stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Restructure solution layout by module

Browse Source
This commit is contained in:
master
2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
samples/api/scheduler/graph-build-job.json
View File

@@ -1,19 +1,19 @@
{
"schemaVersion": "scheduler.graph-build-job@1",
"id": "gbj_20251026a",
"tenantId": "tenant-alpha",
"sbomId": "sbom_20251026",
"sbomVersionId": "sbom_ver_20251026",
"sbomDigest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
"graphSnapshotId": "graph_snap_20251026",
"status": "running",
"trigger": "sbom-version",
"attempts": 1,
"cartographerJobId": "carto_job_42",
"correlationId": "evt_svc_987",
"createdAt": "2025-10-26T12:00:00+00:00",
"startedAt": "2025-10-26T12:00:05+00:00",
"metadata": {
"sbomEventId": "sbom_evt_20251026"
}
}
{
"schemaVersion": "scheduler.graph-build-job@1",
"id": "gbj_20251026a",
"tenantId": "tenant-alpha",
"sbomId": "sbom_20251026",
"sbomVersionId": "sbom_ver_20251026",
"sbomDigest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
"graphSnapshotId": "graph_snap_20251026",
"status": "running",
"trigger": "sbom-version",
"attempts": 1,
"cartographerJobId": "carto_job_42",
"correlationId": "evt_svc_987",
"createdAt": "2025-10-26T12:00:00+00:00",
"startedAt": "2025-10-26T12:00:05+00:00",
"metadata": {
"sbomEventId": "sbom_evt_20251026"
}
}

42
samples/api/scheduler/graph-overlay-job.json
View File

@@ -1,21 +1,21 @@
{
"schemaVersion": "scheduler.graph-overlay-job@1",
"id": "goj_20251026a",
"tenantId": "tenant-alpha",
"graphSnapshotId": "graph_snap_20251026",
"buildJobId": "gbj_20251026a",
"overlayKind": "policy",
"overlayKey": "policy@2025-10-01",
"subjects": [
"artifact:service-api",
"artifact:service-worker"
],
"status": "queued",
"trigger": "policy",
"attempts": 0,
"correlationId": "policy_run_321",
"createdAt": "2025-10-26T12:05:00+00:00",
"metadata": {
"policyRunId": "policy_run_321"
}
}
{
"schemaVersion": "scheduler.graph-overlay-job@1",
"id": "goj_20251026a",
"tenantId": "tenant-alpha",
"graphSnapshotId": "graph_snap_20251026",
"buildJobId": "gbj_20251026a",
"overlayKind": "policy",
"overlayKey": "policy@2025-10-01",
"subjects": [
"artifact:service-api",
"artifact:service-worker"
],
"status": "queued",
"trigger": "policy",
"attempts": 0,
"correlationId": "policy_run_321",
"createdAt": "2025-10-26T12:05:00+00:00",
"metadata": {
"policyRunId": "policy_run_321"
}
}

62
samples/api/scheduler/policy-diff-summary.json
View File

@@ -1,31 +1,31 @@
{
"schemaVersion": "scheduler.policy-diff-summary@1",
"added": 12,
"removed": 8,
"unchanged": 657,
"bySeverity": {
"critical": {
"up": 1
},
"high": {
"up": 3,
"down": 4
},
"medium": {
"up": 2,
"down": 1
}
},
"ruleHits": [
{
"ruleId": "rule-block-critical",
"ruleName": "Block Critical Findings",
"up": 1
},
{
"ruleId": "rule-quiet-low",
"ruleName": "Quiet Low Risk",
"down": 2
}
]
}
{
"schemaVersion": "scheduler.policy-diff-summary@1",
"added": 12,
"removed": 8,
"unchanged": 657,
"bySeverity": {
"critical": {
"up": 1
},
"high": {
"up": 3,
"down": 4
},
"medium": {
"up": 2,
"down": 1
}
},
"ruleHits": [
{
"ruleId": "rule-block-critical",
"ruleName": "Block Critical Findings",
"up": 1
},
{
"ruleId": "rule-quiet-low",
"ruleName": "Quiet Low Risk",
"down": 2
}
]
}

166
samples/api/scheduler/policy-explain-trace.json
View File

@@ -1,83 +1,83 @@
{
"schemaVersion": "scheduler.policy-explain-trace@1",
"findingId": "finding:sbom:S-42/pkg:npm/lodash@4.17.21",
"policyId": "P-7",
"policyVersion": 4,
"tenantId": "default",
"runId": "run:P-7:2025-10-26:auto",
"evaluatedAt": "2025-10-26T14:06:01+00:00",
"verdict": {
"status": "blocked",
"severity": "critical",
"score": 19.5,
"rationale": "Matches rule-block-critical"
},
"ruleChain": [
{
"ruleId": "rule-allow-known",
"ruleName": "Allow Known Vendors",
"action": "allow",
"decision": "skipped",
"condition": "when vendor == \"trusted\""
},
{
"ruleId": "rule-block-critical",
"ruleName": "Block Critical Findings",
"action": "block",
"decision": "matched",
"score": 19.5,
"condition": "when severity >= Critical"
}
],
"evidence": [
{
"type": "advisory",
"reference": "CVE-2025-12345",
"source": "nvd",
"status": "affected",
"weight": 1,
"justification": "Vendor advisory",
"metadata": {}
},
{
"type": "vex",
"reference": "vex:ghsa-2025-0001",
"source": "vendor",
"status": "not_affected",
"weight": 0.5,
"justification": "Runtime unreachable",
"metadata": {
"justificationid": "csaf:justification/123"
}
}
],
"vexImpacts": [
{
"statementId": "vex:ghsa-2025-0001",
"provider": "vendor",
"status": "not_affected",
"accepted": true,
"justification": "Runtime unreachable",
"confidence": "medium"
}
],
"history": [
{
"status": "blocked",
"occurredAt": "2025-10-26T14:06:01+00:00",
"actor": "policy-engine",
"note": "Initial evaluation"
},
{
"status": "blocked",
"occurredAt": "2025-10-26T14:16:01+00:00",
"actor": "policy-engine",
"note": "Replay verification"
}
],
"metadata": {
"componentpurl": "pkg:npm/lodash@4.17.21",
"sbomid": "sbom:S-42",
"traceid": "01HE0BJX5S4T9YCN6ZT0"
}
}
{
"schemaVersion": "scheduler.policy-explain-trace@1",
"findingId": "finding:sbom:S-42/pkg:npm/lodash@4.17.21",
"policyId": "P-7",
"policyVersion": 4,
"tenantId": "default",
"runId": "run:P-7:2025-10-26:auto",
"evaluatedAt": "2025-10-26T14:06:01+00:00",
"verdict": {
"status": "blocked",
"severity": "critical",
"score": 19.5,
"rationale": "Matches rule-block-critical"
},
"ruleChain": [
{
"ruleId": "rule-allow-known",
"ruleName": "Allow Known Vendors",
"action": "allow",
"decision": "skipped",
"condition": "when vendor == \"trusted\""
},
{
"ruleId": "rule-block-critical",
"ruleName": "Block Critical Findings",
"action": "block",
"decision": "matched",
"score": 19.5,
"condition": "when severity >= Critical"
}
],
"evidence": [
{
"type": "advisory",
"reference": "CVE-2025-12345",
"source": "nvd",
"status": "affected",
"weight": 1,
"justification": "Vendor advisory",
"metadata": {}
},
{
"type": "vex",
"reference": "vex:ghsa-2025-0001",
"source": "vendor",
"status": "not_affected",
"weight": 0.5,
"justification": "Runtime unreachable",
"metadata": {
"justificationid": "csaf:justification/123"
}
}
],
"vexImpacts": [
{
"statementId": "vex:ghsa-2025-0001",
"provider": "vendor",
"status": "not_affected",
"accepted": true,
"justification": "Runtime unreachable",
"confidence": "medium"
}
],
"history": [
{
"status": "blocked",
"occurredAt": "2025-10-26T14:06:01+00:00",
"actor": "policy-engine",
"note": "Initial evaluation"
},
{
"status": "blocked",
"occurredAt": "2025-10-26T14:16:01+00:00",
"actor": "policy-engine",
"note": "Replay verification"
}
],
"metadata": {
"componentpurl": "pkg:npm/lodash@4.17.21",
"sbomid": "sbom:S-42",
"traceid": "01HE0BJX5S4T9YCN6ZT0"
}
}

58
samples/api/scheduler/policy-run-request.json
View File

@@ -1,29 +1,29 @@
{
"schemaVersion": "scheduler.policy-run-request@1",
"tenantId": "default",
"policyId": "P-7",
"policyVersion": 4,
"mode": "incremental",
"priority": "normal",
"runId": "run:P-7:2025-10-26:auto",
"queuedAt": "2025-10-26T14:05:00+00:00",
"requestedBy": "user:cli",
"correlationId": "req-20251026T140500Z",
"metadata": {
"source": "stella policy run",
"trigger": "cli"
},
"inputs": {
"sbomSet": [
"sbom:S-318",
"sbom:S-42"
],
"advisoryCursor": "2025-10-26T13:59:00+00:00",
"vexCursor": "2025-10-26T13:58:30+00:00",
"environment": {
"exposure": "internet",
"sealed": false
},
"captureExplain": true
}
}
{
"schemaVersion": "scheduler.policy-run-request@1",
"tenantId": "default",
"policyId": "P-7",
"policyVersion": 4,
"mode": "incremental",
"priority": "normal",
"runId": "run:P-7:2025-10-26:auto",
"queuedAt": "2025-10-26T14:05:00+00:00",
"requestedBy": "user:cli",
"correlationId": "req-20251026T140500Z",
"metadata": {
"source": "stella policy run",
"trigger": "cli"
},
"inputs": {
"sbomSet": [
"sbom:S-318",
"sbom:S-42"
],
"advisoryCursor": "2025-10-26T13:59:00+00:00",
"vexCursor": "2025-10-26T13:58:30+00:00",
"environment": {
"exposure": "internet",
"sealed": false
},
"captureExplain": true
}
}

