# Delta Layer Scanning Engine

## Module

Scanner

## Status

IMPLEMENTED

## Description

Container image delta scanning engine that scans only the layers that changed between image versions, determined by diffID comparison, and reuses cached per-layer SBOMs for unchanged layers. Produces DSSE-wrapped delta evidence with Rekor anchoring. Targets 70%+ CVE churn reduction on minor base image bumps.

## Implementation Details

- **Core Delta Scanner**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/IDeltaLayerScanner.cs` - Interface for delta layer scanning
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/DeltaLayerScanner.cs` - Scans only changed layers by diffID comparison, reuses cached per-layer SBOMs
- **Delta Evidence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/IDeltaEvidenceComposer.cs` - Interface for composing delta evidence
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaEvidenceComposer.cs` - Composes DSSE-wrapped delta evidence with Rekor anchoring
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaScanPredicate.cs` - Delta scan predicate model
- **WebService Integration**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IDeltaScanRequestHandler.cs` - Delta scan request handler interface
  - `src/Scanner/StellaOps.Scanner.WebService/Services/DeltaScanRequestHandler.cs` - Handles delta scan API requests
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs` - Delta comparison API endpoints
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs` - Delta evidence API endpoints
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/DeltaCompareContracts.cs` - API contracts

## E2E Test Plan

- [ ] Scan two versions of the same image with minor base image changes
- [ ] Verify only changed layers are scanned (unchanged layers reuse cached SBOMs)
- [ ] Verify delta evidence is DSSE-wrapped and includes a Rekor anchoring reference
- [ ] Call `GET /api/v1/delta/{baselineScanId}/{currentScanId}` and verify delta comparison results
- [ ] Call `GET /api/v1/delta/{scanId}/evidence` and verify the delta evidence bundle
- [ ] Verify CVE churn is reduced (only changed-layer CVEs appear as new findings)
- [ ] Verify the delta scan completes significantly faster than a full scan
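The layer-selection step the description above relies on (match layers by diffID, reuse cached per-layer SBOMs, rescan only what changed), shown as an added example; this is illustrative code, not the `DeltaLayerScanner` from the StellaOps tree, and the `LayerSbom`, `DeltaPlan` and `DeltaLayerPlanner` names, the string-keyed SBOM cache and the package identifiers are all assumptions made for the example.

```csharp
// Added illustration (not StellaOps code): plan a delta scan by comparing layer diffIDs.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
public sealed record LayerSbom(string DiffId, IReadOnlyList<string> Packages);

// Reused: unchanged layers served from the SBOM cache. ToScan: changed or new layers.
public sealed record DeltaPlan(IReadOnlyList<LayerSbom> Reused, IReadOnlyList<string> ToScan);

public static class DeltaLayerPlanner
{
    // An OCI diffID is the uncompressed layer digest: "sha256:" + 64 lowercase hex chars.
    private static readonly Regex DiffIdPattern = new("^sha256:[0-9a-f]{64}$", RegexOptions.Compiled);
    public static DeltaPlan Plan(IReadOnlyList<string> baselineDiffIds,
                                 IReadOnlyList<string> currentDiffIds,
                                 IReadOnlyDictionary<string, LayerSbom> sbomCache)
    {
        foreach (var id in baselineDiffIds.Concat(currentDiffIds))
            if (!DiffIdPattern.IsMatch(id)) throw new ArgumentException($"Malformed diffID: {id}");
        var baseline = new HashSet<string>(baselineDiffIds, StringComparer.Ordinal);
        var reused = new List<LayerSbom>();
        var toScan = new List<string>();

        // Match by diffID (content hash), not by layer index: a base-image bump that shifts
        // every layer position still reuses the layers whose content is byte-identical.
        foreach (var diffId in currentDiffIds)
        {
            // Reuse only when the layer existed in the baseline AND its SBOM is cached;
            // a cache miss on an otherwise unchanged layer must fall back to a real scan.
            if (baseline.Contains(diffId) && sbomCache.TryGetValue(diffId, out var cached))
                reused.Add(cached);
            else
                toScan.Add(diffId);
        }
        return new DeltaPlan(reused, toScan);
    }

    // Churn view: packages that only the changed layers introduce, so findings on
    // unchanged (cached) layers are not re-reported as new.
    public static IReadOnlyList<string> NewPackages(IReadOnlyList<LayerSbom> scannedChanged,
                                                    IReadOnlyList<LayerSbom> reused)
    {
        var known = reused.SelectMany(l => l.Packages).ToHashSet(StringComparer.Ordinal);
        return scannedChanged.SelectMany(l => l.Packages)
                             .Where(p => !known.Contains(p))
                             .Distinct(StringComparer.Ordinal).ToList();
    }
}
```

Feeding `Plan(...).ToScan` to the per-layer scanner and `NewPackages` to the findings report gives the behaviour the E2E plan checks: unchanged layers never hit the scanner, and only changed-layer packages surface as new findings.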