- Implement comprehensive tests for PackRunAttestationService, covering attestation generation, verification, and event emission. - Add tests for SealedInstallEnforcer to validate sealed install requirements and enforcement logic. - Introduce a MonacoLoaderService stub for testing purposes to prevent Monaco workers/styles from loading during Karma runs.
{
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"$id": "https://stella-ops.org/schemas/orchestrator-envelope.schema.json",
|
|
"title": "StellaOps Orchestrator Event Envelope Schema",
|
|
"description": "Schema for orchestrator-compatible event envelopes used by Scanner and other services. Unblocks SCANNER-EVENTS-16-301.",
|
|
"type": "object",
|
|
"definitions": {
|
|
"EventEnvelope": {
|
|
"type": "object",
|
|
"description": "Standard event envelope for orchestrator event bus",
|
|
"required": ["envelope_id", "event_type", "timestamp", "source", "payload"],
|
|
"properties": {
|
|
"envelope_id": {
|
|
"type": "string",
|
|
"format": "uuid",
|
|
"description": "Unique identifier for this event envelope"
|
|
},
|
|
"event_type": {
|
|
"type": "string",
|
|
"pattern": "^[a-z]+\\.[a-z_]+\\.[a-z_]+$",
|
|
"description": "Dot-notation event type (e.g., scanner.scan.completed)",
|
|
"examples": [
|
|
"scanner.scan.started",
|
|
"scanner.scan.completed",
|
|
"scanner.scan.failed",
|
|
"scanner.sbom.generated",
|
|
"scanner.vulnerability.detected",
|
|
"notifier.alert.sent",
|
|
"policy.evaluation.completed"
|
|
]
|
|
},
|
|
"timestamp": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "ISO 8601 (RFC 3339) timestamp of when the event was created"
|
|
},
|
|
"source": {
|
|
"$ref": "#/definitions/EventSource"
|
|
},
|
|
"correlation_id": {
|
|
"type": "string",
|
|
"format": "uuid",
|
|
"description": "Correlation ID for tracing related events"
|
|
},
|
|
"causation_id": {
|
|
"type": "string",
|
|
"format": "uuid",
|
|
"description": "envelope_id of the event that caused this one"
|
|
},
|
|
"tenant_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"project_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"payload": {
|
|
"type": "object",
|
|
"description": "Event-specific payload",
|
|
"additionalProperties": true
|
|
},
|
|
"metadata": {
|
|
"$ref": "#/definitions/EventMetadata"
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"default": "1.0",
|
|
"description": "Version of the event envelope schema"
|
|
}
|
|
}
|
|
},
|
|
"EventSource": {
|
|
"type": "object",
|
|
"description": "Service instance that emitted the event",
|
|
"required": ["service", "instance_id"],
|
|
"properties": {
|
|
"service": {
|
|
"type": "string",
|
|
"description": "Service name (e.g., scanner, notifier, policy-engine)"
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"description": "Service version"
|
|
},
|
|
"instance_id": {
|
|
"type": "string",
|
|
"description": "Instance identifier (hostname, pod name, etc.)"
|
|
},
|
|
"region": {
|
|
"type": "string",
|
|
"description": "Deployment region"
|
|
}
|
|
}
|
|
},
|
|
"EventMetadata": {
|
|
"type": "object",
|
|
"description": "Additional metadata for the event",
|
|
"properties": {
|
|
"trace_id": {
|
|
"type": "string",
|
|
"description": "OpenTelemetry trace ID"
|
|
},
|
|
"span_id": {
|
|
"type": "string",
|
|
"description": "OpenTelemetry span ID"
|
|
},
|
|
"priority": {
|
|
"type": "string",
|
|
"enum": ["low", "normal", "high", "critical"],
|
|
"default": "normal"
|
|
},
|
|
"ttl_seconds": {
|
|
"type": "integer",
|
|
"minimum": 0,
|
|
"description": "Time-to-live for the event, in seconds"
|
|
},
|
|
"retry_count": {
|
|
"type": "integer",
|
|
"minimum": 0,
|
|
"default": 0
|
|
},
|
|
"idempotency_key": {
|
|
"type": "string",
|
|
"description": "Key used to deduplicate redelivered events so processing stays idempotent"
|
|
},
|
|
"content_type": {
|
|
"type": "string",
|
|
"default": "application/json"
|
|
},
|
|
"compression": {
|
|
"type": "string",
|
|
"enum": ["none", "gzip", "lz4"],
|
|
"default": "none"
|
|
}
|
|
}
|
|
},
|
|
"ScannerEventPayload": {
|
|
"type": "object",
|
|
