# Audit - StellaOps.Scanner.WebService

## Project

- Path: `src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj`
- Module: `Scanner`
- Kind: `WebService`
- SDK: `Microsoft.NET.Sdk.Web`
- TargetFramework: `net10.0`
- Audit date (UTC): 2026-01-30

## Coding Standards Findings

- Status: FAIL
- Nullable: enable
- TreatWarningsAsErrors: explicit true
- Deterministic: inherited true
- 100-line rule violations: 128
- Service locator usage (BuildServiceProvider/GetService): 0
- Analyzer enforcement: missing repo-wide (see summary).

### Details

- 100-line files:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs` (831 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ReportEventDispatcher.cs` (819 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs` (777 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScanEndpoints.cs` (766 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SourcesEndpoints.cs` (758 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineAttestationVerifier.cs` (741 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SignedSbomArchiveBuilder.cs` (727 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitImportService.cs` (686 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/RuntimeInventoryReconciler.cs` (681 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/AttestationChainVerifier.cs` (670 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/WebhookEndpoints.cs` (668 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/OrchestratorEventContracts.cs` (662 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomByosUploadService.cs` (651 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Program.cs` (647 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/CounterfactualEndpoints.cs` (610 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationWebhookHandler.cs` (590 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs` (589 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/PolicyEndpoints.cs` (586 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ApprovalEndpoints.cs` (549 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerWebServiceOptions.cs` (537 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/RuntimePolicyService.cs` (533 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/UnifiedEvidenceContracts.cs` (523 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SecretDetectionSettingsService.cs` (497 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerWebServiceOptionsValidator.cs` (494 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ExportEndpoints.cs` (487 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IOfflineAttestationVerifier.cs` (481 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceCompositionService.cs` (468 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/TriageContracts.cs` (464 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` (463 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/FindingRationaleService.cs` (449 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Controllers/TriageController.cs` (444 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/DeltaCompareContracts.cs` (440 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ReplayCommandService.cs` (435 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEndpoints.cs` (421 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SliceEndpoints.cs` (386 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SecretDetectionSettingsEndpoints.cs` (373 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/GitHubCodeScanningEndpoints.cs` (371 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/AttestationChain.cs` (366 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/TriageStatusService.cs` (365 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/UnifiedEvidenceService.cs` (363 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/PolicyDtoMapper.cs` (356 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/FeedChangeRescoreJob.cs` (354 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ValidationEndpoints.cs` (346 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/OfflineKitEndpoints.cs` (341 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SliceQueryService.cs` (336 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/LayerSbomEndpoints.cs` (336 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/RuntimeEndpoints.cs` (332 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEvidenceEndpoints.cs` (328 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs` (324 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/UnknownsEndpoints.cs` (323 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/RationaleContracts.cs` (322 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/SecretDetectionConfigContracts.cs` (319 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/HumanApprovalAttestationService.cs` (316 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Replay/RecordModeService.cs` (315 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/GatingReasonService.cs` (312 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ActionablesEndpoints.cs` (309 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitManifestService.cs` (307 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityDriftEndpoints.cs` (307 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ManifestEndpoints.cs` (306 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageStatusEndpoints.cs` (301 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReportEndpoints.cs` (301 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitMetricsStore.cs` (294 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SurfacePointerService.cs` (293 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/BaselineEndpoints.cs` (292 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityStackEndpoints.cs` (292 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs` (291 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScoreReplayEndpoints.cs` (283 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Middleware/IdempotencyMiddleware.cs` (271 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/OciAttestationPublisher.cs` (270 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ReportSigner.cs` (267 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/VexGateContracts.cs` (264 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/GatingContracts.cs` (264 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomExportService.cs` (264 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/LayerSbomService.cs` (262 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/RuntimeEventRateLimiter.cs` (261 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/DeltaScanRequestHandler.cs` (260 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/WitnessEndpoints.cs` (253 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EvidenceEndpoints.cs` (253 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerSurfaceSecretConfigurator.cs` (246 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/HumanApprovalStatement.cs` (244 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/CallGraphEndpoints.cs` (244 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Serialization/OrchestratorEventSerializer.cs` (239 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/RuntimeEventIngestionService.cs` (234 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/CallGraphIngestionService.cs` (232 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/SbomContracts.cs` (231 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/BaselineContracts.cs` (228 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/ReachabilityContracts.cs` (225 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/ReportContracts.cs` (222 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ScoreReplayService.cs` (221 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/RuntimePolicyContracts.cs` (216 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/RichGraphAttestationService.cs` (216 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/ReplayCommandContracts.cs` (212 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/VexGateQueryService.cs` (208 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IHumanApprovalAttestationService.cs` (206 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/PolicyDecisionAttestationService.cs` (204 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/ManifestContracts.cs` (201 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/PolicyDecisionStatement.cs` (200 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/FindingEvidenceContracts.cs` (198 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/InMemoryScanCoordinator.cs` (197 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ProofSpineEndpoints.cs` (196 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/PolicyPreviewContracts.cs` (195 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomIngestionService.cs` (192 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ScanFindingsSarifExportService.cs` (187 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/LinksetResolver.cs` (181 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IEvidenceBundleExporter.cs` (180 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomEndpoints.cs` (174 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IRichGraphAttestationService.cs` (174 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ConcelierHttpLinksetQueryService.cs` (172 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/RichGraphStatement.cs` (166 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/ProofBundleEndpoints.cs` (164 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/HealthEndpoints.cs` (160 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/ProofSpineContracts.cs` (158 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IPolicyDecisionAttestationService.cs` (157 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/RedisPlatformEventPublisher.cs` (155 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ScanProgressStream.cs` (150 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/InMemoryScanManifestRepository.cs` (148 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ILayerSbomService.cs` (146 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitContracts.cs` (143 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Controllers/VexGateController.cs` (143 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/TestManifestRepository.cs` (142 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/LayerSbomContracts.cs` (141 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Extensions/RateLimitingExtensions.cs` (127 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IVexGateQueryService.cs` (126 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs` (123 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerStorageOptionsPostConfigurator.cs` (118 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/RuntimeEventsContracts.cs` (110 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerWebServiceOptionsPostConfigure.cs` (110 lines)
  - `src/Scanner/StellaOps.Scanner.WebService/Serialization/DeterministicCborSerializer.cs` (108 lines)
- Service locator matches:
  - none

### Fix Guidance

- Split files over 100 lines into smaller types or partials.

## Testing Fullness Findings

- Status: FAIL
- Expected layers: Unit, Integration, Security, Offline, Performance
- Detected test projects: `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj` [Unit]
- Missing layers: Integration, Security, Offline, Performance

### Manual checks required

- Observability contract tests for WebService/Worker.
- Offline execution (tests must run without network access).

### Fix Guidance

- Add integration tests for cross-component flows.
- Add security tests for authn/authz or input validation.
- Add offline/airgap coverage with fixtures only.
- Add performance regression coverage for scanner/export/release paths.