
Add security findings report improvement notes#221

Open
pranavisrikanth wants to merge 1 commit into main from docs/security-report-template-improvements

Conversation

@pranavisrikanth
Collaborator

Summary

This PR adds a lightweight GRC/reporting improvement artefact for AutoAudit.

The document proposes several improvements for AutoAudit’s security findings and compliance reporting structure, including:

  • remediation guidance
  • evidence summaries
  • severity classification
  • framework mapping visibility
  • improved report readability

The contribution is intended to support future report generation improvements and improve how compliance findings are communicated to technical and non-technical stakeholders.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Refactor / code cleanup
  • Documentation
  • CI/CD / infrastructure
  • Security

Affected Components

  • /backend-api
  • /frontend
  • /engine (collectors / policies)
  • /security
  • /infrastructure
  • /.github/workflows
  • /docs

Motivation

Recent project discussions highlighted opportunities to improve AutoAudit’s report generation and compliance findings presentation. This artefact documents possible reporting improvements that could support remediation clarity, evidence visibility, audit readability, and stakeholder communication.

Testing Done

  • Unit tests pass locally
  • Tested manually — describe how:
  • No tests required — explain why:

This is a documentation-only contribution and does not modify application logic.

Security Considerations

No direct security impact. This PR only adds documentation and reporting improvement recommendations.

Breaking Changes

  • No breaking changes
  • Yes — describe below:

Rollback Plan

  • Revert commit is sufficient
  • Requires additional steps — describe below:

Checklist

  • Code follows project conventions
  • No secrets, credentials, or tokens committed
  • Relevant documentation updated (if applicable)
  • CI/CD workflows pass on this branch
  • PR is focused on one thing

Screenshots

Not applicable.

@6igby
Collaborator

6igby commented May 9, 2026

  • Could you justify why this documentation needs to be in the repo? From my understanding, you are proposing GRC improvements or changes.
  • If it doesn't relate directly to anything in the repo (e.g. vulnerability reporting on GitHub), this might be better served in the Teams shared folder.
  • The naming of the file is also a little misleading: is it a template (and if so, for what, and where would it be used), or just suggestive documentation?


@6igby 6igby left a comment


Please address these comments on PRs 220 and 221 if you would like to justify why such documents belong in the repo, or whether we can close them.
