diff --git a/docs/content/direct/testing.md b/docs/content/direct/testing.md index 150360a3..c5589c4e 100644 --- a/docs/content/direct/testing.md +++ b/docs/content/direct/testing.md 
@@ -38,21 +38,36 @@ go test -v -timeout 60s -run ^TestCRDHandling$ ./test/integration/controller-man See `test/e2e/` in the GitHub repository. It has a README. -## Security scanning in CI +## CI Security Scanning -KubeStellar aims to use automated security scanning workflows as part of its CI pipeline to improve supply-chain security and provide early visibility into potential vulnerabilities. +KubeStellar will include automated security scanning workflows as part of its CI +infrastructure. These planned workflows are designed to improve supply-chain security +and provide early visibility into potential vulnerabilities. ### OpenSSF Scorecard -An OpenSSF Scorecard workflow can be used to evaluate the repository against a set of security best practices (such as branch protection, dependency management, and CI configuration). -When enabled (for example via a GitHub Actions workflow under `.github/workflows`), it typically runs on a schedule and/or on changes to the main branch and publishes its results to the GitHub **Security** tab. +KubeStellar will run an OpenSSF Scorecard workflow to evaluate the repository +against a set of security best practices, such as branch protection, +dependency management, and CI configuration. -### Trivy image scanning +The planned Scorecard workflow is expected to: +- Run on a schedule and on changes to the main branch +- Produce results in SARIF format +- Publish findings to the GitHub **Security** tab -KubeStellar can also be integrated with Trivy to scan container images built in CI for known vulnerabilities (CVEs). -A Trivy-based workflow generally reports **CRITICAL** and **HIGH** severity findings and can upload results in SARIF format, making them visible in the GitHub **Security** tab. +### Trivy Container Image Scanning -If these workflows are configured in your clone of the repository, they are part of the CI infrastructure only and do not affect the runtime behavior of KubeStellar deployments. 
+KubeStellar will also use Trivy to scan container images built in CI for known +vulnerabilities (CVEs). + +The planned Trivy scanning workflow is expected to: +- Build container images during CI +- Scan for **CRITICAL** and **HIGH** severity vulnerabilities +- Upload results in SARIF format to the GitHub **Security** tab + +These workflows are part of the project’s CI infrastructure only (and may not yet +be present in this repository) and do not affect the runtime behavior of KubeStellar +deployments. ## Testing releases
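Review bot: The rewritten section asserts that KubeStellar "will run" Scorecard and Trivy workflows while its closing paragraph concedes they "may not yet be present in this repository"; the removed text's hedge (`If these workflows are configured in your clone of the repository`) and its pointer to `.github/workflows` are gone, so a reader has no way to tell whether scanning is actually active or where to look. Suggest either pointing at the workflow files (or a tracking issue) or keeping conditional wording, e.g. "When the Scorecard workflow under `.github/workflows` is enabled, it runs on a schedule and on changes to the main branch". Two smaller points: the heading renames (`-## Security scanning in CI` / `+## CI Security Scanning`, and likewise the Trivy heading) change the generated anchors, so check for inbound links to `#security-scanning-in-ci` before merging; and the Trivy bullet `Scan for **CRITICAL** and **HIGH** severity vulnerabilities` should state whether such findings fail the CI job or are only reported to the Security tab, since that decides whether the scan is a gate or advisory.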