82
samples/api/scheduler/policy-run-status.json
View File

@@ -1,41 +1,41 @@
{
"schemaVersion": "scheduler.policy-run-status@1",
"runId": "run:P-7:2025-10-26:auto",
"tenantId": "default",
"policyId": "P-7",
"policyVersion": 4,
"mode": "incremental",
"status": "succeeded",
"priority": "normal",
"queuedAt": "2025-10-26T14:05:00+00:00",
"startedAt": "2025-10-26T14:05:11+00:00",
"finishedAt": "2025-10-26T14:06:01+00:00",
"determinismHash": "sha256:e3c2b2f3b1aa4567890abcdef1234567890abcdef1234567890abcdef123456",
"traceId": "01HE0BJX5S4T9YCN6ZT0",
"explainUri": "blob://policy/P-7/runs/2025-10-26T14-06-01Z.json",
"metadata": {
"orchestrator": "scheduler",
"sbombatchhash": "sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
},
"stats": {
"components": 1742,
"rulesFired": 68023,
"findingsWritten": 4321,
"vexOverrides": 210,
"quieted": 12,
"durationSeconds": 50.8
},
"inputs": {
"sbomSet": [
"sbom:S-318",
"sbom:S-42"
],
"advisoryCursor": "2025-10-26T13:59:00+00:00",
"vexCursor": "2025-10-26T13:58:30+00:00",
"environment": {
"exposure": "internet",
"sealed": false
},
"captureExplain": true
}
}
{
"schemaVersion": "scheduler.policy-run-status@1",
"runId": "run:P-7:2025-10-26:auto",
"tenantId": "default",
"policyId": "P-7",
"policyVersion": 4,
"mode": "incremental",
"status": "succeeded",
"priority": "normal",
"queuedAt": "2025-10-26T14:05:00+00:00",
"startedAt": "2025-10-26T14:05:11+00:00",
"finishedAt": "2025-10-26T14:06:01+00:00",
"determinismHash": "sha256:e3c2b2f3b1aa4567890abcdef1234567890abcdef1234567890abcdef123456",
"traceId": "01HE0BJX5S4T9YCN6ZT0",
"explainUri": "blob://policy/P-7/runs/2025-10-26T14-06-01Z.json",
"metadata": {
"orchestrator": "scheduler",
"sbombatchhash": "sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
},
"stats": {
"components": 1742,
"rulesFired": 68023,
"findingsWritten": 4321,
"vexOverrides": 210,
"quieted": 12,
"durationSeconds": 50.8
},
"inputs": {
"sbomSet": [
"sbom:S-318",
"sbom:S-42"
],
"advisoryCursor": "2025-10-26T13:59:00+00:00",
"vexCursor": "2025-10-26T13:58:30+00:00",
"environment": {
"exposure": "internet",
"sealed": false
},
"captureExplain": true
}
}

