diff --git a/.gitea/workflows/security-scan.yml b/.gitea/workflows/security-scan.yml
index 99a8a4fe..48440d3c 100644
--- a/.gitea/workflows/security-scan.yml
+++ b/.gitea/workflows/security-scan.yml
@@ -2,18 +2,13 @@ name: Security Vulnerability Scan
 
 on:
   push:
-    branches: [ main, develop, staging ]
+    branches: [ main, develop ]
   pull_request:
-    branches: [ main, develop, staging ]
+    branches: [ main, develop ]
   schedule:
     # Daily security scan at 2 AM UTC
     - cron: '0 2 * * *'
   workflow_dispatch:
-    inputs:
-      branch:
-        description: 'Branch to scan'
-        required: false
-        default: 'main'
 
 jobs:
   security-audit:
@@ -23,12 +18,25 @@ jobs:
     steps:
       - name: Checkout code
         run: |
-          REF_NAME="${{ github.ref_name }}"
-          REPO="${{ github.repository }}"
-          if [ -z "$REF_NAME" ]; then
+          # For pull_request events, use the head ref (source branch)
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            REF_NAME="${{ github.head_ref || github.event.pull_request.head.ref }}"
+          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            REF_NAME="${{ inputs.branch || github.ref_name }}"
+          else
+            REF_NAME="${{ github.ref_name }}"
+          fi
+
+          # Fallback to main if REF_NAME is still empty
+          if [ -z "$REF_NAME" ] || [ "$REF_NAME" = "" ]; then
             REF_NAME="main"
           fi
+
+          REPO="${{ github.repository }}"
+
+          echo "📋 Cloning branch: $REF_NAME"
+          echo "📦 Repository: $REPO"
+
           # Use CI token if available, otherwise try public access
           if [ -n "${{ secrets.CI_TOKEN }}" ]; then
             git clone --depth 1 --branch "$REF_NAME" \
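Review bot: Removing the `branch` input under `workflow_dispatch` orphans the `${{ inputs.branch || github.ref_name }}` reference that the checkout step in the following hunk still makes; with no declared input the left operand is always empty, so that `elif` arm is dead code and a manual dispatch can no longer target any branch other than the one the workflow runs on. Either drop that arm so the dispatch case falls through to `REF_NAME="${{ github.ref_name }}"`, or keep the input declaration (the five lines removed here) and document that it is the only way to choose the scanned branch. If the input stays, remember that its value is substituted into the `run:` script text before the shell parses it, so the surrounding double quotes give no protection; pass it through `env:` and reject anything not matching a strict branch-name pattern before it reaches `git clone`. Dropping `staging` from the `push` and `pull_request` triggers also stops scanning that branch on push; presumably intended, but worth stating in the commit message.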