +0900 Subject: [PATCH 35/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b4437d4b12..d2f00dace3 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -28,7 +28,7 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | echo "🔍 Token Length: ${#SECURE_API_TOKEN}" - echo "🔍 Token Head: ${SECURE_API_TOKEN::5}" + echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" if [ -z "$SECURE_API_TOKEN" ]; then echo "❌ SECURE_API_TOKEN is NOT set!" exit 1 From a6eac462f4da4256c8689e132fd62c74bee81285 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 13:15:50 +0900 Subject: [PATCH 36/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index d2f00dace3..3274a20c30 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -14,29 +14,29 @@ jobs: SYS_DIG_SECURE_URL: https://app.au1.sysdig.com steps: - - name: 🛎️ Checkout code + - name: Checkout code uses: actions/checkout@v3 - - name: 🏗️ Build Docker images + - name: Build Docker images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: 🔍 DEBUG: Check if SECURE_API_TOKEN is available - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + - name: Debug: Check if SECURE_API_TOKEN is available run: | - echo "🔍 Token Length: ${#SECURE_API_TOKEN}" - echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" + echo "Token Length: ${#SECURE_API_TOKEN}" + echo "Token Head: ${SECURE_API_TOKEN:0:5}" if [ -z "$SECURE_API_TOKEN" ]; then - echo "❌ SECURE_API_TOKEN is NOT set!" + echo "SECURE_API_TOKEN is NOT set!" exit 1 else - echo "✅ SECURE_API_TOKEN is available." + echo "SECURE_API_TOKEN is available." fi + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - - name: 🔍 Run Sysdig Scan (voting-app) + - name: Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ From f0a0b2918248c7c6809f5259e3f0271e9cf00e15 Mon Sep 17 00:00:00 2001 
From: keitahigaki Date: Wed, 16 Jul 2025 13:35:20 +0900 Subject: [PATCH 37/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 3274a20c30..e5bb81f002 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,18 +23,17 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Debug: Check if SECURE_API_TOKEN is available + - name: Set SECURE_API_TOKEN env and debug run: | - echo "Token Length: ${#SECURE_API_TOKEN}" - echo "Token Head: ${SECURE_API_TOKEN:0:5}" + export SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" + echo "🔍 Token Length: ${#SECURE_API_TOKEN}" + echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" if [ -z "$SECURE_API_TOKEN" ]; then - echo "SECURE_API_TOKEN is NOT set!" + echo "❌ SECURE_API_TOKEN is NOT set!" exit 1 else - echo "SECURE_API_TOKEN is available." + echo "✅ SECURE_API_TOKEN is available." fi - env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Run Sysdig Scan (voting-app) run: | @@ -43,9 +42,10 @@ jobs: --user 0 \ -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl $SYS_DIG_SECURE_URL \ + --apiurl "$SYS_DIG_SECURE_URL" \ --loglevel debug \ --skiptlsverify \ docker://voting-app + From 8d4fd5a9a54b5ad7af478c1ea7bfa8b8671a1094 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 13:38:22 +0900 Subject: [PATCH 38/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e5bb81f002..71a48955ab 100644 
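Review bot: `export SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}"` replaces the step-level `env:` binding the previous revision had with a substitution of the secret into the script body, which is the less safe of the two forms — the expanded value is written into the temporary script the runner executes — and it gains nothing, because each `run:` is a fresh shell and the export does not reach the `Run Sysdig Scan (voting-app)` step that follows. The step name `Set SECURE_API_TOKEN env and debug` therefore overstates what the step does; restoring `env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}` on this step, and adding the same binding to the scan step whose second hunk here also inlines the secret, is the fix. The `Token Head` echo that prints the first five characters of the secret is kept unchanged.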
--- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,9 +23,11 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Set SECURE_API_TOKEN env and debug + - + name: Debug: Check if SECURE_API_TOKEN is available + env: + SECURE_API_TOKEN: "${{ secrets.SECURE_API_TOKEN }}" run: | - export SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" echo "🔍 Token Length: ${#SECURE_API_TOKEN}" echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" if [ -z "$SECURE_API_TOKEN" ]; then @@ -37,15 +39,5 @@ jobs: - name: Run Sysdig Scan (voting-app) run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --loglevel debug \ - --skiptlsverify \ - docker://voting-app + docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel debug --skiptlsverify docker://voting-app From 6612d2c8deb1e0f2fd0dfc1baa4e17579af885c1 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 16:57:32 +0900 Subject: [PATCH 39/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 71a48955ab..264381be06 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,8 +23,7 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - - name: Debug: Check if SECURE_API_TOKEN is available + - name: Debug env: SECURE_API_TOKEN: "${{ secrets.SECURE_API_TOKEN }}" run: | 
@@ -35,9 +34,18 @@ jobs: exit 1 else echo "✅ SECURE_API_TOKEN is available." - fi - name: Run Sysdig Scan (voting-app) run: | - docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel debug --skiptlsverify docker://voting-app + docker run --rm \ + --platform linux/amd64 \ + --user 0 \ + -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ + quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ + --apiurl "$SYS_DIG_SECURE_URL" \ + --loglevel debug \ + --skiptlsverify \ + docker://voting-app From 621e2e7675806f27b9cd3149e9b6e44aad62a533 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:02:39 +0900 Subject: [PATCH 40/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 264381be06..729f01a6dd 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,9 +23,9 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Debug + - name: Debug: Check if SECURE_API_TOKEN is available env: - SECURE_API_TOKEN: "${{ secrets.SECURE_API_TOKEN }}" + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | echo "🔍 Token Length: ${#SECURE_API_TOKEN}" echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" @@ -34,6 +34,7 @@ jobs: exit 1 else echo "✅ SECURE_API_TOKEN is available." + fi - name: Run Sysdig Scan (voting-app) run: | From 487ae85f27ec16c2a69295583a9e198876a251d3 Mon Sep 17 00:00:00 2001 
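Review bot: Deleting the `fi` leaves the `if [ -z "$SECURE_API_TOKEN" ]; then … else …` block of the Debug step unterminated, so bash reports a syntax error at end of file and the step fails regardless of whether the secret is present; the line has to stay (patch 40 puts it back). The `if` that it closes begins outside this hunk.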
From: keitahigaki Date: Wed, 16 Jul 2025 17:13:55 +0900 Subject: [PATCH 41/47] Fix: Ensure SECURE_API_TOKEN is injected properly --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 729f01a6dd..fd883020ed 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -23,7 +23,7 @@ jobs: docker build -t worker ./worker docker build -t result ./result - - name: Debug: Check if SECURE_API_TOKEN is available + - name: Debug env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | From 75f811c3b8d64cf76f1515a1b4ab435c66b80695 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:17:44 +0900 Subject: [PATCH 42/47] Fix: Ensure SECURE_TOKEN is injected properly --- .github/workflows/scan.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index fd883020ed..dcc8d7c3e8 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -25,15 +25,15 @@ jobs: - name: Debug env: - SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - echo "🔍 Token Length: ${#SECURE_API_TOKEN}" - echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" - if [ -z "$SECURE_API_TOKEN" ]; then - echo "❌ SECURE_API_TOKEN is NOT set!" + echo "🔍 Token Length: ${#SYSDIG_SECURE_TOKEN}" + echo "🔍 Token Head: ${SYSDIG_SECURE_TOKEN:0:5}" + if [ -z "$SYSDIG_SECURE_TOKEN" ]; then + echo "❌ SYSDIG_SECURE_TOKEN is NOT set!" exit 1 else - echo "✅ SECURE_API_TOKEN is available." + echo "✅ SYSDIG_SECURE_TOKEN is available." fi - name: Run Sysdig Scan (voting-app) 
@@ -43,7 +43,7 @@ jobs: --user 0 \ -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ + -e SYSDIG_SECURE_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl "$SYS_DIG_SECURE_URL" \ --loglevel debug \ From 40634cad25b01abb67770615405235ea2555f6a9 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:24:20 +0900 Subject: [PATCH 43/47] Fix: Ensure SECURE_TOKEN is injected properly --- .github/workflows/scan.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index dcc8d7c3e8..fd883020ed 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -25,15 +25,15 @@ jobs: - name: Debug env: - SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | - echo "🔍 Token Length: ${#SYSDIG_SECURE_TOKEN}" - echo "🔍 Token Head: ${SYSDIG_SECURE_TOKEN:0:5}" - if [ -z "$SYSDIG_SECURE_TOKEN" ]; then - echo "❌ SYSDIG_SECURE_TOKEN is NOT set!" + echo "🔍 Token Length: ${#SECURE_API_TOKEN}" + echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" + if [ -z "$SECURE_API_TOKEN" ]; then + echo "❌ SECURE_API_TOKEN is NOT set!" exit 1 else - echo "✅ SYSDIG_SECURE_TOKEN is available." + echo "✅ SECURE_API_TOKEN is available." fi - name: Run Sysdig Scan (voting-app) @@ -43,7 +43,7 @@ jobs: --user 0 \ -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ -v /var/run/docker.sock:/var/run/docker.sock \ - -e SYSDIG_SECURE_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}" \ + -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl "$SYS_DIG_SECURE_URL" \ --loglevel debug \ From bd118142e3bac2a70c29d7176269e649785dc43f Mon Sep 17 00:00:00 2001 
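Review bot: Renaming the variable inside the scanner container to `-e SYSDIG_SECURE_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}"` changes what the scanner sees, not only which GitHub secret is read; as far as I know the Sysdig CLI scanner takes its credential from `SECURE_API_TOKEN`, so this makes the scan fail even when the new secret exists. If the repository secret is really named `SYSDIG_SECURE_TOKEN`, keep the container-side name and change only the reference: `-e SECURE_API_TOKEN="${{ secrets.SYSDIG_SECURE_TOKEN }}"`. Patch 43 reverts both hunks verbatim, which suggests the underlying question — which secret name is configured in repository settings — was never checked; the Debug step's length output already answers it for whichever name is used.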
From: keitahigaki Date: Wed, 16 Jul 2025 17:34:31 +0900 Subject: [PATCH 44/47] Fix: Ensure SECURE_TOKEN is injected properly --- .github/workflows/scan.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index fd883020ed..218b319abd 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,42 +1,42 @@ -name: Sysdig Image Scan +name: Voting App Build & Scan on: push: branches: - main + pull_request: workflow_dispatch: jobs: - image-scan: + build-and-scan: runs-on: ubuntu-latest env: SYS_DIG_SECURE_URL: https://app.au1.sysdig.com steps: - - name: Checkout code + - name: Checkout source uses: actions/checkout@v3 - - name: Build Docker images + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Log in to DockerHub (optional) + if: secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build Voting App images run: | docker build -t voting-app ./vote docker build -t worker ./worker docker build -t result ./result - - name: Debug + - name: Scan image with Sysdig CLI Scanner env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - run: | - echo "🔍 Token Length: ${#SECURE_API_TOKEN}" - echo "🔍 Token Head: ${SECURE_API_TOKEN:0:5}" - if [ -z "$SECURE_API_TOKEN" ]; then - echo "❌ SECURE_API_TOKEN is NOT set!" - exit 1 - else - echo "✅ SECURE_API_TOKEN is available." - fi - - - name: Run Sysdig Scan (voting-app) run: | docker run --rm \ --platform linux/amd64 \ @@ -46,7 +46,7 @@ jobs: -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ --apiurl "$SYS_DIG_SECURE_URL" \ - --loglevel debug \ + --loglevel info \ --skiptlsverify \ docker://voting-app From f0b136a7ce846fdfad339b52343e22b1360a90d1 Mon Sep 17 00:00:00 2001 
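Review bot: `if: secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN` uses the `secrets` context in a step-level `if:`, where GitHub's context-availability rules do not expose it; the workflow is rejected at parse time with an unrecognized named-value error, and wrapping the expression in `${{ }}` (patch 46) does not change which contexts are available. Expose the check through the job `env:`, where `secrets` is allowed — `HAS_DOCKERHUB_CREDS: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}` — and gate the step with `if: env.HAS_DOCKERHUB_CREDS == 'true'`. The new `pull_request:` trigger means runs for pull requests from forks receive empty secrets, so `SECURE_API_TOKEN` will be blank and the scan step fails for external contributors; either drop the trigger or skip the scan when the token is empty. The two new third-party actions are pinned to floating major tags (`docker/setup-buildx-action@v2`, `docker/login-action@v2`); pinning to a full commit SHA with the tag in a trailing comment removes the tag-move supply-chain exposure.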
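Review bot: `--loglevel info` is fine, but the adjacent `--skiptlsverify` is the flag worth removing in this pass: the job's `SYS_DIG_SECURE_URL` is `https://app.au1.sysdig.com`, a public endpoint with a publicly trusted certificate, so verification should succeed, and disabling it means the connection that carries `SECURE_API_TOKEN` no longer authenticates the server it talks to. The step still scans only `docker://voting-app` although the build step produces `worker` and `result` too; a `for image in voting-app worker result` loop around the `docker run`, or a job matrix, would cover all three. The `docker run` command begins outside this hunk.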
From: keitahigaki Date: Wed, 16 Jul 2025 17:40:33 +0900 Subject: [PATCH 45/47] Fix: Ensure --- .github/workflows/scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 218b319abd..4e0d89ceab 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -49,4 +49,3 @@ jobs: --loglevel info \ --skiptlsverify \ docker://voting-app - From 91bf86164f8236c86d9c3d61c0be1581abd2fb12 Mon Sep 17 00:00:00 2001 From: keitahigaki Date: Wed, 16 Jul 2025 17:44:17 +0900 Subject: [PATCH 46/47] Fix: Ensure --- .github/workflows/scan.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 4e0d89ceab..54afebe676 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -22,7 +22,7 @@ jobs: uses: docker/setup-buildx-action@v2 - name: Log in to DockerHub (optional) - if: secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN + if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }} uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -38,14 +38,5 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} run: | - docker run --rm \ - --platform linux/amd64 \ - --user 0 \ - -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" \ - quay.io/sysdig/sysdig-cli-scanner:1.22.4 \ - --apiurl "$SYS_DIG_SECURE_URL" \ - --loglevel info \ - --skiptlsverify \ - docker://voting-app + docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel info --skiptlsverify docker://voting-app + From bfb81b6ea742b4d39583188334f47304ebc81663 Mon Sep 17 00:00:00 2001 
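Review bot: This step already exports the token via `env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}` (the context lines above the change), so re-expanding it inside the command as `-e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}"` is redundant; `-e SECURE_API_TOKEN` alone forwards the variable from the step environment and keeps the secret text out of the generated script. The one-line form of the command has the readability cost raised on patch 38, and the hunk reintroduces the trailing empty line that patch 45 had just removed. The first hunk's `if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }}` still reads `secrets` in a step `if:`, which is the problem raised on patch 44.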
From: keitahigaki Date: Wed, 16 Jul 2025 21:47:19 +0900 Subject: [PATCH 47/47] Harden Kubernetes IaC manifests based on Sysdig scan results --- k8s-specifications/db-deployment.yaml | 47 ++++++++++++++--------- k8s-specifications/redis-deployment.yaml | 42 +++++++++++++------- k8s-specifications/result-deployment.yaml | 36 +++++++++++++---- k8s-specifications/vote-deployment.yaml | 36 +++++++++++++---- k8s-specifications/worker-deployment.yaml | 33 ++++++++++++++-- 5 files changed, 145 insertions(+), 49 deletions(-) diff --git a/k8s-specifications/db-deployment.yaml b/k8s-specifications/db-deployment.yaml index bc94ca7368..dde2f3f658 100644 --- a/k8s-specifications/db-deployment.yaml +++ b/k8s-specifications/db-deployment.yaml @@ -1,8 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - labels: - app: db name: db spec: replicas: 1 @@ -14,20 +12,33 @@ spec: labels: app: db spec: + serviceAccountName: default containers: - - image: postgres:15-alpine - name: postgres - env: - - name: POSTGRES_USER - value: postgres - - name: POSTGRES_PASSWORD - value: postgres - ports: - - containerPort: 5432 - name: postgres - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: db-data - volumes: - - name: db-data - emptyDir: {} + - name: postgres + image: postgres:15 + securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "256Mi" + livenessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 5 diff --git a/k8s-specifications/redis-deployment.yaml b/k8s-specifications/redis-deployment.yaml index 24aa52135f..a985c681a2 100644 --- a/k8s-specifications/redis-deployment.yaml +++ b/k8s-specifications/redis-deployment.yaml 
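Review bot: Removing `labels: app: db` from the Deployment's `metadata` is not part of a securityContext/resources hardening pass, and it unlabels the Deployment object itself, so label selectors such as `kubectl get deploy -l app=db` stop matching; the pod-template label is untouched, so the spec selector presumably still works, but the metadata label should stay. The same deletion is made in the redis, result, vote and worker manifests of this patch.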
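Review bot: The `httpGet` probes on `port: 80` cannot succeed against postgres, which serves no HTTP; the readiness probe keeps the pod unready and the liveness probe restarts it every period, so the Deployment never becomes available (redis and worker receive the same probe block and have no HTTP listener either). Removing the `POSTGRES_USER`/`POSTGRES_PASSWORD` entries deletes the hardcoded `postgres`/`postgres` credential the scan flagged, but the official image refuses to initialize without a password, so the replacement is a `secretKeyRef`, not deletion. `readOnlyRootFilesystem: true` combined with dropping the `db-data` volume and its `/var/lib/postgresql/data` mount leaves the database no writable data directory; keep that volume, add an `emptyDir` for the image's run/socket directory (typically `/var/run/postgresql`), and check `runAsUser: 1000` against the uid that owns the image's data files. `serviceAccountName: default` is the value a pod gets anyway and adds no hardening; `automountServiceAccountToken: false` in the pod spec, plus `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` in the container `securityContext`, are the controls still missing from all five manifests. `postgres:15-alpine` → `postgres:15` is a base-variant change unrelated to the scan findings, and neither tag is digest-pinned.
```yaml
    spec:
      automountServiceAccountToken: false
      containers:
        - name: postgres
          image: postgres:15   # pin by digest once the variant is settled
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: db-credentials   # constructed placeholder; create this Secret outside the manifest
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password
          ports:
            - containerPort: 5432
              name: postgres
          securityContext:
            runAsUser: 1000   # verify against the uid that owns the image's data files
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL
          # … unchanged: resources …
          livenessProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            exec:
              command: ["sh", "-c", "pg_isready -U \"$POSTGRES_USER\""]
            initialDelaySeconds: 5
            periodSeconds: 5
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              name: db-data
            - mountPath: /var/run/postgresql
              name: pg-run
      volumes:
        - name: db-data
          emptyDir: {}
        - name: pg-run
          emptyDir: {}
```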
@@ -1,8 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - labels: - app: redis name: redis spec: replicas: 1 @@ -14,15 +12,33 @@ spec: labels: app: redis spec: + serviceAccountName: default containers: - - image: redis:alpine - name: redis - ports: - - containerPort: 6379 - name: redis - volumeMounts: - - mountPath: /data - name: redis-data - volumes: - - name: redis-data - emptyDir: {} + - name: redis + image: redis:7 + securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "256Mi" + livenessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 5 diff --git a/k8s-specifications/result-deployment.yaml b/k8s-specifications/result-deployment.yaml index b85488a667..6428795f83 100644 --- a/k8s-specifications/result-deployment.yaml +++ b/k8s-specifications/result-deployment.yaml @@ -1,8 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - labels: - app: result name: result spec: replicas: 1 @@ -14,9 +12,33 @@ spec: labels: app: result spec: + serviceAccountName: default containers: - - image: dockersamples/examplevotingapp_result - name: result - ports: - - containerPort: 80 - name: result + - name: result + image: dockersamples/examplevotingapp_result + securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "256Mi" + livenessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 5 diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml index 165a9478f8..018a458d75 100644 
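Review bot: `readOnlyRootFilesystem: true` is added in the same hunk that deletes the `redis-data` volume and its `/data` mount; redis persists `dump.rdb` under `/data` by default, so the first background save fails and, depending on `stop-writes-on-bgsave-error`, writes start being refused. Keep an `emptyDir` (or a PVC) mounted at `/data`. The `httpGet` probes on `port: 80` have the problem described for db-deployment; redis listens on 6379, so `tcpSocket: port: 6379` (or an `exec` of `redis-cli ping`) is a check that can succeed. `redis:alpine` → `redis:7` changes the base variant without a digest pin, and `runAsUser: 1000` should be checked against the uid the image expects for `/data` ownership.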
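Review bot: The original manifest declared `containerPort: 80` and the new probes target `port: 80`, so the result process is expected to bind a privileged port — but `runAsUser: 1000` with `capabilities.drop: [ALL]` removes `CAP_NET_BIND_SERVICE`, and adding it back generally does not help a non-root process without file capabilities on the binary, so the bind fails unless the image listens elsewhere. Confirm the port the image actually listens on; the robust fix is to run the app on an unprivileged port (e.g. 8080) and point the probes and the Service `targetPort` at it together. Deleting the `ports:` block also breaks any Service that references the port by its name `result` rather than by number, so check the Service before dropping it. The same applies to vote-deployment.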
--- a/k8s-specifications/vote-deployment.yaml +++ b/k8s-specifications/vote-deployment.yaml @@ -1,8 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - labels: - app: vote name: vote spec: replicas: 1 @@ -14,9 +12,33 @@ spec: labels: app: vote spec: + serviceAccountName: default containers: - - image: dockersamples/examplevotingapp_vote - name: vote - ports: - - containerPort: 80 - name: vote + - name: vote + image: dockersamples/examplevotingapp_vote + securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "256Mi" + livenessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 5 diff --git a/k8s-specifications/worker-deployment.yaml b/k8s-specifications/worker-deployment.yaml index 9e35450aec..bc2aa4498d 100644 --- a/k8s-specifications/worker-deployment.yaml +++ b/k8s-specifications/worker-deployment.yaml @@ -1,8 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - labels: - app: worker name: worker spec: replicas: 1 @@ -14,6 +12,33 @@ spec: labels: app: worker spec: + serviceAccountName: default containers: - - image: dockersamples/examplevotingapp_worker - name: worker + - name: worker + image: worker + securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "256Mi" + livenessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 5 + periodSeconds: 5
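Review bot: Same situation as result-deployment: the probes target `port: 80`, the original manifest exposed `containerPort: 80`, and `runAsUser: 1000` with `drop: [ALL]` means the process cannot bind that port; confirm the listening port or move the app to an unprivileged one and update probes and Service `targetPort` in the same change. `readOnlyRootFilesystem: true` also needs verifying against what this image writes at runtime — if it writes temporary files, an `emptyDir` mounted at `/tmp` is required, which the manifest alone does not tell me.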
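Review bot: `image: worker` replaces `dockersamples/examplevotingapp_worker` with a bare name that the kubelet resolves to `docker.io/library/worker`, which is not a published image, so the pod fails with ImagePullBackOff unless a locally loaded image or a registry mirror is assumed (nothing in the patch sets one up). Use the original reference, or the registry path the build actually pushes to, preferably pinned by digest. The worker is a background consumer with no HTTP listener — the original manifest declared no `ports` — so the `httpGet` probes on `port: 80` never succeed and the liveness probe restarts the container every cycle; drop both probes or replace them with an `exec` check the process supports.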