{ "$id": "https://stella.ops/schema/attestation-vuln-scan.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "VulnScanAttestation", "description": "In-toto style attestation for vulnerability scan results", "type": "object", "required": ["_type", "predicateType", "subject", "predicate", "attestationMeta"], "properties": { "_type": { "type": "string", "const": "https://in-toto.io/Statement/v0.1", "description": "In-toto statement type URI" }, "predicateType": { "type": "string", "const": "https://stella.ops/predicates/vuln-scan/v1", "description": "Predicate type URI for Stella Ops vulnerability scans" }, "subject": { "type": "array", "items": { "$ref": "#/$defs/AttestationSubject" }, "minItems": 1, "description": "Artifacts that were scanned" }, "predicate": { "$ref": "#/$defs/VulnScanPredicate", "description": "Vulnerability scan result predicate" }, "attestationMeta": { "$ref": "#/$defs/AttestationMeta", "description": "Attestation metadata including signer info" } }, "$defs": { "AttestationSubject": { "type": "object", "required": ["name", "digest"], "properties": { "name": { "type": "string", "description": "Subject name (e.g. image reference)", "examples": ["registry.internal/stella/app-service@sha256:7d9c..."] }, "digest": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Algorithm -> digest map", "examples": [{"sha256": "7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee"}] } } }, "VulnScanPredicate": { "type": "object", "required": ["scanner", "scanStartedAt", "scanCompletedAt", "severityCounts", "findingReport"], "properties": { "scanner": { "$ref": "#/$defs/ScannerInfo", "description": "Scanner that produced this result" }, "scannerDb": { "$ref": "#/$defs/ScannerDbInfo", "description": "Vulnerability database info" }, "scanStartedAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp when scan started" }, "scanCompletedAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp when scan completed" }, "severityCounts": { "type": "object", "properties": { "CRITICAL": { "type": "integer", "minimum": 0 }, "HIGH": { "type": "integer", "minimum": 0 }, "MEDIUM": { "type": "integer", "minimum": 0 }, "LOW": { "type": "integer", "minimum": 0 } }, "description": "Count of findings by severity" }, "findingReport": { "$ref": "#/$defs/FindingReport", "description": "Reference to the full findings report" } } }, "ScannerInfo": { "type": "object", "required": ["name", "version"], "properties": { "name": { "type": "string", "description": "Scanner name", "examples": ["Trivy", "Snyk", "Grype"] }, "version": { "type": "string", "description": "Scanner version", "examples": ["0.53.0"] } } }, "ScannerDbInfo": { "type": "object", "properties": { "lastUpdatedAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp when vulnerability DB was last updated" } } }, "FindingReport": { "type": "object", "required": ["mediaType", "location", "digest"], "properties": { "mediaType": { "type": "string", "default": "application/json", "description": "Media type of the report", "examples": ["application/json", "application/vnd.cyclonedx+json"] }, "location": { "type": "string", "description": "Path or URI to the report file", "examples": ["reports/trivy/app-service-7d9c-vulns.json"] }, "digest": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Content digest of the report" } } }, "AttestationMeta": { "type": "object", "required": ["statementId", "createdAt", "signer"], "properties": { "statementId": { "type": "string", "description": "Unique identifier for this attestation statement" }, "createdAt": { "type": "string", "format": "date-time", "description": "ISO-8601 timestamp when attestation was created" }, "signer": { "$ref": "#/$defs/AttestationSigner", "description": "Entity that signed this attestation" } } }, "AttestationSigner": { "type": "object", "required": ["name", "keyId"], "properties": { "name": { "type": "string", "description": "Signer name/identity", "examples": ["ci/trivy-signer"] }, "keyId": { "type": "string", "description": "Key identifier (fingerprint)", "examples": ["SHA256:ae12c8d1..."] } } } }, "examples": [ { "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://stella.ops/predicates/vuln-scan/v1", "subject": [ { "name": "registry.internal/stella/app-service@sha256:7d9c...", "digest": { "sha256": "7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee" } } ], "predicate": { "scanner": { "name": "Trivy", "version": "0.53.0" }, "scannerDb": { "lastUpdatedAt": "2025-11-20T09:32:00Z" }, "scanStartedAt": "2025-11-21T09:00:00Z", "scanCompletedAt": "2025-11-21T09:01:05Z", "severityCounts": { "CRITICAL": 1, "HIGH": 7, "MEDIUM": 13, "LOW": 4 }, "findingReport": { "mediaType": "application/json", "location": "reports/trivy/app-service-7d9c-vulns.json", "digest": { "sha256": "db569aa8a1b847a922b7d61d276cc2a0ccf99efad0879500b56854b43265c09a" } } }, "attestationMeta": { "statementId": "att-vuln-trivy-app-service-7d9c", "createdAt": "2025-11-21T09:01:05Z", "signer": { "name": "ci/trivy-signer", "keyId": "SHA256:ae12c8d1..." } } } ] }