Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/security/aquasec-night-scan-example.yml`:
- Line 43: Replace the mutable tag in the example reusable-workflow reference
with an immutable commit SHA: change the uses line that currently reads
"AbsaOSS/organizational-workflows/.github/workflows/aquasec-scan.yml@v1.0.0" to
point to a specific commit SHA for the target repo (i.e.,
".github/workflows/aquasec-scan.yml@<commit-SHA>") so the example demonstrates
pinning to an immutable ref; update the line in
docs/security/aquasec-night-scan-example.yml where the uses: string appears (the
comment on that line can note to replace with the real SHA).

In `@docs/security/security.md`:
- Around line 34-36: Remove the stale gh_alert_numbers field from the example
child-issue payload in the security docs: locate the example payload that
contains gh_alert_numbers=["7"] (the "child-issue" example) and delete that
field and any trailing commas so the JSON/YAML remains valid; also scan the same
document for any other references to gh_alert_numbers and remove or replace them
with the current AquaSec-specific fields so the example matches the new AquaSec
Code Security API contract.

In `@src/security/alerts/aquasec_parser.py`:
- Around line 44-59: references_list is not normalized before using it for
help_uri and may be a non-list (string/other), causing incorrect values; update
parsing so you normalize rule_details.references into a canonical list once
(e.g., ensure references_list is a list) and then use that normalized list for
both references_list and when setting AlertMetadata.help_uri (use first element
if present), adjusting the code around references_list and AlertMetadata(...) /
help_uri to consume the canonical list safely.

In `@src/security/config.py`:
- Around line 56-60: The except clause handling conversion of project_number_raw
is using Python 2 comma syntax; update the exception handler in the block where
project_number is set (referencing project_number_raw, project_number) to catch
multiple exceptions with a tuple — i.e. replace the old "except ValueError,
TypeError:" with "except (ValueError, TypeError):" so both ValueError and
TypeError are properly caught under Python 3.

In `@src/security/main.py`:
- Around line 119-120: The log message from LabelChecker.check_labels() must be
prefixed with the module logging prefix; update the logger.error call that
currently logs "Required labels missing in %s: %s" to include LOGGING_PREFIX
(e.g., logger.error("%sRequired labels missing in %s: %s", LOGGING_PREFIX, repo,
", ".join(missing))). Ensure LOGGING_PREFIX is referenced (and available) in
this module and use the same logger.error formatting style as other messages in
this file.

In `@src/security/services/__init__.py`:
- Line 17: The module docstring in src/security/services/__init__.py uses an en
dash character in the text "Security services package – AquaSec API
integration."; replace that en dash with a plain ASCII hyphen (-) so the
docstring reads "Security services package - AquaSec API integration." to
satisfy Ruff RUF002 and avoid ambiguous Unicode; update the module-level string
in __init__.py accordingly.

In `@src/security/services/authenticator.py`:
- Around line 69-70: The token request currently mints an all-endpoints token by
setting allowed_endpoints=["ANY:*"]; change post_body so allowed_endpoints only
contains the minimal read endpoint(s the job actually calls (the scan-results
fetch used by src/security/services/scan_fetcher.py) instead of a wildcard.
Locate the post_body construction in authenticator.py (symbol: post_body) and
replace ["ANY:*"] with the exact HTTP method+path(s) used by the ScanFetcher
(e.g., the GET scan-results endpoint(s) invoked by the fetch function), keeping
group_id and validity logic unchanged.
- Around line 92-94: The code calls response.json() directly to get
bearer_token; wrap the JSON parsing in a try/except around the response.json()
call (the line that sets bearer_token) and catch JSON parsing errors
(requests.exceptions.JSONDecodeError and fallback ValueError) and in the except
raise SystemExit with the same auth-failure message ("ERROR: AquaSec API
response missing bearer token data.") so JSON decode failures follow the same
auth error path; keep the existing check for empty bearer_token after the try
block.

In `@src/security/services/label_checker.py`:
- Line 55: Update the log call in label_checker.py to prepend the required
domain prefix constant LOGGING_PREFIX to the error message: replace the current
logger.error invocation that logs "gh label list failed for %s:\n%s" with a
message that begins with LOGGING_PREFIX (e.g., f"{LOGGING_PREFIX} - ..."),
keeping the same placeholders for self.repo and result.stderr; modify the
logger.error call inside the method where the current line uses self.repo and
result.stderr so the domain prefix is included in the logged string.

In `@tests/security/alerts/test_aquasec_parser.py`:
- Around line 202-207: The assertions in test_parse_item_empty_extra_data
mismatch the current parser behavior: _parse_item returns empty strings for
missing fields, so update the test expectations on alert.rule_details.owasp and
alert.rule_details.references to assert "" (empty string) instead of "N/A" to
match the behavior of _parse_item and keep rule_details.cwe assertion as-is.

