# Console Forensics and Evidence Review

This document describes how the Console supports forensic review of decisions: timelines, evidence viewing, attestation verification, and audit exports.

## Timeline Explorer

The timeline view should enable:

- Filtering by tenant, artifact, finding, and time window
- Drill-down from a verdict to its evidence objects (SBOM slice, VEX observation/linkset, reachability proof, policy explain trace)
- Visibility into operator actions (triage actions, exceptions, approvals) as append-only events

## Evidence Viewer

Evidence viewing should prioritize:

- Clear provenance (issuer identity, timestamps, digests)
- Verification state (signature verified/failed/unknown)
- Deterministic identifiers so auditors can replay and compare

## Attestation Verification

When presenting attestations (DSSE/in-toto):

- Display verification status and key identity
- Link to transparency log proof when configured
- Allow exporting the DSSE envelope and the referenced artifacts

## Export / Verify Workflows

Exports are the bridge between online and offline review:

- Exports should be deterministic (stable ordering, UTC timestamps).
- Export bundles should include integrity metadata (digests) so offline reviewers can verify without trusting a live service.

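
One way to meet the two export requirements above, as an added example rather than the Console's own code: a manifest built with sorted paths, a UTC timestamp and SHA-256 digests, plus an offline check against it. The manifest layout, function names and sample files are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def build_manifest(files: dict[str, bytes], created: datetime) -> bytes:
    """Return canonical manifest bytes: sorted paths, UTC time, fixed JSON form."""
    if created.tzinfo is None:
        raise ValueError("naive timestamp: the export time must carry a zone")
    entries = [
        {"path": p, "sha256": hashlib.sha256(files[p]).hexdigest(), "size": len(files[p])}
        for p in sorted(files)  # stable ordering, independent of insertion order
    ]
    stamp = created.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    doc = {"created": stamp, "entries": entries}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def verify_bundle(manifest: bytes, files: dict[str, bytes]) -> dict[str, str]:
    """Offline check. Maps each path to ok, mismatch, missing or unlisted."""
    status = {}
    for entry in json.loads(manifest)["entries"]:
        data = files.get(entry["path"])
        if data is None:
            status[entry["path"]] = "missing"
        elif (len(data) == entry["size"]
              and hashlib.sha256(data).hexdigest() == entry["sha256"]):
            status[entry["path"]] = "ok"
        else:
            status[entry["path"]] = "mismatch"
    for path in files.keys() - status.keys():
        status[path] = "unlisted"  # present in the bundle but covered by no digest
    return status


# Constructed sample bundle; file names and contents are hypothetical.
SAMPLE = {
    "verdict.dsse.json": b'{"payloadType":"application/vnd.in-toto+json"}',
    "sbom/slice.json": b'{"components":[]}',
    "vex/linkset.json": b'{"observations":[]}',
}
T_UTC = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
T_PLUS2 = datetime(2024, 1, 2, 5, 4, 5, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE, T_UTC)
    print(hashlib.sha256(manifest).hexdigest())  # digest to pin or sign out of band
    print(verify_bundle(manifest, SAMPLE))
```

The manifest is only as trustworthy as its own digest, so an offline reviewer needs that value from a source outside the bundle, for example as the subject of the exported attestation.
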
## References

- Console operator guide: `docs/UI_GUIDE.md`
- Offline Kit: `docs/OFFLINE_KIT.md`
- Vulnerability Explorer guide (triage model): `docs/VULNERABILITY_EXPLORER_GUIDE.md`