202
samples/api/scheduler/run-summary.json
View File

@@ -1,101 +1,101 @@
{
"tenantId": "tenant-alpha",
"scheduleId": "sch_20251018a",
"updatedAt": "2025-10-18T22:10:10Z",
"lastRun": {
"runId": "run_20251018_0001",
"trigger": "feedser",
"state": "completed",
"createdAt": "2025-10-18T22:03:14Z",
"startedAt": "2025-10-18T22:03:20Z",
"finishedAt": "2025-10-18T22:08:45Z",
"stats": {
"candidates": 1280,
"deduped": 910,
"queued": 0,
"completed": 910,
"deltas": 42,
"newCriticals": 7,
"newHigh": 11,
"newMedium": 18,
"newLow": 6
},
"error": null
},
"recent": [
{
"runId": "run_20251018_0001",
"trigger": "feedser",
"state": "completed",
"createdAt": "2025-10-18T22:03:14Z",
"startedAt": "2025-10-18T22:03:20Z",
"finishedAt": "2025-10-18T22:08:45Z",
"stats": {
"candidates": 1280,
"deduped": 910,
"queued": 0,
"completed": 910,
"deltas": 42,
"newCriticals": 7,
"newHigh": 11,
"newMedium": 18,
"newLow": 6
},
"error": null
},
{
"runId": "run_20251017_0003",
"trigger": "cron",
"state": "error",
"createdAt": "2025-10-17T22:01:02Z",
"startedAt": "2025-10-17T22:01:08Z",
"finishedAt": "2025-10-17T22:04:11Z",
"stats": {
"candidates": 1040,
"deduped": 812,
"queued": 0,
"completed": 640,
"deltas": 18,
"newCriticals": 2,
"newHigh": 4,
"newMedium": 7,
"newLow": 3
},
"error": "scanner timeout"
},
{
"runId": "run_20251016_0007",
"trigger": "manual",
"state": "cancelled",
"createdAt": "2025-10-16T20:00:00Z",
"startedAt": "2025-10-16T20:00:04Z",
"finishedAt": null,
"stats": {
"candidates": 820,
"deduped": 640,
"queued": 0,
"completed": 0,
"deltas": 0,
"newCriticals": 0,
"newHigh": 0,
"newMedium": 0,
"newLow": 0
},
"error": null
}
],
"counters": {
"total": 3,
"planning": 0,
"queued": 0,
"running": 0,
"completed": 1,
"error": 1,
"cancelled": 1,
"totalDeltas": 60,
"totalNewCriticals": 9,
"totalNewHigh": 15,
"totalNewMedium": 25,
"totalNewLow": 9
}
}
{
"tenantId": "tenant-alpha",
"scheduleId": "sch_20251018a",
"updatedAt": "2025-10-18T22:10:10Z",
"lastRun": {
"runId": "run_20251018_0001",
"trigger": "feedser",
"state": "completed",
"createdAt": "2025-10-18T22:03:14Z",
"startedAt": "2025-10-18T22:03:20Z",
"finishedAt": "2025-10-18T22:08:45Z",
"stats": {
"candidates": 1280,
"deduped": 910,
"queued": 0,
"completed": 910,
"deltas": 42,
"newCriticals": 7,
"newHigh": 11,
"newMedium": 18,
"newLow": 6
},
"error": null
},
"recent": [
{
"runId": "run_20251018_0001",
"trigger": "feedser",
"state": "completed",
"createdAt": "2025-10-18T22:03:14Z",
"startedAt": "2025-10-18T22:03:20Z",
"finishedAt": "2025-10-18T22:08:45Z",
"stats": {
"candidates": 1280,
"deduped": 910,
"queued": 0,
"completed": 910,
"deltas": 42,
"newCriticals": 7,
"newHigh": 11,
"newMedium": 18,
"newLow": 6
},
"error": null
},
{
"runId": "run_20251017_0003",
"trigger": "cron",
"state": "error",
"createdAt": "2025-10-17T22:01:02Z",
"startedAt": "2025-10-17T22:01:08Z",
"finishedAt": "2025-10-17T22:04:11Z",
"stats": {
"candidates": 1040,
"deduped": 812,
"queued": 0,
"completed": 640,
"deltas": 18,
"newCriticals": 2,
"newHigh": 4,
"newMedium": 7,
"newLow": 3
},
"error": "scanner timeout"
},
{
"runId": "run_20251016_0007",
"trigger": "manual",
"state": "cancelled",
"createdAt": "2025-10-16T20:00:00Z",
"startedAt": "2025-10-16T20:00:04Z",
"finishedAt": null,
"stats": {
"candidates": 820,
"deduped": 640,
"queued": 0,
"completed": 0,
"deltas": 0,
"newCriticals": 0,
"newHigh": 0,
"newMedium": 0,
"newLow": 0
},
"error": null
}
],
"counters": {
"total": 3,
"planning": 0,
"queued": 0,
"running": 0,
"completed": 1,
"error": 1,
"cancelled": 1,
"totalDeltas": 60,
"totalNewCriticals": 9,
"totalNewHigh": 15,
"totalNewMedium": 25,
"totalNewLow": 9
}
}

