# Image Security Release-Backed UI ## Module Web ## Status VERIFIED ## Description Mounted `/security/images` workspace that derives scope from live releases, release components, environments, findings, and SBOM explorer data. The page now renders truthful empty states when no release is selected and explicit unavailable-state messaging where the current backend contracts expose metadata only. ## Implementation Details - **Feature directory**: `src/Web/StellaOps.Web/src/app/features/image-security/` - **Canonical route**: `/security/images` - **Components**: - `image-security-shell` (`src/Web/StellaOps.Web/src/app/features/image-security/image-security-shell.component.ts`) - `image-summary-tab` (`src/Web/StellaOps.Web/src/app/features/image-security/tabs/image-summary-tab.component.ts`) - `image-findings-tab` (`src/Web/StellaOps.Web/src/app/features/image-security/tabs/image-findings-tab.component.ts`) - `image-sbom-tab` (`src/Web/StellaOps.Web/src/app/features/image-security/tabs/image-sbom-tab.component.ts`) - `image-vex-tab` (`src/Web/StellaOps.Web/src/app/features/image-security/tabs/image-vex-tab.component.ts`) - `image-evidence-tab` (`src/Web/StellaOps.Web/src/app/features/image-security/tabs/image-evidence-tab.component.ts`) - **Services**: - `image-security-data` (`src/Web/StellaOps.Web/src/app/features/image-security/image-security-data.service.ts`) - **Source**: `docs/implplan/SPRINT_20260415_008_FE_ui_truthful_state_cutover_and_todo_wiring.md` ## E2E Test Plan - **Setup**: - [ ] Log in with a user that has appropriate permissions - [ ] Navigate to `/security/images` - [ ] Ensure at least one release exists so the scope selector can populate - **Core verification**: - [ ] Verify the empty state teaches the operator to select a release instead of showing fake image data - [ ] Select a release and verify live release images populate - [ ] Verify VEX and Evidence tabs show truthful metadata-only copy when deeper contracts are unavailable ## Verification - Date (UTC): 2026-04-15T17:03:18Z - Tier 1 note: focused Angular suite `src/Web/StellaOps.Web/src/tests/image_security/image-security-truthful-state.spec.ts` passed 8/8 during the truthful-state cutover. - Tier 2 evidence: `docs/qa/feature-checks/runs/web/image-security-release-backed-ui/run-001/tier2-ui-check.json` - Replay scope: - Open `/security/images` and verify the mounted empty state renders `No image security scope selected`. - Select a live release and verify `Release images` renders from real release-scoped data. - Open `VEX` and `Evidence` tabs and verify the mounted page reports metadata-only or release-level limitations explicitly instead of showing fake tab content.