diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e74badf..3e93161 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -83,7 +83,7 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=sha,prefix={{branch}}-
+            type=sha
             type=raw,value=staging,enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
       
@@ -92,7 +92,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
@@ -103,14 +103,21 @@ jobs:
     name: Security Scanning
     runs-on: ubuntu-latest
     needs: build
+    if: github.event_name != 'pull_request'
     
     steps:
       - uses: actions/checkout@v4
       
+      - name: Extract first image tag
+        id: first-tag
+        run: |
+          FIRST_TAG=$(echo "${{ needs.build.outputs.image-tag }}" | head -n 1)
+          echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
+      
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ${{ needs.build.outputs.image-tag }}
+          image-ref: ${{ steps.first-tag.outputs.tag }}
           format: 'sarif'
           output: 'trivy-results.sarif'
       
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index e77ff40..bc4ed03 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -47,8 +47,8 @@ jobs:
       uses: trufflesecurity/trufflehog@main
       with:
         path: ./
-        base: main
-        head: HEAD
+        base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || '' }}
+        head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
         extra_args: --debug --only-verified
 
   codeql:
diff --git a/eslint.config.js b/eslint.config.js
index ca991c6..447acee 100644
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -28,7 +28,7 @@ module.exports = [
     },
     rules: {
       // Error prevention
-      'no-unused-vars': ['error', { 'argsIgnorePattern': '^_', 'varsIgnorePattern': '^_' }],
+      'no-unused-vars': ['error', { 'argsIgnorePattern': '^_', 'varsIgnorePattern': '^_', 'caughtErrorsIgnorePattern': '^_' }],
       'no-console': 'warn',
       'no-debugger': 'error',
       
diff --git a/src/services/claudeService.js b/src/services/claudeService.js
index 1d83ed9..5341937 100644
--- a/src/services/claudeService.js
+++ b/src/services/claudeService.js
@@ -1,6 +1,4 @@
-const { execFileSync, exec } = require('child_process');
-const { promisify } = require('util');
-const execAsync = promisify(exec);
+const { execFileSync } = require('child_process');
 // Use sync methods for file operations that need to be synchronous
 const fsSync = require('fs');
 const path = require('path');
@@ -87,7 +85,7 @@ For real functionality, please configure valid GitHub and Claude API tokens.`;
     try {
       execFileSync('docker', ['inspect', dockerImageName], { stdio: 'ignore' });
       logger.info({ dockerImageName }, 'Docker image already exists');
-    } catch (e) {
+    } catch (_e) {
       logger.info({ dockerImageName }, 'Building Docker image for Claude Code runner');
       execFileSync('docker', ['build', '-f', 'Dockerfile.claudecode', '-t', dockerImageName, '.'], {
         cwd: path.join(__dirname, '../..'),
@@ -149,7 +147,7 @@ Please complete this task fully and autonomously.`;
     };
 
