5146204f1b
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
97 lines
2.8 KiB
Plaintext
97 lines
2.8 KiB
Plaintext
# Substitutions for docker-compose.prod.yaml
|
|
# WARNING: Replace all placeholder secrets with values sourced from your secret manager.
|
|
|
|
# PostgreSQL Database
|
|
POSTGRES_USER=stellaops-prod
|
|
POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
|
|
POSTGRES_DB=stellaops_platform
|
|
POSTGRES_PORT=5432
|
|
|
|
# Valkey (Redis-compatible cache and messaging)
|
|
VALKEY_PORT=6379
|
|
|
|
# RustFS Object Storage
|
|
RUSTFS_HTTP_PORT=8080
|
|
|
|
# Authority (OAuth2/OIDC)
|
|
AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
|
|
AUTHORITY_PORT=8440
|
|
AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
|
|
|
|
# Signer
|
|
SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
|
|
SIGNER_PORT=8441
|
|
|
|
# Attestor
|
|
ATTESTOR_PORT=8442
|
|
|
|
# Issuer Directory
|
|
ISSUER_DIRECTORY_PORT=8447
|
|
ISSUER_DIRECTORY_SEED_CSAF=true
|
|
|
|
# Concelier
|
|
CONCELIER_PORT=8445
|
|
|
|
# Scanner
|
|
SCANNER_WEB_PORT=8444
|
|
SCANNER_QUEUE_BROKER=valkey://valkey:6379
|
|
# `true` enables signed scanner events for Notify ingestion.
|
|
SCANNER_EVENTS_ENABLED=true
|
|
SCANNER_EVENTS_DRIVER=valkey
|
|
SCANNER_EVENTS_DSN=
|
|
SCANNER_EVENTS_STREAM=stella.events
|
|
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
|
|
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
|
|
|
|
# Surface.Env configuration
|
|
SCANNER_SURFACE_FS_ENDPOINT=https://surfacefs.prod.stella-ops.org/api/v1
|
|
SCANNER_SURFACE_FS_BUCKET=surface-cache
|
|
SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
|
|
SCANNER_SURFACE_CACHE_QUOTA_MB=4096
|
|
SCANNER_SURFACE_PREFETCH_ENABLED=false
|
|
SCANNER_SURFACE_TENANT=default
|
|
SCANNER_SURFACE_FEATURES=
|
|
SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
|
|
SCANNER_SURFACE_SECRETS_NAMESPACE=
|
|
SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
|
|
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
|
|
SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
|
|
SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
|
|
|
|
# Offline Kit configuration
|
|
SCANNER_OFFLINEKIT_ENABLED=false
|
|
SCANNER_OFFLINEKIT_REQUIREDSSE=true
|
|
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
|
|
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
|
|
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
|
|
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
|
|
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
|
|
|
|
# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
|
|
ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
|
|
ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
|
|
|
|
# Scheduler
|
|
SCHEDULER_QUEUE_KIND=Valkey
|
|
SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
|
|
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
|
|
|
|
# Notify
|
|
NOTIFY_WEB_PORT=8446
|
|
|
|
# Advisory AI
|
|
ADVISORY_AI_WEB_PORT=8448
|
|
ADVISORY_AI_SBOM_BASEADDRESS=https://scanner-web:8444
|
|
ADVISORY_AI_INFERENCE_MODE=Local
|
|
ADVISORY_AI_REMOTE_BASEADDRESS=
|
|
ADVISORY_AI_REMOTE_APIKEY=
|
|
|
|
# Web UI
|
|
UI_PORT=8443
|
|
|
|
# NATS
|
|
NATS_CLIENT_PORT=4222
|
|
|
|
# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
|
|
FRONTDOOR_NETWORK=stellaops_frontdoor
|