stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

Browse Source 
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
This commit is contained in:
master
2025-10-30 00:09:39 +02:00
parent 3154c67978
commit 7b5bdcf4d3
503 changed files with 16136 additions and 54638 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
docs/modules/scanner/operations/entrypoint-lang-nginx.md Normal file
View File

@@ -0,0 +1,24 @@
# Entry-Point Runtime — Nginx
## Signals to gather
- `argv0` equals `nginx`.
- Config files: `/etc/nginx/nginx.conf`, `conf.d/*.conf`, `/usr/share/nginx/html`.
- Environment (`NGINX_ENTRYPOINT_QUIET_LOGS`, `NGINX_PORT`, `NGINX_ENVSUBST_TEMPLATE`).
- Listening sockets on 80/443 (dynamic mode) or `EXPOSE 80` (static).
- Modules or scripts shipped with the official Docker entrypoint (`docker-entrypoint.sh` collapsing to `nginx -g "daemon off;"`).
## Implementation notes
- Parse `nginx.conf` (basic directive traversal) to extract worker processes, include chains, upstream definitions.
- Handle official entrypoint idioms (`envsubst` templating) via ShellFlow.
- Distinguish pure reverse proxies from PHP-FPM combos; when both `nginx` and `php-fpm` run, classify container as `Supervisor`.
- Record static web content presence (`/usr/share/nginx/html/index.html`).
## Evidence & scoring
- Boost for confirmed config and workers.
- Add evidence for templating features, env substitution, or modules.
- Penalise if binary exists without config (likely not the entry point).
## Edge cases
- Alpine images may place configs under `/etc/nginx/conf.d`; include both.
- Custom builds might rename binary (`openresty`, `tengine`); consider aliases if common.
- Windows Nginx not supported; fall back to `Other`.