     // Build docker run command - properly escape values for shell
-    const envArgs = Object.entries(envVars)
+    Object.entries(envVars)
       .filter(([_, value]) => value !== undefined && value !== '')
       .map(([key, value]) => {
         // Convert to string and escape shell special characters in the value
diff --git a/test-results/jest/results.xml b/test-results/jest/results.xml
index d352e74..8324e8b 100644
--- a/test-results/jest/results.xml
+++ b/test-results/jest/results.xml
@@ -1,33 +1,53 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<testsuites name="jest tests" tests="30" failures="0" errors="0" time="0.65">
-  <testsuite name="GitHub Controller - Check Suite Events" errors="0" failures="0" skipped="0" timestamp="2025-05-22T21:49:28" time="0.424" tests="6">
-    <testcase classname="GitHub Controller - Check Suite Events should trigger PR review when check suite succeeds with PRs" name="GitHub Controller - Check Suite Events should trigger PR review when check suite succeeds with PRs" time="0.005">
+<testsuites name="jest tests" tests="38" failures="0" errors="0" time="0.646">
+  <testsuite name="Claude Service" errors="0" failures="0" skipped="0" timestamp="2025-05-24T18:17:16" time="0.346" tests="4">
+    <testcase classname="Claude Service processCommand should handle test mode correctly" name="Claude Service processCommand should handle test mode correctly" time="0.003">
+    </testcase>
+    <testcase classname="Claude Service processCommand should properly set up Docker command in production mode" name="Claude Service processCommand should properly set up Docker command in production mode" time="0.002">
+    </testcase>
+    <testcase classname="Claude Service processCommand should handle errors properly" name="Claude Service processCommand should handle errors properly" time="0.014">
+    </testcase>
+    <testcase classname="Claude Service processCommand should write long commands to temp files" name="Claude Service processCommand should write long commands to temp files" time="0.001">
+    </testcase>
+  </testsuite>
+  <testsuite name="GitHub Controller - Check Suite Events" errors="0" failures="0" skipped="2" timestamp="2025-05-24T18:17:16" time="0.072" tests="10">
+    <testcase classname="GitHub Controller - Check Suite Events should trigger PR review when check suite succeeds with PRs and combined status passes" name="GitHub Controller - Check Suite Events should trigger PR review when check suite succeeds with PRs and combined status passes" time="0.004">
     </testcase>
     <testcase classname="GitHub Controller - Check Suite Events should not trigger PR review when check suite fails" name="GitHub Controller - Check Suite Events should not trigger PR review when check suite fails" time="0.001">
     </testcase>
     <testcase classname="GitHub Controller - Check Suite Events should not trigger PR review when check suite succeeds but has no PRs" name="GitHub Controller - Check Suite Events should not trigger PR review when check suite succeeds but has no PRs" time="0.001">
     </testcase>
-    <testcase classname="GitHub Controller - Check Suite Events should handle multiple PRs in check suite" name="GitHub Controller - Check Suite Events should handle multiple PRs in check suite" time="0.001">
+    <testcase classname="GitHub Controller - Check Suite Events should handle multiple PRs in check suite in parallel" name="GitHub Controller - Check Suite Events should handle multiple PRs in check suite in parallel" time="0.002">
     </testcase>
-    <testcase classname="GitHub Controller - Check Suite Events should handle Claude service errors gracefully" name="GitHub Controller - Check Suite Events should handle Claude service errors gracefully" time="0">
+    <testcase classname="GitHub Controller - Check Suite Events should handle Claude service errors gracefully" name="GitHub Controller - Check Suite Events should handle Claude service errors gracefully" time="0.001">
     </testcase>
-    <testcase classname="GitHub Controller - Check Suite Events should use check suite head_sha when PR head.sha is missing" name="GitHub Controller - Check Suite Events should use check suite head_sha when PR head.sha is missing" time="0">
+    <testcase classname="GitHub Controller - Check Suite Events should skip PR when head.sha is missing" name="GitHub Controller - Check Suite Events should skip PR when head.sha is missing" time="0.001">
+    </testcase>
+    <testcase classname="GitHub Controller - Check Suite Events should skip PR review when combined status is not success" name="GitHub Controller - Check Suite Events should skip PR review when combined status is not success" time="0">
+      <skipped/>
+    </testcase>
+    <testcase classname="GitHub Controller - Check Suite Events should handle combined status API errors" name="GitHub Controller - Check Suite Events should handle combined status API errors" time="0">
+      <skipped/>
+    </testcase>
+    <testcase classname="GitHub Controller - Check Suite Events should handle mixed success and failure in multiple PRs" name="GitHub Controller - Check Suite Events should handle mixed success and failure in multiple PRs" time="0.001">
+    </testcase>
+    <testcase classname="GitHub Controller - Check Suite Events should skip PR review when already reviewed at same commit" name="GitHub Controller - Check Suite Events should skip PR review when already reviewed at same commit" time="0">
     </testcase>
   </testsuite>
-  <testsuite name="githubService" errors="0" failures="0" skipped="0" timestamp="2025-05-22T21:49:29" time="0.044" tests="10">
+  <testsuite name="githubService" errors="0" failures="0" skipped="0" timestamp="2025-05-24T18:17:16" time="0.064" tests="10">
     <testcase classname="githubService getFallbackLabels should identify bug labels correctly" name="githubService getFallbackLabels should identify bug labels correctly" time="0.001">
     </testcase>
     <testcase classname="githubService getFallbackLabels should identify feature labels correctly" name="githubService getFallbackLabels should identify feature labels correctly" time="0">
     </testcase>
-    <testcase classname="githubService getFallbackLabels should identify enhancement labels correctly" name="githubService getFallbackLabels should identify enhancement labels correctly" time="0">
+    <testcase classname="githubService getFallbackLabels should identify enhancement labels correctly" name="githubService getFallbackLabels should identify enhancement labels correctly" time="0.001">
     </testcase>
-    <testcase classname="githubService getFallbackLabels should identify question labels correctly" name="githubService getFallbackLabels should identify question labels correctly" time="0.001">