84
samples/ci/buildx-demo/README.md
View File

@@ -1,42 +1,42 @@
# Buildx SBOM Demo Workflow
This sample GitHub Actions workflow shows how to run the StellaOps BuildX generator alongside a container build.
## What it does
1. Publishes the `StellaOps.Scanner.Sbomer.BuildXPlugin` with the manifest copied beside the binaries.
2. Calls the plug-in `handshake` command to verify the local CAS directory.
3. Builds a tiny Alpine-based image via `docker buildx`.
4. Generates a CycloneDX SBOM from the built image with `docker sbom`.
5. Emits a descriptor + provenance placeholder referencing the freshly generated SBOM with the `descriptor` command.
6. Sends the placeholder to a mock Attestor endpoint and uploads the descriptor, SBOM, and captured request as artefacts. (Swap the mock step with your real Attestor URL + `STELLAOPS_ATTESTOR_TOKEN` secret when ready.)
## Files
- `github-actions-buildx-demo.yml` workflow definition (`workflow_dispatch` + `demo/buildx` branch trigger).
- `Dockerfile` minimal demo image.
- `github-actions-buildx-demo.yml` now captures a real SBOM via `docker sbom`.
## Running locally
```bash
dotnet publish src/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj -c Release -o out/buildx
dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
--manifest out/buildx \
--cas out/cas
docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo
DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}')
docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json
dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \
--manifest out/buildx \
--image "$DIGEST" \
--sbom out/buildx-sbom.cdx.json \
--sbom-name buildx-sbom.cdx.json \
> out/buildx-descriptor.json
```
The descriptor JSON contains deterministic annotations and provenance placeholders ready for the Attestor.
# Buildx SBOM Demo Workflow
This sample GitHub Actions workflow shows how to run the StellaOps BuildX generator alongside a container build.
## What it does
1. Publishes the `StellaOps.Scanner.Sbomer.BuildXPlugin` with the manifest copied beside the binaries.
2. Calls the plug-in `handshake` command to verify the local CAS directory.
3. Builds a tiny Alpine-based image via `docker buildx`.
4. Generates a CycloneDX SBOM from the built image with `docker sbom`.
5. Emits a descriptor + provenance placeholder referencing the freshly generated SBOM with the `descriptor` command.
6. Sends the placeholder to a mock Attestor endpoint and uploads the descriptor, SBOM, and captured request as artefacts. (Swap the mock step with your real Attestor URL + `STELLAOPS_ATTESTOR_TOKEN` secret when ready.)
## Files
- `github-actions-buildx-demo.yml` workflow definition (`workflow_dispatch` + `demo/buildx` branch trigger).
- `Dockerfile` minimal demo image.
- `github-actions-buildx-demo.yml` now captures a real SBOM via `docker sbom`.
## Running locally
```bash
dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj -c Release -o out/buildx
dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
--manifest out/buildx \
--cas out/cas
docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo
DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}')
docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json
dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \
--manifest out/buildx \
--image "$DIGEST" \
--sbom out/buildx-sbom.cdx.json \
--sbom-name buildx-sbom.cdx.json \
> out/buildx-descriptor.json
```
The descriptor JSON contains deterministic annotations and provenance placeholders ready for the Attestor.

186
samples/ci/buildx-demo/github-actions-buildx-demo.yml
View File

@@ -1,85 +1,85 @@
name: Buildx SBOM Demo
on:
workflow_dispatch:
push:
branches: [ demo/buildx ]
jobs:
buildx-sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up .NET 10 preview
uses: actions/setup-dotnet@v4
with:
dotnet-version: '10.0.x'
- name: Publish StellaOps BuildX generator
run: |
dotnet publish src/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \
-c Release \
-o out/buildx
- name: Handshake CAS
run: |
dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
--manifest out/buildx \
--cas out/cas
- name: Build demo container image
run: |
docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo
- name: Capture image digest
id: digest
run: |
DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}')
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Generate SBOM from built image
run: |
mkdir -p out
docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json
- name: Start mock Attestor
id: attestor
run: |
mkdir -p out
cat <<'PY' > out/mock-attestor.py
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
class Handler(BaseHTTPRequestHandler):
def do_POST(self):
length = int(self.headers.get('Content-Length') or 0)
body = self.rfile.read(length)
with open(os.path.join('out', 'provenance-request.json'), 'wb') as fp:
fp.write(body)
self.send_response(202)
self.end_headers()
self.wfile.write(b'accepted')
def log_message(self, format, *args):
return
if __name__ == '__main__':
server = HTTPServer(('127.0.0.1', 8085), Handler)
try:
server.serve_forever()
except KeyboardInterrupt:
pass
finally:
server.server_close()
PY
touch out/provenance-request.json
python3 out/mock-attestor.py &
echo $! > out/mock-attestor.pid
name: Buildx SBOM Demo
on:
workflow_dispatch:
push:
branches: [ demo/buildx ]
jobs:
buildx-sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up .NET 10 preview
uses: actions/setup-dotnet@v4
with:
dotnet-version: '10.0.x'
- name: Publish StellaOps BuildX generator
run: |
dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \
-c Release \
-o out/buildx
- name: Handshake CAS
run: |
dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
--manifest out/buildx \
--cas out/cas
- name: Build demo container image
run: |
docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo
- name: Capture image digest
id: digest
run: |
DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}')
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Generate SBOM from built image
run: |
mkdir -p out
docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json
- name: Start mock Attestor
id: attestor
run: |
mkdir -p out
cat <<'PY' > out/mock-attestor.py
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
class Handler(BaseHTTPRequestHandler):
def do_POST(self):
length = int(self.headers.get('Content-Length') or 0)
body = self.rfile.read(length)
with open(os.path.join('out', 'provenance-request.json'), 'wb') as fp:
fp.write(body)
self.send_response(202)
self.end_headers()
self.wfile.write(b'accepted')
def log_message(self, format, *args):
return
if __name__ == '__main__':
server = HTTPServer(('127.0.0.1', 8085), Handler)
try:
server.serve_forever()
except KeyboardInterrupt:
pass
finally:
server.server_close()
PY
touch out/provenance-request.json
python3 out/mock-attestor.py &
echo $! > out/mock-attestor.pid
- name: Emit descriptor with provenance placeholder
env:
IMAGE_DIGEST: ${{ steps.digest.outputs.digest }}
@@ -135,19 +135,19 @@ PY
if: always()
run: |
if [ -f out/mock-attestor.pid ]; then
kill $(cat out/mock-attestor.pid)
fi
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: stellaops-buildx-demo
kill $(cat out/mock-attestor.pid)
fi
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: stellaops-buildx-demo
path: |
out/buildx-descriptor.json
out/buildx-sbom.cdx.json
out/provenance-request.json
out/buildx-descriptor-repeat.json
- name: Show descriptor summary
run: |
cat out/buildx-descriptor.json
- name: Show descriptor summary
run: |
cat out/buildx-descriptor.json

