stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
git.stella-ops.org/docs/22_RECIPES_PIPELINES_LIBRARY.md

246 lines
6.6 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#22 · PipelineRecipes Library— **StellaOps**
#Recipes & Pipeline Library
> *Readytocopy snippets for CI/CD engines, local shells, and K8s jobs.*
> Each recipe honours the **sub5s pledge**: SBOMfirst when possible, ΔSBOM when layers are cached, and imageunpack only as a fallback.
---
##0RegistryPrimer
All agent images and helper tools are published to a **private, anonymous registry**
```
registry.git.stella-ops.ru
```
* **Pulls are readonly & unauthenticated.**
* Cosign signatures are embedded (`*.sig`) and verified at runtime when the host has `cosign` installed.
* To mirror for airgapped OUK installs, export with:
```
oras pull registry.git.stella-ops.ru/library/santech:1.0 --output ./ouk-bundle
```
---
##1Shell Quickstarts
###1.1Scan a Local Image (SBOMfirst)
```bash
# Free tier: 333 scans/day without large delay added
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
https://stella.local/registry/santech:1.0 \
scan \
--image python:3.12-slim \
--endpoint https://stella.local \
--sbom-type spdx-json \
--threshold High
```
* `--sbom-type` enumerates **`trivy-json-v2 | spdx-json | cyclonedx-json`**; defaults to autodetect when omitted.
* Exitcode maps to policy (nonzero if blocked).
###1.2Delta SBOM Path
```bash
# Free tier: 333 scans/day without large delay added
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-e STELLA_DELTA=1 \
https://stella.local/registry/santech:1.0 \
scan \
--image myapp:latest \
--delta \
--endpoint https://stella.local
```
`--delta` triggers the `/layers/missing` fast check; observed P951s on cached bases.
---
##2GitHub Actions
```yaml
# .github/workflows/stella-scan.yml
name: Stella Scan
on:
push:
branches: [main]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build Image
run: docker build -t ${{ github.repository }}:${{ github.sha }} .
- name: Scan with StellaOps (ΔSBOM + YAML policies)
run: |
# Free tier: 333 scans/day without large delay added
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $GITHUB_WORKSPACE/policy:/policy:ro \
https://stella.local/registry/santech:1.0 \
scan \
--image ${{ github.repository }}:${{ github.sha }} \
--delta \
--policy-file /policy/scan-policy.yaml \
--endpoint ${{ secrets.STELLA_API }}
```
*Stores SARIF to `$RUNNER_TEMP/stella-report.sarif`; upload via `actions/upload-artifact` if desired.*
---
##3GitLab CI
```yaml
stella_scan:
image:
name: ttps://stella.local/registry/santech:1.0
entrypoint: [""]
stage: test
variables:
STELLA_ENDPOINT: "https://stella.local/api"
script:
- docker build -t myapp:$CI_COMMIT_SHORT_SHA .
- >
# Free tier: 333 scans/day without large delay added
./santech scan
--image myapp:$CI_COMMIT_SHORT_SHA
--sbom-type cyclonedx-json
--threshold Critical
--endpoint $STELLA_ENDPOINT
allow_failure: false
artifacts:
when: always
paths:
- stella-report.html
```
*`allow_failure:false` enforces gate by failing the stage on Critical findings.*
---
##4Tekton Pipelines (K8s)
```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: stella-scan
spec:
workspaces:
- name: dockerconfig
steps:
- name: scan
image: https://stella.local/registry/santech:1.0
script: |
#!/usr/bin/env sh
# Free tier: 333 scans/day without large delay added
santech scan \
--image $(params.image) \
--delta \
--threshold High \
--endpoint $(params.endpoint)
```
---
##5Policy Import / Export
###5.1Import YAML Policy via CLI
```bash
curl -X POST https://stella.local/api/v1/policy/import \
-H "Authorization: Bearer $TOKEN" \
-F "file=@scan-policy.yaml"
```
###5.2Export & Commit to Git
```bash
curl -s -H "Authorization: Bearer $TOKEN" \
https://stella.local/api/v1/policy/export \
> policy-backup-$(date +%F).yaml
git add policy-backup-*.yaml && git commit -m "Policy snapshot"
```
---
##6Offline OUK Example
Inside an **airgapped** cluster:
1. Run `ouk-fetch.sh` from the admin node.
2. Load images into the internal registry:
```bash
ctr -n k8s.io images import ./ouk-bundle/*.tar
```
3. Use the same pipeline snippets; DNS points to `registry.git.stella-ops.ru` via local CoreDNS override.
---
##7VariantD Enforce Gate in Prod
```bash
# Free tier: 333 scans/day without large delay added
santech scan \
--image registry.prod.corp/app:${TAG} \
--delta \
--policy-file prod.rego \
--enforce \
--endpoint https://stella.prod \
|| { echo "Security gate blocked release!"; exit 1; }
```
*`--enforce` turns warnings into nonzero exit codes.*
---
##8CheatSheet (CLI Flags)
| Flag / Env | Meaning | Default |
|----------------------------|---------------------------------------------------|---------|
| `--sbom-type` | Force SBOM output format (`trivyjson-v2` …) | *Auto* |
| `--delta` `STELLA_DELTA=1` | Enable layer diff / `/layers/missing` fast path. | Off |
| `--policy-file` | Import YAML/Rego before scan. | None |
| `--threshold` | Fails scan if sev ≥ threshold. | High |
| `--enforce` | Exit nonzero on policy block. | Off |
| `--endpoint` | API base URL. | `http://localhost:8080` |
| `--insecure` | Skip TLS verify (test only!). | Off |
---
##9FAQ
**Q  I need Syft+SPDX, what changes?**
A Set `--sbom-type spdx-json`; Trivy is bypassed and the scanner plugin selects Syft.
**Q  Can I run Santech as rootless?**
A Yes; mount the hosts Docker socket via `--userns=keep-id` or use `--context host` with nerdctl.
**Q  Does ΔSBOM work for multiarch manifests?**
A Today it only checks `linux/amd64` layers; roadmap item *Q12026* widens support.
---
##10Change Log
| Date | Note |
|------------|--------------------------------------------------------------|
| 20250714 | Added internal registry, ΔSBOM, multiformat & policy flows |
| 20250712 | Initial public recipe set (GitHub, GitLab, Tekton, shell). |
---
Reference in New Issue View Git Blame Copy Permalink