feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
This commit is contained in:
StellaOps Bot
107
deploy/compose/env/prod.env.example
vendored
107
deploy/compose/env/prod.env.example
vendored
@@ -1,49 +1,96 @@
|
||||
# Substitutions for docker-compose.prod.yaml
|
||||
# ⚠️ Replace all placeholder secrets with values sourced from your secret manager.
|
||||
MONGO_INITDB_ROOT_USERNAME=stellaops-prod
|
||||
MONGO_INITDB_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
|
||||
MINIO_ROOT_USER=stellaops-prod
|
||||
MINIO_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
|
||||
# Expose the MinIO console only to trusted operator networks.
|
||||
MINIO_CONSOLE_PORT=39001
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
|
||||
AUTHORITY_PORT=8440
|
||||
SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
|
||||
# Substitutions for docker-compose.prod.yaml
|
||||
# WARNING: Replace all placeholder secrets with values sourced from your secret manager.
|
||||
|
||||
# PostgreSQL Database
|
||||
POSTGRES_USER=stellaops-prod
|
||||
POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
|
||||
POSTGRES_DB=stellaops_platform
|
||||
POSTGRES_PORT=5432
|
||||
|
||||
# Valkey (Redis-compatible cache and messaging)
|
||||
VALKEY_PORT=6379
|
||||
|
||||
# RustFS Object Storage
|
||||
RUSTFS_HTTP_PORT=8080
|
||||
|
||||
# Authority (OAuth2/OIDC)
|
||||
AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
|
||||
AUTHORITY_PORT=8440
|
||||
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
|
||||
|
||||
# Signer
|
||||
SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
|
||||
SIGNER_PORT=8441
|
||||
|
||||
# Attestor
|
||||
ATTESTOR_PORT=8442
|
||||
# Secrets for Issuer Directory are provided via issuer-directory.mongo.env (see etc/secrets/issuer-directory.mongo.secret.example).
|
||||
|
||||
# Issuer Directory
|
||||
ISSUER_DIRECTORY_PORT=8447
|
||||
ISSUER_DIRECTORY_MONGO_CONNECTION_STRING=mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017
|
||||
ISSUER_DIRECTORY_SEED_CSAF=true
|
||||
|
||||
# Concelier
|
||||
CONCELIER_PORT=8445
|
||||
SCANNER_WEB_PORT=8444
|
||||
UI_PORT=8443
|
||||
NATS_CLIENT_PORT=4222
|
||||
SCANNER_QUEUE_BROKER=nats://nats:4222
|
||||
# `true` enables signed scanner events for Notify ingestion.
|
||||
SCANNER_EVENTS_ENABLED=true
|
||||
SCANNER_EVENTS_DRIVER=redis
|
||||
# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
|
||||
SCANNER_EVENTS_DSN=
|
||||
|
||||
# Scanner
|
||||
SCANNER_WEB_PORT=8444
|
||||
SCANNER_QUEUE_BROKER=valkey://valkey:6379
|
||||
# `true` enables signed scanner events for Notify ingestion.
|
||||
SCANNER_EVENTS_ENABLED=true
|
||||
SCANNER_EVENTS_DRIVER=valkey
|
||||
SCANNER_EVENTS_DSN=
|
||||
SCANNER_EVENTS_STREAM=stella.events
|
||||
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
||||
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
||||
|
||||
# Surface.Env configuration
|
||||
SCANNER_SURFACE_FS_ENDPOINT=https://surfacefs.prod.stella-ops.org/api/v1
|
||||
SCANNER_SURFACE_FS_BUCKET=surface-cache
|
||||
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
||||
SCANNER_SURFACE_CACHE_QUOTA_MB=4096
|
||||
SCANNER_SURFACE_PREFETCH_ENABLED=false
|
||||
SCANNER_SURFACE_TENANT=default
|
||||
SCANNER_SURFACE_FEATURES=
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
|
||||
SCANNER_SURFACE_SECRETS_NAMESPACE=
|
||||
SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
|
||||
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
|
||||
SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
|
||||
SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
|
||||
|
||||
# Offline Kit configuration
|
||||
SCANNER_OFFLINEKIT_ENABLED=false
|
||||
SCANNER_OFFLINEKIT_REQUIREDSSE=true
|
||||
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
|
||||
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
|
||||
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
|
||||
|
||||
# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
|
||||
ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
|
||||
ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
|
||||
SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
|
||||
SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
|
||||
SCHEDULER_QUEUE_KIND=Nats
|
||||
SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
|
||||
SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
|
||||
|
||||
# Scheduler
|
||||
SCHEDULER_QUEUE_KIND=Valkey
|
||||
SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
|
||||
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
||||
|
||||
# Notify
|
||||
NOTIFY_WEB_PORT=8446
|
||||
|
||||
# Advisory AI
|
||||
ADVISORY_AI_WEB_PORT=8448
|
||||
ADVISORY_AI_SBOM_BASEADDRESS=https://scanner-web:8444
|
||||
ADVISORY_AI_INFERENCE_MODE=Local
|
||||
ADVISORY_AI_REMOTE_BASEADDRESS=
|
||||
ADVISORY_AI_REMOTE_APIKEY=
|
||||
# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
|
||||
FRONTDOOR_NETWORK=stellaops_frontdoor
|
||||
|
||||
# Web UI
|
||||
UI_PORT=8443
|
||||
|
||||
# NATS
|
||||
NATS_CLIENT_PORT=4222
|
||||
|
||||
# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
|
||||
FRONTDOOR_NETWORK=stellaops_frontdoor
|
||||
|
||||
Reference in New Issue
Block a user