# Audit - StellaOps.Scanner.Sbomer.BuildXPlugin

## Project

- Path: `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj`
- Module: `Scanner`
- Kind: `Service`
- SDK: `Microsoft.NET.Sdk`
- TargetFramework: `net10.0`
- Audit date (UTC): 2026-01-30

## Coding Standards Findings

- Status: FAIL
- Nullable: enable
- TreatWarningsAsErrors: explicit true
- Deterministic: inherited true
- 100-line rule violations: 5
- Service locator usage (BuildServiceProvider/GetService): 9
- Analyzer enforcement: missing repo-wide (see summary).

### Details

- 100-line files:
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs` (627 lines)
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Surface/SurfaceManifestWriter.cs` (234 lines)
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorGenerator.cs` (198 lines)
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Manifest/BuildxPluginManifestLoader.cs` (189 lines)
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Surface/SurfaceCasLayout.cs` (112 lines)
- Service locator matches:
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:397 `using var provider = services.BuildServiceProvider();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:398 `var env = provider.GetService();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:434 `using var provider = services.BuildServiceProvider();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:435 `var secretProvider = provider.GetService();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:436 `var env = provider.GetService();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:487 `using var provider = services.BuildServiceProvider();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:488 `var secretProvider = provider.GetService();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:489 `var env = provider.GetService();`
  - `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`:602 `var provider = services.BuildServiceProvider();`

### Fix Guidance

- Split files over 100 lines into smaller types or partials.
- Replace service locator usage with constructor injection.

## Testing Fullness Findings

- Status: FAIL
- Expected layers: Unit, Performance
- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj [Unit]
- Missing layers: Performance

### Manual checks required

- Observability contract tests for WebService/Worker.
- Offline execution (tests must run without network access).

### Fix Guidance

- Add performance regression coverage for scanner/export/release paths.