git.stella-ops.org/docs/evaluate/checklist.md
Vladimir Moushkov 691028fe69
feat: Document completed tasks across multiple components
- Added completed tasks documentation for Scheduler WebService, ImpactIndex, Models, Queue, Storage.Mongo, Worker, Signals, Signer, UI, Zastava.Observer, Zastava.Webhook, Zastava.Core, Cryptography.Kms, Cryptography, and Plugin.
- Each task includes ID, status, owners, dependencies, descriptions, and exit criteria to ensure clarity and traceability.
- Enhanced integration and unit testing coverage across various components to validate functionality and compliance with specifications.
2025-10-30 18:20:31 +02:00


Evaluation Checklist: 30-Day Adoption Plan

Day 0–1: Kick the Tires

  • Follow the Quickstart to run the first scan and confirm quota headers (X-Stella-Quota-Remaining).
  • Capture the deterministic replay bundle (stella replay export) to verify SRM evidence.
  • Log into the Console, review the explain trace for the latest scan, and test policy waiver creation.

Day 2–7: Prove Fit

  • Import the Offline Update Kit and confirm feeds refresh with no Internet access.
  • Apply a sovereign CryptoProfile matching your regulatory environment (FIPS, eIDAS, GOST, SM).
  • Run policy simulations with your SBOMs using stella policy simulate --input <sbom>; log explain outcomes for review.
  • Validate attestation workflows by exporting DSSE bundles and replaying them on a secondary host.

Day 8–14: Integrate

  • Wire the CLI into CI/CD so that image promotion is gated on its exit codes, and record the X-Stella-Quota-Remaining header as telemetry so quota exhaustion is visible before it stalls a pipeline.
  • Configure StellaOps.Notify with at least one channel (email/webhook) and confirm digest delivery.
  • Map existing advisory/VEX sources to Concelier connectors; note any feeds requiring custom plug-ins.
  • Review StellaOps.Policy.Engine audit logs to ensure waiver ownership and expiry meet governance needs.
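The CI gate in the first bullet above, as an added example (not StellaOps' own code or scripts). It assumes three things that the checklist does not fix: the scan invocation is whatever your Quickstart settled on and is passed in by the caller (the script does not know the stella CLI syntax), the scan exits 0 on pass and non-zero otherwise, and the response headers are available in a file written with `curl -D` or an equivalent header dump. The function names (`quota_remaining`, `gate_decision`, `run_gate`) and the sample header dump are constructed for the example.

```shell
#!/bin/sh
# ci_gate.sh: wrap a scan command, gate on its exit code, and surface the
# X-Stella-Quota-Remaining header as a telemetry line. Added example, not
# project code; see assumptions in the lead-in. POSIX sh, no bashisms.
set -eu

# quota_remaining FILE -> prints the integer value of X-Stella-Quota-Remaining.
# Header names are case-insensitive and header lines end in CRLF, so both are
# normalised before matching. Returns 2 if the header is absent or not numeric.
quota_remaining() {
  file="$1"
  value=$(tr -d '\r' < "$file" \
    | awk -F': *' 'tolower($1)=="x-stella-quota-remaining" {print $2; exit}')
  case "$value" in
    ''|*[!0-9]*) echo "quota header missing or malformed in $file" >&2; return 2 ;;
  esac
  printf '%s\n' "$value"
}

# gate_decision EXIT_CODE QUOTA THRESHOLD -> prints one of:
#   fail    : the scan exited non-zero (policy failure or tool error)
#   blocked : the scan passed but remaining quota is below THRESHOLD, so a
#             following build would not run; report it before it becomes an outage
#   pass    : scan green and quota healthy
gate_decision() {
  code="$1"; quota="$2"; threshold="$3"
  if [ "$code" -ne 0 ]; then echo fail; return 0; fi
  if [ "$quota" -lt "$threshold" ]; then echo blocked; return 0; fi
  echo pass
}

# run_gate HEADERS THRESHOLD CMD... -> runs CMD, captures its exit code without
# letting `set -e` abort first, emits one key=value telemetry line, and returns
# non-zero unless the decision is "pass" (so the CI job fails on that).
run_gate() {
  headers="$1"; threshold="$2"; shift 2
  code=0
  "$@" || code=$?
  quota=$(quota_remaining "$headers") || quota=-1   # -1 = header unavailable
  decision=$(gate_decision "$code" "$quota" "$threshold")
  printf 'stella_gate decision=%s exit_code=%d quota_remaining=%d\n' \
    "$decision" "$code" "$quota"
  [ "$decision" = pass ]
}

# Stand-alone demo with a constructed header dump (not captured from a real
# server) and `true` standing in for the scan command.
demo() {
  tmp=$(mktemp)
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nX-Stella-Quota-Remaining: 42\r\n\r\n' > "$tmp"
  run_gate "$tmp" 10 true
  rm -f "$tmp"
}

demo
```

In a real pipeline, replace `true` with the scan invocation and point `HEADERS` at the file your HTTP client wrote; the threshold is the number of scans you want left in the quota before the gate starts reporting `blocked`, which is the signal to feed into the monitoring set up in Day 15–30.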

Day 15–30: Harden & Measure

  • Follow the Security Hardening Guide to rotate keys and enable mTLS across modules.
  • Enable observability pipelines (metrics + OpenTelemetry) to capture scan throughput and policy outcomes.
  • Run performance checks against the Performance Workbook targets; note P95 latencies.
  • Document operational runbooks (install, upgrade, rollback) referencing Release Engineering Playbook.

Decision Gates

| Question | Evidence to collect | Source |
| --- | --- | --- |
| Can we operate fully offline? | Offline kit import logs, quota JWT validation without Internet | Quickstart, Offline Kit guide |
| Are findings explainable and reproducible? | SRM replay results, policy explain traces | Key features, Policy Engine UI |
| Does it meet regional compliance? | CryptoProfile application, Attestor/Rekor mirror configuration | Sovereign crypto docs, Attestor guide |

Next step: once the checklist is green, plan production rollout with module-specific architecture docs under docs/modules/.