stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
536f6249a62721494f9735dafa8b9e53db7754ea
git.stella-ops.org/docs/modules/scanner
History
master 515975edc5
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Implement Advisory Canonicalization and Backfill Migration 
- Added AdvisoryCanonicalizer for canonicalizing advisory identifiers.
- Created EnsureAdvisoryCanonicalKeyBackfillMigration to populate advisory_key and links in advisory_raw documents.
- Introduced FileSurfaceManifestStore for managing surface manifests with file system backing.
- Developed ISurfaceManifestReader and ISurfaceManifestWriter interfaces for reading and writing manifests.
- Implemented SurfaceManifestPathBuilder for constructing paths and URIs for surface manifests.
- Added tests for FileSurfaceManifestStore to ensure correct functionality and deterministic behavior.
- Updated documentation for new features and migration steps.
2025-11-07 19:54:02 +02:00
..
design
Implement Advisory Canonicalization and Backfill Migration
2025-11-07 19:54:02 +02:00
operations
Implement MongoDB-based storage for Pack Run approval, artifact, log, and state management
2025-11-07 10:01:47 +02:00
AGENTS.md
Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.
2025-11-05 11:58:32 +02:00
architecture.md
feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules
2025-10-30 00:09:39 +02:00
implementation_plan.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
README.md
feat: Implement approvals workflow and notifications integration
2025-11-06 08:48:13 +02:00
TASKS.md
feat: Implement approvals workflow and notifications integration
2025-11-06 08:48:13 +02:00

README.md

StellaOps Scanner

Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.

Latest updates (2025-11-06)

  • Worker/WebService now resolve cache roots and feature flags via StellaOps.Scanner.Surface.Env; misconfiguration warnings are documented in docs/modules/scanner/design/surface-env.md and surfaced through startup validation.
  • Platform events rollout (2025-10-19) continues to publish scanner.report.ready@1 and scanner.scan.completed@1 envelopes with embedded DSSE payloads (see docs/updates/2025-10-19-scanner-policy.md and docs/updates/2025-10-19-platform-events.md). Service and consumer tests should round-trip the canonical samples under docs/events/samples/.

Responsibilities

  • Expose APIs (WebService) for scan orchestration, diffing, and artifact retrieval.
  • Run Worker analyzers for OS, language, and native ecosystems with restart-only plug-ins.
  • Store SBOM fragments and artifacts in RustFS/object storage.
  • Publish DSSE-ready metadata for Signer/Attestor and downstream policy evaluation.

Key components

  • StellaOps.Scanner.WebService minimal API host.
  • StellaOps.Scanner.Worker analyzer executor.
  • Analyzer libraries under StellaOps.Scanner.Analyzers.*.

Integrations & dependencies

  • Scheduler for job intake and retries.
  • Policy Engine for evidence handoff.
  • Export Center / Offline Kit for artifact packaging.

Operational notes

  • CAS caches, bounded retries, DSSE integration.
  • Monitoring dashboards (see ./operations/analyzers-grafana-dashboard.json).
  • RustFS migration playbook.

Related resources

  • ./operations/analyzers.md
  • ./operations/analyzers-grafana-dashboard.json
  • ./operations/rustfs-migration.md
  • ./operations/entrypoint.md
  • ./operations/secret-leak-detection.md
  • ./design/macos-analyzer.md
  • ./design/windows-analyzer.md
  • ../benchmarks/scanner/deep-dives/macos.md
  • ../benchmarks/scanner/deep-dives/windows.md
  • ../benchmarks/scanner/windows-macos-demand.md
  • ../benchmarks/scanner/windows-macos-interview-template.md
  • ./operations/field-engagement.md
  • ./design/README.md

Backlog references

  • DOCS-SCANNER updates tracked in ../../TASKS.md.
  • Analyzer parity work in src/Scanner/**/TASKS.md.

Epic alignment

  • Epic 6 Vulnerability Explorer: provide policy-aware scan outputs, explain traces, and findings ledger hooks for triage workflows.
  • Epic 10 Export Center: generate export-ready artefacts, manifests, and DSSE metadata for bundles.