feat: Add Go module and workspace test fixtures
- Created expected JSON files for Go modules and workspaces. - Added go.mod and go.sum files for example projects. - Implemented private module structure with expected JSON output. - Introduced vendored dependencies with corresponding expected JSON. - Developed PostgresGraphJobStore for managing graph jobs. - Established SQL migration scripts for graph jobs schema. - Implemented GraphJobRepository for CRUD operations on graph jobs. - Created IGraphJobRepository interface for repository abstraction. - Added unit tests for GraphJobRepository to ensure functionality.
This commit is contained in:
StellaOps Bot
118
deploy/compose/env/cas.env.example
vendored
Normal file
118
deploy/compose/env/cas.env.example
vendored
Normal file
@@ -0,0 +1,118 @@
|
||||
# CAS (Content Addressable Storage) Environment Configuration
|
||||
# Copy to .env and customize for your deployment
|
||||
#
|
||||
# Aligned with best-in-class vulnerability scanner retention policies:
|
||||
# - Trivy: 7 days vulnerability DB
|
||||
# - Grype: 5 days DB, configurable
|
||||
# - Anchore Enterprise: 90-365 days typical
|
||||
# - Snyk Enterprise: 365 days
|
||||
|
||||
# =============================================================================
|
||||
# DATA PATHS (ensure directories exist with proper permissions)
|
||||
# =============================================================================
|
||||
CAS_DATA_PATH=/var/lib/stellaops/cas
|
||||
CAS_EVIDENCE_PATH=/var/lib/stellaops/evidence
|
||||
CAS_ATTESTATION_PATH=/var/lib/stellaops/attestations
|
||||
|
||||
# =============================================================================
|
||||
# RUSTFS CONFIGURATION
|
||||
# =============================================================================
|
||||
RUSTFS_LOG_LEVEL=info
|
||||
RUSTFS_COMPRESSION=zstd
|
||||
RUSTFS_COMPRESSION_LEVEL=3
|
||||
|
||||
# =============================================================================
|
||||
# PORTS
|
||||
# =============================================================================
|
||||
RUSTFS_CAS_PORT=8180
|
||||
RUSTFS_EVIDENCE_PORT=8181
|
||||
RUSTFS_ATTESTATION_PORT=8182
|
||||
|
||||
# =============================================================================
|
||||
# ACCESS CONTROL - API KEYS
|
||||
# IMPORTANT: Change these in production!
|
||||
# =============================================================================
|
||||
|
||||
# CAS Storage (mutable, lifecycle-managed)
|
||||
RUSTFS_CAS_API_KEY=cas-api-key-CHANGE-IN-PRODUCTION
|
||||
RUSTFS_CAS_READONLY_KEY=cas-readonly-key-CHANGE-IN-PRODUCTION
|
||||
|
||||
# Evidence Storage (immutable)
|
||||
RUSTFS_EVIDENCE_API_KEY=evidence-api-key-CHANGE-IN-PRODUCTION
|
||||
RUSTFS_EVIDENCE_READONLY_KEY=evidence-readonly-key-CHANGE-IN-PRODUCTION
|
||||
|
||||
# Attestation Storage (immutable)
|
||||
RUSTFS_ATTESTATION_API_KEY=attestation-api-key-CHANGE-IN-PRODUCTION
|
||||
RUSTFS_ATTESTATION_READONLY_KEY=attestation-readonly-key-CHANGE-IN-PRODUCTION
|
||||
|
||||
# =============================================================================
|
||||
# SERVICE ACCOUNT KEYS
|
||||
# Each service has its own key for fine-grained access control
|
||||
# IMPORTANT: Generate unique keys per environment!
|
||||
# =============================================================================
|
||||
|
||||
# Scanner service - access to scanner artifacts, surface cache, runtime facts
|
||||
RUSTFS_SCANNER_KEY=scanner-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: scanner-artifacts (rw), surface-cache (rw), runtime-facts (rw)
|
||||
|
||||
# Signals service - access to runtime facts, signals data, provenance feed
|
