git.stella-ops.org/src/Scanner
master e60d5e0fce feat(findings,sbomservice,scanner): runtime data plane cutover
Sprint SPRINT_20260415_004_DOCS_runtime_data_plane_real_backend_cutover.

- Findings.Ledger: Postgres-backed endpoints (runtime timeline/traces,
  scoring, vuln-explorer, webhook), unsupported-compat shim, ledger data
  source, vulnerability detail service.
- RiskEngine.WebService: web application factory + runtime wiring tests.
- SbomService: rename InMemory -> ManifestBacked metadata repo, add
  Postgres registry source/ledger/lineage/event/watermark repos +
  migrations 001 initial schema and 002 runtime durable state.
- Scanner: SBOM uploads store + migration 026, scan runtime state +
  migration 027, persisted scan coordinator, Postgres policy repos,
  VEX gate query service + controller, reachability evidence migration 022.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:36:40 +03:00

Scanner

  • Container(s): stellaops-scanner-web, stellaops-scanner-worker
  • Slot: 8 (web + worker)
  • Port: 8444 (web)
  • Consumer Group: scanner (web)
  • Resource Tier: heavy (web + worker)

Note: Cartographer (Slot 21) has been retired and merged into graph-api (Slot 20). See src/Graph/README.md for the merged service.

Purpose

The Scanner module performs SBOM generation, vulnerability analysis, reachability mapping, and supply-chain security scanning of container images. The web service exposes scan APIs (triage, SBOM queries, offline-kit management, replay commands), while the worker processes scan jobs from Valkey queues through a multi-stage pipeline (analyzers, EPSS enrichment, secrets detection, crypto analysis, build provenance, PoE generation, verdict push).

API Surface

  • scanner (via Router) — SBOM queries, scan submissions, triage, reachability slices, offline-kit import/export, smart-diff, policy gate evaluation
  • cartographer — RETIRED; merged into graph-api (Slot 20)

Storage

PostgreSQL schema scanner (via ScannerStorage:Postgres); RustFS object store for artifacts (scanner-artifacts bucket)

Background Workers

  • ScannerWorkerHostedService — processes scan jobs from Valkey queue
  • EpssIngestJob — EPSS score ingestion
  • EpssEnrichmentJob — live EPSS enrichment of scan results
  • EpssSignalJob — EPSS signal emission
  • FnDriftMetricsExporter — function drift metrics