new advisories work and features gaps work

2026-01-14 18:39:19 +02:00
parent 95d5898650
commit 15aeac8e8b
148 changed files with 16731 additions and 554 deletions
--- a/docs/flows/10-cicd-gate-flow.md
+++ b/docs/flows/10-cicd-gate-flow.md
@@ -303,6 +303,102 @@ CLI translates verdict to exit code:
 | FAIL | 1 | Block deployment |
 | ERROR | 2 | Pipeline failure |

+### 5a. DSSE Witness Verification (Required)
+
+> Sprint: SPRINT_20260112_004_DOC_cicd_gate_verification
+
+Before deploying, pipelines must verify DSSE witness signatures and Rekor inclusion (or offline ledger). This ensures attestation integrity and provides tamper-evident audit trail.
+
+#### Online Verification
+
+```bash
+# Verify DSSE signature and Rekor inclusion
+stellaops proof verify \
+  --image ghcr.io/org/myapp:$COMMIT_SHA \
+  --attestation-type scan-result \
+  --check-rekor \
+  --fail-on-missing
+
+# Exit codes:
+# 0 - Verified successfully
+# 1 - Verification failed
+# 2 - Missing attestation or Rekor entry
+```
+
+#### Offline Verification (Air-Gapped Environments)
+
+```bash
+# Verify against local offline ledger
+stellaops proof verify \
+  --image myapp:$COMMIT_SHA \
+  --attestation-type scan-result \
+  --offline \
+  --ledger-path /var/lib/stellaops/ledger \
+  --fail-on-missing
+
+# Alternative: verify a bundled evidence pack
+stellaops evidence-pack verify \
+  --bundle /path/to/evidence-pack.tar.gz \
+  --check-signatures \
+  --check-merkle
+```
+
+#### Cosign Equivalent Commands
+
+For environments using cosign directly:
+
+```bash
+# Online: verify with Rekor
+cosign verify-attestation \
+  --type https://stellaops.io/attestation/scan/v1 \
+  --rekor-url https://rekor.sigstore.dev \
+  ghcr.io/org/myapp:$COMMIT_SHA
+
+# Offline: verify with bundled certificate
+cosign verify-attestation \
+  --type https://stellaops.io/attestation/scan/v1 \
+  --certificate /path/to/cert.pem \
+  --certificate-chain /path/to/chain.pem \
+  --offline \
+  ghcr.io/org/myapp:$COMMIT_SHA
+```
+
+#### GitHub Actions Integration
+
+```yaml
+- name: Verify attestation
+  run: |
+    stellaops proof verify \
+      --image ghcr.io/org/myapp:${{ github.sha }} \
+      --attestation-type scan-result \
+      --check-rekor \
+      --fail-on-missing
+
+- name: Push to registry (only if verified)
+  if: success()
+  run: |
+    docker push ghcr.io/org/myapp:${{ github.sha }}
+```
+
+#### GitLab CI Integration
+
+```yaml
+verify:
+  stage: verify
+  script:
+    - stellaops proof verify
+        --image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+        --attestation-type scan-result
+        --check-rekor
+        --fail-on-missing
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+```
+
+**Related Documentation:**
+- [Score Proofs Runbook](../operations/score-proofs-runbook.md)
+- [Proof Verification Runbook](../operations/proof-verification-runbook.md)
+
 ### 6. SARIF Integration

 CLI outputs SARIF for IDE and GitHub integration: