[Good First Issue] Conduct AI security audit of inference pipeline and API #24

@Oshgig

Description

Overview

The ClimateVision API accepts image uploads and bounding boxes without rigorous security validation. Given the project's use by NGOs and government agencies, we need an AI security audit aligned with OWASP Agentic Top 10 and MITRE ATLAS frameworks to identify and mitigate vulnerabilities.

Scope

  • Create src/climatevision/security/api_security.py with:
    • Input payload size limits and validation
    • Bounding box sanitization (prevent injection/DoS)
    • Rate limiting per API key
    • File upload validation (magic bytes, extension whitelist)
  • Create src/climatevision/security/pipeline_guard.py with:
    • Adversarial input detection for uploaded images
    • Model output confidence thresholds to prevent poisoned predictions
  • Create scripts/security_scan.py CLI tool:
    • Scans all endpoints for OWASP-style vulnerabilities
    • Generates security_report.json with severity ratings and remediation steps
  • Create notebooks/08_security_audit.ipynb documenting findings
  • Add security tests to tests/test_security.py

Acceptance Criteria

  • All API endpoints pass security scan with zero critical findings
  • Adversarial inputs are rejected before reaching the model
  • Security report is generated on every release
  • Tests cover injection, overflow, and malformed input scenarios

Resources

Difficulty: Intermediate
Owner: Linda Oraegbunam (@obielin)
Labels: good first issue, security, backend, api
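An added example of the kind of input hardening the Scope section asks for in api_security.py: upload size limits, an extension whitelist checked against magic bytes, bounding-box sanitization, and a per-API-key token-bucket rate limiter. This is not ClimateVision code and nothing here exists in the repository yet; every name, limit and file type below is an assumption for illustration.

```python
"""Added example, not ClimateVision project code: input-hardening helpers of the
kind the issue's api_security.py scope describes. Every name and limit here is
an assumption for illustration."""
from __future__ import annotations

import math
import time

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed cap; tune to the real tile size
MAX_BOXES = 100                       # assumed cap on boxes per request

# Extension whitelist, each mapped to the magic bytes the file must start with.
ALLOWED_TYPES: dict[str, list[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "tif": [b"II*\x00", b"MM\x00*"],  # little- and big-endian TIFF
    "tiff": [b"II*\x00", b"MM\x00*"],
}


class ValidationError(ValueError):
    """Raised for any rejected input; the caller maps it to HTTP 400/413."""


def validate_upload(filename: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Check size, extension whitelist and magic bytes; return the normalised extension."""
    if not data or len(data) > max_bytes:
        raise ValidationError("payload size out of range")
    # Keep only the final path component so '../' or drive prefixes cannot smuggle a name.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        raise ValidationError("missing file extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValidationError(f"extension not allowed: {ext}")
    # The extension is attacker-controlled; the file header must agree with it.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise ValidationError("file header does not match extension")
    return ext


def sanitize_boxes(raw, width: int, height: int, max_boxes: int = MAX_BOXES):
    """Validate [x1, y1, x2, y2] boxes: finite numbers only, clamped to the image,
    corners re-ordered, zero-area boxes dropped, total count capped."""
    if not isinstance(raw, list):
        raise ValidationError("boxes must be a list")
    if len(raw) > max_boxes:
        raise ValidationError(f"too many boxes (max {max_boxes})")
    clean = []
    for box in raw:
        if not isinstance(box, (list, tuple)) or len(box) != 4:
            raise ValidationError("each box needs exactly four coordinates")
        for v in box:
            # bool is an int subclass, so exclude it explicitly; NaN/inf would poison downstream math.
            if isinstance(v, bool) or not isinstance(v, (int, float)) or not math.isfinite(v):
                raise ValidationError("coordinates must be finite numbers")
        x1, x2 = sorted((box[0], box[2]))
        y1, y2 = sorted((box[1], box[3]))
        x1, x2 = (int(min(max(x, 0), width)) for x in (x1, x2))
        y1, y2 = (int(min(max(y, 0), height)) for y in (y1, y2))
        if x2 - x1 < 1 or y2 - y1 < 1:
            continue  # zero-area after clamping: nothing for the model to crop
        clean.append((x1, y1, x2, y2))
    return clean


class ApiKeyRateLimiter:
    """Token bucket per API key; `clock` is injectable so the logic can be tested deterministically."""

    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last refill time)

    def allow(self, api_key: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(api_key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[api_key] = (tokens, now)
            return False
        self._buckets[api_key] = (tokens - 1.0, now)
        return True


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header behind a path-traversal style name,
    # then boxes that are reversed, empty and out of the 640x480 frame.
    print(validate_upload("tiles/../scene.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(sanitize_boxes([[10, 10, 5, 5], [0, 0, 0, 0], [-5, -5, 1000, 1000]], 640, 480))
    limiter = ApiKeyRateLimiter(rate_per_sec=1.0, burst=2)
    print([limiter.allow("key-A") for _ in range(3)])
```

Two caveats a reviewer of the real implementation would raise. The magic-byte check only proves the first few bytes look like the declared format; the image still has to be decoded, and the decoder is where decompression bombs land, so the pipeline should also set a pixel ceiling (Pillow exposes this as `Image.MAX_IMAGE_PIXELS`) and decode in a bounded worker. The in-memory limiter keeps one bucket per key forever and is per-process, so behind more than one worker it needs a shared store and idle-key eviction, or an attacker with many keys can exhaust memory rather than requests.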

Metadata

Assignees: No one assigned
Labels:
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests