Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
This commit is contained in:
@@ -19,6 +19,77 @@ stella attest list --tenant default --issuer dev-kms --format table
stella attest show --id a1b2c3 --output json
```

## CI/CD Integration

### GitHub Actions

```yaml
# .github/workflows/verify-attestation.yml
name: Verify Attestation

on:
workflow_dispatch:
inputs:
artifact_path:
description: 'Path to artifact with attestation'
required: true

jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Download artifact
uses: actions/download-artifact@v4
with:
name: signed-artifact
path: ./artifacts

- name: Install StellaOps CLI
run: |
dotnet tool install --global StellaOps.Cli

- name: Verify attestation
run: |
stella attest verify \
--envelope ./artifacts/attestation.dsse.json \
--policy ./policy/verify-policy.json \
--root ./keys/trusted-root.pem \
--output ./verification-report.json

- name: Upload verification report
uses: actions/upload-artifact@v4
with:
name: verification-report
path: ./verification-report.json
```

### GitLab CI

```yaml
# .gitlab-ci.yml
verify-attestation:
stage: verify
image: mcr.microsoft.com/dotnet/sdk:10.0
before_script:
- dotnet tool install --global StellaOps.Cli
- export PATH="$PATH:$HOME/.dotnet/tools"
script:
- |
stella attest verify \
--envelope ./artifacts/attestation.dsse.json \
--policy ./policy/verify-policy.json \
--root ./keys/trusted-root.pem \
--output ./verification-report.json
artifacts:
paths:
- verification-report.json
expire_in: 1 week
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

## Notes
- No network access required in sealed mode.
- All commands emit deterministic JSON; timestamps in UTC.

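Review bot: the `workflow_dispatch` input `artifact_path` declared in the GitHub Actions example is never used; the verify step hardcodes `--envelope ./artifacts/attestation.dsse.json`, so either wire the input through (for example `--envelope ${{ inputs.artifact_path }}`) or drop the input. In the same job, `actions/download-artifact@v4` with only `name: signed-artifact` downloads from the current workflow run, and a manually dispatched run has not produced that artifact, so the step fails unless `run-id` and `github-token` are supplied or the verify job lives in the same workflow as the signing job; the doc should say which is intended. Two smaller points: the GitHub example installs the tool but, unlike the GitLab example, never adds `$HOME/.dotnet/tools` to `PATH`, so the two snippets should match; and both examples read `--root ./keys/trusted-root.pem` and `--policy ./policy/verify-policy.json` from the checked-out tree, which means anyone who can change the branch under test can also change the trust anchor and policy the verification uses. A sentence recommending that the root and policy come from a protected location or a pinned ref, plus a sentence on the exit status of `stella attest verify` when verification fails (the job's pass/fail depends on it), would close both gaps.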
@@ -10,6 +10,7 @@ This note collects the invariants required for reproducible Scanner runs and rep
- Concurrency cap: `scanner:determinism:concurrencyLimit=1` (worker clamps `MaxConcurrentJobs` to this) or `SCANNER__DETERMINISM__CONCURRENCYLIMIT=1`.
- Feed/policy pins: `scanner:determinism:feedSnapshotId=<frozen-feed>` and `scanner:determinism:policySnapshotId=<rev>` to stamp submissions and reject mismatched runtime policies.
- Log filtering: `scanner:determinism:filterLogs=true` to strip timestamps/PIDs before hashing.
- Evidence: worker emits `determinism.json` into the surface manifest (view `replay`) summarising fixed clock, seed, concurrency cap, feed/policy pins, and per-payload hashes so replay kits can assert settings.

## Ordering
- Sort inputs (images, layers, files, findings) deterministically before processing/serialization.

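Review bot: the `filterLogs` setting is missing from the list of what `determinism.json` records. The evidence bullet says the manifest summarises fixed clock, seed, concurrency cap, feed/policy pins and per-payload hashes, while the log-filtering bullet says timestamps/PIDs are stripped before hashing, so two runs that differ only in `scanner:determinism:filterLogs` produce different payload hashes with nothing in the evidence explaining why; add `filterLogs` to the summary so replay kits can assert it alongside the other settings. Also, the pins bullet says mismatched runtime policies are rejected but says nothing about a mismatched feed snapshot; state whether `feedSnapshotId` is enforced the same way or only stamped onto submissions.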