
feat: audit reports#7099

Merged
varonix0 merged 15 commits into
mainfrom
daniel/secret-reporting
Jul 2, 2026

Conversation

varonix0 (Member) commented Jun 30, 2026

Context

Implements audit reporting as an extension of secret insights for easier compliance.

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@infisical-review-police

💬 Discussion in Slack: #pr-review-infisical-7099-feat-secret-reporting

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@varonix0 varonix0 marked this pull request as ready for review June 30, 2026 20:41
greptile-apps Bot commented Jun 30, 2026

Greptile Summary

This PR adds a "secret reporting" feature that generates compliance-oriented CSV reports (stale secrets, duplicate secrets, validation compliance violations, upcoming/failed rotations, upcoming reminders, and secret access logs) and emails them as attachments to specified recipients. The backend introduces a new audit_reports table, a BullMQ-based queue worker for generation, 7 configurable report generators, and CRUD REST endpoints. The frontend adds a card on the Insights page with a request modal and a paginated report history table.

  • Backend: New AuditReport DB table with migration; advisory-lock-guarded concurrency cap; per-report input schemas with Zod validation; CSV serialisation with formula-injection mitigation; SmtpTemplates.AuditReport template and attachment support added to the smtp service.
  • Frontend: AuditReportsCard and RequestAuditReportModal components wired to new React Query hooks; permission-gated creation, read, and deletion flows.

Confidence Score: 5/5

Safe to merge. The two findings are non-blocking quality nits with no impact on correctness or security.

The advisory-lock-guarded concurrency check, Zod-validated inputs, CSV formula-injection mitigation, and permission-gated endpoints are all correctly implemented. The two flagged items are cleanup concerns that do not affect correctness.

backend/src/ee/services/audit-report/audit-report-fns.ts and backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

Important Files Changed

Filename Overview
backend/src/ee/services/audit-report/audit-report-service.ts Service layer for audit report CRUD. Uses pg_advisory_xact_lock inside a transaction to make the in-flight count check atomic. Permission, license, and project version checks are all in place.
backend/src/ee/services/audit-report/audit-report-generators.ts Defines seven report generators. failedRotationsReport still calls findByProject with no limit and filters failed rotations in-process, which is an unbounded DB read for large projects (flagged previously).
backend/src/ee/services/audit-report/audit-report-fns.ts CSV serialisation helpers and report presentation utilities. Contains a dead-code copy of evaluateStaticSecretConstraints that is never imported by the generators (which import the same function from secret-validation-rule-fns.ts instead).
backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts New findValueValidationCandidatesByProject method fetches full encrypted values for all non-personal secrets in a project with no row limit, which can be a large unbounded data transfer for enterprise projects.
backend/src/ee/services/audit-report/audit-report-queue.ts BullMQ worker that runs report generators, serialises the CSV bundle, sends it as an email attachment, and updates the report status. Handles duplicate delivery and deletion-during-processing gracefully.
backend/src/ee/services/audit-report/audit-report-dal.ts Clean DAL with paginated findByProject, countByProject, and countInFlightByProject. No unsafe OR queries.
backend/src/ee/routes/v1/audit-report-router.ts Fastify router with Zod-validated schemas, auth guards, rate limiting, and audit log writes for all four endpoints (POST, GET list, GET by id, DELETE).
backend/src/db/migrations/20260629120000_create-audit-reports.ts Clean migration: creates the audit_reports table with FK constraints, indexes, and an on-update trigger. down drops the trigger before the table.
backend/src/services/smtp/smtp-service.ts Adds optional attachments field to TSmtpSendMail and wires it through to the Nodemailer sendMail call. Minimal, non-breaking change.
frontend/src/pages/secret-manager/InsightsPage/components/AuditReportsCard.tsx Paginated table of audit report history with status badge, tooltip on error/partial status, and permission-gated delete confirmation dialog.
frontend/src/pages/secret-manager/InsightsPage/components/RequestAuditReportModal.tsx React Hook Form dialog for requesting audit reports; validates email recipients client-side with Zod and defaults to the requesting user's own email when left blank.
backend/src/services/secret-validation-rule/secret-validation-rule-fns.ts Exports CONSTRAINT_LABELS, evaluateConstraint, and the new evaluateStaticSecretConstraints / TStaticSecretConstraintViolation so the audit report generators can reuse constraint evaluation logic.

Reviews (2). Last reviewed commit: "requested changes".
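The Greptile summary above credits the backend with "CSV serialisation with formula-injection mitigation" but does not show what that means. The block below is an added example written for this page, not Infisical's code, illustrating the technique in the project's language (TypeScript): any cell whose first character a spreadsheet treats as a formula trigger (`=`, `+`, `-`, `@`, tab, carriage return) is prefixed with a single quote, and only then is RFC 4180 quoting applied. The sample rows and the column names (`secretKey`, `environment`, `lastUpdated`) are constructed for the example and are not taken from the PR.

```typescript
// Added example, not Infisical's code: CSV output hardened against formula injection.
// A report row is built from user-controlled strings (secret keys, comments, email
// addresses). If one of them starts with = + - @ (or a tab/CR variant), Excel and
// LibreOffice evaluate the cell as a formula when the recipient opens the attachment,
// which is enough for HYPERLINK-based data exfiltration or DDE command execution.

// Characters that make a spreadsheet interpret a cell as a formula.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Force a cell to be treated as text by prefixing a single quote.
export function neutralizeFormula(value: string): string {
  if (value.length === 0) return value;
  return FORMULA_TRIGGERS.has(value.charAt(0)) ? `'${value}` : value;
}

// RFC 4180 quoting on top of the formula neutralisation. Quoting alone is not a
// defence: spreadsheets strip the quotes on import and still evaluate the formula.
export function escapeCsvField(value: unknown): string {
  const raw = value === null || value === undefined ? "" : String(value);
  const safe = neutralizeFormula(raw);
  const needsQuoting = /[",\r\n]/.test(safe) || safe !== safe.trim();
  return needsQuoting ? `"${safe.replace(/"/g, '""')}"` : safe;
}

// Serialise rows in header order; every cell, including headers, goes through escapeCsvField.
export function toCsv(headers: string[], rows: Record<string, unknown>[]): string {
  const lines = [headers.map((h) => escapeCsvField(h)).join(",")];
  for (const row of rows) {
    lines.push(headers.map((h) => escapeCsvField(row[h])).join(","));
  }
  return lines.join("\r\n") + "\r\n";
}

// Constructed sample rows standing in for a "stale secrets" report. The second and
// third secret keys are classic formula-injection payloads, not real secrets.
export const SAMPLE_ROWS: Record<string, unknown>[] = [
  { secretKey: "DB_PASSWORD", environment: "prod", lastUpdated: "2025-01-02" },
  {
    secretKey: '=HYPERLINK("http://attacker.example/x","click")',
    environment: "dev",
    lastUpdated: "2024-11-30",
  },
  { secretKey: "-2+3+cmd|' /C calc'!A0", environment: "staging", lastUpdated: "2024-09-10" },
];

export function buildSampleReport(): string {
  return toCsv(["secretKey", "environment", "lastUpdated"], SAMPLE_ROWS);
}

// Usage: console.log(buildSampleReport());
```

The trade-off worth knowing before shipping this: a legitimate negative number or a value such as `-rotation-pending` also gets the leading quote and will be shown as text, which is acceptable for a compliance export whose columns are already strings. Run the neutralisation on every cell, headers included, because a column name is as attacker-reachable as a value once report inputs are user-supplied.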

Comment thread backend/src/ee/services/audit-report/audit-report-fns.ts Outdated

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2bac7c712a


Comment thread backend/src/ee/services/audit-report/audit-report-fns.ts
Comment thread frontend/src/pages/secret-manager/InsightsPage/InsightsPage.tsx
Comment thread backend/src/ee/services/audit-report/audit-report-fns.ts
veria-ai Bot commented Jun 30, 2026

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 3 · PR risk: 0/10

Comment thread backend/src/ee/services/audit-report/audit-report-service.ts Outdated
varonix0 (Member, Author)

@greptile re-review and update your summary. keep my latest changes in mind during your re-review

Comment thread backend/src/ee/services/audit-report/audit-report-generators.ts
@varonix0 varonix0 requested a review from akhilmhdh June 30, 2026 22:31
@varonix0 varonix0 changed the title feat: secret reporting feat: audit reports Jun 30, 2026
mintlify Bot commented Jun 30, 2026

Preview deployment for your docs.

Project Status Preview Updated (UTC)
infisical 🟢 Ready View Preview Jun 30, 2026, 10:43 PM


akhilmhdh (Member) left a comment

Application testing

Comment thread backend/src/ee/routes/v1/audit-report-router.ts Outdated
Comment thread backend/src/ee/routes/v1/audit-report-router.ts Outdated
Comment thread backend/src/ee/routes/v1/audit-report-router.ts Outdated
Comment thread backend/src/ee/routes/v1/audit-report-router.ts Outdated
Comment thread docs/documentation/platform/insights.mdx Outdated
Comment thread backend/src/ee/services/audit-report/audit-report-service.ts Outdated
@varonix0 varonix0 merged commit 5c1fb06 into main Jul 2, 2026
17 of 18 checks passed