stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 4 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
docs/features/unchecked/scanner/mesh-entrypoint-graph.md Normal file
View File

@@ -0,0 +1,27 @@
# Mesh Entrypoint Graph (Multi-Container Reachability)
## Module
Scanner
## Status
IMPLEMENTED
## Description
Cross-container entrypoint reachability analysis that parses Kubernetes and Docker Compose manifests to build a mesh graph of service-to-service connections, enabling vulnerability impact analysis across multi-container deployments.
## Implementation Details
- **Mesh Entrypoint Analysis**:
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointAnalyzer.cs` - `MeshEntrypointAnalyzer` performs cross-container entrypoint reachability analysis
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointGraph.cs` - `MeshEntrypointGraph` represents the service-to-service connection graph across containers
- **Manifest Parsers**:
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/IManifestParser.cs` - `IManifestParser` interface for container orchestration manifest parsing
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/KubernetesManifestParser.cs` - `KubernetesManifestParser` parses Kubernetes Deployment, Service, and Ingress manifests to extract service topology
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/DockerComposeParser.cs` - `DockerComposeParser` parses Docker Compose files to extract service connections, port mappings, and network topology
## E2E Test Plan
- [ ] Provide a Kubernetes deployment with multiple services and verify the mesh graph correctly maps service-to-service connections
- [ ] Provide a Docker Compose file with linked services and verify cross-container connections are identified
- [ ] Verify a vulnerability in an internet-facing service is classified with higher exposure than one in an internal-only service
- [ ] Verify the mesh graph identifies transitive reachability (service A -> service B -> vulnerable service C)
- [ ] Verify port mappings and network policies are factored into the mesh connectivity analysis
- [ ] Verify the mesh graph handles service discovery (DNS-based and environment variable-based) for connection resolution