save checkpoint
docs/features/checked/scanner/delta-layer-scanning-engine.md
Normal file
@@ -0,0 +1,45 @@
# Delta Layer Scanning Engine

## Module
Scanner

## Status
VERIFIED

## Description
Container image delta scanning engine that scans only changed layers between image versions by diffID comparison, reusing cached per-layer SBOMs for unchanged layers. Produces DSSE-wrapped delta evidence with Rekor anchoring. Targets 70%+ CVE churn reduction on minor base image bumps.

## Implementation Details
- **Core Delta Scanner**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Delta/IDeltaLayerScanner.cs` - Interface for delta layer scanning
- `src/Scanner/__Libraries/StellaOps.Scanner.Delta/DeltaLayerScanner.cs` - Scans only changed layers by diffID comparison, reuses cached per-layer SBOMs
- **Delta Evidence**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/IDeltaEvidenceComposer.cs` - Interface for composing delta evidence
- `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaEvidenceComposer.cs` - Composes DSSE-wrapped delta evidence with Rekor anchoring
- `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaScanPredicate.cs` - Delta scan predicate model
- **WebService Integration**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/IDeltaScanRequestHandler.cs` - Delta scan request handler interface
- `src/Scanner/StellaOps.Scanner.WebService/Services/DeltaScanRequestHandler.cs` - Handles delta scan API requests
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs` - Delta comparison API endpoints
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs` - Delta evidence API endpoints
- `src/Scanner/StellaOps.Scanner.WebService/Contracts/DeltaCompareContracts.cs` - API contracts

## E2E Test Plan
- [ ] Scan two versions of the same image with minor base image changes
- [ ] Verify only changed layers are scanned (unchanged layers reuse cached SBOMs)
- [ ] Verify delta evidence is DSSE-wrapped and includes Rekor anchoring reference
- [ ] Call `GET /api/v1/delta/{baselineScanId}/{currentScanId}` and verify delta comparison results
- [ ] Call `GET /api/v1/delta/{scanId}/evidence` and verify delta evidence bundle
- [ ] Verify CVE churn is reduced (only changed-layer CVEs appear as new findings)
- [ ] Verify the delta scan completes significantly faster than a full scan

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
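Review bot: the Verification table at the end of this hunk records "Tier 2 - Integration tests | PASS" and the Status section says VERIFIED, yet every item in the E2E Test Plan is still an unchecked `- [ ]` box; either tick the items the Tier 2 run actually exercised or state which remain open, otherwise the two sections contradict each other. On the same hunk: the Description commits to "Targets 70%+ CVE churn reduction on minor base image bumps" but no row in the table records a measured figure, so the number reads as an aspiration rather than a verified property, and a row like "Measured CVE churn reduction on a minor base bump | NN%" would close that gap. The evidence endpoint `GET /api/v1/delta/{scanId}/evidence` takes a single scan id while the comparison endpoint takes a `{baselineScanId}/{currentScanId}` pair; the doc should say which id identifies a delta evidence bundle (the current scan, or a separate delta scan id). Finally, since layer reuse is decided "by diffID comparison", the cache-reuse test item should also assert that the SBOM cache is keyed on the uncompressed diffID and not on the compressed layer digest, because the same layer content can carry different compressed digests across registries and would otherwise miss the cache.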