up

2025-11-27 23:44:42 +02:00
parent ef6e4b2067
commit 3b96b2e3ea
298 changed files with 47516 additions and 1168 deletions
--- a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs
+++ b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs
@@ -18,6 +18,7 @@ using StellaOps.Scanner.Sbomer.BuildXPlugin.Descriptor;
 using StellaOps.Scanner.Sbomer.BuildXPlugin.Manifest;
 using StellaOps.Scanner.Sbomer.BuildXPlugin.Surface;
 using StellaOps.Scanner.Surface.Env;
+using StellaOps.Scanner.Surface.Secrets;

 namespace StellaOps.Scanner.Sbomer.BuildXPlugin;

@@ -219,7 +220,9 @@ internal static class Program
        var sbomName = GetOption(args, "--sbom-name") ?? Path.GetFileName(sbomPath);

        var attestorUriText = GetOption(args, "--attestor") ?? Environment.GetEnvironmentVariable("STELLAOPS_ATTESTOR_URL");
-        var attestorToken = GetOption(args, "--attestor-token") ?? Environment.GetEnvironmentVariable("STELLAOPS_ATTESTOR_TOKEN");
+        var attestorToken = GetOption(args, "--attestor-token")
+            ?? Environment.GetEnvironmentVariable("STELLAOPS_ATTESTOR_TOKEN")
+            ?? TryResolveAttestationToken(); // Fallback to Surface.Secrets
        var attestorInsecure = GetFlag(args, "--attestor-insecure")
            || string.Equals(Environment.GetEnvironmentVariable("STELLAOPS_ATTESTOR_INSECURE"), "true", StringComparison.OrdinalIgnoreCase);
        Uri? attestorUri = null;
@@ -382,9 +385,7 @@ internal static class Program
            var services = new ServiceCollection();
            services.AddSingleton<IConfiguration>(configuration);
            services.AddLogging();
-
-            using var provider = services.BuildServiceProvider();
-            var env = SurfaceEnvironmentFactory.Create(provider, options =>
+            services.AddSurfaceEnvironment(options =>
            {
                options.ComponentName = "Scanner.BuildXPlugin";
                options.AddPrefix("SCANNER");
@@ -392,7 +393,10 @@ internal static class Program
                options.RequireSurfaceEndpoint = false;
            });

-            return env.Settings;
+            using var provider = services.BuildServiceProvider();
+            var env = provider.GetService<ISurfaceEnvironment>();
+
+            return env?.Settings;
        }
        catch
        {
@@ -401,6 +405,59 @@ internal static class Program
        }
    }

+    private static string? TryResolveAttestationToken()
+    {
+        try
+        {
+            var configuration = new ConfigurationBuilder()
+                .AddEnvironmentVariables()
+                .Build();
+
+            var services = new ServiceCollection();
+            services.AddSingleton<IConfiguration>(configuration);
+            services.AddLogging();
+            services.AddSurfaceEnvironment(options =>
+            {
+                options.ComponentName = "Scanner.BuildXPlugin";
+                options.AddPrefix("SCANNER");
+                options.AddPrefix("SURFACE");
+                options.RequireSurfaceEndpoint = false;
+            });
+            services.AddSurfaceSecrets(options =>
+            {
+                options.ComponentName = "Scanner.BuildXPlugin";
+                options.EnableCaching = true;
+                options.EnableAuditLogging = false; // No need for audit in CLI tool
+            });
+
+            using var provider = services.BuildServiceProvider();
+            var secretProvider = provider.GetService<ISurfaceSecretProvider>();
+            var env = provider.GetService<ISurfaceEnvironment>();
+
+            if (secretProvider is null || env is null)
+            {
+                return null;
+            }
+
+            var tenant = env.Settings.Secrets.Tenant;
+            var request = new SurfaceSecretRequest(
+                Tenant: tenant,
+                Component: "Scanner.BuildXPlugin",
+                SecretType: "attestation");
+
+            using var handle = secretProvider.GetAsync(request).AsTask().GetAwaiter().GetResult();
+            var secret = AttestationSecret.Parse(handle);
+
+            // Return the API key or token for attestor authentication
+            return secret.RekorApiKey;
+        }
+        catch
+        {
+            // Silent fallback - secrets not available via Surface.Secrets
+            return null;
+        }
+    }
+
    private static string? GetOption(string[] args, string optionName)
    {
        for (var i = 0; i < args.Length; i++)