stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat(zastava): add evidence locker plan and schema examples

Browse Source 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
This commit is contained in:
StellaOps Bot
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/modules/zastava/kit/README.md
View File

@@ -10,3 +10,8 @@ Contents to include when built:
Deterministic packaging: `tar --mtime @0 --owner 0 --group 0 --numeric-owner -cf - kit | zstd -19 --long=27 --no-progress > zastava-kit.tzst`.
Pending: fill with signed artefacts and Evidence Locker URIs after DSSE signing.
Planned Evidence Locker paths (post-signing):
- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst` + `SHA256SUMS`

14
docs/modules/zastava/kit/verify.sh
View File

@@ -8,7 +8,17 @@ if ! command -v sha256sum >/dev/null; then
fi
sha256sum --check SHA256SUMS
# TODO: add DSSE verification once signatures are available; placeholder below
# cosign verify-blob --key cosign.pub --signature observer_event.schema.json.sig observer_event.schema.json
if command -v cosign >/dev/null && [ -f cosign.pub ]; then
echo "cosign present; DSSE verification placeholders (update paths when signed):"
echo "- observer_event.schema.dsse"
echo "- webhook_admission.schema.dsse"
echo "- thresholds.dsse"
# Example commands (uncomment once DSSE files exist):
# cosign verify-blob --key cosign.pub --signature observer_event.schema.dsse schemas/observer_event.schema.json
# cosign verify-blob --key cosign.pub --signature webhook_admission.schema.dsse schemas/webhook_admission.schema.json
# cosign verify-blob --key cosign.pub --signature thresholds.dsse thresholds.yaml
else
echo "cosign not found or cosign.pub missing; skipped DSSE verification"
fi
echo "OK: hashes verified (DSSE verification pending)"