- Added ScannerSurfaceSecretConfigurator to configure ScannerWebServiceOptions using surface secrets.
- Integrated ISurfaceSecretProvider to fetch and apply secrets for artifact store configuration.
- Enhanced logging for secret retrieval and application processes.

feat: Implement ScannerStorageSurfaceSecretConfigurator for worker options
- Introduced ScannerStorageSurfaceSecretConfigurator to configure ScannerStorageOptions with surface secrets.
- Utilized ISurfaceSecretProvider to retrieve and apply secrets for object store settings.
- Improved logging for secret handling and configuration.

feat: Create SurfaceManifestPublisher for publishing surface manifests
- Developed SurfaceManifestPublisher to handle the creation and storage of surface manifests.
- Implemented methods for serializing manifest documents and storing payloads in the object store.
- Added dual write functionality for mirror storage of manifests.

feat: Add SurfaceManifestStageExecutor for processing scan stages
- Created SurfaceManifestStageExecutor to execute the manifest publishing stage in scan jobs.
- Integrated with SurfaceManifestPublisher to publish manifests based on collected payloads.
- Enhanced logging for job processing and manifest storage.

feat: Define SurfaceManifest models for manifest structure
- Established SurfaceManifestDocument, SurfaceManifestSource, SurfaceManifestArtifact, and SurfaceManifestStorage records.
- Implemented serialization attributes for JSON handling of manifest models.

feat: Implement CasAccessSecret and SurfaceSecretParser for secret handling
- Created CasAccessSecret record to represent surface access secrets.
- Developed SurfaceSecretParser to parse and validate surface secrets from JSON payloads.

test: Add unit tests for CasAccessSecretParser
- Implemented tests for parsing CasAccessSecret from JSON payloads and metadata fallbacks.
- Verified expected values and behavior for secret parsing logic.

test: Add unit tests for ScannerSurfaceSecretConfigurator
- Created tests for ScannerSurfaceSecretConfigurator to ensure correct application of surface secrets to web service options.
- Validated artifact store settings after configuration.

test: Add unit tests for ScannerStorageSurfaceSecretConfigurator
- Implemented tests for ScannerStorageSurfaceSecretConfigurator to verify correct application of surface secrets to storage options.
- Ensured accurate configuration of object store settings.

StellaOps Concelier & CLI
This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
first-party CLI (stellaops-cli). Concelier ingests vulnerability advisories from
authoritative sources, stores them in MongoDB, and exports deterministic JSON and
Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
control against the Concelier API.
Quickstart
- Prepare a MongoDB instance and (optionally) install trivy-db/oras.
- Copy etc/concelier.yaml.sample to etc/concelier.yaml and update the storage + telemetry settings.
- Copy etc/authority.yaml.sample to etc/authority.yaml, review the issuer, token lifetimes, and plug-in descriptors, then edit the companion manifests under etc/authority.plugins/*.yaml to match your deployment.
- Start the web service with dotnet run --project src/Concelier/StellaOps.Concelier.WebService.
- Configure the CLI via environment variables (e.g. STELLAOPS_BACKEND_URL) and trigger jobs with dotnet run --project src/Cli/StellaOps.Cli -- db merge.
Detailed operator guidance is available in docs/10_CONCELIER_CLI_QUICKSTART.md. API and
command reference material lives in docs/09_API_CLI_REFERENCE.md.
Pipeline note: deployment workflows should template etc/concelier.yaml during CI/CD,
injecting environment-specific Mongo credentials and telemetry endpoints. Upcoming
releases will add Microsoft OAuth (Entra ID) authentication support—track the quickstart
for integration steps once available.
Documentation
- docs/README.md now consolidates the platform index and points to the updated high-level architecture.
- Module architecture dossiers now live under docs/modules/<module>/. The most relevant here are docs/modules/concelier/ARCHITECTURE.md (service layout, merge engine, exports) and docs/modules/cli/ARCHITECTURE.md (command surface, AOT packaging, auth flows). Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier in the same hierarchy.
- Offline operation guidance moved to docs/24_OFFLINE_KIT.md, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay in docs/modules/concelier/operations/connectors/*.md with companion runbooks in docs/modules/concelier/operations/.