"description": "Base payload for scanner events",
|
|
"properties": {
|
|
"scan_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"job_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"target": {
|
|
"$ref": "#/definitions/ScanTarget"
|
|
},
|
|
"status": {
|
|
"type": "string",
|
|
"enum": ["started", "in_progress", "completed", "failed", "cancelled"]
|
|
},
|
|
"started_at": {
|
|
"type": "string",
|
|
"format": "date-time"
|
|
},
|
|
"completed_at": {
|
|
"type": "string",
|
|
"format": "date-time"
|
|
},
|
|
"duration_ms": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"results_summary": {
|
|
"$ref": "#/definitions/ScanResultsSummary"
|
|
},
|
|
"error": {
|
|
"$ref": "#/definitions/ErrorInfo"
|
|
}
|
|
}
|
|
},
|
|
"ScanTarget": {
|
|
"type": "object",
|
|
"description": "Target being scanned",
|
|
"required": ["type", "identifier"],
|
|
"properties": {
|
|
"type": {
|
|
"type": "string",
|
|
"enum": ["container_image", "repository", "filesystem", "sbom", "package"]
|
|
},
|
|
"identifier": {
|
|
"type": "string",
|
|
"description": "Target identifier (image name, repo URL, path)"
|
|
},
|
|
"digest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$"
|
|
},
|
|
"tag": {
|
|
"type": "string"
|
|
},
|
|
"platform": {
|
|
"type": "string",
|
|
"description": "Platform (e.g., linux/amd64)"
|
|
}
|
|
}
|
|
},
|
|
"ScanResultsSummary": {
|
|
"type": "object",
|
|
"description": "Summary of scan results",
|
|
"properties": {
|
|
"total_vulnerabilities": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"by_severity": {
|
|
"type": "object",
|
|
"properties": {
|
|
"critical": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"high": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"medium": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"low": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"info": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
}
|
|
}
|
|
},
|
|
"components_scanned": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"sbom_generated": {
|
|
"type": "boolean"
|
|
},
|
|
"sbom_ref": {
|
|
"type": "string",
|
|
"description": "Reference to the generated SBOM"
|
|
}
|
|
}
|
|
},
|
|
"ErrorInfo": {
|
|
"type": "object",
|
|
"description": "Error information for failed events",
|
|
"required": ["code", "message"],
|
|
"properties": {
|
|
"code": {
|
|
"type": "string"
|
|
},
|
|
"message": {
|
|
"type": "string"
|
|
},
|
|
"details": {
|
|
"type": "object",
|
|
"additionalProperties": true
|
|
},
|
|
"stack_trace": {
|
|
"type": "string"
|
|
},
|
|
"recoverable": {
|
|
"type": "boolean",
|
|
"default": false
|
|
}
|
|
}
|
|
},
|
|
"VulnerabilityDetectedPayload": {
|
|
"type": "object",
|
|
"description": "Payload for vulnerability detection events",
|
|
"required": ["scan_id", "vulnerability"],
|
|
"properties": {
|
|
"scan_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"vulnerability": {
|
|
"$ref": "#/definitions/VulnerabilityInfo"
|
|
},
|
|
"affected_component": {
|
|
"$ref": "#/definitions/ComponentInfo"
|
|
},
|
|
"reachability": {
|
|
"type": "string",
|
|
"enum": ["reachable", "unreachable", "potentially_reachable", "unknown"]
|
|
}
|
|
}
|
|
},
|
|
"VulnerabilityInfo": {
|
|
"type": "object",
|
|
"required": ["id", "severity"],
|
|
"properties": {
|
|
"id": {
|
|
"type": "string",
|
|
"description": "Vulnerability identifier (CVE ID or other advisory identifier)"
|
|
},
|
|
"severity": {
|
|
"type": "string",
|
|
"enum": ["critical", "high", "medium", "low", "info"]
|
|
},
|
|
"cvss_score": {
|
|
"type": "number",
|
|
"minimum": 0,
|
|
"maximum": 10
|
|
},
|
|
"cvss_vector": {
|
|
"type": "string"
|
|
},
|
|
"title": {
|
|
"type": "string"
|
|
},
|
|
"description": {
|
|
"type": "string"
|
|
},
|
|
"references": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "uri"
|
|
}
|
|
},
|
|
"fix_available": {
|
|
"type": "boolean"
|
|
},
|
|
"fixed_version": {
|
|
"type": "string"
|
|
},
|
|
"kev_listed": {
|
|
"type": "boolean"
|
|
},
|
|
"epss_score": {
|
|
"type": "number",
|
|
"minimum": 0,
|
|
"maximum": 1
|
|
}
|
|
}
|
|
},
|
|
