diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 48f8b66..6d0f697 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -25,7 +25,7 @@ Follow these conventions:
 Project-specific rules:
 - Python: 4 spaces (override BC Gov standard)
 - APIs: Additional validation for public endpoints
-- Branches: feature/JIRA-123-description
+- Branches: always created from `main` (`git checkout main && git pull && git checkout -b feature/JIRA-123-description`)
 
 Never:
 - Create duplicate files
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index c6772ca..d629b98 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -21,7 +21,9 @@ jobs:
   trivy:
     name: Trivy Security Scan
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
-    runs-on: ubuntu-24.04
+    continue-on-error: true
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
     permissions:
       contents: read
       security-events: write
@@ -29,13 +31,13 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.34.1
+        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
         with:
           format: "sarif"
           output: "trivy-results.sarif"
           ignore-unfixed: true
           scan-type: "fs"
-          scanners: "vuln,secret,config"
+          scanners: "vuln,secret,misconfig"
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab