fix(code-quality): Resolve 47 CodeQL code scanning alerts

Fixed all ERROR, WARNING, and NOTE severity issues across 15 files:

ERROR Severity (3 issues):
- Fixed check_permission() calls with wrong arguments (8 instances)
  - host_security_discovery.py: Changed from 2-arg to 3-arg signature
  - host_network_discovery.py: Split "hosts:read" into ("hosts", "read")
- Fixed non-iterable enum iteration in plugin_registry_service.py
  - Added explicit list() conversion for PluginStatus enum

WARNING Severity (5 issues):
- Removed 4 unnecessary pass statements in ssh_settings.py
- Fixed unreachable code in rule_specific_scanner.py
  - Enabled remediation success rate calculation logic
  - Changed "if False:" to proper condition check

NOTE Severity (39 issues):
- Fixed 20 bare except statements (changed to "except Exception:")
  - scap_content.py: 7 instances
  - scans.py: 7 instances
  - remove_legacy_credentials.py: 3 instances
  - remediation.py, scap_import.py, capabilities.py: 3 instances
- Removed 5 duplicate "import json" statements
  - scans.py: 3 duplicates removed
  - rule_scanning.py: 2 duplicates removed
- Removed 2 unused import statements
  - error_handling.py, compliance_rules_api.py: unused json imports
- Removed 2 unused variables
  - system_info_sanitization.py: _error_sanitization_service
  - system_settings_unified.py: _scheduler

Security Impact:
- Bare except: blocks now properly allow system exits (KeyboardInterrupt)
- RBAC permission checks use correct 3-argument signature
- Dead code eliminated, reducing attack surface

Testing:
- All files pass Python syntax validation
- Docker build completes successfully
- All services healthy (backend, frontend, databases, workers)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: remyluslosius

backend/app/api/v1/endpoints/compliance_rules_api.py

@@ -10,7 +10,6 @@
 from pathlib import Path
 from collections import defaultdict
 import logging
-import json
 
 try:
     from ....services.mongo_integration_service import (

backend/app/api/v1/endpoints/scap_import.py

@@ -310,5 +310,5 @@ def estimate_import_duration(file_path: Path) -> float:
         file_size_mb = file_path.stat().st_size / (1024 * 1024)
         # Rough estimate: 1MB per minute for processing
         return max(1.0, file_size_mb * 1.0)
-    except:
+    except Exception:
         return 5.0  # Default estimate

backend/app/middleware/error_handling.py

@@ -4,7 +4,6 @@
 """
 
 import traceback
-import json
 import uuid
 from typing import Dict, Any, Optional, List
 from datetime import datetime, timedelta

backend/app/routes/capabilities.py

@@ -305,7 +305,7 @@ def _check_aegis_availability() -> bool:
         # For now, check if AEGIS configuration exists
         aegis_url = os.environ.get("AEGIS_URL")
         return aegis_url is not None
-    except:
+    except Exception:
         return False
 
 

backend/app/routes/host_network_discovery.py

@@ -78,7 +78,7 @@ async def discover_host_network_topology(
         NetworkDiscoveryResponse containing discovered network information
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     try:
         # Convert string UUID to UUID object
@@ -139,7 +139,7 @@ async def bulk_discover_network_topology(
         BulkNetworkDiscoveryResponse with results for all hosts
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     if not request.host_ids:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="No host IDs provided")
@@ -225,7 +225,7 @@ async def assess_host_network_security(
         NetworkSecurityAssessment with security evaluation
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     try:
         # Convert string UUID to UUID object
@@ -277,7 +277,7 @@ async def generate_network_topology_map(
         NetworkTopologyMap with network topology visualization data
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     if not request.host_ids:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="No host IDs provided")
@@ -314,7 +314,7 @@ async def get_network_discovery_capabilities(current_user=Depends(get_current_us
         Dictionary of supported network discovery features
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     capabilities = {
         "network_interfaces": {

backend/app/routes/host_security_discovery.py

@@ -59,7 +59,7 @@ async def discover_host_security_infrastructure(
         SecurityDiscoveryResponse containing discovered security information
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     try:
         # Convert string UUID to UUID object
@@ -120,7 +120,7 @@ async def bulk_discover_security_infrastructure(
         BulkSecurityDiscoveryResponse with results for all hosts
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     if not request.host_ids:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="No host IDs provided")
@@ -203,7 +203,7 @@ async def get_host_security_summary(
         Security summary based on existing host data
     """
     # Check permissions
-    check_permission(current_user, "hosts:read")
+    check_permission(current_user["role"], "hosts", "read")
 
     try:
         # Convert string UUID to UUID object

backend/app/routes/rule_scanning.py

@@ -349,8 +349,6 @@ async def create_remediation_plan(
             ).fetchone()
 
             if scan_result and scan_result.rule_details:
-                import json
-
                 rule_details = json.loads(scan_result.rule_details)
                 failed_rules = [
                     {
@@ -449,8 +447,6 @@ def _store_rule_scan_results(db: Session, scan_results: dict):
 def _store_remediation_plan(db: Session, plan, created_by: int):
     """Store remediation plan in database"""
     try:
-        import json
-
         db.execute(
             text(
                 """

backend/app/routes/scans.py

@@ -193,7 +193,7 @@ async def validate_scan_configuration(
                 profile_ids = [p.get("id") for p in profiles if p.get("id")]
                 if validation_request.profile_id not in profile_ids:
                     raise HTTPException(status_code=400, detail="Profile not found in SCAP content")
-            except:
+            except Exception:
                 raise HTTPException(status_code=400, detail="Invalid SCAP content profiles")
 
         # Resolve credentials
@@ -366,7 +366,7 @@ async def quick_scan(
                             status_code=400,
                             detail="No profiles available in SCAP content",
                         )
-            except:
+            except Exception:
                 raise HTTPException(status_code=400, detail="Invalid SCAP content profiles")
 
         # Generate scan name
@@ -468,7 +468,7 @@ async def quick_scan(
                     if len(parts) == 2:
                         avg_minutes = (int(parts[0]) + int(parts[1])) / 2
                         estimated_time = datetime.utcnow().timestamp() + (avg_minutes * 60)
-            except:
+            except Exception:
                 logger.debug("Ignoring exception during cleanup")
 
         return QuickScanResponse(
@@ -1038,18 +1038,14 @@ async def create_scan(
         profiles = []
         if content_result.profiles:
             try:
-                import json
-
                 profiles = json.loads(content_result.profiles)
                 profile_ids = [p.get("id") for p in profiles if p.get("id")]
                 if scan_request.profile_id not in profile_ids:
                     raise HTTPException(status_code=400, detail="Profile not found in SCAP content")
-            except:
+            except Exception:
                 raise HTTPException(status_code=400, detail="Invalid SCAP content profiles")
 
         # Create scan record with UUID primary key
-        import json
-
         scan_id = str(uuid.uuid4())
         db.execute(
             text(
@@ -1122,7 +1118,7 @@ async def create_scan(
                     "error_code": classified_error.error_code,
                 },
             )
-        except:
+        except Exception:
             # Fallback to generic error if classification fails
             raise HTTPException(status_code=500, detail=f"Failed to create scan: {str(e)}")
 
@@ -1159,10 +1155,8 @@ async def get_scan(
         scan_options = {}
         if result.scan_options:
             try:
-                import json
-
                 scan_options = json.loads(result.scan_options)
-            except:
+            except Exception:
                 logger.debug("Ignoring exception during cleanup")
 
         scan_data = {
@@ -1775,7 +1769,7 @@ async def create_verification_scan(
                 profile_ids = [p.get("id") for p in profiles if p.get("id")]
                 if verification_request.profile_id not in profile_ids:
                     raise HTTPException(status_code=400, detail="Profile not found in SCAP content")
-            except:
+            except Exception:
                 raise HTTPException(status_code=400, detail="Invalid SCAP content profiles")
 
         # Generate scan name

backend/app/routes/scap_content.py

@@ -68,7 +68,7 @@ async def list_scap_content(
                     import json
 
                     profiles = json.loads(row.profiles)
-                except:
+                except Exception:
                     profiles = []
 
             content_list.append(
@@ -292,7 +292,7 @@ async def upload_scap_content(
             # Clean up temp file
             try:
                 os.unlink(temp_path)
-            except:
+            except Exception:
                 logger.debug("Ignoring exception during cleanup")
 
     except SCAPContentError as e:
@@ -334,7 +334,7 @@ async def get_scap_content(
                 import json
 
                 profiles = json.loads(result.profiles)
-            except:
+            except Exception:
                 profiles = []
 
         return {
@@ -383,7 +383,7 @@ async def get_scap_profiles(
                 import json
 
                 profiles = json.loads(result.profiles)
-            except:
+            except Exception:
                 # Re-extract profiles from file if cached version is invalid
                 if os.path.exists(result.file_path):
                     profiles = scap_scanner.extract_profiles(result.file_path)
@@ -461,7 +461,7 @@ async def delete_scap_content(
                 if parent_dir.name != "scap":  # Don't remove main scap dir
                     try:
                         parent_dir.rmdir()  # Only removes if empty
-                    except:
+                    except Exception:
                         pass
             except Exception as e:
                 logger.warning(
@@ -800,11 +800,11 @@ async def test_connectivity():
                     async with aiohttp.ClientSession() as session:
                         async with session.get("https://www.google.com", timeout=5) as response:
                             return response.status == 200
-                except:
+                except Exception:
                     return False
 
             has_internet = await test_connectivity()
-        except:
+        except Exception:
             has_internet = False
 
         environment_type = "connected" if has_internet else "air-gapped"

backend/app/routes/ssh_settings.py

@@ -170,7 +170,6 @@ async def set_ssh_policy(
         #
         #     logger.warning(f"Traceback: {traceback.format_exc()}")
         #     # Continue with operation - don't fail SSH updates due to audit issues
-        pass
 
         # Return updated configuration
         return await get_ssh_policy(db=db, current_user=current_user)
@@ -252,7 +251,6 @@ async def add_known_host(
         #     logger.warning(
         #         f"Enhanced audit logging failed for SSH known host addition: {audit_error}"
         #     )
-        pass
 
         # Return the added host
         hosts = service.get_known_hosts(host_request.hostname)
@@ -321,7 +319,6 @@ async def remove_known_host(
         #     logger.warning(
         #         f"Enhanced audit logging failed for SSH known host removal: {audit_error}"
         #     )
-        pass
 
         return {"message": f"Known host {hostname} removed successfully"}
 
@@ -381,7 +378,6 @@ async def test_ssh_connectivity(
         #     logger.warning(
         #         f"Enhanced audit logging failed for SSH connectivity test: {audit_error}"
         #     )
-        pass
 
         return {
             "host_id": host_id,