In `@tests/security/services/__init__.py`:
- Line 17: Remove the module-level docstring (the triple-quoted string at the
top of the tests.security.services.__init__ module) so the test package's
__init__ contains no documentation; simply delete that string literal and keep
any necessary imports or __all__ intact.

In `@tests/security/services/test_label_checker.py`:
- Line 43: Tests use the incorrect assert order (actual == expected); change
them to the canonical assert expected == actual pattern by flipping each
comparison, e.g. replace assertions like assert checker._fetch_labels() ==
["scope:security", "epic"] with assert ["scope:security", "epic"] ==
checker._fetch_labels(), and apply the same flip for the other occurrences
referenced (lines using checker._fetch_labels() or similar actual-first
comparisons at the other mentioned locations).

In `@tests/security/services/test_notification_sender.py`:
- Around line 19-23: A local import of the requests module exists inside a test
function; move the import for requests to module scope with the other imports at
the top of the file (next to pytest, MagicMock, NotifiedIssue, SeverityChange,
and NotificationSender) so tests follow the rule of placing all imports at the
top; update any test that currently does "import requests" inside the function
(around the block that references
NotificationSender/NotifiedIssue/SeverityChange) to use the module-level
requests import.

In `@tests/security/test_main.py`:
- Around line 30-36: The autouse fixture _aqua_env sets Aqua env vars but
doesn't stub the external dependency "gh", so main() can exit early on runners
without gh; update the _aqua_env fixture to also stub availability of the GitHub
CLI by monkeypatching the lookup used by your code (e.g.,
monkeypatch.setattr(shutil, "which", lambda name: "/usr/bin/gh" if name == "gh"
else None) or monkeypatch.setenv behavior your code relies on) so that when
tests call main() it sees "gh" as present; modify the fixture _aqua_env to
include that monkeypatch call so all tests in this module see a fake gh.

---

Outside diff comments:
In `@src/security/services/label_checker.py`:
- Line 59: Add a single blank newline character at the end of the file
src/security/services/label_checker.py so the file ends with one trailing
newline (ensure the file ends with exactly one blank line character after the
last line of code to comply with the coding guidelines).

In `@tests/security/conftest.py`:
- Around line 17-22: Remove the module-level docstring from this test module
(the triple-quoted string at the top of tests/security/conftest.py); replace it
with a short inline comment or move any necessary explanation into test-specific
docstrings or external docs so the module no longer contains a top-level
documentation string, ensuring no change to fixture behavior or test data
mutability.

---

Nitpick comments:
In `@src/security/services/scan_fetcher.py`:
- Around line 74-76: The debug log in scan_fetcher.py at the block using
page_num, page_response and total_expected calls logger.debug without the
required "Security -" prefix; update that logger.debug call to start the message
with "Security - " (e.g., "Security - Expected %d total findings.") so it
follows the project's logging prefix convention and remains consistent with
other Security logs.

In `@tests/security/services/test_authenticator.py`:
- Around line 82-88: The test
test_authenticate_raises_system_exit_on_request_exception currently imports
requests inside the function; move the local "import requests" to the
module-level imports at the top of tests/security/services/test_authenticator.py
so all imports are declared once per file. Update the file imports block and
remove the in-function import, keeping the existing mocker.patch call that
references "security.services.authenticator.requests.post" and the same
side_effect setup.

In `@tests/security/services/test_issue_syncer.py`:
- Line 17: Remove the module-level docstring at the top of
tests/security/services/test_issue_syncer.py so the file begins with import
statements; ensure no other top-level documentation remains in the test module
(tests should start with imports and then test code, per the guideline that test
modules must not contain docstrings).
- Around line 80-87: The test test_sync_does_not_send_notifications is
tautological because it only asserts result is not None; update it to assert
specific behavior: when gh_issue_list_by_label is mocked to {} and
sync_alerts_and_issues returns a MagicMock SyncResult with notifications=["n"],
severity_changes=[], verify that IssueSyncer.sync(...) returns that same
SyncResult (or alternatively assert the returned object's notifications list is
empty if the intent is "does not send notifications"). Locate the test function
and replace the generic assert with an equality/assertion against the mocked
SyncResult (or an assertion on result.notifications) to make the test verify the
intended behavior of IssueSyncer.sync.

In `@tests/security/services/test_scan_fetcher.py`:
- Around line 114-121: The test function
test_fetch_findings_raises_system_exit_on_request_exception contains a local
import of requests; move that import to the top-level module imports in
tests/security/services/test_scan_fetcher.py so all dependencies are declared at
file scope, leaving the test body to only construct ScanFetcher and apply
mocker.patch on "security.services.scan_fetcher.requests.get" (referencing the
ScanFetcher class and the test function name to locate the spot).