stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Enhance traceability and logging in Risk and Vulnerability clients

Browse Source 
- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.
This commit is contained in:
StellaOps Bot
2025-12-02 19:24:26 +02:00
parent 76ecea482e
commit acbb0ff637
20 changed files with 186 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/implplan/SPRINT_507_ops_devops_v.md
View File

@@ -10,7 +10,7 @@ DEVOPS-TEN-49-001 | DOING (2025-12-02) | Deploy audit pipeline, scope usage metr
DEVOPS-VEX-30-001 | DONE (2025-12-02) | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops)
DEVOPS-VULN-29-001 | DONE (2025-12-02) | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-VULN-29-002 | DONE (2025-12-02) | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | DevOps Guild, Vuln Explorer API Guild (ops/devops)
DEVOPS-VULN-29-003 | DOING (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
DEVOPS-VULN-29-003 | DONE (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
DOCKER-44-001 | DOING (2025-12-01) | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops)
DOCKER-44-002 | DONE (2025-12-02) | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | DevOps Guild (ops/devops)
DOCKER-44-003 | DONE (2025-12-02) | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Concelier/Excitior. Dependencies: DOCKER-44-002. | DevOps Guild (ops/devops)
@@ -45,3 +45,5 @@ OPS-SECRETS-02 | DONE (2025-12-02) | Embed Surface.Secrets material (encrypted b
- Tenant chaos drill requires iptables/root access; run only in isolated CI agents or staging clusters. Ensure JWKS cache TTL is monitored so chaos window does not trigger widespread auth failures.
| 2025-12-02 | Started DEVOPS-VULN-29-003: drafted analytics ingest/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`). | DevOps |
| 2025-12-02 | Updated Vuln Explorer observability runbook with query-hash metrics and PII guards to support DEVOPS-VULN-29-003. | DevOps |
| 2025-12-02 | Progress DEVOPS-VULN-29-003: added query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`) and updated observability runbook to include PII-safe query hashing and payload metrics. | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-003: published analytics/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`), query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`), and updated runbook for PII-safe metrics. | DevOps |