{ "$id": "https://stella.ops/schema/audit-bundle-index.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "AuditBundleIndex", "description": "Root manifest for an immutable audit bundle containing vulnerability reports, VEX decisions, policy evaluations, and attestations", "type": "object", "required": ["apiVersion", "kind", "bundleId", "createdAt", "createdBy", "subject", "artifacts"], "properties": { "apiVersion": { "type": "string", "const": "stella.ops/v1", "description": "API version for this bundle format" }, "kind": { "type": "string", "const": "AuditBundleIndex", "description": "Resource kind identifier" }, "bundleId": { "type": "string", "description": "Unique identifier for this bundle", "examples": ["bndl-6f6b0c94-9c5b-4bbf-9a77-a5d8a83da4a2"] }, "createdAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp when bundle was created" }, "createdBy": { "$ref": "#/$defs/BundleActorRef", "description": "User who created this bundle" }, "subject": { "$ref": "#/$defs/BundleSubjectRef", "description": "Primary artifact this bundle documents" }, "timeWindow": { "type": "object", "properties": { "from": { "type": "string", "format": "date-time", "description": "Start of time window for included artifacts" }, "to": { "type": "string", "format": "date-time", "description": "End of time window for included artifacts" } }, "description": "Optional time window filter for included content" }, "artifacts": { "type": "array", "items": { "$ref": "#/$defs/BundleArtifact" }, "description": "List of artifacts included in this bundle" }, "vexDecisions": { "type": "array", "items": { "$ref": "#/$defs/BundleVexDecisionEntry" }, "description": "Summary of VEX decisions included in this bundle" }, "integrity": { "$ref": "#/$defs/BundleIntegrity", "description": "Integrity verification data for the entire bundle" } }, "$defs": { "BundleActorRef": { "type": "object", "required": ["id", "displayName"], "properties": { "id": { "type": "string", "description": "User identifier" }, "displayName": { "type": "string", "description": "Human-readable display name" } } }, "BundleSubjectRef": { "type": "object", "required": ["type", "name", "digest"], "properties": { "type": { "type": "string", "enum": ["IMAGE", "REPO", "SBOM", "OTHER"], "description": "Type of subject artifact" }, "name": { "type": "string", "description": "Human-readable subject name" }, "digest": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Algorithm -> digest map" } } }, "BundleArtifact": { "type": "object", "required": ["id", "type", "source", "path", "mediaType", "digest"], "properties": { "id": { "type": "string", "description": "Internal identifier for this artifact within the bundle" }, "type": { "type": "string", "enum": ["VULN_REPORT", "SBOM", "VEX", "POLICY_EVAL", "OTHER"], "description": "Type of artifact" }, "source": { "type": "string", "description": "Tool/service that produced this artifact", "examples": ["Trivy@0.53.0", "Syft@1.0.0", "StellaOps", "StellaPolicyEngine@2.1.0"] }, "path": { "type": "string", "description": "Relative path within the bundle", "examples": ["reports/trivy/app-service-7d9c-vulns.json"] }, "mediaType": { "type": "string", "description": "Media type of the artifact", "examples": ["application/json", "application/vnd.cyclonedx+json"] }, "digest": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Content digest of the artifact" }, "attestation": { "$ref": "#/$defs/BundleArtifactAttestationRef", "description": "Optional reference to attestation for this artifact" } } }, "BundleArtifactAttestationRef": { "type": "object", "required": ["path", "digest"], "properties": { "path": { "type": "string", "description": "Relative