Add initial documentation

2025-07-20 21:38:21 +03:00
parent 8ba0a0ba6d
commit 42d9d2d860
24 changed files with 4447 additions and 0 deletions


@ -0,0 +1,245 @@
#22 · PipelineRecipes Library— **StellaOps**
#Recipes & Pipeline Library
> *Readytocopy snippets for CI/CD engines, local shells, and K8s jobs.*
> Each recipe honours the **sub5s pledge**: SBOMfirst when possible, ΔSBOM when layers are cached, and imageunpack only as a fallback.
---
##0RegistryPrimer
All agent images and helper tools are published to a **private, anonymous registry**
```
registry.git.stella-ops.ru
```
* **Pulls are readonly & unauthenticated.**
* Cosign signatures are embedded (`*.sig`) and verified at runtime when the host has `cosign` installed.
* To mirror for airgapped OUK installs, export with:
```
oras pull registry.git.stella-ops.ru/library/santech:1.0 --output ./ouk-bundle
```
---
##1Shell Quickstarts
###1.1Scan a Local Image (SBOMfirst)
```bash
# Free tier: 333 scans/day without large delay added
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
https://stella.local/registry/santech:1.0 \
scan \
--image python:3.12-slim \
--endpoint https://stella.local \
--sbom-type spdx-json \
--threshold High
```
* `--sbom-type` enumerates **`trivy-json-v2 | spdx-json | cyclonedx-json`**; defaults to autodetect when omitted.
* Exitcode maps to policy (nonzero if blocked).
###1.2Delta SBOM Path
```bash
# Free tier: 333 scans/day without large delay added
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-e STELLA_DELTA=1 \
https://stella.local/registry/santech:1.0 \
scan \
--image myapp:latest \
--delta \
--endpoint https://stella.local
```
`--delta` triggers the `/layers/missing` fast check; observed P951s on cached bases.
---
##2GitHub Actions
```yaml
# .github/workflows/stella-scan.yml
name: Stella Scan
on:
push:
branches: [main]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build Image
run: docker build -t ${{ github.repository }}:${{ github.sha }} .
- name: Scan with StellaOps (ΔSBOM + YAML policies)
run: |
# Free tier: 333 scans/day without large delay added
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $GITHUB_WORKSPACE/policy:/policy:ro \
https://stella.local/registry/santech:1.0 \
scan \
--image ${{ github.repository }}:${{ github.sha }} \
--delta \
--policy-file /policy/scan-policy.yaml \
--endpoint ${{ secrets.STELLA_API }}
```
*Stores SARIF to `$RUNNER_TEMP/stella-report.sarif`; upload via `actions/upload-artifact` if desired.*
---
##3GitLab CI
```yaml
stella_scan:
image:
name: ttps://stella.local/registry/santech:1.0
entrypoint: [""]
stage: test
variables:
STELLA_ENDPOINT: "https://stella.local/api"
script:
- docker build -t myapp:$CI_COMMIT_SHORT_SHA .
- >
# Free tier: 333 scans/day without large delay added
./santech scan
--image myapp:$CI_COMMIT_SHORT_SHA
--sbom-type cyclonedx-json
--threshold Critical
--endpoint $STELLA_ENDPOINT
allow_failure: false
artifacts:
when: always
paths:
- stella-report.html
```
*`allow_failure:false` enforces gate by failing the stage on Critical findings.*
---
##4Tekton Pipelines (K8s)
```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: stella-scan
spec:
workspaces:
- name: dockerconfig
steps:
- name: scan
image: https://stella.local/registry/santech:1.0
script: |
#!/usr/bin/env sh
# Free tier: 333 scans/day without large delay added
santech scan \
--image $(params.image) \
--delta \
--threshold High \
--endpoint $(params.endpoint)
```
---
##5Policy Import / Export
###5.1Import YAML Policy via CLI
```bash
curl -X POST https://stella.local/api/v1/policy/import \
-H "Authorization: Bearer $TOKEN" \
-F "file=@scan-policy.yaml"
```
###5.2Export & Commit to Git
```bash
curl -s -H "Authorization: Bearer $TOKEN" \
https://stella.local/api/v1/policy/export \
> policy-backup-$(date +%F).yaml
git add policy-backup-*.yaml && git commit -m "Policy snapshot"
```
---
##6Offline OUK Example
Inside an **airgapped** cluster:
1. Run `ouk-fetch.sh` from the admin node.
2. Load images into the internal registry:
```bash
ctr -n k8s.io images import ./ouk-bundle/*.tar
```
3. Use the same pipeline snippets; DNS points to `registry.git.stella-ops.ru` via local CoreDNS override.
---
##7VariantD Enforce Gate in Prod
```bash
# Free tier: 333 scans/day without large delay added
santech scan \
--image registry.prod.corp/app:${TAG} \
--delta \
--policy-file prod.rego \
--enforce \
--endpoint https://stella.prod \
|| { echo "Security gate blocked release!"; exit 1; }
```
*`--enforce` turns warnings into nonzero exit codes.*
---
##8CheatSheet (CLI Flags)
| Flag / Env | Meaning | Default |
|----------------------------|---------------------------------------------------|---------|
| `--sbom-type` | Force SBOM output format (`trivyjson-v2` …) | *Auto* |
| `--delta` `STELLA_DELTA=1` | Enable layer diff / `/layers/missing` fast path. | Off |
| `--policy-file` | Import YAML/Rego before scan. | None |
| `--threshold` | Fails scan if sev ≥ threshold. | High |
| `--enforce` | Exit nonzero on policy block. | Off |
| `--endpoint` | API base URL. | `http://localhost:8080` |
| `--insecure` | Skip TLS verify (test only!). | Off |
---
##9FAQ
**Q  I need Syft+SPDX, what changes?**
A Set `--sbom-type spdx-json`; Trivy is bypassed and the scanner plugin selects Syft.
**Q  Can I run Santech as rootless?**
A Yes; mount the hosts Docker socket via `--userns=keep-id` or use `--context host` with nerdctl.
**Q  Does ΔSBOM work for multiarch manifests?**
A Today it only checks `linux/amd64` layers; roadmap item *Q12026* widens support.
---
##10Change Log
| Date | Note |
|------------|--------------------------------------------------------------|
| 20250714 | Added internal registry, ΔSBOM, multiformat & policy flows |
| 20250712 | Initial public recipe set (GitHub, GitLab, Tekton, shell). |
---
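Review bot: the image references in sections 1, 2, 3 and 4 (`https://stella.local/registry/santech:1.0`, and `ttps://stella.local/registry/santech:1.0` in the GitLab `image.name`) are not valid OCI image references, since an image name carries no URL scheme, so `docker run`, the GitLab runner and Tekton will all fail to pull them; they also contradict the registry primer in section 0, which states that every agent image is published to `registry.git.stella-ops.ru`. Suggest using one consistent reference throughout, e.g. `registry.git.stella-ops.ru/library/santech:1.0`, which is already the path used by the `oras pull` mirror command. Several smaller defects are worth fixing in the same pass: the GitLab job runs `docker build` and `./santech scan` inside the scanner image with no docker daemon or DinD service declared, while the Tekton step calls the binary as `santech` and reads `$(params.image)` and `$(params.endpoint)` without a `params:` block in the Task `spec`; the FAQ answer to "Can I run Santech as rootless?" tells the reader to mount the host's Docker socket, which gives the container root-equivalent control of the host and is the opposite of rootless (`--userns=keep-id` is a podman option, not a docker one); section 6 imports `./ouk-bundle/*.tar` with `ctr images import`, but the `oras pull` command in section 0 writes artifact files to that directory rather than a docker or OCI tar archive, so the two steps do not connect; and the cheat sheet defaults `--endpoint` to plaintext `http://localhost:8080` while every recipe uses HTTPS, so either change the default or state the risk next to `--insecure`. The `sub5s` pledge, the `P951s` figure and the repeated "Free tier: 333 scans/day" comment cite no benchmark or pricing page; either link the source or drop the numbers.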