stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10

Browse Source
This commit is contained in:
master
2026-02-23 15:30:50 +02:00
parent bd8fee6ed8
commit e746577380
1424 changed files with 81225 additions and 25251 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/modules/scanner/README.md
View File

@@ -2,7 +2,10 @@
Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.
## Latest updates (2025-12-12)
## Latest updates (2026-02-22)
- Unknowns API surface is now registered in Scanner (`/api/v1/unknowns`) with tenant-scoped query predicates and tenant conflict handling via shared request-context resolution.
- Tenant isolation hardening for triage/finding evidence APIs (Sprint `20260222.057`): triage query/status/rationale/replay services now require explicit tenant context, triage persistence includes `tenant_id`, and cross-tenant finding lookups resolve as deterministic misses. See `./endpoint-registration-matrix.md`.
- Tenant-argument parity hardening for API-backed tenant tables (Sprint `20260222.057`, `SCAN-TEN-13`): source-run and secret-exception APIs now enforce tenant-scoped repository lookups for `scanner.sbom_source_runs` and `secret_exception_pattern`.
- Deterministic SBOM composition fixture published at `docs/modules/scanner/fixtures/deterministic-compose/` with DSSE, `_composition.json`, BOM, and hashes; doc `deterministic-sbom-compose.md` promoted to Ready v1.0 with offline verification steps.
- Node analyzer now ingests npm/yarn/pnpm lockfiles, emitting `DeclaredOnly` components with lock provenance. The CLI companion command `stella node lock-validate` runs the collector offline, surfaces declared-only or missing-lock packages, and emits telemetry via `stellaops.cli.node.lock_validate.count`. See `docs/modules/scanner/analyzers-node.md` and bench scenario `node_detection_gaps_fixture`.
- Python analyzer picks up `requirements*.txt`, `Pipfile.lock`, and `poetry.lock`, tagging installed distributions with lock provenance and generating declared-only components for policy. Use `stella python lock-validate` to run the same checks locally before images are built.
@@ -37,6 +40,7 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f
- ./operations/analyzers-grafana-dashboard.json
- ./operations/rustfs-migration.md
- ./operations/entrypoint.md
- ./endpoint-registration-matrix.md
- ./analyzers-node.md
- ./analyzers-go.md
- ./operations/secret-leak-detection.md