git.stella-ops.org/devops/vuln/vuln-explorer-ci-plan.md
2025-12-26 18:11:06 +02:00

Vuln Explorer CI + Ops Plan (DEVOPS-VULN-29-001)

Scope: CI jobs, backup/DR, Merkle anchoring monitoring, and verification automation for the Vuln Explorer ledger projector and API. Assumptions: the Vuln Explorer API uses MongoDB + Redis; the ledger projector replays the event log into materialized views; Merkle tree roots are anchored to a transparency log.

CI Jobs

  • build-vuln: dotnet restore/build for src/VulnExplorer/StellaOps.VulnExplorer.Api and projector; use DOTNET_DISABLE_BUILTIN_GRAPH=1 and local-nugets/.
  • test-vuln: focused tests with dotnet test src/VulnExplorer/__Tests/... and --filter Category!=GraphHeavy; publish TRX + coverage.
  • replay-smoke: run projector against fixture event log (samples/vuln/events/replay.ndjson) and assert deterministic materialized view hash; fail on divergence.
  • sbom+attest: reuse ops/devops/docker/sbom_attest.sh post-build.

Backup & DR

  • Mongo: enable point-in-time snapshots (if available) or nightly mongodump of vuln_explorer db; store in object storage with retention 30d.
  • Redis (if used for cache): not authoritative; no backup required.
  • Replay-first recovery: keep latest event log snapshot in release artifacts; replay task rehydrates materialized views.

Merkle Anchoring Verification

  • Monitor projector metrics: ledger_projection_lag_seconds, ledger_projection_errors_total.
  • Add periodic job verify-merkle: fetch latest Merkle root from projector state, cross-check against transparency log (rekor or configured log) using cosign verify-tree or custom verifier.
  • Alert when last anchored root age > 15m or mismatch detected.

Verification Automation

  • Script ops/devops/vuln/verify_projection.sh runs the hash check:
    • Input: a projection export (samples/vuln/events/projection.json by default), compared against ops/devops/vuln/expected_projection.sha256.
    • Exits non-zero on mismatch; run it in CI immediately after the projector replay.

Fixtures

  • Store deterministic replay fixture under samples/vuln/events/replay.ndjson (generated offline, includes mixed tenants, disputed findings, remediation states).
  • Export canonical projection snapshot to samples/vuln/events/projection.json and hash to ops/devops/vuln/expected_projection.sha256.
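The two steps above (recording the canonical hash of the fixture export, then checking later exports against it) can be implemented as a small POSIX shell script. The following is an added example written for this plan, not the project's own verify_projection.sh; it assumes the expected-hash file uses the two-column sha256sum format and embeds a constructed stand-in for projection.json in its demo function rather than reading the real fixture.

```shell
#!/usr/bin/env sh
# Added example: record/verify a deterministic projection hash (not the project's script).
set -eu

# sha256_of <file>: print the hex digest, using sha256sum where present and
# falling back to shasum so the check also runs on macOS build agents.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{print $1}'
  else
    shasum -a 256 -- "$1" | awk '{print $1}'
  fi
}

# record_projection_hash <projection.json> <expected.sha256>
# Writes "<hash>  <basename>" in sha256sum -c format so the same file can be
# checked by hand with `sha256sum -c` when debugging a replay-smoke failure.
record_projection_hash() {
  _projection="$1"; _expected="$2"
  printf '%s  %s\n' "$(sha256_of "$_projection")" "$(basename -- "$_projection")" > "$_expected"
}

# verify_projection <projection.json> <expected.sha256>
# Returns 0 on match, 1 on hash mismatch, 2 when an input file is missing,
# so CI can distinguish a non-deterministic projector from a broken fixture path.
verify_projection() {
  _projection="$1"; _expected="$2"
  [ -f "$_projection" ] || { echo "missing projection export: $_projection" >&2; return 2; }
  [ -f "$_expected" ]   || { echo "missing expected hash file: $_expected" >&2; return 2; }
  _want=$(awk 'NR==1{print tolower($1)}' "$_expected")
  _have=$(sha256_of "$_projection")
  if [ "$_want" != "$_have" ]; then
    echo "projection hash mismatch" >&2
    echo "  expected: $_want" >&2
    echo "  actual:   $_have" >&2
    return 1
  fi
  echo "projection hash OK ($_have)"
}

# demo: exercise both paths on a constructed fixture (stand-in for the real
# samples/vuln/events/projection.json). Returns 0 when behaviour is as expected.
demo() {
  _dir=$(mktemp -d)
  printf '{"tenant":"t1","findings":[{"id":"F-1","state":"open"}]}\n' > "$_dir/projection.json"
  record_projection_hash "$_dir/projection.json" "$_dir/expected.sha256"
  verify_projection "$_dir/projection.json" "$_dir/expected.sha256"
  # A changed materialized view (here: a remediation state flip) must fail the check.
  printf '{"tenant":"t1","findings":[{"id":"F-1","state":"remediated"}]}\n' > "$_dir/projection.json"
  if verify_projection "$_dir/projection.json" "$_dir/expected.sha256" 2>/dev/null; then
    echo "expected a mismatch after the fixture changed" >&2
    rm -rf "$_dir"; return 1
  fi
  rm -rf "$_dir"
}

# CLI: --record <projection> <expected> | --verify <projection> <expected> | --demo
case "${1:-}" in
  --record) record_projection_hash "$2" "$3" ;;
  --verify) verify_projection "${2:-samples/vuln/events/projection.json}" \
                              "${3:-ops/devops/vuln/expected_projection.sha256}" ;;
  --demo)   demo ;;
esac
```

In CI the replay-smoke job would run the projector, then call the verify mode; a non-zero exit fails the job, and the distinct exit codes make "fixture missing" visible separately from "projector output diverged". Because the expected-hash file is in sha256sum format, a failing agent can be inspected with the stock coreutils tooling without the script.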

Dashboards / Alerts (DEVOPS-VULN-29-002/003)

  • Dashboard JSON: ops/devops/vuln/dashboards/vuln-explorer.json (latency, projection lag, error rate, budget enforcement).
  • Alerts: ops/devops/vuln/alerts.yaml defining vuln_api_latency_p95_gt_300ms, vuln_projection_lag_gt_60s, vuln_projection_error_rate_gt_1pct, vuln_query_budget_enforced_gt_50_per_min.

Offline posture

  • CI and verification use in-repo fixtures; no external downloads.
  • Use mirrored images and local-nugets/ for all builds/tests.

Local run

DOTNET_DISABLE_BUILTIN_GRAPH=1 dotnet test src/VulnExplorer/__Tests/StellaOps.VulnExplorer.Api.Tests/StellaOps.VulnExplorer.Api.Tests.csproj --filter Category!=GraphHeavy