50
samples/policy/README.md
View File

@@ -1,25 +1,25 @@
# Policy Samples
Curated fixtures used by CI smoke/determinism checks and example documentation.
| Scenario | Policy | Findings | Expected Diff | UI/CLI Diff Fixture |
|----------|--------|----------|---------------|---------------------|
| `baseline` | `docs/examples/policies/baseline.yaml` | `samples/policy/baseline/findings.json` | `samples/policy/baseline/diffs.json` | `samples/policy/simulations/baseline/diff.json` |
| `serverless` | `docs/examples/policies/serverless.yaml` | `samples/policy/serverless/findings.json` | `samples/policy/serverless/diffs.json` | `samples/policy/simulations/serverless/diff.json` |
| `internal-only` | `docs/examples/policies/internal-only.yaml` | `samples/policy/internal-only/findings.json` | `samples/policy/internal-only/diffs.json` | `samples/policy/simulations/internal-only/diff.json` |
Run the simulation harness locally:
```bash
dotnet run \
--project tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \
-- \
--scenario-root samples/policy/simulations \
--output out/policy-simulations
```
Then inspect `out/policy-simulations/policy-simulation-summary.json` for verdict changes.
---
*Last updated: 2025-10-26.*
# Policy Samples
Curated fixtures used by CI smoke/determinism checks and example documentation.
| Scenario | Policy | Findings | Expected Diff | UI/CLI Diff Fixture |
|----------|--------|----------|---------------|---------------------|
| `baseline` | `docs/examples/policies/baseline.yaml` | `samples/policy/baseline/findings.json` | `samples/policy/baseline/diffs.json` | `samples/policy/simulations/baseline/diff.json` |
| `serverless` | `docs/examples/policies/serverless.yaml` | `samples/policy/serverless/findings.json` | `samples/policy/serverless/diffs.json` | `samples/policy/simulations/serverless/diff.json` |
| `internal-only` | `docs/examples/policies/internal-only.yaml` | `samples/policy/internal-only/findings.json` | `samples/policy/internal-only/diffs.json` | `samples/policy/simulations/internal-only/diff.json` |
Run the simulation harness locally:
```bash
dotnet run \
--project tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \
-- \
--scenario-root samples/policy/simulations \
--output out/policy-simulations
```
Then inspect `out/policy-simulations/policy-simulation-summary.json` for verdict changes.
---
*Last updated: 2025-10-26.*

24
samples/policy/baseline/diffs.json
View File

@@ -1,12 +1,12 @@
[
{
"findingId": "library:pkg/openssl@1.1.1w",
"status": "Blocked",
"rule": "block_critical"
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"status": "Warned",
"rule": "alert_warn_eol_runtime"
}
]
[
{
"findingId": "library:pkg/openssl@1.1.1w",
"status": "Blocked",
"rule": "block_critical"
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"status": "Warned",
"rule": "alert_warn_eol_runtime"
}
]

28
samples/policy/baseline/findings.json
View File

@@ -1,14 +1,14 @@
[
{
"findingId": "library:pkg/openssl@1.1.1w",
"severity": "Critical",
"source": "NVD",
"environment": "internet"
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"severity": "Low",
"source": "NVD",
"tags": ["runtime:eol"]
}
]
[
{
"findingId": "library:pkg/openssl@1.1.1w",
"severity": "Critical",
"source": "NVD",
"environment": "internet"
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"severity": "Low",
"source": "NVD",
"tags": ["runtime:eol"]
}
]

