Summary
Add a Security Regression Detection system that compares current scan results against previous scans and highlights increases or decreases in security risk over time.
Motivation
Currently PatchPilot provides a snapshot of security findings for a single scan, but it does not help users understand how the security posture of a project evolves over time.
Security teams often need to answer questions such as:
- Did this release introduce new vulnerabilities?
- Has the number of Critical findings increased?
- Are remediation efforts improving security posture?
- Which scanner categories are regressing over time?
Users currently have to manually compare scan reports and evidence packs, which is inefficient and error-prone.
Introducing Security Regression Detection would enable continuous security monitoring and make PatchPilot more suitable for production CI/CD workflows.
Proposed solution
Store scan summaries and findings history for each project/job and compare new scan results against a selected baseline scan.
Backend
- Persist scan history and metadata.
- Add a regression analysis service.
- Compare:
Example Output
{
  "baseline_scan": "scan_001",
  "current_scan": "scan_002",
  "regressions": {
    "critical": 2,
    "high": 4
  },
  "improvements": {
    "medium": 6
  },
  "overall_trend": "Worsened"
}
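As an added worked example (not PatchPilot's own code), the regression analysis service described above, written in Python: it diffs a baseline scan against the current scan, reports per-severity regressions and improvements in the shape of the example output, and additionally lists newly introduced and fixed findings by a stable fingerprint so the comparison is not limited to severity counts. The finding schema (rule, file, severity), the severity weights used to decide the overall trend, and both sample scans are assumptions constructed for this example.

```python
"""Security regression detection: diff a baseline scan against a current scan.

Added example, not PatchPilot code. Assumes each finding is a dict with
"rule", "file" and "severity" keys; the weights and sample data are constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

Finding = Dict[str, str]

# Assumed weights for the overall trend; not part of the PatchPilot proposal.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def fingerprint(finding: Finding) -> Tuple[str, str]:
    """Stable identity of a finding across scans.

    Line numbers are deliberately excluded: code that merely moves between
    releases would otherwise appear as one "fixed" and one "new" finding.
    """
    return (finding["rule"], finding["file"])


def severity_counts(findings: List[Finding]) -> Counter:
    """Number of findings per (lower-cased) severity."""
    return Counter(f["severity"].lower() for f in findings)


def risk_score(findings: List[Finding]) -> int:
    """Weighted risk score; unknown severities contribute nothing."""
    return sum(SEVERITY_WEIGHT.get(f["severity"].lower(), 0) for f in findings)


def compare_scans(baseline: dict, current: dict) -> dict:
    """Build the regression report for a (baseline, current) scan pair."""
    base_findings, cur_findings = baseline["findings"], current["findings"]
    base_counts, cur_counts = severity_counts(base_findings), severity_counts(cur_findings)

    # Per-severity deltas: positive deltas are regressions, negative are improvements.
    regressions, improvements = {}, {}
    for sev in set(base_counts) | set(cur_counts):
        delta = cur_counts[sev] - base_counts[sev]  # Counter returns 0 for missing keys
        if delta > 0:
            regressions[sev] = delta
        elif delta < 0:
            improvements[sev] = -delta

    # Set difference on fingerprints gives newly introduced and resolved findings.
    base_ids = {fingerprint(f): f for f in base_findings}
    cur_ids = {fingerprint(f): f for f in cur_findings}
    new_findings = [cur_ids[k] for k in cur_ids.keys() - base_ids.keys()]
    fixed_findings = [base_ids[k] for k in base_ids.keys() - cur_ids.keys()]

    # Overall trend from the weighted score, so one new Critical outweighs
    # several fixed Low findings.
    base_score, cur_score = risk_score(base_findings), risk_score(cur_findings)
    if cur_score > base_score:
        trend = "Worsened"
    elif cur_score < base_score:
        trend = "Improved"
    else:
        trend = "Unchanged"

    return {
        "baseline_scan": baseline["scan_id"],
        "current_scan": current["scan_id"],
        "regressions": regressions,
        "improvements": improvements,
        "new_findings": sorted(new_findings, key=fingerprint),
        "fixed_findings": sorted(fixed_findings, key=fingerprint),
        "risk_score": {"baseline": base_score, "current": cur_score},
        "overall_trend": trend,
    }


# Constructed sample scans (placeholder scan ids, rules and paths).
BASELINE_SCAN = {
    "scan_id": "scan_001",
    "findings": [
        {"rule": "hardcoded-secret", "file": "app/config.py", "severity": "critical"},
        {"rule": "sql-injection", "file": "app/db.py", "severity": "high"},
        {"rule": "weak-hash", "file": "app/auth.py", "severity": "medium"},
        {"rule": "insecure-tmpfile", "file": "app/util.py", "severity": "medium"},
        {"rule": "debug-enabled", "file": "app/settings.py", "severity": "low"},
    ],
}
CURRENT_SCAN = {
    "scan_id": "scan_002",
    "findings": [
        {"rule": "hardcoded-secret", "file": "app/config.py", "severity": "critical"},
        {"rule": "unsafe-deserialization", "file": "app/api.py", "severity": "critical"},
        {"rule": "sql-injection", "file": "app/db.py", "severity": "high"},
        {"rule": "path-traversal", "file": "app/files.py", "severity": "high"},
        {"rule": "debug-enabled", "file": "app/settings.py", "severity": "low"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(compare_scans(BASELINE_SCAN, CURRENT_SCAN), indent=2))
```

Two design points matter for a service like this. First, the fingerprint excludes severity and line numbers, so a re-rated finding changes the severity counts without being reported as fixed-plus-new, and a file edit that shifts lines does not create noise. Second, the trend is decided on a weighted score rather than raw counts, which is why the sample report says "Worsened" even though the total number of findings is unchanged: two Medium findings were fixed, but one Critical and one High were introduced.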
Frontend
Add a Security Trends page showing:
- Finding count changes
- Severity distribution over time
- Security posture improvements
- Newly introduced vulnerabilities
- Fixed vulnerabilities
Evidence Pack Integration
Include:
security-regression-report.json
security-trend-summary.txt
in generated evidence packs.
ML tier (if applicable)
Alternatives considered
- Manual report comparison: rejected because it does not scale and increases analyst effort.
- External dashboard integrations: rejected because users should be able to track security posture directly within PatchPilot.
- Comparing only severity counts: rejected because users also need insight into newly introduced and resolved findings.
Acceptance criteria
Additional context
This feature aligns with enterprise vulnerability management workflows where security posture is tracked continuously rather than through isolated scans. It would provide valuable insights for CI/CD pipelines, security audits, and compliance reporting.