trycompai · Marfuen · Apr 6, 2026 · Apr 3, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/apps/api/src/audit/audit-log.interceptor.ts b/apps/api/src/audit/audit-log.interceptor.ts
@@ -24,6 +24,7 @@ import {
   type ChangesRecord,
   buildChanges,
   buildDescription,
+  extractActionDescription,
   extractCommentContext,
   extractDownloadDescription,
   extractEntityId,
@@ -129,6 +130,10 @@ export class AuditLogInterceptor implements NestInterceptor {
                 responseBody,
                 requestBody,
               );
+              const actionDesc = extractActionDescription(
+                request.url,
+                method,
+              );
               const downloadDesc = extractDownloadDescription(
                 request.url,
                 method,
@@ -145,7 +150,7 @@ export class AuditLogInterceptor implements NestInterceptor {
                 (request as { userRoles?: string[] }).userRoles,
               );
               let descriptionOverride: string | null =
-                versionDesc ?? downloadDesc ?? policyActionDesc ?? findingDesc;
+                actionDesc ?? versionDesc ?? downloadDesc ?? policyActionDesc ?? findingDesc;
 
               const isAutomationUpdate = policyActionDesc && /automations/.test(request.url) && method === 'PATCH';
               const isAttachmentAction = policyActionDesc && /attachments/.test(request.url);

diff --git a/apps/api/src/audit/audit-log.utils.ts b/apps/api/src/audit/audit-log.utils.ts
@@ -55,6 +55,25 @@ export function extractCommentContext(
   return null;
 }
 
+/**
+ * Detects action sub-endpoints (e.g. trigger-assessment) on resources
+ * and returns a human-readable description instead of the generic
+ * "Created <resource>" that the POST method would produce.
+ */
+export function extractActionDescription(
+  path: string,
+  method: string,
+): string | null {
+  if (method !== 'POST') return null;
+
+  const pathWithoutQuery = path.split('?')[0]!;
+
+  if (/\/vendors\/[^/]+\/trigger-assessment\/?$/.test(pathWithoutQuery))
+    return 'Triggered vendor risk assessment';
+
+  return null;
+}
+
 /**
  * Detects download/export GET endpoints and returns a human-readable
  * description. Returns null for non-download endpoints.