24
samples/policy/internal-only/diffs.json
View File

@@ -1,12 +1,12 @@
[
{
"findingId": "library:pkg/internal-app@2.0.0",
"status": "RequiresVex",
"rule": "accept_vendor_vex"
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"status": "RequiresVex",
"rule": "accept_vendor_vex"
}
]
[
{
"findingId": "library:pkg/internal-app@2.0.0",
"status": "RequiresVex",
"rule": "accept_vendor_vex"
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"status": "RequiresVex",
"rule": "accept_vendor_vex"
}
]

30
samples/policy/internal-only/findings.json
View File

@@ -1,15 +1,15 @@
[
{
"findingId": "library:pkg/internal-app@2.0.0",
"severity": "Medium",
"source": "GHSA",
"environment": "internal"
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"severity": "High",
"source": "NVD",
"tags": ["kev"],
"environment": "internal"
}
]
[
{
"findingId": "library:pkg/internal-app@2.0.0",
"severity": "Medium",
"source": "GHSA",
"environment": "internal"
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"severity": "High",
"source": "NVD",
"tags": ["kev"],
"environment": "internal"
}
]

24
samples/policy/serverless/diffs.json
View File

@@ -1,12 +1,12 @@
[
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"status": "Blocked",
"rule": "block_any_high"
},
{
"findingId": "image:sha256:untrusted-base",
"status": "Blocked",
"rule": "forbid_unpinned_base"
}
]
[
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"status": "Blocked",
"rule": "block_any_high"
},
{
"findingId": "image:sha256:untrusted-base",
"status": "Blocked",
"rule": "forbid_unpinned_base"
}
]

30
samples/policy/serverless/findings.json
View File

@@ -1,15 +1,15 @@
[
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"severity": "High",
"source": "NVD",
"environment": "serverless"
},
{
"findingId": "image:sha256:untrusted-base",
"severity": "Medium",
"source": "NVD",
"tags": ["image:latest-tag"],
"environment": "serverless"
}
]
[
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"severity": "High",
"source": "NVD",
"environment": "serverless"
},
{
"findingId": "image:sha256:untrusted-base",
"severity": "Medium",
"source": "NVD",
"tags": ["image:latest-tag"],
"environment": "serverless"
}
]

46
samples/policy/simulations/baseline/diff.json
View File

@@ -1,23 +1,23 @@
{
"summary": {
"policy": "baseline",
"policyDigest": "sha256:simulation-baseline",
"changed": 2
},
"diffs": [
{
"findingId": "library:pkg/openssl@1.1.1w",
"baselineStatus": "Pass",
"projectedStatus": "Blocked",
"rule": "block_critical",
"notes": "Critical severity must be remediated before deploy."
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"baselineStatus": "Pass",
"projectedStatus": "Warned",
"rule": "alert_warn_eol_runtime",
"notes": "Runtime marked as EOL; upgrade recommended."
}
]
}
{
"summary": {
"policy": "baseline",
"policyDigest": "sha256:simulation-baseline",
"changed": 2
},
"diffs": [
{
"findingId": "library:pkg/openssl@1.1.1w",
"baselineStatus": "Pass",
"projectedStatus": "Blocked",
"rule": "block_critical",
"notes": "Critical severity must be remediated before deploy."
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"baselineStatus": "Pass",
"projectedStatus": "Warned",
"rule": "alert_warn_eol_runtime",
"notes": "Runtime marked as EOL; upgrade recommended."
}
]
}

42
samples/policy/simulations/baseline/scenario.json
View File

@@ -1,21 +1,21 @@
{
"name": "baseline",
"policyPath": "docs/examples/policies/baseline.yaml",
"findings": [
{
"findingId": "library:pkg/openssl@1.1.1w",
"severity": "Critical",
"source": "NVD"
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"severity": "Low",
"source": "NVD",
"tags": ["runtime:eol"]
}
],
"expectedDiffs": [
{ "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
{ "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
]
}
{
"name": "baseline",
"policyPath": "docs/examples/policies/baseline.yaml",
"findings": [
{
"findingId": "library:pkg/openssl@1.1.1w",
"severity": "Critical",
"source": "NVD"
},
{
"findingId": "library:pkg/internal-runtime@1.0.0",
"severity": "Low",
"source": "NVD",
"tags": ["runtime:eol"]
}
],
"expectedDiffs": [
{ "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
{ "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
]
}

