FLX-ENG-RFC-002-US-1.8 - First-Pass Objective Scans

| Field | Value |
|---|---|
| Parent RFC | FLX-ENG-RFC-002 |
| GitHub Issue | #16 - US-1.8 |
| Owner | Arun Singh |
| Priority | P1 |
| Status | Ready after US-1.1 and US-1.3 |
| Target window | Day 2 |

Goal

Run first-pass objective scans against DMS to create the "before" baseline for Week 2 CI gate work.

Environment

Use D: for working files and caches:

  • Repo: D: checkout for dms_ci_cd_test
  • Existing DMS checkout: D:\Distribution-Management-Server
  • Temporary scan output: docs\developer-guide\week1-scans\

Do not run scans against stale C: checkouts.

Approaches Considered

| Approach | Pros | Cons |
|---|---|---|
| Local scans on D: | Fast, preserves raw outputs | Tool installation may vary by machine |
| CI-only scans | Reproducible | Slower to iterate and may block on workflow setup |
| Containerized scans | Cleaner dependency isolation | More setup time |

Verdict

Run local scans on D: for EPIC-1, then convert calibrated gates to CI in EPIC-6.

Scan Commands

cd D:\work\repos\dms_ci_cd_test
dotnet restore distribution-management-server-layered.sln
dotnet build distribution-management-server-layered.sln --configuration Release
dotnet test distribution-management-server-layered.sln --configuration Release
python -m pip install -r requirements.txt
pylint mock_meesho_server.py scripts
bandit -r . -x .venv
semgrep --config auto .

If the source of truth is D:\Distribution-Management-Server, run equivalent commands there and copy only summarized results into the report.

Test Cases

  • Build result captured.
  • Test result captured.
  • Pylint score captured for Python files.
  • Bandit severity counts captured.
  • Semgrep severity counts captured.
  • .NET analyzer/Sonar/Roslyn gap documented if no .NET SAST tool is configured yet.

Gating

  • Stop and file P0 immediately for leaked secrets or private key exposure.
  • Stop and file P0 for critical/high SAST findings that imply auth bypass or data exposure.
  • Do not commit raw scan output containing secrets.
  • Do not fail the PR only because the baseline is poor; EPIC-1 measures, EPIC-6 gates.
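The "severity counts captured" test cases and the gating rules above both need the raw tool output reduced to something that is safe to put in the US-1.5 report. The script below is an added example, not part of this RFC or of the dms_ci_cd_test repo. It assumes bandit and semgrep were run with their JSON reporters (`bandit -f json -o bandit.json`, `semgrep --json -o semgrep.json`), parses the constructed samples embedded inline, counts findings per severity, builds the summary table, and lists the findings that hit the stop-and-file-P0 rule for secret or private-key exposure. It deliberately drops the matched source lines (bandit's `code`, semgrep's `extra.lines`) so the summary never carries a leaked secret into git. Rule IDs in the samples are constructed for illustration; only bandit's B105/B106/B107 hardcoded-password tests are real identifiers.

```python
"""Summarize bandit/semgrep JSON into severity counts and P0 triggers (added example)."""
import json
from collections import Counter

# Bandit's hardcoded-password checks (real test IDs); any hit is a secret-exposure P0 candidate.
BANDIT_SECRET_TESTS = {"B105", "B106", "B107"}

# Constructed, abridged sample of `bandit -r . -x .venv -f json -o bandit.json` output.
BANDIT_SAMPLE = json.dumps({
    "results": [
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "./mock_meesho_server.py", "line_number": 12,
         "issue_text": "Possible hardcoded password", "code": "12 PASSWORD = 'sample'\n"},
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "./scripts/run.py", "line_number": 40,
         "issue_text": "subprocess call with shell=True identified", "code": "40 ..."},
    ]
})

# Constructed, abridged sample of `semgrep --config auto --json -o semgrep.json` output.
SEMGREP_SAMPLE = json.dumps({
    "results": [
        {"check_id": "python.lang.security.dangerous-system-call",  # hypothetical rule id
         "path": "scripts/run.py", "start": {"line": 40},
         "extra": {"severity": "ERROR", "message": "...", "lines": "os.system(cmd)"}},
        {"check_id": "generic.secrets.detected-private-key",  # hypothetical rule id
         "path": "scripts/keys/dev.pem", "start": {"line": 1},
         "extra": {"severity": "ERROR", "message": "Private key detected",
                   "lines": "-----BEGIN RSA PRIVATE KEY-----"}},
    ]
})


def summarize_bandit(raw_json):
    """Return (severity counts, findings) from bandit JSON, keeping only rule/severity/location."""
    results = json.loads(raw_json)["results"]
    counts = Counter(r["issue_severity"] for r in results)
    findings = [{"tool": "bandit", "rule": r["test_id"], "severity": r["issue_severity"],
                 "location": f"{r['filename']}:{r['line_number']}"} for r in results]
    return dict(counts), findings


def summarize_semgrep(raw_json):
    """Return (severity counts, findings) from semgrep JSON; the matched source text is dropped."""
    results = json.loads(raw_json)["results"]
    counts = Counter(r["extra"]["severity"] for r in results)
    findings = [{"tool": "semgrep", "rule": r["check_id"], "severity": r["extra"]["severity"],
                 "location": f"{r['path']}:{r['start']['line']}"} for r in results]
    return dict(counts), findings


def p0_triggers(findings):
    """Findings that meet the RFC's stop-and-file-P0 rule: leaked secrets or private keys.

    High/critical findings that imply auth bypass or data exposure still need a human
    triage pass; this only automates the part that can be decided from the rule id.
    """
    hits = []
    for f in findings:
        rule = f["rule"].lower()
        if f["tool"] == "bandit" and f["rule"] in BANDIT_SECRET_TESTS:
            hits.append(f)
        elif f["tool"] == "semgrep" and ("secret" in rule or "private-key" in rule):
            hits.append(f)
    return hits


def summary_table(bandit_counts, semgrep_counts):
    """Render the per-tool severity counts as the summary table for the US-1.5 report."""
    rows = ["| Tool | Severity | Count |", "|---|---|---|"]
    for tool, counts in (("bandit", bandit_counts), ("semgrep", semgrep_counts)):
        for sev in sorted(counts):
            rows.append(f"| {tool} | {sev} | {counts[sev]} |")
    return "\n".join(rows)


if __name__ == "__main__":
    b_counts, b_findings = summarize_bandit(BANDIT_SAMPLE)
    s_counts, s_findings = summarize_semgrep(SEMGREP_SAMPLE)
    print(summary_table(b_counts, s_counts))
    for hit in p0_triggers(b_findings + s_findings):
        print(f"P0: {hit['tool']} {hit['rule']} at {hit['location']}")
```

Point the two `*_SAMPLE` constants at the real `bandit.json` and `semgrep.json` under `docs\developer-guide\week1-scans\` to use it on an actual scan; only the table and the rule/location list should leave that directory.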

Definition of Completion

  • Scan commands and versions are documented.
  • Summary table is added to US-1.5 report.
  • Critical/high findings have GitHub issues.
  • Baseline is ready for EPIC-6 CI gate calibration.

Reviewer Reply Template

Thanks, I kept this as a baseline scan and opened follow-up issues for anything that needs remediation.