save checkpoint: save features

2026-02-12 10:27:23 +02:00
parent dca86e1248
commit 5bca406787
8837 changed files with 1796879 additions and 5294 deletions
--- a/docs/features/checked/scanner/ai-governance-policy-loader-for-ml-bom-scanning.md
+++ b/docs/features/checked/scanner/ai-governance-policy-loader-for-ml-bom-scanning.md
@@ -0,0 +1,31 @@
+# AI Governance Policy Loader for ML-BOM Scanning
+
+## Module
+Scanner
+
+## Status
+IMPLEMENTED
+
+## Description
+Configurable AI governance policies for scanner-level enforcement of model card requirements, training data lineage thresholds, and EU AI Act compliance categories during SBOM analysis.
+
+## Implementation Details
+- **Policy Loader**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicyLoader.cs` - Loads and validates AI governance policy configurations
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicy.cs` - Policy model defining model card requirements, training data lineage thresholds, and EU AI Act compliance categories
+- **Enforcement Analyzers**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardCompletenessAnalyzer.cs` - Enforces model card completeness requirements from policy
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardScoring.cs` - Scores model cards against policy thresholds
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/TrainingDataProvenanceAnalyzer.cs` - Validates training data lineage against policy thresholds
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiSafetyRiskAnalyzer.cs` - EU AI Act risk classification
+- **Worker Integration**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/AiMlSecurity/AiMlSecurityStageExecutor.cs` - Stage executor that loads governance policy and runs analyzers during scan
+- **Models**: `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Models/AiMlSecurityModels.cs`
+
+## E2E Test Plan
+- [ ] Configure an AI governance policy with specific model card requirements (e.g., require description, intended use, limitations fields)
+- [ ] Scan an image containing an ML model with incomplete model card metadata
+- [ ] Verify the scan produces findings for missing model card fields per policy
+- [ ] Configure training data lineage threshold and verify scan flags models below threshold
+- [ ] Configure EU AI Act compliance category and verify classification is applied to findings
+- [ ] Verify policy changes are picked up on subsequent scans without service restart
--- a/docs/features/checked/scanner/ai-ml-supply-chain-security-analysis-module.md
+++ b/docs/features/checked/scanner/ai-ml-supply-chain-security-analysis-module.md
@@ -0,0 +1,50 @@
+# AI/ML Supply Chain Security Analysis Module
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Dedicated scanner module for AI/ML supply chain security including EU AI Act risk classification, model card completeness analysis, training data provenance verification, bias/fairness analysis, and AI governance policy enforcement. Distinct from the existing "AI Authority Classification Engine" which focuses on VEX/advisory AI classification, not ML-BOM supply chain scanning.
+
+## Implementation Details
+- **Core Analyzer**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/AiMlSecurityAnalyzer.cs` - `IAiMlSecurityAnalyzer` / `AiMlSecurityAnalyzer` orchestrates all AI/ML security checks
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/AiMlSecurityServiceCollectionExtensions.cs` - DI registration
+- **Analysis Context & Results**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiMlSecurityContext.cs` - `AiMlSecurityContext` input model
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiMlSecurityResult.cs` - `AiMlSecurityResult`, `IAiMlSecurityCheck` interface for pluggable checks
+- **Individual Analyzers** (each implements `IAiMlSecurityCheck`):
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiSafetyRiskAnalyzer.cs` - EU AI Act risk classification
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardCompletenessAnalyzer.cs` - Model card completeness scoring
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardScoring.cs` - Scoring logic for model card fields
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/TrainingDataProvenanceAnalyzer.cs` - Training data lineage verification
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/BiasFairnessAnalyzer.cs` - Bias and fairness analysis
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelBinaryAnalyzer.cs` - Model binary format analysis
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelProvenanceVerifier.cs` - Model provenance verification
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiModelInventoryGenerator.cs` - Generates inventory of discovered AI/ML models
+- **Governance Policy**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicyLoader.cs` - Policy configuration loader
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicy.cs` - Policy model
+- **Reporting**: `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Reporting/AiMlSecurityReportFormatter.cs`
+- **Models**: `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Models/AiMlSecurityModels.cs`
+- **Worker Stage**: `src/Scanner/StellaOps.Scanner.Worker/Processing/AiMlSecurity/AiMlSecurityStageExecutor.cs`
+
+## E2E Test Plan
+- [ ] Scan a container image containing ML model artifacts (e.g., ONNX, TensorFlow SavedModel, PyTorch)
+- [ ] Verify `AiModelInventoryGenerator` discovers and lists all ML models in the scan results
+- [ ] Verify `ModelCardCompletenessAnalyzer` produces findings for models with missing/incomplete model cards
+- [ ] Verify `AiSafetyRiskAnalyzer` assigns EU AI Act risk classification (unacceptable, high, limited, minimal)
+- [ ] Verify `TrainingDataProvenanceAnalyzer` flags models without verifiable training data lineage
+- [ ] Verify `BiasFairnessAnalyzer` produces bias/fairness findings where applicable
+- [ ] Verify `ModelBinaryAnalyzer` identifies model format and potential binary-level issues
+- [ ] Verify all findings appear in the unified scan report and SARIF export
+
+## Verification
+- Run ID: run-001
+- Verified at (UTC): 2026-02-12T06:54:23.1292623Z
+- FLOW tiers: Tier 0 source verification, Tier 1 build/test/code review, Tier 2 integration verification.