+    <testcase classname="githubService getFallbackLabels should identify question labels correctly" name="githubService getFallbackLabels should identify question labels correctly" time="0">
     </testcase>
     <testcase classname="githubService getFallbackLabels should identify documentation labels correctly" name="githubService getFallbackLabels should identify documentation labels correctly" time="0">
     </testcase>
     <testcase classname="githubService getFallbackLabels should default to medium priority when no specific priority keywords found" name="githubService getFallbackLabels should default to medium priority when no specific priority keywords found" time="0">
     </testcase>
-    <testcase classname="githubService getFallbackLabels should handle empty descriptions gracefully" name="githubService getFallbackLabels should handle empty descriptions gracefully" time="0">
+    <testcase classname="githubService getFallbackLabels should handle empty descriptions gracefully" name="githubService getFallbackLabels should handle empty descriptions gracefully" time="0.001">
     </testcase>
     <testcase classname="githubService addLabelsToIssue - test mode should return mock data in test mode" name="githubService addLabelsToIssue - test mode should return mock data in test mode" time="0">
     </testcase>
@@ -36,33 +56,23 @@
     <testcase classname="githubService postComment - test mode should return mock comment data in test mode" name="githubService postComment - test mode should return mock comment data in test mode" time="0">
     </testcase>
   </testsuite>
-  <testsuite name="AWS Credential Provider" errors="0" failures="0" skipped="0" timestamp="2025-05-22T21:49:29" time="0.044" tests="7">
+  <testsuite name="AWS Credential Provider" errors="0" failures="0" skipped="0" timestamp="2025-05-24T18:17:16" time="0.036" tests="7">
     <testcase classname="AWS Credential Provider should get credentials from AWS profile" name="AWS Credential Provider should get credentials from AWS profile" time="0.001">
     </testcase>
     <testcase classname="AWS Credential Provider should cache credentials" name="AWS Credential Provider should cache credentials" time="0.001">
     </testcase>
     <testcase classname="AWS Credential Provider should clear credential cache" name="AWS Credential Provider should clear credential cache" time="0">
     </testcase>
-    <testcase classname="AWS Credential Provider should get Docker environment variables" name="AWS Credential Provider should get Docker environment variables" time="0.001">
+    <testcase classname="AWS Credential Provider should get Docker environment variables" name="AWS Credential Provider should get Docker environment variables" time="0">
     </testcase>
-    <testcase classname="AWS Credential Provider should throw error if AWS_PROFILE is not set" name="AWS Credential Provider should throw error if AWS_PROFILE is not set" time="0.008">
+    <testcase classname="AWS Credential Provider should throw error if AWS_PROFILE is not set" name="AWS Credential Provider should throw error if AWS_PROFILE is not set" time="0.006">
     </testcase>
-    <testcase classname="AWS Credential Provider should throw error for non-existent profile" name="AWS Credential Provider should throw error for non-existent profile" time="0.001">
+    <testcase classname="AWS Credential Provider should throw error for non-existent profile" name="AWS Credential Provider should throw error for non-existent profile" time="0">
     </testcase>
     <testcase classname="AWS Credential Provider should throw error for incomplete credentials" name="AWS Credential Provider should throw error for incomplete credentials" time="0.001">
     </testcase>
   </testsuite>
-  <testsuite name="GitHub Controller" errors="0" failures="0" skipped="0" timestamp="2025-05-22T21:49:29" time="0.043" tests="4">
-    <testcase classname="GitHub Controller should process a valid webhook with @TestBot mention" name="GitHub Controller should process a valid webhook with @TestBot mention" time="0.002">
-    </testcase>
-    <testcase classname="GitHub Controller should reject a webhook with invalid signature" name="GitHub Controller should reject a webhook with invalid signature" time="0.008">
-    </testcase>
-    <testcase classname="GitHub Controller should ignore comments without @TestBot mention" name="GitHub Controller should ignore comments without @TestBot mention" time="0.001">
-    </testcase>
-    <testcase classname="GitHub Controller should handle errors from Claude service" name="GitHub Controller should handle errors from Claude service" time="0.005">
-    </testcase>
-  </testsuite>
-  <testsuite name="Container Execution E2E Tests" errors="0" failures="0" skipped="0" timestamp="2025-05-22T21:49:29" time="0.022" tests="3">
+  <testsuite name="Container Execution E2E Tests" errors="0" failures="0" skipped="0" timestamp="2025-05-24T18:17:16" time="0.018" tests="3">
     <testcase classname="Container Execution E2E Tests Container should be properly configured" name="Container Execution E2E Tests Container should be properly configured" time="0.001">
     </testcase>
     <testcase classname="Container Execution E2E Tests Should process a simple Claude request" name="Container Execution E2E Tests Should process a simple Claude request" time="0">
@@ -70,4 +80,14 @@
     <testcase classname="Container Execution E2E Tests Should handle errors gracefully" name="Container Execution E2E Tests Should handle errors gracefully" time="0">
     </testcase>
   </testsuite>
+  <testsuite name="GitHub Controller" errors="0" failures="0" skipped="0" timestamp="2025-05-24T18:17:16" time="0.039" tests="4">
+    <testcase classname="GitHub Controller should process a valid webhook with @TestBot mention" name="GitHub Controller should process a valid webhook with @TestBot mention" time="0.002">
+    </testcase>
+    <testcase classname="GitHub Controller should reject a webhook with invalid signature" name="GitHub Controller should reject a webhook with invalid signature" time="0.007">
+    </testcase>
+    <testcase classname="GitHub Controller should ignore comments without @TestBot mention" name="GitHub Controller should ignore comments without @TestBot mention" time="0">
+    </testcase>
+    <testcase classname="GitHub Controller should handle errors from Claude service" name="GitHub Controller should handle errors from Claude service" time="0.004">
+    </testcase>
+  </testsuite>
 </testsuites>
\ No newline at end of file
diff --git a/test/unit/services/claudeService.test.js b/test/unit/services/claudeService.test.js
index 6a5fe51..b044ade 100644
--- a/test/unit/services/claudeService.test.js
+++ b/test/unit/services/claudeService.test.js
@@ -49,7 +49,7 @@ jest.mock('../../../src/utils/secureCredentials', () => ({
 }));
 
