stabilize tests

devops/docker/Dockerfile.ci

@@ -1,9 +1,14 @@
 # Dockerfile.ci - Local CI testing container matching Gitea runner environment
-# Sprint: SPRINT_20251226_006_CICD
+# Sprint: SPRINT_20260201_002_QA_chaos_parity_enablement
 #
 # Usage:
 #   docker build -t stellaops-ci:local -f devops/docker/Dockerfile.ci .
 #   docker run --rm -v $(pwd):/src stellaops-ci:local ./devops/scripts/test-local.sh
+#
+# Parity tests (trivy/grype/syft require Docker socket for image scanning):
+#   docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+#     -v $(pwd):/src -w /src stellaops-ci:local \
+#     -c "dotnet test src/__Tests/parity/StellaOps.Parity.Tests/"
 
 FROM ubuntu:22.04
 
@@ -136,10 +141,50 @@ RUN curl -fsSL https://github.com/sigstore/rekor/releases/download/v${REKOR_VERS
     && rekor-cli version
 
 # ===========================================================================
-# SYFT (SBOM generation)
+# SYFT (SBOM generation for parity tests)
 # ===========================================================================
 
-RUN curl -fsSL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ENV SYFT_VERSION=1.9.0
+RUN curl -fsSL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v${SYFT_VERSION}
+
+# ===========================================================================
+# GRYPE (vulnerability scanning for parity tests)
+# ===========================================================================
+
+ENV GRYPE_VERSION=0.79.3
+RUN curl -fsSL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${GRYPE_VERSION}
+
+# ===========================================================================
+# TRIVY (vulnerability scanning for parity tests)
+# ===========================================================================
+
+ENV TRIVY_VERSION=0.54.1
+RUN curl -fsSL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${TRIVY_VERSION}
+
+# ===========================================================================
+# DENO (for Scanner language analyzer runtime-trace tests)
+# ===========================================================================
+
+ENV DENO_VERSION=2.1.4
+RUN curl -fsSL https://github.com/denoland/deno/releases/download/v${DENO_VERSION}/deno-x86_64-unknown-linux-gnu.zip \
+    -o /tmp/deno.zip \
+    && unzip /tmp/deno.zip -d /usr/local/bin \
+    && chmod +x /usr/local/bin/deno \
+    && rm /tmp/deno.zip \
+    && deno --version
+
+# ===========================================================================
+# BUN (for Scanner language analyzer tests)
+# ===========================================================================
+
+ENV BUN_VERSION=1.1.38
+RUN curl -fsSL https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip \
+    -o /tmp/bun.zip \
+    && unzip /tmp/bun.zip -d /tmp/bun \
+    && mv /tmp/bun/bun-linux-x64/bun /usr/local/bin/bun \
+    && chmod +x /usr/local/bin/bun \
+    && rm -rf /tmp/bun /tmp/bun.zip \
+    && bun --version
 
 # ===========================================================================
 # SETUP
@@ -164,6 +209,11 @@ RUN printf '%s\n' \
     'echo "Helm: $(helm version --short)"' \
     'echo "Cosign: $(cosign version 2>&1 | head -1)"' \
     'echo "Rekor CLI: $(rekor-cli version 2>&1 | head -1)"' \
+    'echo "Syft: $(syft version 2>&1 | head -1)"' \
+    'echo "Grype: $(grype version 2>&1 | head -1)"' \
+    'echo "Trivy: $(trivy --version 2>&1 | head -1)"' \
+    'echo "Deno: $(deno --version 2>&1 | head -1)"' \
+    'echo "Bun: $(bun --version 2>&1 | head -1)"' \
     'echo "Docker: $(docker --version 2>/dev/null || echo Not available)"' \
     'echo "PostgreSQL client: $(psql --version)"' \
     'echo "=== All checks passed ==="' \