lacework · jeremydubreil · Jun 17, 2026 · Jun 11, 2026
diff --git a/src/index.ts b/src/index.ts
@@ -17,9 +17,6 @@ import {
   generateCacheKey,
 } from './util'
 
-// Set to false to disable SCA globally
-const enableScaRunning = true
-
 async function runAnalysis() {
   const target = getInput('target')
 
@@ -61,7 +58,7 @@ async function runAnalysis() {
   let cacheHit = false
   let cacheKey: string | undefined
   if (targetScan === 'old') {
-    cacheKey = await generateCacheKey(enableIacRunning, enableScaRunning, targetScan, modifiedFiles)
+    cacheKey = await generateCacheKey(enableIacRunning, targetScan, modifiedFiles)
     if (cacheKey) {
       const restored = await cache.restoreCache([resultsPath], cacheKey)
       if (restored) {
@@ -76,23 +73,11 @@ async function runAnalysis() {
   }
 
   if (!cacheHit) {
-    let success = await runCodesec(
-      'scan',
-      enableIacRunning,
-      enableScaRunning,
-      resultsPath,
-      targetScan,
-      modifiedFiles
-    )
+    let success = await runCodesec('scan', enableIacRunning, resultsPath, targetScan, modifiedFiles)
     if (success && targetScan !== 'new') {
       // Save the analysis results when not scanning the PR source branch
       if (!cacheKey) {
-        cacheKey = await generateCacheKey(
-          enableIacRunning,
-          enableScaRunning,
-          targetScan,
-          modifiedFiles
-        )
+        cacheKey = await generateCacheKey(enableIacRunning, targetScan, modifiedFiles)
       }
       if (cacheKey) {
         try {
@@ -106,14 +91,12 @@ async function runAnalysis() {
   } else {
     // Cache restored — rename files to match current targetScan if needed
     const possibleNames = ['old', 'scan']
-    if (enableScaRunning) {
-      const scaDir = path.join(resultsPath, 'sca')
-      for (const name of possibleNames) {
-        const existing = path.join(scaDir, `sca-${name}.sarif`)
-        if (existsSync(existing) && name !== targetScan) {
-          renameSync(existing, path.join(scaDir, `sca-${targetScan}.sarif`))
-          break
-        }
+    const scaDir = path.join(resultsPath, 'sca')
+    for (const name of possibleNames) {
+      const existing = path.join(scaDir, `sca-${name}.sarif`)
+      if (existsSync(existing) && name !== targetScan) {
+        renameSync(existing, path.join(scaDir, `sca-${targetScan}.sarif`))
+        break
       }
     }
     if (enableIacRunning) {
@@ -129,21 +112,19 @@ async function runAnalysis() {
   }
 
   // Upload SCA SARIF from the returned results path
-  if (enableScaRunning) {
-    const scaSarifFile = path.join(resultsPath, 'sca', `sca-${targetScan}.sarif`)
-    if (existsSync(scaSarifFile)) {
-      info(`Found SCA SARIF file to upload: ${scaSarifFile}`)
-      toUpload.push(scaSarifFile)
-
-      // Copy SARIF to code-scanning-path for backward compatibility
-      const codeScanningPath = getInput('code-scanning-path')
-      if (codeScanningPath) {
-        info(`Copying SARIF to code-scanning-path: ${codeScanningPath}`)
-        copyFileSync(scaSarifFile, codeScanningPath)
-      }
-    } else {
-      info(`SCA SARIF file not found at: ${scaSarifFile}`)
+  const scaSarifFile = path.join(resultsPath, 'sca', `sca-${targetScan}.sarif`)
+  if (existsSync(scaSarifFile)) {
+    info(`Found SCA SARIF file to upload: ${scaSarifFile}`)
+    toUpload.push(scaSarifFile)
+
+    // Copy SARIF to code-scanning-path for backward compatibility
+    const codeScanningPath = getInput('code-scanning-path')
+    if (codeScanningPath) {
+      info(`Copying SARIF to code-scanning-path: ${codeScanningPath}`)
+      copyFileSync(scaSarifFile, codeScanningPath)
     }
+  } else {
+    info(`SCA SARIF file not found at: ${scaSarifFile}`)
   }
 
   // Upload IAC JSON from the returned results path
@@ -173,34 +154,22 @@ async function displayResults() {
   const artifactNew = await downloadArtifact('results-new')
 