 // Now require the module under test
-const { execFileSync, exec } = require('child_process');
+const { execFileSync } = require('child_process');
 const { writeFileSync } = require('fs');
 const { promisify } = require('util');
 const { sanitizeBotMentions } = require('../../../src/utils/sanitize');
@@ -92,7 +92,7 @@ describe('Claude Service', () => {
       process.env.NODE_ENV = 'production';
       
       // Mock dependencies needed in production mode
-      execFileSync.mockImplementation((cmd, args, options) => {
+      execFileSync.mockImplementation((cmd, args, _options) => {
         if (args[0] === 'inspect') return '{}';
         return 'mocked output';
       });
@@ -142,7 +142,7 @@ describe('Claude Service', () => {
       process.env.NODE_ENV = 'production';
       
       // Mock the Docker inspect to succeed
-      execFileSync.mockImplementation((cmd, args, options) => {
+      execFileSync.mockImplementation((cmd, args, _options) => {
         if (args[0] === 'inspect') return '{}';
         if (args[0] === 'logs') return 'error logs';
         if (args[0] === 'kill') return '';
@@ -192,24 +192,20 @@ describe('Claude Service', () => {
       process.env.NODE_ENV = 'production';
       
       // Mock the Docker inspect to succeed
-      execFileSync.mockImplementation((cmd, args, options) => {
+      execFileSync.mockImplementation((cmd, args, _options) => {
         if (args[0] === 'inspect') return '{}';
         return 'mocked output';
       });
       
-      // Make sure our original command is accessible
-      const longCommand = options.command;
-      
       // Capture file write calls
-      let capturedFilePath = null;
-      writeFileSync.mockImplementation((path, content, options) => {
-        capturedFilePath = path;
+      writeFileSync.mockImplementation((_path, _content, _options) => {
+        // File write is mocked
       });
       
       // Call the original implementation
       try {
         await originalProcessCommand(options);
-      } catch (e) {
+      } catch (_e) {
         // Ignore errors, we just want to check if writeFileSync was called
       }