"ComponentInfo": {
|
|
"type": "object",
|
|
"required": ["purl"],
|
|
"properties": {
|
|
"purl": {
|
|
"type": "string"
|
|
},
|
|
"name": {
|
|
"type": "string"
|
|
},
|
|
"version": {
|
|
"type": "string"
|
|
},
|
|
"ecosystem": {
|
|
"type": "string"
|
|
},
|
|
"location": {
|
|
"type": "string",
|
|
"description": "Location in the target (e.g., layer, file path)"
|
|
}
|
|
}
|
|
},
|
|
"NotifierIngestionEvent": {
|
|
"type": "object",
|
|
"description": "Event structure for Notifier ingestion",
|
|
"required": ["envelope_id", "event_type", "severity_threshold_met"],
|
|
"properties": {
|
|
"envelope_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"event_type": {
|
|
"type": "string"
|
|
},
|
|
"severity_threshold_met": {
|
|
"type": "boolean",
|
|
"description": "Whether the event meets the notification severity threshold"
|
|
},
|
|
"notification_channels": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"enum": ["email", "slack", "teams", "webhook", "pagerduty"]
|
|
}
|
|
},
|
|
"digest_eligible": {
|
|
"type": "boolean",
|
|
"description": "Whether the event should be batched into a digest"
|
|
},
|
|
"immediate_dispatch": {
|
|
"type": "boolean",
|
|
"description": "Whether the event requires immediate dispatch"
|
|
}
|
|
}
|
|
},
|
|
"EventBatch": {
|
|
"type": "object",
|
|
"description": "Batch of events for bulk processing",
|
|
"required": ["batch_id", "events"],
|
|
"properties": {
|
|
"batch_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"events": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/definitions/EventEnvelope"
|
|
},
|
|
"minItems": 1
|
|
},
|
|
"created_at": {
|
|
"type": "string",
|
|
"format": "date-time"
|
|
},
|
|
"total_count": {
|
|
"type": "integer",
|
|
"minimum": 1
|
|
}
|
|
}
|
|
},
|
|
"EventSubscription": {
|
|
"type": "object",
|
|
"description": "Subscription to event types",
|
|
"required": ["subscription_id", "event_patterns", "endpoint"],
|
|
"properties": {
|
|
"subscription_id": {
|
|
"type": "string",
|
|
"format": "uuid"
|
|
},
|
|
"event_patterns": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"description": "Glob pattern for event types (e.g., scanner.* or scanner.scan.completed)"
|
|
}
|
|
},
|
|
"endpoint": {
|
|
"type": "string",
|
|
"format": "uri",
|
|
"description": "Webhook endpoint for event delivery"
|
|
},
|
|
"filters": {
|
|
"type": "object",
|
|
"additionalProperties": true,
|
|
"description": "Additional filters on payload fields"
|
|
},
|
|
"enabled": {
|
|
"type": "boolean",
|
|
"default": true
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"properties": {
|
|
"events": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/definitions/EventEnvelope"
|
|
}
|
|
}
|
|
},
|
|
"examples": [
|
|
{
|
|
"events": [
|
|
{
|
|
"envelope_id": "550e8400-e29b-41d4-a716-446655440000",
|
|
"event_type": "scanner.scan.completed",
|
|
"timestamp": "2025-12-06T10:00:00Z",
|
|
"source": {
|
|
"service": "scanner",
|
|
"version": "2025.10.0",
|
|
"instance_id": "scanner-pod-abc123"
|
|
},
|
|
"correlation_id": "660e8400-e29b-41d4-a716-446655440001",
|
|
"tenant_id": "770e8400-e29b-41d4-a716-446655440002",
|
|
"project_id": "880e8400-e29b-41d4-a716-446655440003",
|
|
"payload": {
|
|
"scan_id": "990e8400-e29b-41d4-a716-446655440004",
|
|
"job_id": "aa0e8400-e29b-41d4-a716-446655440005",
|
|
"target": {
|
|
"type": "container_image",
|
|
"identifier": "myregistry.io/app:v1.0.0",
|
|
"digest": "sha256:abc123def456..."
|
|
},
|
|
"status": "completed",
|
|
"started_at": "2025-12-06T09:55:00Z",
|
|
"completed_at": "2025-12-06T10:00:00Z",
|
|
"duration_ms": 300000,
|
|
"results_summary": {
|
|
"total_vulnerabilities": 15,
|
|
"by_severity": {
|
|
"critical": 1,
|
|
"high": 3,
|
|
"medium": 7,
|
|
"low": 4,
|
|
"info": 0
|
|
},
|
|
"components_scanned": 127,
|
|
"sbom_generated": true,
|
|
"sbom_ref": "s3://sboms/990e8400.../sbom.json"
|
|
}
|
|
},
|
|
"metadata": {
|
|
"trace_id": "abc123trace",
|
|
"span_id": "def456span",
|
|
"priority": "normal"
|
|
},
|
|
"version": "1.0"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|