
Docs: add security scanning guides and Makefile targets#3525

Merged
arkid15r merged 18 commits into OWASP:main from SpruhaCK:update-contributing.md-file
Jan 27, 2026

Conversation

@SpruhaCK
Contributor

@SpruhaCK SpruhaCK commented Jan 24, 2026

Resolves #3494

This PR updates CONTRIBUTING.md to include comprehensive documentation for the project's security scanning workflows, specifically covering Semgrep and Trivy, and introduces new Makefile targets to streamline local security scanning.

Changes

  • Added "Running Dependency Scans" Section:
    Included a new section for Trivy, utilizing the newly created make commands to simplify the user experience.

  • Added "Running Security Scans" Section:
    Documented the make security-scan command for local Semgrep analysis and included instructions for reviewing the generated semgrep-security-report.txt.

  • Makefile Automation
    Introduced security-scan-deps and security-scan-repo targets to standardize local Trivy scans alongside existing security tools.

Note on Section Ordering: I have placed the Security and Dependency scan sections before the e2e and fuzz test sections to reflect the logical order of a standard CI/CD pipeline i.e. Static Analysis -> Dependency Scanning -> Functional Testing. The content of the e2e and fuzz sections remains unchanged.

Checklist

  • Required: I followed the CONTRIBUTION.md rules.
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: only frontend tests failed in this branch as well as in the main branch
  • I used AI for code, documentation, tests, or communication related to this PR

@github-actions github-actions bot added the docs (Improvements or additions to documentation) and makefile labels Jan 24, 2026
@coderabbitai
Contributor

coderabbitai bot commented Jan 24, 2026

Summary by CodeRabbit

  • Documentation

    • Added comprehensive security scanning guidance, including commands for running security scans, code-only scans, and image-only scans with remediation instructions.
  • Chores

    • Reorganized security scanning workflow into a hierarchical structure for improved organization and clarity.
    • Updated CI/CD pipeline to enhance security scanning process with automated scanning and artifact uploads.


Walkthrough

Adds hierarchical security-scan targets (code and image) to Makefiles, integrates Semgrep and Trivy scans in CI, documents local security-scan usage and suppression in CONTRIBUTING.md, renames backend/frontend image scan targets, and adds "aquasec" to the cspell dictionary.

Changes

Cohort / File(s): Summary

  • Documentation (CONTRIBUTING.md): Adds "Running Security Scan" section describing make security-scan, make security-scan-code, make security-scan-images, separate code/image scan targets, output locations (Semgrep report), remediation guidance, and suppression via NOSEMGREP.
  • Top-level Makefile (Makefile): Introduces security-scan target depending on security-scan-code and security-scan-images; adds security-scan-code-semgrep and security-scan-code-trivy (docker invocations/echoes); replaces old scan-images grouping with explicit image scan prerequisites.
  • Backend Makefile (backend/Makefile): Renames target scan-backend-image to security-scan-backend-image (recipe unchanged).
  • Frontend Makefile (frontend/Makefile): Renames target scan-frontend-image to security-scan-frontend-image (recipe unchanged; Trivy invocation preserved).
  • CI Workflow (.github/workflows/run-ci-cd.yaml): Replaces/renames the code-scan job to run-security-scan-code, swaps Trivy repository/filesystem scans for a Semgrep step with artifact upload, rewires job dependencies to depend on the new job, and retains a Trivy filesystem scan step under the new flow.
  • Spellcheck Dictionary (cspell/custom-dict.txt): Adds the word aquasec to the custom dictionary.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • kasya
  • noland-crane
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Out of Scope Changes check ❓ Inconclusive: While the PR description explicitly mentions documenting Semgrep and Trivy workflows, the Makefile changes and CI/CD workflow modifications appear broader than the documented issue #3494, which only requested Semgrep documentation. Resolution: Clarify whether the Makefile target refactoring and run-ci-cd.yaml modifications are in scope for #3494 or represent additional enhancements beyond the original issue requirements.

✅ Passed checks (4 passed)

  • Title check ✅ Passed: The title accurately and concisely summarizes the main change: adding security scanning documentation and Makefile targets.
  • Description check ✅ Passed: The description is directly related to the changeset, detailing the documentation additions and Makefile targets introduced in the PR.
  • Linked Issues check ✅ Passed: The PR successfully implements all core requirements from issue #3494: adds security scan documentation to CONTRIBUTING.md, documents how to run local Semgrep scans via make security-scan, and explains how to review semgrep-security-report.txt. [#3494]
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

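As an added illustration of the target hierarchy the walkthrough above describes (example code, not the project's actual Makefile), here is a minimal top-level Makefile wiring security-scan, security-scan-code and security-scan-images together, with static analysis running before the image scans as the PR description orders them. The Semgrep image name, the scanner flags, the severity threshold and the sub-Makefile delegation are assumptions; the Trivy image and report file name come from the page.

```make
# Added example, not the OWASP project's own Makefile. Image tags, scanner
# flags and the severity threshold below are assumptions for illustration.
TRIVY_IMAGE    ?= aquasec/trivy:0.50.1
SEMGREP_IMAGE  ?= semgrep/semgrep:latest
SEMGREP_REPORT ?= semgrep-security-report.txt

.PHONY: security-scan security-scan-code security-scan-images \
        security-scan-code-semgrep security-scan-code-trivy \
        security-scan-backend-image security-scan-frontend-image

# Top-level entry point: static analysis first, then container image scans.
security-scan: security-scan-code security-scan-images

security-scan-code: security-scan-code-semgrep security-scan-code-trivy

security-scan-images: security-scan-backend-image security-scan-frontend-image

# Semgrep over the checked-out tree; the report is persisted in the project
# root so contributors can review it. --error fails the target while findings
# remain; individual lines are suppressed with a NOSEMGREP comment.
security-scan-code-semgrep:
	@echo "Running Semgrep scan..."
	@docker run --rm -v "$(PWD):/src" -w /src $(SEMGREP_IMAGE) \
		semgrep scan --config auto --error --output $(SEMGREP_REPORT)

# Trivy filesystem scan of the repository snapshot (the checked-out tree,
# not Git history). Non-zero exit on CRITICAL/HIGH so CI blocks on them.
security-scan-code-trivy:
	@echo "Running Trivy filesystem scan..."
	@docker run --rm -v "$(PWD):/src" $(TRIVY_IMAGE) fs \
		--severity CRITICAL,HIGH --exit-code 1 /src

# Image scans delegate to the sub-Makefiles (targets renamed in this PR).
security-scan-backend-image:
	@$(MAKE) -C backend security-scan-backend-image

security-scan-frontend-image:
	@$(MAKE) -C frontend security-scan-frontend-image
```

Overriding TRIVY_IMAGE or SEMGREP_IMAGE from the environment keeps local runs and CI on the same scanner version without editing the Makefile.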

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@CONTRIBUTING.md`:
- Around line 413-423: Replace the bolded section titles "**Filesystem Scan**"
and "**Repository Scan**" with proper Markdown headings (e.g., "### Filesystem
Scan" and "### Repository Scan" or the heading level that matches adjacent
sections) so they are parsed as headings instead of bold text and MD036 is
satisfied; update the surrounding code blocks and lists to remain under those
headings and re-run markdownlint to confirm the warning is resolved.
🧹 Nitpick comments (1)
Makefile (1)

85-91: Pin the Trivy Docker image tag for consistency with local scans.

The unpinned aquasec/trivy image in these targets can pull different versions over time, causing scan results to drift. While trivy.yaml already standardizes severity filtering and checks, pinning the image tag ensures reproducible behavior across runs and environments. Consider pinning to a specific stable release.

🔧 Suggested update
+TRIVY_IMAGE ?= aquasec/trivy:0.50.1
+
 security-scan-deps:
 	`@echo` "Running Trivy Filesystem Scan..."
-	`@docker` run --rm -v "$(PWD):/src" aquasec/trivy fs /src
+	`@docker` run --rm -v "$(PWD):/src" $(TRIVY_IMAGE) fs /src

 security-scan-repo:
 	`@echo` "Running Trivy Repository Scan..."
-	`@docker` run --rm -v "$(PWD):/src" aquasec/trivy repo /src
+	`@docker` run --rm -v "$(PWD):/src" $(TRIVY_IMAGE) repo /src
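Review bot: Pinning by tag alone still leaves room for drift, since `aquasec/trivy:0.50.1` can be re-pushed; if reproducibility is the goal, pin the digest as well (`aquasec/trivy:0.50.1@sha256:<digest>`, digest to be filled in) and export `TRIVY_IMAGE` to the sub-Makefiles, because the walkthrough notes the frontend Makefile keeps its own Trivy invocation and would otherwise scan with a different version than these targets. Both hunks also mount the same `$(PWD)` tree, so `trivy repo /src` and `trivy fs /src` operate on the same checked-out snapshot; the CONTRIBUTING text for security-scan-repo should say so rather than describe it as a history scan.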

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 24, 2026
@SpruhaCK SpruhaCK changed the title from "Update contributing.md file" to "Docs: add security scanning guides and Makefile targets" Jan 24, 2026
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@CONTRIBUTING.md`:
- Around line 409-427: Update the "Running Security Scan" section in
CONTRIBUTING.md (the paragraph describing make security-scan) to explicitly
state that semgrep-security-report.txt is written to the project root; locate
the block that lists the command and the bullet points and append or change the
sentence to read something like "Generates a persistent
semgrep-security-report.txt file in the project root" so contributors know the
exact file location when reviewing findings from the make security-scan command.
- Around line 429-451: Update the "Repository Scan" description to accurately
state that the command (triggered by make security-scan-repo which runs trivy
repo /src) scans the current repository snapshot (the checked-out tree at HEAD)
for secrets, misconfigurations and vulnerabilities rather than scanning the full
Git commit history; replace any wording that says "scan the Git history" with
phrasing like "scan the repository snapshot (checked-out tree at HEAD) for
secrets and configurations" and keep the note that it identifies critical/high
vulnerabilities that block CI/CD.

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 24, 2026
@SpruhaCK SpruhaCK marked this pull request as ready for review January 24, 2026 18:51
Contributor

@hassaansaleem28 hassaansaleem28 left a comment


I verified that scan-images correctly delegates to the sub-Makefiles, so the local plumbing works.
Currently, run-ci-cd.yaml (Lines 968-989) uses hardcoded inline configuration for Trivy.
I guess to fully standardize local and CI workflows, we should update the CI to run make scan-images. This ensures that our CI always matches the local development environment and removes duplicate configuration.

@SpruhaCK
Contributor Author

I verified that scan-images correctly delegates to the sub-Makefiles, so the local plumbing works. Currently, run-ci-cd.yaml (Lines 968-989) uses hardcoded inline configuration for Trivy. I guess to fully standardize local and CI workflows, we should update the CI to run make scan-images. This ensures that our CI always matches the local development environment and removes duplicate configuration.

Hi @hassaansaleem28 , thanks for the review! I agree, moving the CI logic into these Makefile targets is the best way to keep our local and cloud environments consistent.

Since the current scope of this PR is focused on the local plumbing and documentation for #3494 and trivy, I’d be happy to coordinate that CI refactor with you as a follow-up once these changes are merged!

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 27, 2026
codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.49%. Comparing base (cfa9af5) to head (16bc4d4).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files


@@           Coverage Diff           @@
##             main    #3525   +/-   ##
=======================================
  Coverage   85.49%   85.49%           
=======================================
  Files         462      462           
  Lines       14260    14260           
  Branches     1900     1900           
=======================================
  Hits        12191    12191           
  Misses       1689     1689           
  Partials      380      380           
Flag | Coverage Δ
backend | 84.48% <ø> (ø)
frontend | 88.27% <ø> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@arkid15r arkid15r added this pull request to the merge queue Jan 27, 2026
Merged via the queue into OWASP:main with commit fac8fb3 Jan 27, 2026
35 checks passed

Labels

backend ci docs Improvements or additions to documentation frontend makefile


Development

Successfully merging this pull request may close these issues.

Docs: Update CONTRIBUTING.md to include Semgrep security workflow

3 participants