||||
RUSTFS_SIGNALS_KEY=signals-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: runtime-facts (rw), signals-data (rw), provenance-feed (rw)
|
||||
|
||||
# Replay service - access to replay bundles, inputs lock files
|
||||
RUSTFS_REPLAY_KEY=replay-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: replay-bundles (rw), inputs-lock (rw)
|
||||
|
||||
# Ledger service - access to evidence bundles, merkle roots, hash chains
|
||||
RUSTFS_LEDGER_KEY=ledger-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: evidence-bundles (rw), merkle-roots (rw), hash-chains (rw)
|
||||
|
||||
# Exporter service - read-only access to evidence bundles
|
||||
RUSTFS_EXPORTER_KEY=exporter-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: evidence-bundles (r)
|
||||
|
||||
# Attestor service - access to attestations, DSSE envelopes, Rekor receipts
|
||||
RUSTFS_ATTESTOR_KEY=attestor-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: attestations (rw), dsse-envelopes (rw), rekor-receipts (rw)
|
||||
|
||||
# Verifier service - read-only access to attestations
|
||||
RUSTFS_VERIFIER_KEY=verifier-svc-key-GENERATE-UNIQUE
|
||||
# Bucket access: attestations (r), dsse-envelopes (r), rekor-receipts (r)
|
||||
|
||||
# Global read-only key (for debugging/auditing)
|
||||
RUSTFS_READONLY_KEY=readonly-global-key-GENERATE-UNIQUE
|
||||
# Bucket access: * (r)
|
||||
|
||||
# =============================================================================
|
||||
# LIFECYCLE MANAGEMENT
|
||||
# =============================================================================
|
||||
# Cron schedule for retention policy enforcement (default: 3 AM daily)
|
||||
LIFECYCLE_CRON=0 3 * * *
|
||||
LIFECYCLE_TELEMETRY=true
|
||||
|
||||
# =============================================================================
|
||||
# RETENTION POLICIES (days, 0 = indefinite)
|
||||
# Aligned with enterprise vulnerability scanner best practices
|
||||
# =============================================================================
|
||||
# Vulnerability DB: 7 days (matches Trivy default, Grype uses 5)
|
||||
CAS_RETENTION_VULNERABILITY_DB_DAYS=7
|
||||
|
||||
# SBOM artifacts: 365 days (audit compliance - SOC2, ISO27001, FedRAMP)
|
||||
CAS_RETENTION_SBOM_ARTIFACTS_DAYS=365
|
||||
|
||||
# Scan results: 90 days (common compliance window)
|
||||
CAS_RETENTION_SCAN_RESULTS_DAYS=90
|
||||
|
||||
# Evidence bundles: indefinite (content-addressed, immutable, audit trail)
|
||||
CAS_RETENTION_EVIDENCE_BUNDLES_DAYS=0
|
||||
|
||||
# Attestations: indefinite (signed, immutable, verifiable)
|
||||
CAS_RETENTION_ATTESTATIONS_DAYS=0
|
||||
|
||||
# Temporary artifacts: 1 day (work-in-progress, intermediate files)
|
||||
CAS_RETENTION_TEMP_ARTIFACTS_DAYS=1
|
||||
|
||||
# =============================================================================
|
||||
# TELEMETRY (optional)
|
||||
# =============================================================================
|
||||
OTLP_ENDPOINT=
|
||||
12
deploy/compose/env/mock.env.example
vendored
Normal file
12
deploy/compose/env/mock.env.example
vendored
Normal file
@@ -0,0 +1,12 @@
|
||||
# Dev-only overlay env for docker-compose.mock.yaml
|
||||
# Use together with dev.env.example:
|
||||
# docker compose --env-file env/dev.env.example --env-file env/mock.env.example -f docker-compose.dev.yaml -f docker-compose.mock.yaml config
|
||||
|
||||
# Optional: override ports if you expose mock services
|
||||
ORCHESTRATOR_PORT=8450
|
||||
POLICY_REGISTRY_PORT=8451
|
||||
VEX_LENS_PORT=8452
|
||||
FINDINGS_LEDGER_PORT=8453
|
||||
VULN_EXPLORER_API_PORT=8454
|
||||
PACKS_REGISTRY_PORT=8455
|
||||
TASK_RUNNER_PORT=8456
|
||||
Reference in New Issue
Block a user