From bf0925a4fcb3d7797a1592d5ce7b82048bc95a06 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo <lukasz@raczylo.com>
Date: Sun, 4 Jan 2026 13:33:10 +0000
Subject: [PATCH] fix: return degraded status for scanner health check failures

- Scanner failures (e.g., GitHub API rate limits) no longer mark server as unhealthy
- Server can still serve cached packages when scanners are unavailable
- Readiness probes will now pass with degraded scanner status
- Prevents unnecessary pod restarts due to external API issues

Fixes: Readiness probes failing with 503 due to GHSA rate limiting
---
 pkg/app/app.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/app/app.go b/pkg/app/app.go
index 6ab2354..3d8b62d 100644
--- a/pkg/app/app.go
+++ b/pkg/app/app.go
@@ -290,7 +290,9 @@ func (a *App) initializeComponents() error {
 	a.healthChecker.AddCheck("scanner", func(ctx context.Context) (health.Status, string) {
 		if a.config.Security.Enabled {
 			if err := a.scanManager.Health(ctx); err != nil {
-				return health.StatusUnhealthy, err.Error()
+				// Scanner failures (e.g., API rate limits) shouldn't mark server as unhealthy
+				// Server can still serve cached packages, just can't scan new ones
+				return health.StatusDegraded, err.Error()
 			}
 		}
 		return health.StatusHealthy, ""