feature: add PKI Network Discovery

[carlosmonastyrski]

Context

This PR adds the PKI Network Discovery feature, enabling users to scan their network infrastructure (IP ranges, CIDR blocks, and domains) to automatically discover TLS certificates deployed across endpoints. Discovery jobs can be configured with target IPs/domains and ports, triggered manually or scheduled for recurring scans, and results are stored as certificate installations with imported certificates from them.

Screenshots

Steps to verify the change

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[linear]

ENG-4521 Implement Certificate Discovery

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR introduces PKI Network Discovery: new DB tables for discovery configs, installations, linking, and scan history; new backend EE services/DAL/routes to manage discovery jobs and PKI installation entities; and frontend UI/API hooks plus docs to expose the feature.

Main issue found in the current diff is in the DB migration rollback path: down() drops the tables before dropping the associated updatedAt triggers, but dropOnUpdateTrigger() issues DROP TRIGGER ... ON <table> which will fail once the table has already been dropped. The trigger drops should happen before table drops (or the helper should tolerate missing tables).

Confidence Score: 3/5

• This PR is reasonably safe to merge once the rollback migration is fixed.
• Core feature additions look consistent, but the new migration’s down() path will fail due to dropping tables before dropping triggers, which breaks rollback/idempotency expectations for migrations.
• backend/src/db/migrations/20260205012343_add-pki-discovery-tables.ts

Important Files Changed

Filename	Overview
backend/src/db/migrations/20260205012343_add-pki-discovery-tables.ts	Adds PKI discovery/installations tables and adds certificate.source column; down() drops triggers after dropping tables (order likely wrong).
backend/src/ee/services/pki-discovery/pki-discovery-config-dal.ts	Introduces DAL queries for discovery configs; contains root-level orWhereRaw inside andWhere callback which is fine, but claimScanSlot uses whereNotExists with a full query builder (may not correlate correctly) and updates status without transaction/locking.
backend/src/ee/services/pki-discovery/pki-discovery-service.ts	Adds discovery CRUD and scan trigger logic with permissions; manual scan rate limit based on lastScannedAt may not be updated at trigger time (could block scans unexpectedly depending on scan updater).
backend/src/ee/services/pki-discovery/pki-discovery-installation-dal.ts	Adds DAL for discovery↔installation links; upsertLink is non-atomic (check-then-insert) but handles FK violation; otherwise straightforward.
backend/src/ee/services/pki-discovery/pki-installation-service.ts	Adds PKI installation list/read/update/delete services with permissions; logic appears consistent with other services.

[greptile-apps]

_{99 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[carlosmonastyrski]

@greptile, re-review this PR with the context of my previous responses to your comments, and update the Overview and Summar

[greptile-apps]

_{100 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
9387833	Triggered	Generic Password	5225490	docker-compose.dev.yml	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}