git.stella-ops.org/tests/fixtures/offline-bundle/README.md

# Offline Bundle Test Fixtures

This directory contains test fixtures for offline/air-gap testing.

## Structure

```
offline-bundle/
├── manifest.json           # Bundle manifest
├── feeds/                  # Vulnerability feed snapshots
│   ├── nvd-snapshot.json
│   ├── ghsa-snapshot.json
│   └── distro/
│       ├── alpine.json
│       ├── debian.json
│       └── rhel.json
├── policies/               # OPA/Rego policies
│   ├── default.rego
│   └── strict.rego
├── keys/                   # Test signing keys
│   ├── signing-key.pem
│   └── signing-key.pub
├── certs/                  # Test certificates
│   ├── trust-root.pem
│   └── intermediate.pem
├── vex/                    # Sample VEX documents
│   └── vendor-vex.json
└── images/                 # Test container image tarballs
    ├── test-image.tar
    ├── vuln-image.tar
    └── vuln-with-vex.tar
```

## Usage

Set the `STELLAOPS_OFFLINE_BUNDLE` environment variable to point to this directory:

```bash
export STELLAOPS_OFFLINE_BUNDLE=/path/to/tests/fixtures/offline-bundle
```

Tests that extend `NetworkIsolatedTestBase` will automatically use this bundle.

## Generating Test Images

To create test image tarballs:

```bash
# Pull and save test images
docker pull alpine:3.18
docker save alpine:3.18 -o images/test-image.tar

# For vulnerable images
docker pull vulnerables/web-dvwa:latest
docker save vulnerables/web-dvwa:latest -o images/vuln-image.tar
```

## Feed Snapshots

Feed snapshots should be representative samples from real feeds, sufficient for testing but small enough to commit to the repo.

## Test Keys

⚠️ **WARNING:** Keys in this directory are for **testing only**. Never use these in production.

To generate test keys:

```bash
# Generate test signing key
openssl genrsa -out keys/signing-key.pem 2048
openssl rsa -in keys/signing-key.pem -pubout -out keys/signing-key.pub

# Generate test CA
openssl req -new -x509 -key keys/signing-key.pem -out certs/trust-root.pem -days 3650
```