feat: Implement Policy Engine Evaluation Service and Cache with unit tests
Temp commit to debug
@@ -323,17 +323,40 @@ Accept: application/json
|
||||
**Response 200**:
|
||||
|
||||
```json
|
||||
{
|
||||
"scanId": "2f6c17f9b3f548e2a28b9c412f4d63f8",
|
||||
"status": "Pending",
|
||||
"image": {
|
||||
"reference": "registry.example.com/acme/app:1.2.3",
|
||||
"digest": null
|
||||
},
|
||||
"createdAt": "2025-10-18T20:15:12.482Z",
|
||||
"updatedAt": "2025-10-18T20:15:12.482Z",
|
||||
"failureReason": null
|
||||
}
|
||||
{
|
||||
"scanId": "2f6c17f9b3f548e2a28b9c412f4d63f8",
|
||||
"status": "Pending",
|
||||
"image": {
|
||||
"reference": "registry.example.com/acme/app:1.2.3",
|
||||
"digest": "sha256:cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe"
|
||||
},
|
||||
"createdAt": "2025-10-18T20:15:12.482Z",
|
||||
"updatedAt": "2025-10-18T20:15:12.482Z",
|
||||
"failureReason": null,
|
||||
"surface": {
|
||||
"tenant": "default",
|
||||
"generatedAt": "2025-10-18T20:15:12.482Z",
|
||||
"manifestDigest": "sha256:8b4ddf1a9d3565eb7c2b176a0a64a970795e5ec373dbea3aaebb4208f9759b44",
|
||||
"manifestUri": "cas://scanner-artifacts/scanner/surface/manifests/default/sha256/8b/4d/8b4ddf1a9d3565eb7c2b176a0a64a970795e5ec373dbea3aaebb4208f9759b44.json",
|
||||
"manifest": {
|
||||
"schema": "stellaops.surface.manifest@1",
|
||||
"tenant": "default",
|
||||
"imageDigest": "sha256:cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe",
|
||||
"generatedAt": "2025-10-18T20:15:12.482Z",
|
||||
"artifacts": [
|
||||
{
|
||||
"kind": "sbom-inventory",
|
||||
"uri": "cas://scanner-artifacts/scanner/images/cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe/sbom.cdx.json",
|
||||
"digest": "sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
|
||||
"mediaType": "application/vnd.cyclonedx+json; version=1.6; view=inventory",
|
||||
"format": "cdx-json",
|
||||
"sizeBytes": 2048,
|
||||
"view": "inventory"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Statuses: `Pending`, `Running`, `Succeeded`, `Failed`, `Cancelled`.
|
||||
@@ -445,8 +468,40 @@ Request body mirrors policy preview inputs (image digest plus findings). The ser
|
||||
"reachability": "runtime"
|
||||
}
|
||||
],
|
||||
"issues": []
|
||||
},
|
||||
"issues": [],
|
||||
"surface": {
|
||||
"tenant": "default",
|
||||
"generatedAt": "2025-10-23T15:32:22Z",
|
||||
"manifestDigest": "sha256:1f3c5d7a8e4b921a0c2f6b8de0bb5aa8f5aa51b62e7d7d1864f9c826bfb44d91",
|
||||
"manifestUri": "cas://scanner-artifacts/scanner/surface/manifests/default/sha256/1f/3c/1f3c5d7a8e4b921a0c2f6b8de0bb5aa8f5aa51b62e7d7d1864f9c826bfb44d91.json",
|
||||
"manifest": {
|
||||
"schema": "stellaops.surface.manifest@1",
|
||||
"tenant": "default",
|
||||
"imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
|
||||
"generatedAt": "2025-10-23T15:32:22Z",
|
||||
"artifacts": [
|
||||
{
|
||||
"kind": "sbom-inventory",
|
||||
"uri": "cas://scanner-artifacts/scanner/images/7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234/sbom.cdx.json",
|
||||
"digest": "sha256:2b8ce7dd0037e59f0f93e4a5cff45b1eb305a511a1c9e2895d2f4ecdf616d3da",
|
||||
"mediaType": "application/vnd.cyclonedx+json; version=1.6; view=inventory",
|
||||
"format": "cdx-json",
|
||||
"sizeBytes": 3072,
|
||||
"view": "inventory"
|
||||
},
|
||||
{
|
||||
"kind": "sbom-usage",
|
||||
"uri": "cas://scanner-artifacts/scanner/images/7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234/sbom.cdx.pb",
|
||||
"digest": "sha256:74e4d9f8ab0f2a1772e5768e15a5a9d7b662b849b1f223c8d6f3b184e4ac7780",
|
||||
"mediaType": "application/vnd.cyclonedx+protobuf; version=1.6; view=usage",
|
||||
"format": "cdx-protobuf",
|
||||
"sizeBytes": 12800,
|
||||
"view": "usage"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"dsse": {
|
||||
"payloadType": "application/vnd.stellaops.report+json",
|
||||
"payload": "eyJyZXBvcnQiOnsicmVwb3J0SWQiOiJyZXBvcnQtOWY4Y2RlMjFhYWI1NDMyMSJ9fQ==",
|
||||
@@ -461,7 +516,7 @@ Request body mirrors policy preview inputs (image digest plus findings). The ser
|
||||
}
|
||||
```
|
||||
|
||||
- The `report` object omits null fields and is deterministic (ISO timestamps, sorted keys) while surfacing `unknownConfidence`, `confidenceBand`, and `unknownAgeDays` for auditability.
|
||||
- The `report` object omits null fields and is deterministic (ISO timestamps, sorted keys) while surfacing `unknownConfidence`, `confidenceBand`, `unknownAgeDays`, and a `surface` block containing the manifest digest and CAS URIs for downstream tooling.
|
||||
- `dsse` follows the DSSE (Dead Simple Signing Envelope) shape; `payload` is the canonical UTF-8 JSON and `signatures[0].signature` is the base64 HMAC/Ed25519 value depending on configuration.
|
||||
- Full offline samples live at `samples/policy/policy-report-unknown.json` (request + response) and `samples/api/reports/report-sample.dsse.json` (envelope fixture) for tooling tests or signature verification.
|
||||
|
||||
|
||||