# Runbook Coverage Tracking

This document tracks operational runbook coverage across Stella Ops modules.

**Target:** 80% coverage of critical failure modes before declaring the operability moat achieved.

---

## Coverage Summary

| Module | Critical Failures | Runbooks | Coverage | Status |
|--------|-------------------|----------|----------|--------|
| Scanner | 5 | 0 | 0% | 🔴 Gap |
| Policy Engine | 5 | 0 | 0% | 🔴 Gap |
| Release Orchestrator | 5 | 0 | 0% | 🔴 Gap |
| Attestor | 5 | 0 | 0% | 🔴 Gap |
| Feed Connectors | 4 | 0 | 0% | 🔴 Gap |
| **Database (Postgres)** | 4 | 4 | 100% | ✅ Complete |
| **Crypto Subsystem** | 4 | 4 | 100% | ✅ Complete |
| **Evidence Locker** | 4 | 4 | 100% | ✅ Complete |
| **Backup/Restore** | 4 | 4 | 100% | ✅ Complete |
| Authority (OAuth/OIDC) | 3 | 0 | 0% | 🔴 Gap |
| **Overall** | **43** | **16** | **37%** | 🟡 In Progress |

Coverage is the share of a module's listed critical failure modes that has a runbook procedure (Runbooks / Critical Failures). The 80% target applies to the Overall row, which sums the module rows.
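The following script is an added example, not part of the Stella Ops repository or of this document's tooling. It parses the Coverage Summary table above (embedded as constructed input so it runs offline), recomputes each module's coverage from its own counts, checks that the Overall row matches the column sums, and reports whether the 80% target is met. The status rule it enforces (0% is a gap, 100% is complete, anything in between is in progress) is inferred from the table rather than stated by the project. Run it from CI against this file to catch a tracker whose numbers have drifted from their own arithmetic; it exits non-zero when any row is inconsistent.

```python
"""Consistency check for a runbook-coverage tracker table (added example).

Parses the Markdown "Coverage Summary" table, recomputes each module's
coverage from its own counts, checks the Overall row against the column
sums, and reports whether the coverage target has been reached.
"""
import re

# Constructed input: the Coverage Summary table copied from this document,
# so the script runs offline without reading the file.
COVERAGE_TABLE = """\
| Module | Critical Failures | Runbooks | Coverage | Status |
|--------|-------------------|----------|----------|--------|
| Scanner | 5 | 0 | 0% | 🔴 Gap |
| Policy Engine | 5 | 0 | 0% | 🔴 Gap |
| Release Orchestrator | 5 | 0 | 0% | 🔴 Gap |
| Attestor | 5 | 0 | 0% | 🔴 Gap |
| Feed Connectors | 4 | 0 | 0% | 🔴 Gap |
| **Database (Postgres)** | 4 | 4 | 100% | ✅ Complete |
| **Crypto Subsystem** | 4 | 4 | 100% | ✅ Complete |
| **Evidence Locker** | 4 | 4 | 100% | ✅ Complete |
| **Backup/Restore** | 4 | 4 | 100% | ✅ Complete |
| Authority (OAuth/OIDC) | 3 | 0 | 0% | 🔴 Gap |
| **Overall** | **43** | **16** | **37%** | 🟡 In Progress |
"""

TARGET_PERCENT = 80  # the target stated at the top of this document


def parse_rows(table):
    """Return (module, failures, covered, stated_pct, status) tuples.

    Skips the header and separator rows and strips the bold markers that
    the document uses to highlight completed modules and the Overall row.
    """
    rows = []
    for line in table.strip().splitlines()[2:]:
        cells = [c.strip().strip("*") for c in line.strip().strip("|").split("|")]
        module, failures, covered, pct, status = cells
        rows.append((module, int(failures), int(covered), int(pct.rstrip("%")), status))
    return rows


def expected_status(pct):
    """Status rule assumed from the table (not stated by the project):
    0% is a gap, 100% is complete, anything in between is in progress."""
    if pct == 0:
        return "🔴 Gap"
    if pct == 100:
        return "✅ Complete"
    return "🟡 In Progress"


def percent(covered, failures):
    """Integer coverage percentage; a module with no listed failures is 0%."""
    return round(100 * covered / failures) if failures else 0


def check_table(table, target=TARGET_PERCENT):
    """Validate the tracker; return (overall_pct, target_met, problems)."""
    rows = parse_rows(table)
    modules = [r for r in rows if r[0] != "Overall"]
    overall = next(r for r in rows if r[0] == "Overall")
    problems = []

    for module, failures, covered, stated, status in modules:
        if covered > failures:
            problems.append(f"{module}: {covered} covered exceeds {failures} failures")
        computed = percent(covered, failures)
        if computed != stated:
            problems.append(f"{module}: stated {stated}%, computed {computed}%")
        if status != expected_status(computed):
            problems.append(f"{module}: status {status!r} does not match {computed}%")

    # The Overall row must be the column sums, not independently typed numbers.
    total_failures = sum(r[1] for r in modules)
    total_covered = sum(r[2] for r in modules)
    overall_pct = percent(total_covered, total_failures)
    if (total_failures, total_covered) != (overall[1], overall[2]):
        problems.append(
            f"Overall: row says {overall[1]}/{overall[2]}, "
            f"columns sum to {total_failures}/{total_covered}"
        )
    if overall_pct != overall[3]:
        problems.append(f"Overall: stated {overall[3]}%, computed {overall_pct}%")
    if overall[4] != expected_status(overall_pct):
        problems.append(f"Overall: status {overall[4]!r} does not match {overall_pct}%")

    return overall_pct, overall_pct >= target, problems


if __name__ == "__main__":
    pct, met, problems = check_table(COVERAGE_TABLE)
    print(f"overall coverage {pct}% (target {TARGET_PERCENT}%): {'met' if met else 'not met'}")
    for p in problems:
        print("PROBLEM:", p)
    raise SystemExit(1 if problems else 0)
```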
---

## Available Runbooks

### Database Operations

- [postgres-ops.md](postgres-ops.md) - PostgreSQL database operations

### Crypto Subsystem

- [crypto-ops.md](crypto-ops.md) - Regional crypto operations (FIPS, eIDAS, GOST, SM)

### Evidence Locker

- [evidence-locker-ops.md](evidence-locker-ops.md) - Evidence locker operations

### Backup/Restore

- [backup-restore-ops.md](backup-restore-ops.md) - Backup and restore procedures

### Vulnerability Operations

- [vuln-ops.md](vuln-ops.md) - Vulnerability management operations

### VEX Operations

- [vex-ops.md](vex-ops.md) - VEX statement operations

### Policy Incidents

- [policy-incident.md](policy-incident.md) - Policy-related incident response

---
## Gap Analysis

### High Priority Gaps (Critical modules without runbooks)

1. **Scanner** - Core scanning functionality
   - Worker stuck
   - OOM on large images
   - Registry auth failures

2. **Policy Engine** - Policy evaluation
   - Slow evaluation
   - OPA crashes
   - Compilation failures

3. **Release Orchestrator** - Promotion workflow
   - Stuck promotions
   - Gate timeouts
   - Missing evidence

### Medium Priority Gaps

4. **Attestor** - Signing and verification
   - Signing failures
   - Key expiration
   - Rekor unavailability

5. **Feed Connectors** - Advisory feeds
   - NVD failures
   - Rate limiting
   - Offline bundle issues

### Lower Priority Gaps

6. **Authority** - Authentication
   - Token validation failures
   - OIDC provider issues

---
## Template

New runbooks should use the template: [_template.md](_template.md)

---

## Doctor Check Integration

Runbooks should be linked from Doctor check output, so that a failing check points the operator at the procedure for that failure. Current integration status:

| Module | Doctor Checks | Linked to Runbook |
|--------|---------------|-------------------|
| Postgres | 4 | 0 |
| Crypto | 8 | 0 |
| Storage | 3 | 0 |
| Evidence | 4 | 0 |

**Next step:** Update Doctor check implementations to include runbook links in remediation output.

---

_Last updated: 2026-01-17 (UTC)_