Feature/26 t1 bac aa scan summary endpoint #236

Open

shaniashina wants to merge 124 commits into feature/appsec-security-md from feature/26T1-BAC-AA-scan-summary-endpoint

Conversation

@shaniashina (Collaborator)
Summary name: AutoAudit Security CI/CD Pipeline
Security Fixes Implemented
Several security improvements were implemented to strengthen the AutoAudit Security CI/CD workflow and improve overall DevSecOps practices. The workflow logic was corrected to ensure proper conditional execution of security jobs, while GitHub CodeQL was integrated for automated static application security testing (SAST). Additional protections were added through dependency vulnerability scanning, secret and credential detection using Gitleaks, and Docker container vulnerability scanning using Trivy. Workflow permissions were restricted following least privilege principles to reduce unnecessary access and improve security hardening. The workflow was also enhanced with scheduled weekly scans, improved maintainability, dependency caching, and better workflow organisation to support secure software development lifecycle (SSDLC) practices and continuous security validation.

```yaml
name: AutoAudit Security CI/CD Pipeline

# ---- Workflow Triggers ----
on:
  push:
    branches:
      - main
      - staging
      - dev

  pull_request:
    branches:
      - main
      - staging
      - dev

  # Weekly scheduled security scan (Saturday 23:32 UTC)
  schedule:
    - cron: '32 23 * * 6'

# ---- Default Repository Permissions ----
# Least privilege: every job is read-only unless it declares more.
permissions:
  contents: read

# ---- Jobs ----
jobs:

  # ---- Detect Relevant Security Changes ----
  detect-changes:
    name: Detect Security Related Changes
    runs-on: ubuntu-latest

    outputs:
      security: ${{ steps.filter.outputs.security }}

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Detect Changed Files
        id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            security:
              - '.github/workflows/**'
              - 'security/**'
              - 'backend/**'
              - 'src/**'
              - 'package.json'
              - 'package-lock.json'

  # ---- Static Application Security Testing (SAST) ----
  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    needs: detect-changes

    # Run analysis if:
    # - Pull request event
    # - Scheduled scan
    # - Security-related files changed
    if: |
      github.event_name != 'push' ||
      needs.detect-changes.outputs.security == 'true'

    permissions:
      actions: read
      contents: read
      security-events: write   # needed to upload SARIF results to code scanning
      packages: read

    strategy:
      fail-fast: false
      matrix:
        language:
          - javascript-typescript

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Setup Node.js Environment
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - name: Install Dependencies
        run: npm install

      # Initialize GitHub CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # Automatically build project
      - name: Perform CodeQL Autobuild
        uses: github/codeql-action/autobuild@v3

      # Run security analysis
      - name: Execute CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  # ---- Dependency Vulnerability Review ----
  dependency-review:
    name: Dependency Security Review
    runs-on: ubuntu-latest

    # Only run on pull requests
    if: github.event_name == 'pull_request'

    permissions:
      contents: read
      pull-requests: write   # lets the action post its findings on the PR

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Review Dependency Vulnerabilities
        uses: actions/dependency-review-action@v4

  # ---- Secret and Credential Scanning ----
  secret-scanning:
    name: Secret and Credential Detection
    runs-on: ubuntu-latest

    permissions:
      contents: read

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # Scan repository for exposed secrets
      - name: Run Gitleaks Secret Scan
        uses: gitleaks/gitleaks-action@v2

  # ---- Linting and Code Quality Validation ----
  lint-validation:
    name: Linting and Code Quality Checks
    runs-on: ubuntu-latest

    needs:
      - detect-changes
      - codeql-analysis

    if: |
      github.event_name != 'push' ||
      needs.detect-changes.outputs.security == 'true'

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so Super-Linter can diff changed files

      # Run GitHub Super-Linter
      - name: Execute Super-Linter
        uses: super-linter/super-linter@v7
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

          DEFAULT_BRANCH: main
          VALIDATE_ALL_CODEBASE: false

          # Enabled Validators
          VALIDATE_YAML: true
          VALIDATE_GITHUB_ACTIONS: true

          # Disabled Validators
          VALIDATE_HTML: false
          VALIDATE_PYTHON_BLACK: false
          VALIDATE_PYTHON_FLAKE8: false
          VALIDATE_PYTHON_ISORT: false

  # ---- Docker Container Security Scanning ----
  container-security-scan:
    name: Docker Container Vulnerability Scan
    runs-on: ubuntu-latest

    # Only run on main branch
    if: github.ref == 'refs/heads/main'

    permissions:
      contents: read

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # Build Docker image
      - name: Build Docker Image
        run: |
          docker build -t autoaudit-backend:latest .

      # Scan Docker image using Trivy
      - name: Scan Docker Image with Trivy
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: autoaudit-backend:latest
          format: table
          exit-code: 0          # report-only: findings never fail the job (1 would block on CRITICAL/HIGH)
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  # ---- Future Secure Deployment Stage ----
  deploy:
    name: Secure Production Deployment
    runs-on: ubuntu-latest

    # Note: dependency-review only runs on pull_request, so on a push to main it is
    # skipped, and a job that needs a skipped job is itself skipped unless its
    # condition uses always() or !cancelled().
    needs:
      - codeql-analysis
      - dependency-review
      - secret-scanning
      - lint-validation
      - container-security-scan

    if: github.ref == 'refs/heads/main'

    environment: production

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Secure Deployment Placeholder
        run: echo "Future production deployment process"
```

srujan0301 and others added 30 commits March 20, 2026 18:38
…YiFeng

feat: TailwindCSS migration for About Us and Contact Us pages, update…
phanvuminhtrung and others added 24 commits May 4, 2026 14:11
26T1-UI-RL-004  | Migrate from vanilla CSS to TailwindCSS
These are the GCP collectors and Rego files prepared by TAWALI CHAPAU for CIS v8 - domain: access control.
…26-2026

Adds a JSON version of the CIS Microsoft 365 Foundations Benchmark (v6.0.1) to make the benchmark content easier to parse, reference, and reuse across the project.
This change converts the benchmark structure into machine-readable JSON, preserving key fields such as control number, level, title, description, rationale, audit steps, remediation, default values, and references.
The test mirrors the path-building logic from tasks.py. Adding the framework-name and control_id transforms here so the two stay in sync. Required by frameworks like essential-eight that contain hyphens, and by control IDs like E8-MAC-2.1 that contain hyphens and uppercase letters.
…nsive-aamir

Improve mobile responsiveness for assigned pages
…nsive-sebin-clean

Improve mobile responsiveness for assigned pages
GRC Framework for CIS Microsoft 365 Foundations Benchmark v6.0.1 – 2-…
…-normalization

Normalize framework name and control_id when building OPA package path. Lowercases the framework name and replaces hyphens with underscores so frameworks like essential-eight and control IDs like E8-MAC-2.1 resolve to the correct Rego package. Backwards-compatible on existing CIS inputs. Unblocks PR #215.
design- gcp collector and rego files from TAWALI CHAPAU (s225172187)

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c589c3ae93


]

def _extract_access_reviews(self, logs):
cutoff = datetime.utcnow() - timedelta(days=365)
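Review bot: `cutoff` on the last line of this hunk is built from `datetime.utcnow()`, which returns a naive datetime (and is deprecated since Python 3.12); use `datetime.now(timezone.utc) - timedelta(days=365)` so the cutoff carries `tzinfo`. The method compares it against timezone-aware timestamps, and an ordering comparison between a naive and an aware datetime raises `TypeError` and aborts the collection, whereas an aware cutoff lets `_extract_access_reviews` return its data.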

P1: Use timezone-aware cutoff for access review filtering

_extract_access_reviews computes cutoff with datetime.utcnow() (naive), but the timestamps it compares against come from _parse_time, which returns timezone-aware datetimes (+00:00). When a log entry has a timestamp, this comparison raises TypeError: can't compare offset-naive and offset-aware datetimes, which aborts collection instead of returning access-review data.

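The naive-versus-aware comparison the review describes, as an added Python example that is not part of the PR or of the collector's code: `parse_time`, the log-entry schema and `SAMPLE_LOGS` are assumptions standing in for the project's `_parse_time` and its log data, and `NOW_UTC` pins the clock so the result is deterministic. The example runs the flagged pattern to show that it raises `TypeError`, then the corrected version whose cutoff comes from `datetime.now(timezone.utc)`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log entries with a hypothetical schema (not the project's):
# each entry carries an ISO-8601 timestamp (or None) and an event type.
SAMPLE_LOGS = [
    {"type": "access_review", "timestamp": "2026-05-01T10:00:00+00:00", "id": "r1"},
    {"type": "access_review", "timestamp": "2024-01-15T09:30:00Z", "id": "r2"},
    {"type": "login", "timestamp": "2026-05-02T08:00:00+00:00", "id": "x1"},
    {"type": "access_review", "timestamp": None, "id": "r3"},
]

# Fixed reference point so the example is deterministic; a collector would use the real clock.
NOW_UTC = datetime(2026, 5, 22, 12, 0, tzinfo=timezone.utc)


def parse_time(value):
    """Stand-in for the collector's _parse_time: returns an aware UTC datetime, or None."""
    if not value:
        return None
    # fromisoformat() accepts "+00:00"; normalise a trailing "Z" first (required before Python 3.11).
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def extract_access_reviews_naive(logs, now_naive):
    """The pattern the review flags: a naive cutoff compared against aware timestamps."""
    cutoff = now_naive - timedelta(days=365)  # naive: no tzinfo attached
    reviews = []
    for entry in logs:
        ts = parse_time(entry.get("timestamp"))
        if entry.get("type") != "access_review" or ts is None:
            continue
        if ts >= cutoff:  # TypeError: can't compare offset-naive and offset-aware datetimes
            reviews.append(entry["id"])
    return reviews


def extract_access_reviews(logs, now=NOW_UTC):
    """Corrected version: the cutoff is derived from an aware UTC clock, so comparisons are valid."""
    cutoff = now - timedelta(days=365)
    reviews = []
    for entry in logs:
        ts = parse_time(entry.get("timestamp"))
        if entry.get("type") != "access_review" or ts is None:
            continue  # entries without a timestamp cannot be placed in the window; skip them
        if ts >= cutoff:
            reviews.append(entry["id"])
    return reviews


def naive_variant_raises(logs):
    """Demonstrates the failure mode: True if the naive cutoff aborts the collection."""
    try:
        extract_access_reviews_naive(logs, NOW_UTC.replace(tzinfo=None))
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    print("naive variant raises TypeError:", naive_variant_raises(SAMPLE_LOGS))
    print("reviews within last 365 days:", extract_access_reviews(SAMPLE_LOGS))
```

In production the corrected function would default `now` to `datetime.now(timezone.utc)`; the pinned `NOW_UTC` only keeps the window (and therefore the returned ids) stable for the example.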

Comment on lines +4 to +8
# push:
# branches: ['main', 'staging', 'dev']
pull_request:
branches: ['main', 'staging', 'dev']
schedule:
- cron: '32 23 * * 6'
branches: ['main']
# schedule:
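Review bot: the trigger block in this hunk contradicts the workflow posted in the PR description: there `push` runs on main/staging/dev and a weekly `schedule` fires on `'32 23 * * 6'`, but here `# push:` and `# schedule:` are commented out and `pull_request` is narrowed from `['main', 'staging', 'dev']` to `['main']`. Either restore the triggers to match the description or update the description, so reviewers are reading the configuration that will actually run.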

P1: Restore CI triggers for staging/dev and scheduled scans

This workflow now runs only for pull requests targeting main because push and schedule triggers were commented out and pull_request was narrowed to main. As a result, engine checks no longer run for staging/dev PRs or weekly scheduled security scans, so regressions and vulnerabilities in those flows will go untested.


@du-dhartley (Collaborator)

@shaniashina It appears that the target branch is incorrect - or was this deliberate?

@shaniashina (Collaborator, Author) commented May 22, 2026 via email