46
samples/policy/simulations/internal-only/diff.json
View File

@@ -1,23 +1,23 @@
{
"summary": {
"policy": "internal-only",
"policyDigest": "sha256:simulation-internal-only",
"changed": 2
},
"diffs": [
{
"findingId": "library:pkg/internal-app@2.0.0",
"baselineStatus": "Pass",
"projectedStatus": "RequiresVex",
"rule": "accept_vendor_vex",
"notes": "Trust vendor VEX statements for internal scope."
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"baselineStatus": "Pass",
"projectedStatus": "RequiresVex",
"rule": "accept_vendor_vex",
"notes": "Trust vendor VEX statements for internal scope."
}
]
}
{
"summary": {
"policy": "internal-only",
"policyDigest": "sha256:simulation-internal-only",
"changed": 2
},
"diffs": [
{
"findingId": "library:pkg/internal-app@2.0.0",
"baselineStatus": "Pass",
"projectedStatus": "RequiresVex",
"rule": "accept_vendor_vex",
"notes": "Trust vendor VEX statements for internal scope."
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"baselineStatus": "Pass",
"projectedStatus": "RequiresVex",
"rule": "accept_vendor_vex",
"notes": "Trust vendor VEX statements for internal scope."
}
]
}

46
samples/policy/simulations/internal-only/scenario.json
View File

@@ -1,23 +1,23 @@
{
"name": "internal-only",
"policyPath": "docs/examples/policies/internal-only.yaml",
"findings": [
{
"findingId": "library:pkg/internal-app@2.0.0",
"severity": "Medium",
"source": "GHSA",
"environment": "internal"
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"severity": "High",
"source": "NVD",
"tags": ["kev"],
"environment": "internal"
}
],
"expectedDiffs": [
{ "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
{ "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
]
}
{
"name": "internal-only",
"policyPath": "docs/examples/policies/internal-only.yaml",
"findings": [
{
"findingId": "library:pkg/internal-app@2.0.0",
"severity": "Medium",
"source": "GHSA",
"environment": "internal"
},
{
"findingId": "library:pkg/kev-component@3.1.4",
"severity": "High",
"source": "NVD",
"tags": ["kev"],
"environment": "internal"
}
],
"expectedDiffs": [
{ "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
{ "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
]
}

46
samples/policy/simulations/serverless/diff.json
View File

@@ -1,23 +1,23 @@
{
"summary": {
"policy": "serverless",
"policyDigest": "sha256:simulation-serverless",
"changed": 2
},
"diffs": [
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"baselineStatus": "Pass",
"projectedStatus": "Blocked",
"rule": "block_any_high",
"notes": "Serverless workloads block High+ severities."
},
{
"findingId": "image:sha256:untrusted-base",
"baselineStatus": "Pass",
"projectedStatus": "Blocked",
"rule": "forbid_unpinned_base",
"notes": "Base image must be pinned (no :latest)."
}
]
}
{
"summary": {
"policy": "serverless",
"policyDigest": "sha256:simulation-serverless",
"changed": 2
},
"diffs": [
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"baselineStatus": "Pass",
"projectedStatus": "Blocked",
"rule": "block_any_high",
"notes": "Serverless workloads block High+ severities."
},
{
"findingId": "image:sha256:untrusted-base",
"baselineStatus": "Pass",
"projectedStatus": "Blocked",
"rule": "forbid_unpinned_base",
"notes": "Base image must be pinned (no :latest)."
}
]
}

46
samples/policy/simulations/serverless/scenario.json
View File

@@ -1,23 +1,23 @@
{
"name": "serverless",
"policyPath": "docs/examples/policies/serverless.yaml",
"findings": [
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"severity": "High",
"source": "NVD",
"environment": "serverless"
},
{
"findingId": "image:sha256:untrusted-base",
"severity": "Medium",
"source": "NVD",
"tags": ["image:latest-tag"],
"environment": "serverless"
}
],
"expectedDiffs": [
{ "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
{ "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
]
}
{
"name": "serverless",
"policyPath": "docs/examples/policies/serverless.yaml",
"findings": [
{
"findingId": "library:pkg/aws-lambda@1.0.0",
"severity": "High",
"source": "NVD",
"environment": "serverless"
},
{
"findingId": "image:sha256:untrusted-base",
"severity": "Medium",
"source": "NVD",
"tags": ["image:latest-tag"],
"environment": "serverless"
}
],
"expectedDiffs": [
{ "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
{ "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
]
}

10
samples/runtime/java-demo/README.md
View File

@@ -1,5 +1,5 @@
# Java Demo Fixture
Minimal archive tree that exercises the Java language analyzer during microbenchmarks. The `libs/demo.jar`
artefact ships `META-INF/MANIFEST.MF` and `META-INF/maven/com.example/demo/pom.properties` entries so the
analyzer can extract Maven coordinates and manifest metadata without pulling in large third-party jars.
# Java Demo Fixture
Minimal archive tree that exercises the Java language analyzer during microbenchmarks. The `libs/demo.jar`
artefact ships `META-INF/MANIFEST.MF` and `META-INF/maven/com.example/demo/pom.properties` entries so the
analyzer can extract Maven coordinates and manifest metadata without pulling in large third-party jars.