feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
2025-10-30 00:09:39 +02:00
parent 3154c67978
commit 7b5bdcf4d3
503 changed files with 16136 additions and 54638 deletions

@@ -0,0 +1,24 @@
# Entry-Point Runtime — PHP-FPM
## Signals to gather
- `argv0` equals `php-fpm` or `php-fpm8*` variants; master process often invoked with `-F` or `--nodaemonize`.
- Configuration files: `/usr/local/etc/php-fpm.conf`, `www.conf`, pool definitions under `php-fpm.d`.
- PHP runtime artefacts: `composer.json`, `public/index.php`, `artisan`, `wp-config.php`.
- Environment variables such as `PHP_FPM_CONFIG`, `PHP_INI_DIR`, `APP_ENV`.
- Socket or port exposure (`listen = 9000`, `/run/php-fpm.sock`).
## Implementation notes
- Verify master process vs worker processes (master stays PID 1, workers forked).
- Inspect pool configuration to extract listening endpoint and process manager mode.
- If `docker-php-entrypoint` is involved, ShellFlow must expand to `php-fpm`.
- Distinguish FPM from CLI invocations (`php script.php`) to avoid misclassification.
## Evidence & scoring
- Reward confirmed config files and listening sockets.
- Add evidence for application artefacts (Composer lockfile, framework directories).
- Penalise when only the binary is present without config (could be CLI usage).
## Edge cases
- Images bundling Apache/Nginx front-ends should end up as `Supervisor` with PHP-FPM as a child service.
- Some Alpine packages install `php-fpm7` naming—include aliases in detector.
- When `php-fpm` is launched via `s6` or supervisor, rely on child detection to avoid double counting.
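Review bot: In "Signals to gather" the `argv0` match covers only `php-fpm` and `php-fpm8*`, while "Edge cases" says Alpine packages use `php-fpm7` naming and asks for aliases in the detector; the two sections should agree, for example by stating the match once as `php-fpm` plus versioned suffixes (`php-fpm7*`, `php-fpm8*`). Under "Implementation notes", "master stays PID 1" does not hold for the `s6` or supervisor launch described in "Edge cases", so it would read better as the master being the parent of the forked workers, and PID 1 only when launched directly. "Evidence & scoring" says to reward and penalise but gives no weights or pointer to where they are defined, which makes the determinism the commit message promises hard to check from this file alone. It would also help to say whether a TCP `listen = 9000` and a unix socket such as `/run/php-fpm.sock` are recorded as distinct kinds of exposure, since the doc currently lists them together.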