stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-28 20:55:22 +02:00
parent d040c001ac
commit 2548abc56f
231 changed files with 47468 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

226
docs/schemas/attestation-vuln-scan.schema.json Normal file
View File

@@ -0,0 +1,226 @@
{
"$id": "https://stella.ops/schema/attestation-vuln-scan.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "VulnScanAttestation",
"description": "In-toto style attestation for vulnerability scan results",
"type": "object",
"required": ["_type", "predicateType", "subject", "predicate", "attestationMeta"],
"properties": {
"_type": {
"type": "string",
"const": "https://in-toto.io/Statement/v0.1",
"description": "In-toto statement type URI"
},
"predicateType": {
"type": "string",
"const": "https://stella.ops/predicates/vuln-scan/v1",
"description": "Predicate type URI for Stella Ops vulnerability scans"
},
"subject": {
"type": "array",
"items": {
"$ref": "#/$defs/AttestationSubject"
},
"minItems": 1,
"description": "Artifacts that were scanned"
},
"predicate": {
"$ref": "#/$defs/VulnScanPredicate",
"description": "Vulnerability scan result predicate"
},
"attestationMeta": {
"$ref": "#/$defs/AttestationMeta",
"description": "Attestation metadata including signer info"
}
},
"$defs": {
"AttestationSubject": {
"type": "object",
"required": ["name", "digest"],
"properties": {
"name": {
"type": "string",
"description": "Subject name (e.g. image reference)",
"examples": ["registry.internal/stella/app-service@sha256:7d9c..."]
},
"digest": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Algorithm -> digest map",
"examples": [{"sha256": "7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee"}]
}
}
},
"VulnScanPredicate": {
"type": "object",
"required": ["scanner", "scanStartedAt", "scanCompletedAt", "severityCounts", "findingReport"],
"properties": {
"scanner": {
"$ref": "#/$defs/ScannerInfo",
"description": "Scanner that produced this result"
},
"scannerDb": {
"$ref": "#/$defs/ScannerDbInfo",
"description": "Vulnerability database info"
},
"scanStartedAt": {
"type": "string",
"format": "date-time",
"description": "ISO-8601 timestamp when scan started"
},
"scanCompletedAt": {
"type": "string",
"format": "date-time",
"description": "ISO-8601 timestamp when scan completed"
},
"severityCounts": {
"type": "object",
"properties": {
"CRITICAL": { "type": "integer", "minimum": 0 },
"HIGH": { "type": "integer", "minimum": 0 },
"MEDIUM": { "type": "integer", "minimum": 0 },
"LOW": { "type": "integer", "minimum": 0 }
},
"description": "Count of findings by severity"
},
"findingReport": {
"$ref": "#/$defs/FindingReport",
"description": "Reference to the full findings report"
}
}
},
"ScannerInfo": {
"type": "object",
"required": ["name", "version"],
"properties": {
"name": {
"type": "string",
"description": "Scanner name",
"examples": ["Trivy", "Snyk", "Grype"]
},
"version": {
"type": "string",
"description": "Scanner version",
"examples": ["0.53.0"]
}
}
},
"ScannerDbInfo": {
"type": "object",
"properties": {
"lastUpdatedAt": {
"type": "string",
"format": "date-time",
"description": "ISO-8601 timestamp when vulnerability DB was last updated"
}
}
},
"FindingReport": {
"type": "object",
"required": ["mediaType", "location", "digest"],
"properties": {
"mediaType": {
"type": "string",
"default": "application/json",
"description": "Media type of the report",
"examples": ["application/json", "application/vnd.cyclonedx+json"]
},
"location": {
"type": "string",
"description": "Path or URI to the report file",
"examples": ["reports/trivy/app-service-7d9c-vulns.json"]
},
"digest": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Content digest of the report"
}
}
},
"AttestationMeta": {
"type": "object",
"required": ["statementId", "createdAt", "signer"],
"properties": {
"statementId": {
"type": "string",
"description": "Unique identifier for this attestation statement"
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "ISO-8601 timestamp when attestation was created"
},
"signer": {
"$ref": "#/$defs/AttestationSigner",
"description": "Entity that signed this attestation"
}
}
},
"AttestationSigner": {
"type": "object",
"required": ["name", "keyId"],
"properties": {
"name": {
"type": "string",
"description": "Signer name/identity",
"examples": ["ci/trivy-signer"]
},
"keyId": {
"type": "string",
"description": "Key identifier (fingerprint)",
"examples": ["SHA256:ae12c8d1..."]
}
}
}
},
"examples": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://stella.ops/predicates/vuln-scan/v1",
"subject": [
{
"name": "registry.internal/stella/app-service@sha256:7d9c...",
"digest": {
"sha256": "7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee"
}
}
],
"predicate": {
"scanner": {
"name": "Trivy",
"version": "0.53.0"
},
"scannerDb": {
"lastUpdatedAt": "2025-11-20T09:32:00Z"
},
"scanStartedAt": "2025-11-21T09:00:00Z",
"scanCompletedAt": "2025-11-21T09:01:05Z",
"severityCounts": {
"CRITICAL": 1,
"HIGH": 7,
"MEDIUM": 13,
"LOW": 4
},
"findingReport": {
"mediaType": "application/json",
"location": "reports/trivy/app-service-7d9c-vulns.json",
"digest": {
"sha256": "db569aa8a1b847a922b7d61d276cc2a0ccf99efad0879500b56854b43265c09a"
}
}
},
"attestationMeta": {
"statementId": "att-vuln-trivy-app-service-7d9c",
"createdAt": "2025-11-21T09:01:05Z",
"signer": {
"name": "ci/trivy-signer",
"keyId": "SHA256:ae12c8d1..."
}
}
}
]
}