Implement EdgeScan local integration script for macOS developers in package.json

apps/docs/docs/intro.md

@@ -104,6 +104,49 @@ pnpm run snyk:iac     # IaC - scan Bicep templates for misconfigurations
 
 > **Note**: Only use the npm scripts listed above. Other Snyk scripts (`snyk:monitor`, `snyk:code:report`) are reserved for CI/CD pipeline use only.
 
+## Local EdgeScan Setup
+
+EdgeScan is a **Dynamic Application Security Testing (DAST)** platform. Unlike Snyk or SonarCloud, which analyze source code, EdgeScan scans **live, running applications** to provide deep security intelligence and continuous vulnerability profiling for our serverless architecture.
+
+**How to use:**
+- Use `pnpm run edgescan:dev` to run local security validation scans.
+- **DO NOT use** `edgescan:agent` - this script is strictly reserved for the **GitHub Copilot AI Coding Agent** and CI/CD automation.
+
+### Prerequisites
+
+This setup is required for the `edgescan:dev` script.
+
+#### 1. Apple Native Containers
+
+This is a one-time setup for macOS developers.
+
+1. Download the `container-installer-signed.pkg` from the [Apple Native Containers releases](https://github.com/apple/container/releases).
+2. Run the installer.
+3. Once finished, start the container system:
+   ```bash
+   container system start
+   ```
+   Input `Y` when prompted.
+4. Confirm it is working as expected:
+   ```bash
+   container system status
+   ```
+   Expected output:
+   ```text
+   ❯ container system status
+   apiserver is running
+   ...
+   ```
+
+#### 2. EdgeScan API Token
+
+1. Log in to [intealth.edgescan.com](https://intealth.edgescan.com).
+2. Go to your **Profile Settings** and generate an API token for your account.
+3. Export the token in your terminal (consider adding this to your `~/.zshrc` or `~/.bashrc`):
+   ```bash
+   export ES_API_TOKEN="<your token here>"
+   ```
+
 ## Start Development
 
 Run the development environment:

apps/ui-community/package.json

@@ -7,13 +7,13 @@
         "prebuild": "biome lint",
         "build": "tsc --build && vite build",
         "start": "vite",
-		"lint": "biome lint",
-		"preview": "vite preview",
-		"test": "vitest run --silent --reporter=dot",
-		"test:coverage": "vitest run --coverage --silent --reporter=dot",
-		"test:watch": "vitest",
-		"storybook": "storybook dev -p 6008",
-		"build-storybook": "storybook build"
+        "lint": "biome lint",
+        "preview": "vite preview",
+        "test": "vitest run --silent --reporter=dot",
+        "test:coverage": "vitest run --coverage --silent --reporter=dot",
+        "test:watch": "vitest",
+        "storybook": "storybook dev -p 6008",
+        "build-storybook": "storybook build"
 	},
 	"dependencies": {
 		"@ant-design/icons": "^6.0.2",

build-pipeline/core/monorepo-build-stage.yml

@@ -434,7 +434,7 @@ stages:
     # Deploy API package with production dependencies
     - task: Bash@3
       displayName: 'Artifact: Prepare API'
-      condition: and(succeeded(), eq(variables['BuildJob.HAS_BACKEND_CHANGES'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+      condition: and(succeeded(), eq(variables['BuildJob.HAS_BACKEND_CHANGES'], 'true'))
       inputs:
         targetType: 'inline'
         script: |
@@ -495,7 +495,7 @@ stages:
     # Package UI Community compiled assets into artifact
     - task: ArchiveFiles@2
       displayName: 'Artifact: Prepare UI Community'
-      condition: and(succeeded(), eq(variables['BuildJob.HAS_FRONTEND_CHANGES'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+      condition: and(succeeded(), eq(variables['BuildJob.HAS_FRONTEND_CHANGES'], 'true'))
       inputs:
         rootFolderOrFile: 'apps/ui-community/dist'
         includeRootFolder: false
@@ -506,7 +506,7 @@ stages:
     # Package Docs compiled assets into artifact
     - task: ArchiveFiles@2
       displayName: 'Artifact: Prepare Docs'
-      condition: and(succeeded(), eq(variables['BuildJob.HAS_DOCS_CHANGES'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+      condition: and(succeeded(), eq(variables['BuildJob.HAS_DOCS_CHANGES'], 'true'))
       inputs:
         rootFolderOrFile: 'apps/docs/build'
         includeRootFolder: false
@@ -517,17 +517,17 @@ stages:
     # Upload API artifact as build result
     - publish: $(Build.ArtifactStagingDirectory)/api-$(Build.BuildId).zip
       displayName: 'Artifact: Publish API'
-      condition: and(succeeded(), eq(variables['BuildJob.HAS_BACKEND_CHANGES'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+      condition: and(succeeded(), eq(variables['BuildJob.HAS_BACKEND_CHANGES'], 'true'))
       artifact: api
 
     # Upload UI Community artifact as build result
     - publish: $(Build.ArtifactStagingDirectory)/ui-community-$(Build.BuildId).zip
       displayName: 'Artifact: Publish UI Community'
-      condition: and(succeeded(), eq(variables['BuildJob.HAS_FRONTEND_CHANGES'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+      condition: and(succeeded(), eq(variables['BuildJob.HAS_FRONTEND_CHANGES'], 'true'))
       artifact: ui-community
 
     # Upload Docs artifact as build result
     - publish: $(Build.ArtifactStagingDirectory)/docs-$(Build.BuildId).zip
       displayName: 'Artifact: Publish Docs'
-      condition: and(succeeded(), eq(variables['BuildJob.HAS_DOCS_CHANGES'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+      condition: and(succeeded(), eq(variables['BuildJob.HAS_DOCS_CHANGES'], 'true'))
       artifact: docs

build-pipeline/core/monorepo-deployment-stage.yml

@@ -33,7 +33,7 @@ stages:
 - stage: ${{parameters.stageName}}
   displayName: ${{parameters.stageName}} stage
   dependsOn: Build
-  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
+  condition: succeeded()
   jobs:
   - template: ../../apps/api/deploy-api.yml
     parameters:

build-pipeline/core/monorepo-edgescan-stage.yml

@@ -14,20 +14,17 @@ stages:
 - stage: ${{parameters.stageName}}
   displayName: 'EdgeScan Security Scan'
   dependsOn: ${{parameters.dependsOn}}
-  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
+  condition: succeeded()
   jobs:
   - job: EdgeScan
     displayName: 'EdgeScan CI/CD Integration'
-    variables:
-      # Generates a monthly key like "2026-01" to ensure the image is refreshed monthly
-      cacheMonth: $[format('{0:yyyy-MM}', pipeline.startTime)]
     pool:
       vmImage: ${{parameters.vmImageName}}
     steps:
     - task: Cache@2
       displayName: 'Cache EdgeScan Docker Image'
       inputs:
-        key: 'docker | edgescan | latest | $(cacheMonth)'
+        key: 'docker | edgescan | latest'
         path: $(Pipeline.Workspace)/docker-cache
         cacheHitVar: DOCKER_CACHE_HIT
 

knip.json

@@ -79,5 +79,5 @@
     "@graphql-typed-document-node/core",
     "ts-scope-trimmer-plugin"
   ],
-  "ignoreBinaries": ["func"]
+  "ignoreBinaries": ["func", "container"]
 }

package.json

@@ -48,7 +48,8 @@
     "snyk:iac:report": "snyk iac test iac/build/**/*.json --org=cellixjs --remote-repo-url=https://github.com/CellixJs/cellixjs --target-reference=main --target-name=cellixjs-iac --report",
     "analyze": "pnpm -r exec -- pnpm dlx @e18e/cli analyze",
     "prepare": "husky",
-    "edgescan:run": "docker run --tty --rm edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color"
+    "edgescan:agent": "docker run --tty --rm edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color",
+    "edgescan:dev": "container run --tty --rm --platform linux/amd64 edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id 74096 --start-scan --max-risk-threshold 3 --wait --color"
   },
   "devDependencies": {
     "@amiceli/vitest-cucumber": "^5.1.2",