Engineering Audit Report — Acme Notes

Date: 2026-07-15 · Auditor: audit-software-project skill · Repository: github.com/example/acme-notes (fictional)
Scope: Local repository inspection, plus read-only GitHub checks and a lockfile dependency scan

States are assigned against the criteria in criteria.html (click any control tag below to see the threshold inline). Findings marked Not Verified or Red can be revised if you hold evidence this audit couldn't access — see Questions requiring human confirmation.

Summary Blockers 30-day plan Payments Account management Authentication Notes management Deployment & infra Questions Boundary Criteria ↗

Executive summary

Acme Notes is a small customer-facing note-taking app with paid subscriptions. The most severe finding is a live-looking committed secret in the Payments feature (control 3.4) — an immediate blocker. Account management also has a Red: deleted accounts remain visible to internal search, a privacy-adjacent gap (control 14.2). Deployment & infra and Notes management each carry moderate, non-blocking findings. Ownership and documentation are in good shape.

Immediate blockers

Payments — live-looking Stripe secret key committed in config/settings.py:42 G1

30-day improvement plan

  1. Payments: Rotate committed Stripe secret key and add secret scanning to CI G1
  2. Account management: Fix soft-delete so purged accounts stop appearing in admin search G2
  3. Deployment & infra: Require CI to pass before merge on the default branch G3
  4. Authentication: Add integration test coverage for the login/reset-password flow G4
  5. Notes management: Add pagination to the unbounded /api/notes list endpoint G5

Risk context

Confirmed at intake: customer-facing SaaS handling personal data (note content, account emails) and payments, deployed via a third-party platform, with a small public API (no external consumers confirmed beyond the project's own mobile client).

Findings by feature

States: Green = adequate & evidenced. Amber = partial/inconsistent/moderate risk. Red = missing/significant risk. Not Verified = evidence unavailable, not a failure. Not Applicable = doesn't apply, reason stated. Control IDs in parentheses trace to audit-controls.md; G-tags link to the gap register.

Payments

🔴 1 · 🟢 3 · ⚪ 1

Account management

🔴 1 · 🟢 2

Authentication

🟠 1 · 🟢 3

Notes management

🔴 1 · 🟠 2 · 🟢 2

Deployment & infra

🔴 2 · 🟠 1 · 🟢 4 · ⚪ 2

Controls not reached this pass: 2.2, 10.2 — deprioritized in favor of higher-risk areas within the audit's time budget; recommend covering on the next re-audit.

Questions requiring human confirmation

Inspection boundary

What was checked: full local repository, git history, tracked dependency lockfiles, GitHub branch protection and PR review history via gh.

What was not accessible: production infrastructure, hosting-platform dashboards, backup/restore evidence, alerting dashboards beyond what the project owner confirmed verbally.

GitHub read-only checks: ran · Dependency scan: ran (npm audit --package-lock-only)

Accessibility and internationalization were not assessed; they require browser-based testing outside this audit's static-analysis scope.

↑ Back to top · Overview · Gap register