stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
5d5f4de2e18f411dfd530c95da09759249d5f8f2
git.stella-ops.org/docs/features/checked/scanner/delta-layer-scanning-engine.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.5 KiB
Raw Blame History

Delta Layer Scanning Engine

Module

Scanner

Status

VERIFIED

Description

Container image delta scanning engine that scans only changed layers between image versions by diffID comparison, reusing cached per-layer SBOMs for unchanged layers. Produces DSSE-wrapped delta evidence with Rekor anchoring. Targets 70%+ CVE churn reduction on minor base image bumps.

Implementation Details

  • Core Delta Scanner:
    • src/Scanner/__Libraries/StellaOps.Scanner.Delta/IDeltaLayerScanner.cs - Interface for delta layer scanning
    • src/Scanner/__Libraries/StellaOps.Scanner.Delta/DeltaLayerScanner.cs - Scans only changed layers by diffID comparison, reuses cached per-layer SBOMs
  • Delta Evidence:
    • src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/IDeltaEvidenceComposer.cs - Interface for composing delta evidence
    • src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaEvidenceComposer.cs - Composes DSSE-wrapped delta evidence with Rekor anchoring
    • src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaScanPredicate.cs - Delta scan predicate model
  • WebService Integration:
    • src/Scanner/StellaOps.Scanner.WebService/Services/IDeltaScanRequestHandler.cs - Delta scan request handler interface
    • src/Scanner/StellaOps.Scanner.WebService/Services/DeltaScanRequestHandler.cs - Handles delta scan API requests
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs - Delta comparison API endpoints
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs - Delta evidence API endpoints
    • src/Scanner/StellaOps.Scanner.WebService/Contracts/DeltaCompareContracts.cs - API contracts

E2E Test Plan

  • Scan two versions of the same image with minor base image changes
  • Verify only changed layers are scanned (unchanged layers reuse cached SBOMs)
  • Verify delta evidence is DSSE-wrapped and includes Rekor anchoring reference
  • Call GET /api/v1/delta/{baselineScanId}/{currentScanId} and verify delta comparison results
  • Call GET /api/v1/delta/{scanId}/evidence and verify delta evidence bundle
  • Verify CVE churn is reduced (only changed-layer CVEs appear as new findings)
  • Verify the delta scan completes significantly faster than a full scan

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z