path to attestation within the bundle" }, "digest": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Content digest of the attestation" } } }, "BundleVexDecisionEntry": { "type": "object", "required": ["decisionId", "vulnerabilityId", "status", "path", "digest"], "properties": { "decisionId": { "type": "string", "format": "uuid", "description": "VEX decision ID" }, "vulnerabilityId": { "type": "string", "description": "CVE or vulnerability identifier" }, "status": { "type": "string", "enum": ["NOT_AFFECTED", "UNDER_INVESTIGATION", "AFFECTED_MITIGATED", "AFFECTED_UNMITIGATED", "FIXED"], "description": "VEX status" }, "path": { "type": "string", "description": "Relative path to VEX decision file" }, "digest": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Content digest of the decision file" } } }, "BundleIntegrity": { "type": "object", "required": ["rootHash", "hashAlgorithm"], "properties": { "rootHash": { "type": "string", "description": "Root hash covering all artifacts in the bundle" }, "hashAlgorithm": { "type": "string", "default": "sha256", "description": "Hash algorithm used for integrity verification" } } } }, "examples": [ { "apiVersion": "stella.ops/v1", "kind": "AuditBundleIndex", "bundleId": "bndl-6f6b0c94-9c5b-4bbf-9a77-a5d8a83da4a2", "createdAt": "2025-11-21T09:05:30Z", "createdBy": { "id": "user-123", "displayName": "Alice Johnson" }, "subject": { "type": "IMAGE", "name": "registry.internal/stella/app-service@sha256:7d9c...", "digest": { "sha256": "7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee" } }, "timeWindow": { "from": "2025-11-14T00:00:00Z", "to": "2025-11-21T09:05:00Z" }, "artifacts": [ { "id": "vuln-report-trivy", "type": "VULN_REPORT", "source": "Trivy@0.53.0", "path": "reports/trivy/app-service-7d9c-vulns.json", "mediaType": "application/json", "digest": { "sha256": "db569aa8a1b847a922b7d61d276cc2a0ccf99efad0879500b56854b43265c09a" }, "attestation": { "path": "attestations/vuln-scan-trivy.dsse.json", "digest": { "sha256": "2e613df97fe2aa9baf7a8dac9cfaa407e60c808a8af8e7d5e50c029f6c51a54b" } } }, { "id": "sbom-cyclonedx", "type": "SBOM", "source": "Syft@1.0.0", "path": "sbom/app-service-7d9c-cyclonedx.json", "mediaType": "application/vnd.cyclonedx+json", "digest": { "sha256": "9477b3a9410423b37c39076678a936d5854aa2d905e72a2222c153e3e51ab150" }, "attestation": { "path": "attestations/sbom-syft.dsse.json", "digest": { "sha256": "3ebf5dc03f862b4b2fdef201130f5c6a9bde7cb0bcf4f57e7686adbc83c9c897" } } }, { "id": "vex-decisions", "type": "VEX", "source": "StellaOps", "path": "vex/app-service-7d9c-vex.json", "mediaType": "application/json", "digest": { "sha256": "b56f0d05af5dc4ba79ccc1d228dba27a0d9607eef17fa7faf569e3020c39da83" } }, { "id": "policy-eval-prod-admission", "type": "POLICY_EVAL", "source": "StellaPolicyEngine@2.1.0", "path": "policy-evals/prod-admission.json", "mediaType": "application/json", "digest": { "sha256": "cf8617dd3a63b953f31501045bb559c7095fa2b6965643b64a4b463756cfa9c3" }, "attestation": { "path": "attestations/policy-prod-admission.dsse.json", "digest": { "sha256": "a7ea883ffa1100a62f0f89f455b659017864c65a4fad0af0ac3d8b989e1a6ff3" } } } ], "vexDecisions": [ { "decisionId": "8a3d0b5a-1e07-4b57-b6a1-1a29ce6c889e", "vulnerabilityId": "CVE-2023-12345", "status": "NOT_AFFECTED", "path": "vex/CVE-2023-12345-app-service.json", "digest": { "sha256": "b56f0d05af5dc4ba79ccc1d228dba27a0d9607eef17fa7faf569e3020c39da83" } } ], "integrity": { "rootHash": "f4ede91c4396f9dfdacaf15fe0293c6349f467701f4ef7af6a2ecd4f5bf42254", "hashAlgorithm": "sha256" } } ] }