feat: Implement vulnerability token signing and verification utilities
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys. - Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries. - Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads. - Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options. - Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads. - Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features. - Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
This commit is contained in:
master
50
docs/benchmarks/scanner/windows-macos-interview-template.md
Normal file
50
docs/benchmarks/scanner/windows-macos-interview-template.md
Normal file
@@ -0,0 +1,50 @@
|
||||
# Windows / macOS Analyzer Demand — Interview Template
|
||||
|
||||
Use this template during customer interviews, SE discovery calls, or product advisory meetings. Copy the table into your meeting notes and fill in the responses. Summaries should be pushed back into `windows-macos-demand.md`.
|
||||
|
||||
## Interview metadata
|
||||
| Field | Notes |
|
||||
| --- | --- |
|
||||
| Date | `YYYY-MM-DD` |
|
||||
| Interviewer(s) | |
|
||||
| Customer / Account | |
|
||||
| Participant roles | (e.g., platform lead, security architect) |
|
||||
| Workload context | (container images, VMs, desktop fleets, CI pipelines, etc.) |
|
||||
|
||||
## Current state
|
||||
1. **Operating systems in scope**
|
||||
- Which Windows or macOS versions/images are mission critical?
|
||||
- Container vs VM vs bare-metal distribution?
|
||||
2. **Existing tooling**
|
||||
- What scanners or inventory tools are used today (e.g., SCCM, Tanium, Trivy, Snyk, custom scripts)?
|
||||
- Pain points / gaps they experience (offline support, provenance, coverage, explainability).
|
||||
3. **Regulatory / compliance drivers**
|
||||
- Any specific frameworks (PCI, FedRAMP, DISA, internal policies) mandating Windows/macOS SBOM or attestation?
|
||||
|
||||
## Desired capabilities (score 1–5 per feature)
|
||||
| Capability | Score | Notes |
|
||||
| --- | --- | --- |
|
||||
| MSI / WinSxS package inventory | | |
|
||||
| Chocolatey / third-party feed tracking | | |
|
||||
| macOS Homebrew / pkgutil receipts | | |
|
||||
| `.app` bundle inspection (signing, entitlements) | | |
|
||||
| Driver / service posture | | |
|
||||
| Authenticode / notarization verification | | |
|
||||
| Offline/air-gap parity | | |
|
||||
| Policy integration (e.g., block unsigned driver) | | |
|
||||
|
||||
## Operational requirements
|
||||
- **Offline expectations**: Do they require artefact mirroring? Which feeds?
|
||||
- **Performance**: Time budget for scans? Incremental vs full?
|
||||
- **Evidence formats**: Preferred SBOM types, attestation needs, API endpoints.
|
||||
- **Secrets / credentials**: Any constraints for registry/hive exports or feed mirrors?
|
||||
|
||||
## Success metrics
|
||||
- How will the customer judge success? (e.g., number of workloads covered, audit findings reduced, ability to prove provenance).
|
||||
- Timeline expectations for pilot vs GA?
|
||||
|
||||
## Follow-up actions
|
||||
- What next steps were promised (POC, roadmap update, integration with other guilds)?
|
||||
- Owners + due dates.
|
||||
|
||||
> After the interview: convert highlights into a concise row in `windows-macos-demand.md` and, if needed, create Jira/backlog items for SCANNER-ENG-0020..0027 or DOCS-SCANNER-BENCH-62-016 with the captured context.
|
||||
Reference in New Issue
Block a user