# Scanner Analyzers (Language-Specific and Binary)

## Module
Scanner

## Status
IMPLEMENTED

## Description
Extensive analyzer ecosystem covering language-specific (Ruby, Java), OS-specific (Windows WinSxS, MSI, Chocolatey, macOS Homebrew, pkgutil), and secrets analyzers.

## Implementation Details
- **Ruby Language Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyLanguageAnalyzer.cs` - `RubyLanguageAnalyzer` parsing Gemfile.lock, .gemspec, and gem metadata for Ruby dependency analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyAnalyzerPlugin.cs` - `RubyAnalyzerPlugin` registering the Ruby analyzer in the scanner pipeline
- **Windows WinSxS Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSPackageAnalyzer.cs` - `WinSxSPackageAnalyzer` discovering side-by-side assemblies in Windows images
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSManifestParser.cs` - `WinSxSManifestParser` parsing WinSxS assembly manifests
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSAssemblyMetadata.cs` - Metadata model for WinSxS assemblies
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSAnalyzerPlugin.cs` - Plugin registration
- **Windows MSI Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Msi/MsiAnalyzerPlugin.cs` - `MsiAnalyzerPlugin` analyzing MSI installer packages
- **Windows Chocolatey Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey/ChocolateyAnalyzerPlugin.cs` - `ChocolateyAnalyzerPlugin` discovering packages installed via Chocolatey
- **Secrets Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs` - `SecretsAnalyzer` detecting exposed secrets (API keys, tokens, passwords) in image layers
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs` - `SecretsAnalyzerHost` managing analyzer lifecycle
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs` - Configuration options for secret detection rules
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Secrets/SecretsAnalyzerStageExecutor.cs` - `SecretsAnalyzerStageExecutor` scanner pipeline stage for secrets analysis
- **Secret Alert Emitter**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs` - `SecretAlertEmitter` emitting alerts for discovered secrets
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs` - Interface for secret alerts
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs` - `SecretExceptionMatcher` for allowlisting known-safe patterns
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/RubyLanguageAnalyzerTests.cs` - Ruby analyzer tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerTests.cs` - Secrets analyzer tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.Tests/ChocolateyAnalyzerPluginTests.cs` - Chocolatey analyzer tests

## E2E Test Plan
- [ ] Scan a container image with a Ruby application and verify `RubyLanguageAnalyzer` discovers all gems from Gemfile.lock with correct versions
- [ ] Scan a Windows container image and verify `WinSxSPackageAnalyzer` discovers side-by-side assemblies with correct version and architecture metadata
- [ ] Scan a Windows image with Chocolatey packages and verify `ChocolateyAnalyzerPlugin` lists all installed packages
- [ ] Scan an image containing embedded secrets (test fixtures) and verify `SecretsAnalyzer` detects API keys, tokens, and passwords with correct file locations
- [ ] Verify the `SecretExceptionMatcher` correctly suppresses findings that match allowlisted patterns
- [ ] Verify all analyzer plugins register correctly and execute as pipeline stages in the scanner worker