Delta Scan CLI Command

Module

Cli

Status

VERIFIED

Description

CLI command stella scan delta --old <image> --new <image> for delta scanning between container image versions. Supports JSON/text/summary output formats, exit codes for CVE status (0=clean, 1=new CVEs, 2=error), and flags for policy, platform, SBOM format, signing, Rekor submission, and timeout configuration.

Implementation Details

Command Group: src/Cli/StellaOps.Cli/Commands/DeltaCommandGroup.cs -- DeltaCommandGroup for stella delta / stella scan delta commands
Commands:
- stella scan delta --old <image> --new <image> -- delta scan between two image versions. Options: --format json|text|summary, --policy <file>, --platform <arch>, --sbom-format cdx|spdx, --sign, --rekor, --timeout <duration>
Exit codes: 0=no new CVEs, 1=new CVEs found, 2=error
Integration: Connects to Scanner module for diff computation

E2E Test Plan

Run stella scan delta --old app:v1.0 --new app:v2.0 and verify delta scan results
Run with --format json and verify structured delta output
Run with --format summary and verify summary output
Verify exit code 0 when no new CVEs introduced
Verify exit code 1 when new CVEs found in new image
Run with --sign --rekor and verify signed results with Rekor entry
Run with --policy ./policy.stella and verify policy evaluation against delta
Verify --timeout flag works for long-running scans

Verification

Verified: 2026-02-13T15:30:00Z
Tier 0 (Source): pass -- all referenced source files exist on disk
Tier 1 (Build): pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
Tier 2d (Integration): pass -- targeted integration tests confirm behavioral correctness
Test Project: src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj
Evidence: docs/qa/feature-checks/runs/cli/delta-scan-cli-command/run-001/tier2-integration-check.json

2.0 KiB Raw Blame History