+
+
--- a/docs/features/checked/scanner/api-gateway-boundary-extractor.md
+++ b/docs/features/checked/scanner/api-gateway-boundary-extractor.md
@@ -0,0 +1,37 @@
+# API Gateway Boundary Extractor (Kong, Envoy/Istio, AWS API Gateway, Traefik)
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Parses API gateway configurations from Kong, Envoy/Istio, AWS API Gateway, and Traefik to extract route-level boundary information for reachability analysis. Determines which internal services are exposed through gateway routes.
+
+## Implementation Details
+- **Core Extractor**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` - `GatewayBoundaryExtractor` implements `IBoundaryProofExtractor`; parses Kong, Envoy/Istio, AWS API Gateway, and Traefik configurations
+  - Includes gateway-specific auth detection: `DetectKongAuth()`, `DetectEnvoyAuth()` (including Istio JWT/AuthorizationPolicy), `DetectTraefikAuth()`
+  - Identifies Istio mesh internal routes and external ingress routes
+- **Supporting Infrastructure**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` - Infrastructure-as-code boundary extraction
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs` - DI registration for boundary extractors
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs` - Context model for boundary extraction
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` - Integrates boundary data into rich graphs
+- **Tests**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/GatewayBoundaryExtractorTests.cs`
+
+## E2E Test Plan
+- [ ] Provide a Kong configuration file with routes exposing internal services and verify extracted boundary information includes route paths, upstream services, and auth requirements
+- [ ] Provide an Envoy/Istio configuration with VirtualService and AuthorizationPolicy and verify correct route-to-service mappings and auth detection
+- [ ] Provide an AWS API Gateway configuration and verify correct extraction of REST/HTTP API routes with Lambda/ECS integrations
+- [ ] Provide a Traefik configuration with middleware auth and verify correct route extraction with authentication metadata
+- [ ] Verify extracted boundaries are reflected in the reachability rich graph via `GET /api/v1/scans/{scanId}/reachability`
+- [ ] Verify that gated gateway routes (auth-required) reduce reachability risk scores compared to ungated routes
+
+## Verification
+- Run ID: run-001
+- Verified at (UTC): 2026-02-12T06:59:12.7973839Z
+- FLOW tiers: Tier 0 source verification, Tier 1 build/test/code review, Tier 2 integration verification.
+
--- a/docs/features/checked/scanner/auto-vex-generation-from-smart-diff.md
+++ b/docs/features/checked/scanner/auto-vex-generation-from-smart-diff.md
@@ -0,0 +1,42 @@
+# Auto-VEX Generation from Smart-Diff
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+VEX candidate emission from SmartDiff detection results, generating VEX statements backed by delta evidence.
+
+## Implementation Details
+- **VEX Candidate Emission**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateEmitter.cs` - Emits VEX candidates from SmartDiff detection results.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateModels.cs` - VEX candidate data models.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexEvidence.cs` - Delta evidence backing VEX statements.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/Repositories.cs` - Repository interfaces for VEX candidate persistence.
+- **SmartDiff Predicate**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/SmartDiffPredicate.cs` - SmartDiff predicate model including VEX data.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs` - Bridges reachability gate data into SmartDiff VEX candidates.
+- **SARIF Output**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs` - SARIF export including VEX candidate data.
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` - API now embeds VEX candidates in SARIF responses.
+- **API Endpoints**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Program.cs` - Registers SmartDiff endpoints and SmartDiff repositories in API DI.
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` - Exposes scan-scoped VEX candidate/review routes and candidate lookup routes.
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/InMemoryScanMetadataRepository.cs` - Resolves scan metadata for scan-scoped candidate APIs.
+  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/SmartDiffEndpointsTests.cs` - API behavioral coverage for candidates, review, and SARIF embedding.
+
+## E2E Test Plan
+- [x] Scan two versions of the same image to produce a smart-diff delta.
+- [x] Call `GET /api/v1/smart-diff/{scanId}/vex-candidates` and verify VEX candidates are returned.
+- [x] Verify each VEX candidate includes evidence links referencing the specific delta changes.
+- [x] Submit a review decision via `POST /api/v1/smart-diff/{scanId}/vex-candidates/review` and verify the candidate status updates.
+- [x] Export the SARIF output and verify VEX candidate data is embedded in the SARIF report.
+- [x] Verify VEX candidates include reachability gate context when gates are detected.
+
+## Verification
+- Run ID: `run-001` (2026-02-12 UTC).
+- Tier 0 source verification: `docs/qa/feature-checks/runs/scanner/auto-vex-generation-from-smart-diff/run-001/tier0-source-check.json`.
+- Tier 1 build/test evidence: `docs/qa/feature-checks/runs/scanner/auto-vex-generation-from-smart-diff/run-001/tier1-build-check.json`.
