git.stella-ops.org/docs/forensics/provenance-attestation.md
master 66cb6c4b8a
feat: Add guild charters and task boards for various components
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00

Provenance & Attestation Reference

This guide explains how StellaOps generates, signs, verifies, and distributes DSSE attestations for SBOMs, policy evaluations, and runtime evidence.

1. Attestation Workflow

  1. Scanner produces signed payload requests (SBOM, report metadata).
  2. Signer authenticates the caller, verifies release integrity, and issues DSSE bundles (keyless or KMS-backed).
  3. Attestor submits bundles to Rekor v2, caches inclusion proofs, and serves verification packages.
  4. Consumers (Export Center, Evidence Locker, CLI, Policy Engine) fetch bundles for verification.

2. DSSE Payload Types

  • StellaOps.BuildProvenance@1
  • StellaOps.SBOMAttestation@1
  • StellaOps.ScanResults@1
  • StellaOps.PolicyEvaluation@1
  • StellaOps.VEXAttestation@1
  • StellaOps.RiskProfileEvidence@1

Schemas live under src/Attestor/StellaOps.Attestor.Types and are documented in module architecture guides.
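The following is an added illustration of steps 1 and 2 of the workflow above, not code from the StellaOps Signer or Attestor. It builds a DSSE envelope whose signature covers the Pre-Authentication Encoding of the payload type and payload, then verifies it the way a consumer should: reject unexpected payload types first, accept only signatures from configured trust roots, and never parse the payload before a signature checks out. A locally generated Ed25519 key stands in for the keyless or KMS-backed key the Signer would use; the key ID, the allowed-type set (taken from section 2), and the sample SBOM payload are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE wire format: payload is base64, signatures cover PAE(type, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature binds a base64 signature to the key ID that produced it.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// TrustRoots maps key IDs the verifier accepts to their public keys.
type TrustRoots map[string]ed25519.PublicKey

// AllowedPayloadTypes lists the DSSE payload types from section 2 of this guide.
var AllowedPayloadTypes = map[string]bool{
	"StellaOps.BuildProvenance@1":     true,
	"StellaOps.SBOMAttestation@1":     true,
	"StellaOps.ScanResults@1":         true,
	"StellaOps.PolicyEvaluation@1":    true,
	"StellaOps.VEXAttestation@1":      true,
	"StellaOps.RiskProfileEvidence@1": true,
}

// pae is DSSE Pre-Authentication Encoding: the signed message is
// "DSSEv1 <len(type)> <type> <len(payload)> <payload>", so the type is bound to the signature.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// GenerateSigner creates a fresh Ed25519 key pair (stand-in for the Signer's keyless/KMS key).
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign wraps payload in a DSSE envelope with one Ed25519 signature over PAE(type, payload).
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify returns the payload only if its type is expected and at least one signature
// verifies under a trusted key. Signatures from unknown key IDs carry no weight.
func Verify(env Envelope, roots TrustRoots, allowed map[string]bool) ([]byte, error) {
	if !allowed[env.PayloadType] {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not valid base64: %w", err)
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		pub, ok := roots[s.KeyID]
		if !ok {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("no valid signature from a trusted key")
}

func main() {
	pub, priv := GenerateSigner()
	// Constructed sample payload; the real schema lives under StellaOps.Attestor.Types.
	payload := []byte(`{"subject":"sha256:placeholder","format":"cyclonedx"}`)
	env := Sign(priv, "signer-demo-key", "StellaOps.SBOMAttestation@1", payload)
	raw, _ := json.Marshal(env)
	fmt.Println(string(raw))
	got, err := Verify(env, TrustRoots{"signer-demo-key": pub}, AllowedPayloadTypes)
	fmt.Println(bytes.Equal(got, payload), err)
}
```

Because the payload type is inside the PAE string, re-labelling a signed SBOM attestation as a policy evaluation invalidates the signature even though both types are on the allow-list; that is the property the allow-list check alone would not give you.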

3. Verification

  • CLI command stella attest verify requests proofs from Attestor.
  • Services embed Rekor UUID/index and DSSE digests in their APIs for downstream verification.
  • Verification pipeline checks signature trust roots, Rekor inclusion proofs, and transparency witness endorsements when enabled.
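The Rekor inclusion-proof check in the last bullet is the part of the pipeline most often skipped, so here is an added, self-contained example of it; it is not StellaOps code. It builds a small RFC 6962 Merkle tree from constructed entries, produces an inclusion proof for one leaf, and then verifies that proof against the tree root using the RFC 9162 algorithm, which is what Rekor's proofs are checked with. A real Rekor response wraps the hashes in its own JSON shape, which this example does not parse; here the proof is passed as raw byte slices.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 domain separation: leaves and interior nodes hash with different prefixes,
// so a leaf can never be presented as an interior node.
func leafHash(entry []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(entry)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPowerOfTwoBelow returns the split point k with k < n <= 2k.
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// MerkleRoot computes MTH(D[n]) over raw log entries, as the log itself would.
func MerkleRoot(entries [][]byte) []byte {
	if len(entries) == 1 {
		return leafHash(entries[0])
	}
	k := largestPowerOfTwoBelow(len(entries))
	return nodeHash(MerkleRoot(entries[:k]), MerkleRoot(entries[k:]))
}

// InclusionProof returns the sibling hashes for entries[index], leaf side first.
func InclusionProof(index int, entries [][]byte) [][]byte {
	if len(entries) == 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(len(entries))
	if index < k {
		return append(InclusionProof(index, entries[:k]), MerkleRoot(entries[k:]))
	}
	return append(InclusionProof(index-k, entries[k:]), MerkleRoot(entries[:k]))
}

// VerifyInclusion recomputes the root from an entry and its proof (RFC 9162 section 2.1.3.2).
// leafIndex and treeSize must come from the log's signed checkpoint / inclusion proof,
// never be inferred from the proof length.
func VerifyInclusion(leafIndex, treeSize int64, entry []byte, proof [][]byte, root []byte) bool {
	if leafIndex < 0 || leafIndex >= treeSize {
		return false
	}
	fn, sn := leafIndex, treeSize-1
	r := leafHash(entry)
	for _, p := range proof {
		if sn == 0 {
			return false // proof is longer than the tree height allows
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			if fn&1 == 0 {
				for fn != 0 && fn&1 == 0 {
					fn >>= 1
					sn >>= 1
				}
			}
		} else {
			r = nodeHash(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	// Constructed log entries; in practice each would be a DSSE envelope digest record.
	entries := [][]byte{[]byte("entry-0"), []byte("entry-1"), []byte("entry-2"), []byte("entry-3"), []byte("entry-4")}
	root := MerkleRoot(entries)
	proof := InclusionProof(2, entries)
	fmt.Printf("root=%x proofLen=%d ok=%v\n", root, len(proof),
		VerifyInclusion(2, int64(len(entries)), entries[2], proof, root))
}
```

The tree size and leaf index are inputs to the check, not derived from the proof; a verifier that trusts whatever size the proof implies can be satisfied with a proof against a different, smaller tree, which is why the example fails when the size is wrong.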

4. Offline/air-gap considerations

  • Export Center bundles incorporate attestations and proofs for offline verification.
  • Evidence Locker stores immutable attestation bundles with retention policies.

5. References

  • docs/modules/signer/architecture.md
  • docs/modules/attestor/architecture.md
  • docs/modules/export-center/architecture.md
  • docs/modules/policy/architecture.md
  • docs/modules/telemetry/architecture.md
  • src/Provenance/StellaOps.Provenance.Attestation