finish secrets finding work and audit remarks work save

src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateEmitter.cs

@@ -12,11 +12,16 @@ public sealed class VexCandidateEmitter
 {
     private readonly VexCandidateEmitterOptions _options;
     private readonly IVexCandidateStore? _store;
+    private readonly TimeProvider _timeProvider;
 
-    public VexCandidateEmitter(VexCandidateEmitterOptions? options = null, IVexCandidateStore? store = null)
+    public VexCandidateEmitter(
+        VexCandidateEmitterOptions? options = null,
+        IVexCandidateStore? store = null,
+        TimeProvider? timeProvider = null)
     {
         _options = options ?? VexCandidateEmitterOptions.Default;
         _store = store;
+        _timeProvider = timeProvider ?? TimeProvider.System;
     }
 
     /// <summary>
@@ -79,7 +84,7 @@ public sealed class VexCandidateEmitter
             ImageDigest: context.TargetImageDigest,
             CandidatesEmitted: candidates.Count,
             Candidates: [.. candidates],
-            Timestamp: DateTimeOffset.UtcNow);
+            Timestamp: _timeProvider.GetUtcNow());
     }
 
     /// <summary>
@@ -163,16 +168,16 @@ public sealed class VexCandidateEmitter
             EvidenceLinks: [.. evidenceLinks],
             Confidence: confidence,
             ImageDigest: context.TargetImageDigest,
-            GeneratedAt: DateTimeOffset.UtcNow,
-            ExpiresAt: DateTimeOffset.UtcNow.Add(_options.CandidateTtl),
+            GeneratedAt: _timeProvider.GetUtcNow(),
+            ExpiresAt: _timeProvider.GetUtcNow().Add(_options.CandidateTtl),
             RequiresReview: true);
     }
 
-    private static string GenerateCandidateId(
+    private string GenerateCandidateId(
         FindingSnapshot finding,
         VexCandidateEmissionContext context)
     {
-        var input = $"{context.TargetImageDigest}:{finding.FindingKey}:{DateTimeOffset.UtcNow.Ticks}";
+        var input = $"{context.TargetImageDigest}:{finding.FindingKey}:{_timeProvider.GetUtcNow().Ticks}";
         var hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
         return $"vexc-{Convert.ToHexString(hash).ToLowerInvariant()[..16]}";
     }

src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexEvidence.cs

@@ -97,9 +97,17 @@ public sealed record VexEvidence
 
     /// <summary>
     /// Whether the VEX statement is still valid (not expired).
+    /// Uses system time for evaluation. For deterministic testing, use <see cref="IsValidAt"/>.
     /// </summary>
     [JsonIgnore]
-    public bool IsValid => ExpiresAt is null || ExpiresAt > DateTimeOffset.UtcNow;
+    public bool IsValid => IsValidAt(TimeProvider.System.GetUtcNow());
+
+    /// <summary>
+    /// Checks whether the VEX statement is valid at a specific point in time.
+    /// </summary>
+    /// <param name="now">The time to check validity against.</param>
+    /// <returns>True if the statement is valid (not expired), false otherwise.</returns>
+    public bool IsValidAt(DateTimeOffset now) => ExpiresAt is null || ExpiresAt > now;
 
     /// <summary>
     /// Whether this VEX statement indicates the vulnerability is not exploitable.