docs consolidation work
This commit is contained in:
StellaOps Bot
@@ -55,6 +55,59 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f
|
||||
- DOCS-SCANNER updates tracked in ../../TASKS.md.
|
||||
- Analyzer parity work in src/Scanner/**/TASKS.md.
|
||||
|
||||
## Implementation Status
|
||||
|
||||
### Phase 1 – Control plane & job queue (Complete)
|
||||
- Scanner WebService with queue abstraction (Valkey/NATS)
|
||||
- Job leasing with retries and dead-letter handling
|
||||
- CAS layer cache and artifact catalog
|
||||
- REST API endpoints for scan management
|
||||
|
||||
### Phase 2 – Analyzer parity & SBOM assembly (In Progress)
|
||||
- OS analyzers: apk/dpkg/rpm with deterministic metadata
|
||||
- Language analyzers: Java, Node, Python, Go, .NET, Rust with lock file support
|
||||
- Native analyzers: ELF/PE/MachO for binary analysis
|
||||
- SBOM views: inventory/usage with CycloneDX/SPDX emitters
|
||||
- Entry trace resolution and dependency analysis
|
||||
|
||||
### Phase 3 – Diff & attestations (In Progress)
|
||||
- Three-way diff engine (base, target, runtime)
|
||||
- DSSE SBOM/report signing pipeline
|
||||
- Attestation hand-off to Signer/Attestor
|
||||
- Metadata for Export Center integration
|
||||
|
||||
### Phase 4 – Integrations & exports (Planned)
|
||||
- Policy Engine integration for evaluation
|
||||
- Vuln Explorer metadata delivery
|
||||
- Export Center artifact packaging
|
||||
- CLI/Console workflows and buildx plugin
|
||||
|
||||
### Phase 5 – Observability & resilience (Planned)
|
||||
- Metrics: queue depth, scan latency, cache hit/miss, analyzer timing
|
||||
- Queue backpressure handling and cache eviction
|
||||
- SLO dashboards and alerting
|
||||
- Smoke tests and runbooks
|
||||
|
||||
### Key Acceptance Criteria
|
||||
- Scans produce deterministic SBOM inventory/usage with stable component identity
|
||||
- Queue/worker pipeline handles retries, backpressure, offline kits
|
||||
- DSSE attestations exported for Signer/Attestor without transformation
|
||||
- CLI/Console parity for scan submission, diffing, exports, verification
|
||||
- Offline scanning supported with local caches and manifest verification
|
||||
|
||||
### Technical Decisions & Risks
|
||||
- Analyzer drift prevented via golden fixtures, hash-based regression tests, deterministic sorting
|
||||
- Queue overload mitigated with adaptive backpressure, worker scaling, priority lanes
|
||||
- Storage growth managed via CAS dedupe, ILM policies, offline bundle pruning
|
||||
- Lock file integration (npm/yarn/pnpm, pip/poetry, gradle) with declared-only components
|
||||
- Surface cache reuse for Linux OS analyzers with rootfs-relative evidence
|
||||
|
||||
### Recent Enhancements (2025-12-12)
|
||||
- Deterministic SBOM composition with DSSE fixtures and offline verification
|
||||
- Node/Python/Java lock file collectors with CLI validation commands
|
||||
- Platform events rollout with scanner.report.ready@1 and scanner.scan.completed@1
|
||||
- Surface-cache environment resolution with startup validation
|
||||
|
||||
## Epic alignment
|
||||
- **Epic 6 – Vulnerability Explorer:** provide policy-aware scan outputs, explain traces, and findings ledger hooks for triage workflows.
|
||||
- **Epic 10 – Export Center:** generate export-ready artefacts, manifests, and DSSE metadata for bundles.
|
||||
|
||||
Reference in New Issue
Block a user