Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
StellaOps Bot
2025-12-04 08:54:32 +02:00
parent e1262eb916
commit 4dc7cf834a
76 changed files with 3051 additions and 355 deletions


@@ -0,0 +1,254 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.io/schemas/export-center/export-manifest.schema.json",
"title": "StellaOps Export Manifest",
"description": "Schema for run manifests, attestations, integrity headers, and quota/backpressure metadata (EC2EC9).",
"type": "object",
"required": [
"schema",
"version",
"exportId",
"profile",
"tenant",
"selectors",
"generatedAt",
"contents"
],
"properties": {
"schema": { "type": "string", "const": "https://stellaops.io/export-center/manifest/v1alpha2" },
"version": { "type": "string", "pattern": "^1\\.1\\.[0-9]+$" },
"exportId": { "type": "string", "pattern": "^[a-z0-9-]{6,64}$" },
"runId": { "type": "string", "pattern": "^[a-z0-9-]{6,64}$" },
"profile": {
"type": "object",
"required": ["kind", "variant", "name"],
"properties": {
"kind": { "type": "string", "enum": ["json", "trivy", "mirror", "devportal", "attestation"] },
"variant": {
"type": "string",
"enum": ["raw", "policy", "db", "java-db", "full", "delta", "offline", "bundle"]
},
"name": { "type": "string", "pattern": "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$" },
"revision": { "type": "string", "pattern": "^r[0-9]+$" }
},
"additionalProperties": false
},
"tenant": { "type": "string", "pattern": "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$" },
"selectors": { "$ref": "#/$defs/selectors" },
"generatedAt": { "type": "string", "format": "date-time" },
"rerunHash": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
"contents": {
"type": "array",
"items": {
"type": "object",
"required": ["path", "digest", "bytes"],
"properties": {
"path": { "type": "string", "pattern": "^[A-Za-z0-9._/-]+$" },
"digest": { "$ref": "#/$defs/digest" },
"bytes": { "type": "integer", "minimum": 0 },
"records": { "type": "integer", "minimum": 0 },
"contentType": { "type": "string" }
},
"additionalProperties": false
}
},
"delta": {
"type": "object",
"required": ["baseExportId", "baseManifestDigest", "tombstones"],
"properties": {
"baseExportId": { "type": "string", "pattern": "^[a-z0-9-]{6,64}$" },
"baseManifestDigest": { "$ref": "#/$defs/digest" },
"tombstones": {
"type": "array",
"items": { "type": "string", "pattern": "^[A-Za-z0-9._/-]+$" }
},
"added": {
"type": "array",
"items": { "type": "string", "pattern": "^[A-Za-z0-9._/-]+$" }
},
"removed": {
"type": "array",
"items": { "type": "string", "pattern": "^[A-Za-z0-9._/-]+$" }
}
},
"additionalProperties": false
},
"integrity": {
"type": "object",
"required": ["httpHeaders", "oci"],
"properties": {
"httpHeaders": {
"type": "object",
"required": ["Digest", "X-Stella-Signature"],
"properties": {
"Digest": { "type": "string", "pattern": "^sha-256=[A-Za-z0-9+/=]+$" },
"X-Stella-Signature": { "type": "string" },
"X-Stella-Immutability": { "type": "string" }
},
"additionalProperties": false
},
"oci": {
"type": "object",
"required": ["annotations"],
"properties": {
"annotations": {
"type": "object",
"required": [
"io.stellaops.export.profile",
"io.stellaops.export.run",
"io.stellaops.export.manifest-digest",
"io.stellaops.export.provenance-ref"
],
"properties": {
"io.stellaops.export.profile": { "type": "string" },
"io.stellaops.export.run": { "type": "string" },
"io.stellaops.export.manifest-digest": { "$ref": "#/$defs/digest" },
"io.stellaops.export.provenance-ref": { "type": "string" },
"org.opencontainers.image.ref.name": { "type": "string" }
}
}
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"attestations": {
"type": "object",
"required": ["provenanceRef", "dsseEnvelope", "slsaLevel", "log"],
"properties": {
"provenanceRef": { "type": "string" },
"dsseEnvelope": { "type": "string" },
"slsaLevel": { "type": "string" },
"log": {
"type": "object",
"required": ["kind", "logId", "logIndex", "entryDigest", "timestamp"],
"properties": {
"kind": { "type": "string", "enum": ["hashedrekord", "rekor"] },
"logId": { "type": "string" },
"logIndex": { "type": "integer", "minimum": 0 },
"entryDigest": { "$ref": "#/$defs/digest" },
"timestamp": { "type": "string", "format": "date-time" }
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"distribution": {
"type": "object",
"properties": {
"http": {
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"retentionDays": { "type": "integer", "minimum": 1, "maximum": 3650 },
"etag": { "type": "string" },
"rangeRequests": { "type": "boolean" }
},
"additionalProperties": false
},
"oci": {
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"reference": { "type": "string" }
},
"additionalProperties": false
},
"object": {
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"bucket": { "type": "string" },
"prefix": { "type": "string" }
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"encryption": {
"type": "object",
"properties": {
"mode": { "type": "string", "enum": ["age", "aes-gcm"] },
"recipients": {
"type": "array",
"items": {
"type": "object",
"required": ["keyId", "fingerprint"],
"properties": {
"keyId": { "type": "string" },
"fingerprint": { "type": "string" },
"wrappedKey": { "type": "string" }
},
"additionalProperties": false
}
},
"strict": { "type": "boolean" }
},
"additionalProperties": false
},
"approval": {
"type": "object",
"properties": {
"required": { "type": "boolean" },
"reason": { "type": "string" },
"approvedBy": { "type": "string" },
"ticket": { "type": "string" }
},
"additionalProperties": false
},
"quotas": {
"type": "object",
"properties": {
"maxActiveRuns": { "type": "integer", "minimum": 1, "maximum": 32 },
"maxQueuedRuns": { "type": "integer", "minimum": 1, "maximum": 512 },
"backpressureMode": {
"type": "string",
"enum": ["reject", "defer", "throttle"]
},
"cpuThrottlePercent": { "type": "integer", "minimum": 1, "maximum": 100 }
},
"additionalProperties": false
}
},
"additionalProperties": false,
"$defs": {
"digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
"selectors": {
"type": "object",
"properties": {
"tenants": {
"type": "array",
"items": { "type": "string", "pattern": "^[a-z0-9*.-]+$" },
"uniqueItems": true
},
"products": {
"type": "array",
"items": { "type": "string", "pattern": "^pkg:[A-Za-z0-9.+\\-_/:@*]+$" }
},
"timeWindow": {
"oneOf": [
{ "type": "string", "pattern": "^[0-9]+d$" },
{ "type": "string", "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}/[0-9]{4}-[0-9]{2}-[0-9]{2}$" }
]
},
"severities": {
"type": "array",
"items": { "type": "string", "enum": ["critical", "high", "medium", "low", "info"] },
"uniqueItems": true
},
"ecosystems": {
"type": "array",
"items": {
"type": "string",
"enum": ["npm", "maven", "pypi", "nuget", "go", "cargo", "rpm", "deb", "apk", "java"]
},
"uniqueItems": true
}
},
"additionalProperties": false
}
}
}
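Review bot: The `Digest` integrity header at `"Digest": { "type": "string", "pattern": "^sha-256=[A-Za-z0-9+/=]+$" }` accepts a base64-looking string of any length, so a truncated or malformed SHA-256 value passes validation while `rerunHash` and `$defs/digest` are pinned to exactly 64 hex characters; a 32-byte digest in standard base64 is always 43 characters plus one pad, so `"pattern": "^sha-256=[A-Za-z0-9+/]{43}=$"` would give the header the same strictness. The `integrity.oci.annotations` object is also the only object in this schema without `"additionalProperties": false`; if open annotations are intended, a `"description"` saying so would keep the omission from reading as an oversight. Note too that `"format": "date-time"` on `generatedAt` and `log.timestamp` is annotation-only under draft 2020-12 unless the validator enables format assertion, so consumers relying on the schema alone should not assume those timestamps are checked.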


@@ -0,0 +1,206 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.io/schemas/export-center/export-profile.schema.json",
"title": "StellaOps ExportProfile",
"description": "Canonical schema for Export Center profile definitions with selector and approval guardrails (EC1, EC4, EC9).",
"type": "object",
"required": ["apiVersion", "kind", "metadata", "spec"],
"properties": {
"apiVersion": {
"type": "string",
"const": "stellaops.io/export.v1"
},
"kind": {
"type": "string",
"const": "ExportProfile"
},
"metadata": {
"type": "object",
"required": ["name", "tenant"],
"properties": {
"name": {
"type": "string",
"minLength": 3,
"maxLength": 64,
"pattern": "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$"
},
"tenant": {
"type": "string",
"pattern": "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$"
},
"revision": {
"type": "string",
"pattern": "^r[0-9]+$"
},
"labels": {
"type": "object",
"additionalProperties": {
"type": "string",
"maxLength": 128
}
}
},
"additionalProperties": false
},
"spec": {
"type": "object",
"required": ["kind", "variant", "distribution"],
"properties": {
"kind": {
"type": "string",
"enum": ["json", "trivy", "mirror", "devportal", "attestation"]
},
"variant": {
"type": "string",
"enum": [
"raw",
"policy",
"db",
"java-db",
"full",
"delta",
"offline",
"bundle"
]
},
"distribution": {
"type": "array",
"items": {
"type": "string",
"enum": ["http", "oci", "object"]
},
"uniqueItems": true,
"minItems": 1
},
"compression": {
"type": "object",
"properties": {
"codec": {
"type": "string",
"enum": ["zstd", "gzip", "none"]
},
"level": {
"type": "integer",
"minimum": 1,
"maximum": 22
}
},
"additionalProperties": false
},
"encryption": {
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"mode": { "type": "string", "enum": ["age", "aes-gcm"] },
"recipientKeys": {
"type": "array",
"items": {
"type": "string",
"pattern": "^(age1|kms://)"
}
},
"strict": { "type": "boolean" }
},
"additionalProperties": false
},
"retention": {
"type": "object",
"properties": {
"mode": { "type": "string", "enum": ["days", "never"] },
"value": { "type": "integer", "minimum": 1, "maximum": 3650 }
},
"additionalProperties": false
},
"limits": {
"type": "object",
"properties": {
"maxActiveRuns": { "type": "integer", "minimum": 1, "maximum": 32 },
"maxQueuedRuns": { "type": "integer", "minimum": 1, "maximum": 512 },
"backpressureMode": {
"type": "string",
"enum": ["reject", "defer", "throttle"]
}
},
"additionalProperties": false
},
"selectors": { "$ref": "#/$defs/selectors" },
"approval": {
"type": "object",
"properties": {
"required": { "type": "boolean" },
"reason": { "type": "string", "maxLength": 256 },
"ticket": { "type": "string", "maxLength": 64 },
"approver": { "type": "string", "maxLength": 64 }
},
"additionalProperties": false
},
"schemaVersion": {
"type": "string",
"enum": ["1.1.0"],
"default": "1.1.0"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"$defs": {
"selectors": {
"type": "object",
"properties": {
"tenants": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[a-z0-9*.-]+$"
},
"uniqueItems": true
},
"products": {
"type": "array",
"items": {
"type": "string",
"pattern": "^pkg:[A-Za-z0-9.+\\-_/:@*]+$"
}
},
"ecosystems": {
"type": "array",
"items": {
"type": "string",
"enum": [
"npm",
"maven",
"pypi",
"nuget",
"go",
"cargo",
"rpm",
"deb",
"apk",
"java"
]
},
"uniqueItems": true
},
"timeWindow": {
"oneOf": [
{ "type": "string", "pattern": "^[0-9]+d$" },
{
"type": "string",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}/[0-9]{4}-[0-9]{2}-[0-9]{2}$"
}
]
},
"severities": {
"type": "array",
"items": {
"type": "string",
"enum": ["critical", "high", "medium", "low", "info"]
},
"uniqueItems": true
}
},
"additionalProperties": false
}
}
}
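Review bot: `encryption.enabled` can be `true` while `mode` and `recipientKeys` are absent, because nothing in the `encryption` object ties the flag to the other fields and `recipientKeys` has no `minItems`, so a profile that enables encryption with no recipients validates cleanly. Adding `"if": { "properties": { "enabled": { "const": true } }, "required": ["enabled"] }, "then": { "required": ["mode", "recipientKeys"] }` beside `"additionalProperties": false`, plus `"minItems": 1` on `recipientKeys`, closes that gap; the same shape applies to `approval.required` versus `approver`/`ticket`. The approver field is spelled `approver` here but `approvedBy` in the export-manifest schema added in the same commit; if the manifest is derived from the profile, one name should be settled before both are consumed. `schemaVersion`'s `"default"` is likewise annotation-only and will not be applied by a validator.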