stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: Add new provenance and crypto registry documentation
Some checks failed
api-governance / spectral-lint (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages.
- Added a comprehensive crypto registry decision document outlining defaults and required follow-ups.
- Created an offline feeds manifest for bundling air-gap resources.
- Implemented a script to generate and update binary manifests for curated binaries.
- Added a verification script to ensure binary artefacts are located in approved directories.
- Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload.
- Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts.
- Updated vendor manifest to track pinned binaries for integrity.
This commit is contained in:
master
2025-11-18 23:47:13 +02:00
parent d3ecd7f8e6
commit e91da22836
44 changed files with 6793 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
docs/events/advisoryai.evidence.bundle@0.json Normal file
View File

@@ -0,0 +1,58 @@
{
"$id": "https://stella-ops.org/schemas/events/advisoryai.evidence.bundle@0.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "AdvisoryAI evidence bundle (draft v0)",
"type": "object",
"additionalProperties": false,
"required": ["bundleId", "advisoryId", "tenant", "generatedAt", "observations"],
"properties": {
"bundleId": {"type": "string", "description": "Deterministic bundle identifier (UUID or ULID)."},
"advisoryId": {"type": "string", "description": "Upstream advisory identifier (vendor or CVE-style)."},
"tenant": {"type": "string", "description": "Owning tenant."},
"generatedAt": {"type": "string", "format": "date-time", "description": "UTC timestamp when bundle was assembled."},
"schemaVersion": {"type": "integer", "default": 0},
"observations": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": ["observationId", "source"],
"properties": {
"observationId": {"type": "string"},
"source": {"type": "string", "description": "Publisher or feed name."},
"purl": {"type": "string", "description": "Optional package URL."},
"cve": {"type": "string"},
"severity": {"type": "string", "description": "Publisher-reported severity label."},
"cvss": {
"type": "object",
"additionalProperties": false,
"properties": {
"vector": {"type": "string"},
"score": {"type": "number"}
}
},
"summary": {"type": "string"},
"evidence": {
"type": "object",
"description": "Raw upstream statement or excerpt.",
"additionalProperties": true
}
}
}
},
"signatures": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["signature", "keyId"],
"properties": {
"signature": {"type": "string", "description": "Base64 signature over canonical JSON."},
"keyId": {"type": "string"},
"algorithm": {"type": "string"}
}
}
}
}
}

32
docs/events/samples/advisoryai.evidence.bundle@0.sample.json Normal file
View File

@@ -0,0 +1,32 @@
{
"bundleId": "19bd7cf7-c7a6-4c1c-9b9c-6f2f794e9b1a",
"advisoryId": "CVE-2025-12345",
"tenant": "demo-tenant",
"generatedAt": "2025-11-18T12:00:00Z",
"schemaVersion": 0,
"observations": [
{
"observationId": "obs-001",
"source": "vendor.psirt",
"purl": "pkg:maven/org.example/app@1.2.3",
"cve": "CVE-2025-12345",
"severity": "critical",
"cvss": {
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"summary": "Remote code execution via deserialization of untrusted data.",
"evidence": {
"statement": "Vendor confirms unauthenticated RCE in versions <1.2.4",
"references": ["https://example.com/advisory"]
}
}
],
"signatures": [
{
"signature": "MEQCID...==",
"keyId": "authority-root-1",
"algorithm": "ecdsa-p256-sha256"
}
]
}