   // Create local scan-results directory for compare
-  if (enableScaRunning) {
-    mkdirSync('scan-results/sca', { recursive: true })
-  }
+  mkdirSync('scan-results/sca', { recursive: true })
   if (enableIacRunning) {
     mkdirSync('scan-results/iac', { recursive: true })
   }
 
   // Check and copy files for each scanner type
-  const scaAvailable =
-    enableScaRunning && (await prepareScannerFiles('sca', artifactOld, artifactNew))
-  const iacAvailable =
-    enableIacRunning && (await prepareScannerFiles('iac', artifactOld, artifactNew))
-
-  // Need at least one scanner to compare
-  if (!scaAvailable && !iacAvailable) {
-    info('No scanner files available for comparison. Nothing to compare.')
-    setOutput('display-completed', true)
+  if (!(await prepareScannerFiles('sca', artifactOld, artifactNew))) {
+    error('SCA files not found. Cannot perform compare.')
     return
   }
+  const iacAvailable =
+    enableIacRunning && (await prepareScannerFiles('iac', artifactOld, artifactNew))
 
   // Run codesec compare mode with available scanners
   const resultsPath = path.join(process.cwd(), 'scan-results')
-  await runCodesec(
-    'compare',
-    enableIacRunning && iacAvailable,
-    enableScaRunning && scaAvailable,
-    resultsPath
-  )
+  await runCodesec('compare', enableIacRunning && iacAvailable, resultsPath)
 
   // Read comparison output - check all possible outputs
   const outputs = [

diff --git a/src/util.ts b/src/util.ts
@@ -143,13 +143,12 @@ export async function getModifiedFiles(): Promise<string | undefined> {
 // 3. action='compare' -> compares new/old results, generates diff markdown for PR comment
 //
 // Parameters:
-// - runIac/runSca: which scanners to enable (default false - enable when ready to test)
+// - runIac: whether to enable the IaC scanner
 // - scanTarget: 'new', 'old', or 'scan' depending on mode
 // - computeCacheKey: if true, runs GENERATE_CACHE_KEY mode instead of scanning
 export async function runCodesec(
   action: string,
   runIac: boolean = false,
-  runSca: boolean = false,
   reportsDir: string,
   scanTarget?: string,
   modifiedFiles?: string,
@@ -191,7 +190,7 @@ export async function runCodesec(
       '-e',
       `LW_API_SECRET=${lwApiSecret}`,
       '-e',
-      `RUN_SCA=${runSca}`,
+      `RUN_SCA=true`,
       '-e',
       `RUN_IAC=${runIac}`,
       '-e',
@@ -224,17 +223,15 @@ export async function runCodesec(
     }
 
     // Copy results out of container to temp dir
-    if (runSca) {
-      const scaDir = path.join(reportsDir, 'sca')
-      mkdirSync(scaDir, { recursive: true })
-      await callCommand(
-        'docker',
-        'container',
-        'cp',
-        `${containerName}:/tmp/scan-results/sca/sca-${scanTarget || 'scan'}.sarif`,
-        path.join(scaDir, `sca-${scanTarget || 'scan'}.sarif`)
-      )
-    }
+    const scaDir = path.join(reportsDir, 'sca')
+    mkdirSync(scaDir, { recursive: true })
+    await callCommand(
+      'docker',
+      'container',
+      'cp',
+      `${containerName}:/tmp/scan-results/sca/sca-${scanTarget || 'scan'}.sarif`,
+      path.join(scaDir, `sca-${scanTarget || 'scan'}.sarif`)
+    )
 
     if (runIac) {
       const iacDir = path.join(reportsDir, 'iac')
@@ -285,7 +282,7 @@ export async function runCodesec(
       '-e',
       `LW_API_SECRET=${lwApiSecret}`,
       '-e',
-      `RUN_SCA=${runSca}`,
+      `RUN_SCA=true`,
       '-e',
       `RUN_IAC=${runIac}`,
       'lacework/codesec:latest',
@@ -331,14 +328,13 @@ export function readMarkdownFile(filePath: string): string {
 
 export async function generateCacheKey(
   runIac: boolean,
-  runSca: boolean,
   scanTarget?: string,
   modifiedFiles?: string
 ): Promise<string | undefined> {
   const reportsDir = path.join(os.tmpdir(), `codesec-cache-${Date.now()}`)
 
   try {
-    await runCodesec('scan', runIac, runSca, reportsDir, scanTarget, modifiedFiles, true)
+    await runCodesec('scan', runIac, reportsDir, scanTarget, modifiedFiles, true)
   } catch (e) {
     info(`Cache key generation failed: ${(e as Error).message}`)
     return undefined