From c207aa72e9abab8c09df9e61116e3bdfd8a67dda Mon Sep 17 00:00:00 2001 From: Lukasz Raczylo Date: Sun, 4 Jan 2026 13:33:49 +0000 Subject: [PATCH] fix: accept GitHub API rate limits in GHSA health check - Rate limits (403) are now accepted as healthy - Rate limiting is expected without a GitHub token - Only real errors (network failures, 500s) fail the health check - Prevents health check failures due to unauthenticated API usage Related: GHSA scanner health checks --- pkg/scanner/ghsa/ghsa.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/pkg/scanner/ghsa/ghsa.go b/pkg/scanner/ghsa/ghsa.go index 2d10054..680c79d 100644 --- a/pkg/scanner/ghsa/ghsa.go +++ b/pkg/scanner/ghsa/ghsa.go @@ -107,11 +107,17 @@ func (s *Scanner) Health(ctx context.Context) error { } defer resp.Body.Close() // #nosec G104 -- Cleanup, error not critical - if resp.StatusCode != http.StatusOK { - return fmt.Errorf("github api returned status: %d", resp.StatusCode) + // Accept any 2xx or 403 (rate limit) as healthy + // Rate limits are expected without a GitHub token and shouldn't fail health checks + if resp.StatusCode >= 200 && resp.StatusCode < 300 { + return nil + } + if resp.StatusCode == http.StatusForbidden { + log.Debug().Msg("GitHub API rate limited (expected without token)") + return nil } - return nil + return fmt.Errorf("github api returned status: %d", resp.StatusCode) } // mapRegistryToEcosystem maps our registry names to GitHub ecosystem names
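Review bot: The new `resp.StatusCode == http.StatusForbidden` branch treats every 403 as a benign rate limit, but GitHub also answers 403 for a revoked or under-scoped token, a blocked source address, or abuse detection, so a scanner whose credentials have silently stopped working will report healthy and the debug message "(expected without token)" will be wrong whenever a token is configured (whether the scanner carries one is not visible in this hunk). A 403 should only pass when the response actually signals rate limiting — `X-RateLimit-Remaining: 0` or a `Retry-After` header — and the same treatment should extend to 429, which GitHub also uses for rate limiting; any other 403 should keep falling through to the error return. The body of Health begins before this hunk, so the client setup and token handling are not reviewed here.

```go
	if resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusTooManyRequests {
		// Only a genuine rate limit is acceptable for a health check; a 403 for any
		// other reason (revoked token, blocked IP, abuse detection) means the scanner
		// cannot actually query GHSA and must be reported as unhealthy.
		if resp.Header.Get("X-RateLimit-Remaining") == "0" || resp.Header.Get("Retry-After") != "" {
			log.Debug().Int("status", resp.StatusCode).Msg("GitHub API rate limited; treating health check as passing")
			return nil
		}
	}
	return fmt.Errorf("github api returned status: %d", resp.StatusCode)
```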