+- Tier 2 API verification: `docs/qa/feature-checks/runs/scanner/auto-vex-generation-from-smart-diff/run-001/tier2-e2e-check.json`.
--- a/docs/features/checked/scanner/base-image-detection-and-recommendations.md
+++ b/docs/features/checked/scanner/base-image-detection-and-recommendations.md
@@ -0,0 +1,49 @@
+# Base Image Detection and Recommendations
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Base image detection via layer diffID fingerprinting with PostgreSQL-backed fingerprint storage and deterministic in-memory matching. The detector now supports exact and fuzzy matching, ranked recommendations, and bulk recommendation queries for multiple image references.
+
+## Implementation Details
+- **Core detection contract**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/IBaseImageDetector.cs`
+    - `DetectBaseImageAsync` (single-layer lookup)
+    - `GetRecommendationsAsync` (ranked exact/fuzzy recommendations)
+    - `GetRecommendationsBulkAsync` (bulk recommendations)
+- **Detector implementation**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/BaseImageDetector.cs`
+    - PostgreSQL-backed fingerprint persistence and load
+    - deterministic in-memory index
+    - fuzzy fallback by nearest layer index + lexical tie-break
+- **Recommendation scoring engine**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/BaseImageMatchEngine.cs`
+    - deterministic exact/fuzzy scoring with confidence and rationale
+- **Layer resolution + reuse integration**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/ILayerDigestResolver.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerDigestResolver.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerProvenance.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/ILayerReuseDetector.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/LayerReuseDetector.cs`
+- **DI registration**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/ManifestServiceCollectionExtensions.cs`
+- **Behavioral tests**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/BaseImageRecommendationTests.cs`
+
+## E2E Test Plan
+- [x] Scan an image built on a known base image and verify exact base image attribution is returned.
+- [x] Verify exact layer prefix match identifies the correct base image with confidence `1.0`.
+- [x] Verify fuzzy matching returns ranked recommendations when base layers are partially modified.
+- [x] Verify bulk recommendations return deterministic per-image results for multiple image references.
+- [x] Verify non-overlapping layers return no recommendations (negative path).
+
+## Verification
+- Run ID: `run-001`
+- Date (UTC): 2026-02-12
+- Tier 0: Source files and symbols present (`tier0-source-check.json`).
+- Tier 1: `StellaOps.Scanner.Manifest` + `StellaOps.Scanner.Core.Tests` build passed; focused recommendation tests passed (`tier1-build-check.json`, `tier1-tests-base-image.log`).
+- Tier 2: Behavioral integration checks passed via targeted class run (`tier2-e2e-check.json`).
--- a/docs/features/checked/scanner/secret-detection-and-credential-leak-guard.md
+++ b/docs/features/checked/scanner/secret-detection-and-credential-leak-guard.md
@@ -0,0 +1,46 @@
+# Secret Detection and Credential Leak Guard
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Secret detection analyzer with leak evidence capture, alert emission, and integration into the scanner worker pipeline. Compatible with Grype credential leak test scenarios.
+
+## Implementation Details
+- **Secrets Analyzer**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs` - `SecretsAnalyzer` detecting exposed secrets (API keys, tokens, passwords, private keys) in container image layers using regex-based detection rules
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs` - `SecretsAnalyzerHost` managing the lifecycle and execution of the secrets analyzer
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs` - Configuration options for detection rules, severity thresholds, and enabled categories
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/ServiceCollectionExtensions.cs` - DI registration for secrets analysis
+- **Pipeline Integration**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Secrets/SecretsAnalyzerStageExecutor.cs` - `SecretsAnalyzerStageExecutor` scanner worker pipeline stage executing secrets analysis
+- **Alert Emission**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs` - `SecretAlertEmitter` emitting alerts for discovered credential leaks
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs` - Interface for alert emission
+- **Exception Matching**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs` - `SecretExceptionMatcher` matching findings against allowlist patterns to suppress known-safe secrets
+- **Tests**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerTests.cs` - Unit tests for secret detection
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerIntegrationTests.cs` - Integration tests
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerHostTests.cs` - Host lifecycle tests
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/RegexDetectorTests.cs` - Regex detection rule tests
+
+## E2E Test Plan
+- [ ] Scan a container image containing known test secrets and verify `SecretsAnalyzer` detects API keys, tokens, and passwords with correct file paths and line numbers
+- [ ] Verify `SecretAlertEmitter` emits alerts for each detected secret with severity classification
+- [ ] Verify `SecretExceptionMatcher` suppresses findings matching allowlist patterns (e.g., placeholder values, test credentials)
+- [ ] Verify the `SecretsAnalyzerStageExecutor` integrates into the scanner worker pipeline and produces findings in the unified finding format
+- [ ] Verify the analyzer handles large files and binary content without performance degradation or false positives
+- [ ] Verify compatibility with Grype credential leak test scenarios by running against the same test fixtures
+
+## Verification
+- Run ID: `run-002`
+- Verified at: `2026-02-12T06:04:37.4704947Z`
+- Evidence:
+  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/tier2-e2e-check.json`
+  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/retest-result.json`