new advisories work and features gaps work

This commit is contained in:
master
2026-01-14 18:39:19 +02:00
parent 95d5898650
commit 15aeac8e8b
148 changed files with 16731 additions and 554 deletions


@@ -2525,6 +2525,57 @@ EOF
---
#### check.security.evidence.integrity
| Property | Value |
|----------|-------|
| **CheckId** | `check.security.evidence.integrity` |
| **Plugin** | `stellaops.doctor.security` |
| **Category** | Security |
| **Severity** | Fail |
| **Tags** | `security`, `evidence`, `integrity`, `dsse`, `rekor`, `offline` |
| **What it verifies** | Evidence files have valid DSSE signatures, Rekor inclusion proofs, and consistent hashes |
| **Evidence collected** | Evidence locker path, total files, valid/invalid/skipped counts, specific issues |
| **Failure modes** | Empty DSSE payload, missing signatures, invalid base64, missing Rekor UUID, missing inclusion proof hashes, digest mismatch |
**What it checks:**
1. **DSSE Envelope Structure**: Validates `payloadType`, `payload` (base64), and `signatures` array
2. **Signature Completeness**: Each signature has `keyid` and valid base64 `sig`
3. **Payload Digest Consistency**: If `payloadDigest` field present, recomputes and compares SHA-256
4. **Evidence Bundle Structure**: Validates `bundleId`, `manifest.version`, and optional `contentDigest`
5. **Rekor Receipt Validity**: If present, validates `uuid`, `logIndex`, and `inclusionProof.hashes`
**Remediation:**
```bash
# 1. List evidence files with issues
stella doctor --check check.security.evidence.integrity --output json \
| jq '.evidence.issues[]'
# 2. Re-sign affected evidence bundles
stella evidence resign --bundle-id {BUNDLE_ID}
# 3. Verify Rekor inclusion manually (if online)
rekor-cli get --uuid {REKOR_UUID} --format json | jq
# 4. For offline environments, verify against local ledger
stella evidence verify --offline --bundle-id {BUNDLE_ID}
# 5. Re-generate evidence pack from source
stella export evidence-pack --artifact {ARTIFACT_DIGEST} --force
```
**Configuration:**
```yaml
# etc/appsettings.yaml
EvidenceLocker:
LocalPath: /var/lib/stellaops/evidence
# Or use Evidence:BasePath for alternate key
```
**Verification:** `stella doctor --check check.security.evidence.integrity`
---
### 9.5 Integration Plugins - SCM (`stellaops.doctor.integration.scm.*`)
#### check.integration.scm.github.connectivity
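Review bot: the "What it verifies" row overstates what the five numbered checks actually do: it promises "valid DSSE signatures, Rekor inclusion proofs", but items 1, 2 and 5 only validate structure (`payloadType`, base64 `payload`, a `keyid` and base64 `sig` per signature, presence of `uuid`, `logIndex` and `inclusionProof.hashes`), with no cryptographic verification of the signature against a trusted key and no recomputation of the Merkle inclusion proof against a log root. Either reword the row to "well-formed DSSE envelopes and Rekor receipts, consistent payload/content digests" or, if the plugin does verify signatures and proofs, document where it sources the verification keys and the Rekor checkpoint, especially in the `offline` case the tag list advertises. Relatedly, item 3 ("If `payloadDigest` field present, recomputes and compares SHA-256") should state what happens when the field is absent; the evidence table reports "valid/invalid/skipped counts", so say explicitly that a missing `payloadDigest` is counted as skipped rather than passed, otherwise an operator may read a clean run as proof that every payload was digest-checked.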