stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
65b15992292c4b4b3100430a80d289a461e7d16c
git.stella-ops.org/docs/modules/scanner
History
master 2e276d6676 feat: Enhance MongoDB storage with event publishing and outbox support 
- Added `MongoAdvisoryObservationEventPublisher` and `NatsAdvisoryObservationEventPublisher` for event publishing.
- Registered `IAdvisoryObservationEventPublisher` to choose between NATS and MongoDB based on configuration.
- Introduced `MongoAdvisoryObservationEventOutbox` for outbox pattern implementation.
- Updated service collection to include new event publishers and outbox.
- Added a new hosted service `AdvisoryObservationTransportWorker` for processing events.

feat: Update project dependencies

- Added `NATS.Client.Core` package to the project for NATS integration.

test: Add unit tests for AdvisoryLinkset normalization

- Created `AdvisoryLinksetNormalizationConfidenceTests` to validate confidence score calculations.

fix: Adjust confidence assertion in `AdvisoryObservationAggregationTests`

- Updated confidence assertion to allow a range instead of a fixed value.

test: Implement tests for AdvisoryObservationEventFactory

- Added `AdvisoryObservationEventFactoryTests` to ensure correct mapping and hashing of observation events.

chore: Configure test project for Findings Ledger

- Created `Directory.Build.props` for test project configuration.
- Added `StellaOps.Findings.Ledger.Exports.Unit.csproj` for unit tests related to findings ledger exports.

feat: Implement export contracts for findings ledger

- Defined export request and response contracts in `ExportContracts.cs`.
- Created various export item records for findings, VEX, advisories, and SBOMs.

feat: Add export functionality to Findings Ledger Web Service

- Implemented endpoints for exporting findings, VEX, advisories, and SBOMs.
- Integrated `ExportQueryService` for handling export logic and pagination.

test: Add tests for Node language analyzer phase 22

- Implemented `NodePhase22SampleLoaderTests` to validate loading of NDJSON fixtures.
- Created sample NDJSON file for testing.

chore: Set up isolated test environment for Node tests

- Added `node-isolated.runsettings` for isolated test execution.
- Created `node-tests-isolated.sh` script for running tests in isolation.
2025-11-20 23:08:45 +02:00
..
design
feat: Enhance MongoDB storage with event publishing and outbox support
2025-11-20 23:08:45 +02:00
operations
Add unit tests and implementations for MongoDB index models and OpenAPI metadata
2025-11-17 21:21:56 +02:00
prep
feat: Enhance MongoDB storage with event publishing and outbox support
2025-11-20 23:08:45 +02:00
AGENTS.md
Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.
2025-11-05 11:58:32 +02:00
architecture.md
Implement ledger metrics for observability and add tests for Ruby packages endpoints
2025-11-13 09:29:09 +02:00
determinism-score.md
feat: Add Promotion-Time Attestations for Stella Ops
2025-11-11 15:30:22 +02:00
deterministic-sbom-compose.md
Add support for ГОСТ Р 34.10 digital signatures
2025-11-09 21:59:57 +02:00
entropy.md
feat: Add Promotion-Time Attestations for Stella Ops
2025-11-11 15:30:22 +02:00
implementation_plan.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
README.md
feat: Implement Runtime Facts ingestion service and NDJSON reader
2025-11-10 07:56:15 +02:00

README.md

StellaOps Scanner

Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.

Latest updates (2025-11-09)

  • Node analyzer now ingests npm/yarn/pnpm lockfiles, emitting DeclaredOnly components with lock provenance. The CLI companion command stella node lock-validate runs the collector offline, surfaces declared-only or missing-lock packages, and emits telemetry via stellaops.cli.node.lock_validate.count.
  • Python analyzer picks up requirements*.txt, Pipfile.lock, and poetry.lock, tagging installed distributions with lock provenance and generating declared-only components for policy. Use stella python lock-validate to run the same checks locally before images are built.
  • Java analyzer now parses gradle.lockfile, gradle/dependency-locks/**/*.lockfile, and pom.xml dependencies via the new JavaLockFileCollector, merging lock metadata onto jar evidence and emitting declared-only components when jars are absent. The new CLI verb stella java lock-validate reuses that collector offline (table/JSON output) and records stellaops.cli.java.lock_validate.count{outcome} for observability.
  • Worker/WebService now resolve cache roots and feature flags via StellaOps.Scanner.Surface.Env; misconfiguration warnings are documented in docs/modules/scanner/design/surface-env.md and surfaced through startup validation.
  • Platform events rollout (2025-10-19) continues to publish scanner.report.ready@1 and scanner.scan.completed@1 envelopes with embedded DSSE payloads (see docs/updates/2025-10-19-scanner-policy.md and docs/updates/2025-10-19-platform-events.md). Service and consumer tests should round-trip the canonical samples under docs/events/samples/.

Responsibilities

  • Expose APIs (WebService) for scan orchestration, diffing, and artifact retrieval.
  • Run Worker analyzers for OS, language, and native ecosystems with restart-only plug-ins.
  • Store SBOM fragments and artifacts in RustFS/object storage.
  • Publish DSSE-ready metadata for Signer/Attestor and downstream policy evaluation.

Key components

  • StellaOps.Scanner.WebService minimal API host.
  • StellaOps.Scanner.Worker analyzer executor.
  • Analyzer libraries under StellaOps.Scanner.Analyzers.*.

Integrations & dependencies

  • Scheduler for job intake and retries.
  • Policy Engine for evidence handoff.
  • Export Center / Offline Kit for artifact packaging.

Operational notes

  • CAS caches, bounded retries, DSSE integration.
  • Monitoring dashboards (see ./operations/analyzers-grafana-dashboard.json).
  • RustFS migration playbook.

Related resources

  • ./operations/analyzers.md
  • ./operations/analyzers-grafana-dashboard.json
  • ./operations/rustfs-migration.md
  • ./operations/entrypoint.md
  • ./operations/secret-leak-detection.md
  • ./operations/dsse-rekor-operator-guide.md
  • ./design/macos-analyzer.md
  • ./design/windows-analyzer.md
  • ../benchmarks/scanner/deep-dives/macos.md
  • ../benchmarks/scanner/deep-dives/windows.md
  • ../benchmarks/scanner/windows-macos-demand.md
  • ../benchmarks/scanner/windows-macos-interview-template.md
  • ./operations/field-engagement.md
  • ./design/README.md

Backlog references

  • DOCS-SCANNER updates tracked in ../../TASKS.md.
  • Analyzer parity work in src/Scanner/**/TASKS.md.

Epic alignment

  • Epic 6 Vulnerability Explorer: provide policy-aware scan outputs, explain traces, and findings ledger hooks for triage workflows.
  • Epic 10 Export Center: generate export-ready artefacts, manifests, and DSSE metadata for bundles.