Baseline Scan: Where Observation Becomes Trust

Baseline Scan is the trust boundary in AuditWalk. Scan captures evidence; Baseline Scan promotes reviewed evidence into the trusted reference state used by PreFlight, Compare, Doctor, and Repair.

Definition

What Baseline Scan is

Baseline Scan is the explicit promotion of a reviewed scan artifact into trusted reference state. It is not an automatic result of scanning. It is a deliberate operator action.

In AuditWalk terms: scan captures what is; Baseline Scan establishes what should be treated as trusted for future comparison.

Importance

Why Baseline Scan matters

Without a trusted baseline, change data has weak context. Baseline Scan gives Compare and PreFlight a stable reference so deviations can be surfaced and judged as expected or suspicious.

Operational value

  • Makes drift detection meaningful, not generic
  • Improves incident triage quality
  • Supports repeatable trust decisions over time

Risk reduction

  • Prevents accidental trust assignment
  • Keeps observation and approval separate
  • Preserves operator accountability

Doctrine

Observation vs trust

scan run                         -> produce evidence
review artifact                  -> human/operator judgment
baseline set --scan-id <scan_id> -> establish trusted reference

This separation is the core safety model. The system can collect facts; only the operator can declare trust.

Workflow

How Baseline Scan integrates with the workflow

Scan -> Baseline Scan -> PreFlight -> Compare -> Doctor -> Repair

Baseline Scan is the gate between passive evidence capture and downstream diagnostic/repair workflows.

CLI

Baseline Scan in the CLI

The command flow has two distinct steps: scan run creates evidence, and baseline set promotes reviewed evidence into trusted state.

Create a baseline-grade scan (full)

auditwalk scan run --profile full

Create a higher-scrutiny scan (paranoid)

auditwalk scan run --profile paranoid

List and review scan artifacts

auditwalk scan list
auditwalk scan show --scan-id <scan_id>

Promote reviewed artifact into baseline state

auditwalk baseline set --scan-id <scan_id>

Show active baseline and baseline history

auditwalk baseline show
auditwalk baseline history

Follow-up commands after baseline

auditwalk preflight run --scope browser,system
auditwalk compare run
auditwalk doctor
auditwalk repair

Example workflow

auditwalk scan run --profile full
auditwalk scan show --scan-id scan_00042
auditwalk baseline set --scan-id scan_00042
auditwalk preflight run --scope browser,system
auditwalk compare run

Profiles

Profile implications for baseline quality

full should be the default baseline-grade profile. paranoid is suitable where higher scrutiny is worth the runtime cost. quick is best treated as observation-first unless your policy explicitly accepts it for baseline promotion.

Guidance

User guidance and caveats

  • Never promote an unreviewed scan into baseline state.
  • Baseline changes should be intentional and documented.
  • If environment risk increases, re-baseline using full or paranoid.
  • Keep CLI vocabulary stable across docs to avoid operator confusion.
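
One way to enforce the first two rules above in day-to-day use, as an added example (not AuditWalk's own code): a POSIX shell wrapper that displays the artifact, requires the operator to retype the scan id, and records every promotion. The function name, the AUDITWALK_CHANGELOG variable, the scan id character check and the log line format are assumptions; only the auditwalk subcommands shown on this page are called.

```shell
#!/bin/sh
# Added example, not part of AuditWalk. Assumed (hypothetical) names:
# promote_baseline, AUDITWALK_CHANGELOG, and the change-log line format.
AUDITWALK_CHANGELOG="${AUDITWALK_CHANGELOG:-./baseline-changes.log}"

# promote_baseline <scan_id> <reason>
# Returns 0 promoted, 2 usage error, 3 not reviewed/confirmed, 4 promotion failed.
promote_baseline() {
    pb_scan_id="$1"
    # Flatten newlines so a reason cannot forge extra change-log entries.
    pb_reason=$(printf '%s' "$2" | tr '\n\r' '  ')
    if [ -z "$pb_scan_id" ] || [ -z "$pb_reason" ]; then
        echo "usage: promote_baseline <scan_id> <reason>" >&2
        return 2
    fi
    # Assumption: ids look like scan_00042. Reject anything that could be
    # parsed as an option or would break the one-line log format.
    case "$pb_scan_id" in
        -*|*[!A-Za-z0-9_-]*) echo "invalid scan id" >&2; return 2 ;;
    esac
    # Step 1: put the artifact in front of the operator before any trust decision.
    if ! auditwalk scan show --scan-id "$pb_scan_id"; then
        echo "cannot display $pb_scan_id; baseline unchanged" >&2
        return 3
    fi
    # Step 2: trust is declared explicitly, by retyping the id just reviewed.
    printf 'Type the scan id to confirm it was reviewed: ' >&2
    pb_typed=""
    IFS= read -r pb_typed || true
    if [ "$pb_typed" != "$pb_scan_id" ]; then
        echo "confirmation mismatch; baseline unchanged" >&2
        return 3
    fi
    # Step 3: promote the reviewed evidence into the trusted reference state.
    if ! auditwalk baseline set --scan-id "$pb_scan_id"; then
        echo "baseline set failed; nothing recorded" >&2
        return 4
    fi
    # Step 4: document who changed the baseline, when, and why.
    printf '%s operator=%s scan_id=%s reason=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "$pb_scan_id" "$pb_reason" >> "$AUDITWALK_CHANGELOG"
}
```

After sourcing the file, call it as: promote_baseline scan_00042 "post-upgrade re-baseline". The change log complements auditwalk baseline history by recording the operator's stated reason.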

Information Architecture

Suggested site structure placement

/scan/            -> profile behavior and scan engine contract
/baseline-scan/   -> trust promotion model and baseline lifecycle
/system.html      -> workflow-level architecture
/linux-cli/       -> command surface and install/use flow

Copy

Short summary and main-page excerpt copy

Short summary: Baseline Scan is the deliberate trust action that promotes reviewed scan evidence into the reference state used by AuditWalk to evaluate future change.

Homepage excerpt:
"Baseline Scan is where observed evidence becomes trusted reference.
AuditWalk does not auto-trust scans; it requires explicit operator promotion
so every compare and preflight result has real context."