[REVIEW] scanner-tuning: add credentialed scan coverage evidence gates #1419

@MAUROCERON

Review gap

scanner-tuning recommends authenticated scanning and credential verification, but it does not require reviewers to prove credentialed scan coverage per asset, platform, or check family before trusting scan results.

This can create false-negative risk when a report says no vulnerabilities were found, but the scanner never actually performed local checks because credentials failed, lacked privileges, were not attempted, or could not retrieve package/patch inventory.

Expected improvement

Add an authenticated scan coverage evidence gate requiring reviewers to document:

  • asset/platform inventory and expected credential type;
  • credential source and privilege level;
  • authentication result per asset or asset class;
  • evidence from scanner-specific auth indicators such as Tenable credentialed checks or Qualys authentication status QIDs;
  • whether local package/patch inventory or registry/file checks succeeded;
  • scan engine reachability and required management ports;
  • coverage decision: Full / Partial / Failed / Not Attempted / Not Evaluable;
  • retest and exception handling before accepting false-positive suppressions or severity downgrades.

Suggested validation fixtures

Add edge cases for:

  • successful network scan but failed credentialed checks;
  • authentication success without package inventory or Windows registry/share access;
  • only some asset classes authenticated;
  • scan agent present but stale/offline;
  • full credentialed coverage with evidence.

References checked

Payment details can be provided privately after maintainer acceptance.
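Added example, not code from the issue or from the scanner-tuning project: a small Python helper that encodes the proposed coverage decision (Full / Partial / Failed / Not Attempted / Not Evaluable) from the evidence items listed in the issue, tallies it per asset class, and refuses to trust a "no vulnerabilities found" report unless every asset reached Full. The field names, the precedence of the checks (a stale agent is treated as Not Evaluable) and the fixtures mirroring the five edge cases are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AuthEvidence:
    """One reviewer-recorded evidence row for a single asset (hypothetical field names)."""
    asset: str
    platform: str                     # asset class, e.g. "linux", "windows", "network"
    engine_reachable: bool            # scan engine could reach the required management ports
    auth_attempted: bool              # credentials were configured and actually tried
    auth_succeeded: Optional[bool]    # scanner auth indicator; None = no indicator in report
    inventory_ok: Optional[bool]      # package/patch inventory or registry/share checks ran
    agent_stale: bool = False         # agent present but stale/offline

def coverage_decision(ev: AuthEvidence) -> str:
    """Map evidence to Full / Partial / Failed / Not Attempted / Not Evaluable (order matters)."""
    if not ev.auth_attempted:
        return "Not Attempted"
    if not ev.engine_reachable or ev.auth_succeeded is False:
        return "Failed"                  # network-only scan: local checks never ran
    if ev.auth_succeeded is None or ev.agent_stale:
        return "Not Evaluable"           # no auth indicator, or agent data cannot be current
    if not ev.inventory_ok:
        return "Partial"                 # logged in, but nothing local to check against
    return "Full"

def coverage_by_platform(evidence: List[AuthEvidence]) -> Dict[str, Dict[str, int]]:
    """Count decisions per asset class so a reviewer sees which classes were really covered."""
    out: Dict[str, Counter] = {}
    for ev in evidence:
        out.setdefault(ev.platform, Counter())[coverage_decision(ev)] += 1
    return {p: dict(c) for p, c in out.items()}

def clean_result_trusted(evidence: List[AuthEvidence]) -> bool:
    """A 'no vulnerabilities found' report is accepted only when every asset reached Full."""
    return bool(evidence) and all(coverage_decision(ev) == "Full" for ev in evidence)

# Constructed fixtures mirroring the edge cases listed in the issue.
FIXTURES = [
    AuthEvidence("web-01", "linux", True, True, False, None),         # net scan ok, creds failed
    AuthEvidence("dc-01", "windows", True, True, True, False),        # auth ok, no registry/share
    AuthEvidence("sw-01", "network", True, False, None, None),        # class never authenticated
    AuthEvidence("lap-07", "windows", True, True, True, True, True),  # agent present but stale
    AuthEvidence("app-02", "linux", True, True, True, True),          # full coverage with evidence
]

if __name__ == "__main__":
    for ev in FIXTURES:
        print(f"{ev.asset:8} {coverage_decision(ev)}")
    print(coverage_by_platform(FIXTURES), clean_result_trusted(FIXTURES))
```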
