Offline Bundle Test Fixtures
This directory contains test fixtures for offline/air-gap testing.
Structure
offline-bundle/
├── manifest.json           # Bundle manifest
├── feeds/                  # Vulnerability feed snapshots
│   ├── nvd-snapshot.json
│   ├── ghsa-snapshot.json
│   └── distro/
│       ├── alpine.json
│       ├── debian.json
│       └── rhel.json
├── policies/               # OPA/Rego policies
│   ├── default.rego
│   └── strict.rego
├── keys/                   # Test signing keys
│   ├── signing-key.pem
│   └── signing-key.pub
├── certs/                  # Test certificates
│   ├── trust-root.pem
│   └── intermediate.pem
├── vex/                    # Sample VEX documents
│   └── vendor-vex.json
└── images/                 # Test container image tarballs
    ├── test-image.tar
    ├── vuln-image.tar
    └── vuln-with-vex.tar
Usage
Set the STELLAOPS_OFFLINE_BUNDLE environment variable to point to this directory:
export STELLAOPS_OFFLINE_BUNDLE=/path/to/tests/fixtures/offline-bundle
Tests that extend NetworkIsolatedTestBase will automatically use this bundle.
Generating Test Images
To create test image tarballs:
# Pull and save test images
docker pull alpine:3.18
docker save alpine:3.18 -o images/test-image.tar
# For vulnerable images
docker pull vulnerables/web-dvwa:latest
docker save vulnerables/web-dvwa:latest -o images/vuln-image.tar
Feed Snapshots
Feed snapshots should be representative samples from real feeds, sufficient for testing but small enough to commit to the repo.
Test Keys
⚠️ WARNING: Keys in this directory are for testing only. Never use these in production.
To generate test keys:
# Generate test signing key
openssl genrsa -out keys/signing-key.pem 2048
openssl rsa -in keys/signing-key.pem -pubout -out keys/signing-key.pub
# Generate test CA
openssl req -new -x509 -key keys/signing-key.pem -out certs/trust-root.pem -days 3650
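The structure above lists certs/intermediate.pem, but the commands only produce the root. The script below is an added example, not the project's own tooling: it runs the same key and root steps non-interactively, issues an intermediate under that root, and checks that the chain verifies. The file keys/intermediate-key.pem, the subject names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the fixture repo's own scripts.
# Assumed names: keys/intermediate-key.pem and both subject CNs are constructed.

make_test_chain() {
    bundle="$1"
    mkdir -p "$bundle/keys" "$bundle/certs" || return 1

    # Root key, public key and self-signed root: the README's commands,
    # with -subj added so openssl never prompts for a DN.
    openssl genrsa -out "$bundle/keys/signing-key.pem" 2048 || return 1
    openssl rsa -in "$bundle/keys/signing-key.pem" -pubout \
        -out "$bundle/keys/signing-key.pub" || return 1
    openssl req -new -x509 -key "$bundle/keys/signing-key.pem" \
        -subj "/CN=TEST ONLY offline-bundle root" \
        -out "$bundle/certs/trust-root.pem" -days 3650 || return 1

    # Intermediate: its own key and CSR, signed by the root and marked as a
    # CA that may not issue further CAs (pathlen:0).
    openssl genrsa -out "$bundle/keys/intermediate-key.pem" 2048 || return 1
    openssl req -new -key "$bundle/keys/intermediate-key.pem" \
        -subj "/CN=TEST ONLY offline-bundle intermediate" \
        -out "$bundle/certs/intermediate.csr" || return 1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        > "$bundle/certs/intermediate.ext" || return 1
    openssl x509 -req -in "$bundle/certs/intermediate.csr" \
        -CA "$bundle/certs/trust-root.pem" \
        -CAkey "$bundle/keys/signing-key.pem" -set_serial 2 \
        -extfile "$bundle/certs/intermediate.ext" \
        -out "$bundle/certs/intermediate.pem" -days 3650 || return 1

    # The CSR and extension file are scratch files, not fixtures.
    rm -f "$bundle/certs/intermediate.csr" "$bundle/certs/intermediate.ext"
}

# Succeeds only if intermediate.pem chains to trust-root.pem.
verify_test_chain() {
    openssl verify -CAfile "$1/certs/trust-root.pem" \
        "$1/certs/intermediate.pem" >/dev/null 2>&1
}

# Usage (run from the fixtures directory):
#   make_test_chain offline-bundle && verify_test_chain offline-bundle
```

Putting "TEST ONLY" in the subject makes a leaked fixture certificate easy to spot in a production trust store.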