stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
69651212ec42ade25a9c7952b5655e9d4a5514c7
git.stella-ops.org/ops/devops/vuln/vuln-explorer-ci-plan.md
StellaOps Bot 2d08f52715 feat(zastava): add evidence locker plan and schema examples 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
2025-12-02 09:27:31 +02:00

43 lines
2.9 KiB
Markdown
Raw Blame History

# Vuln Explorer CI + Ops Plan (DEVOPS-VULN-29-001)
Scope: CI jobs, backup/DR, Merkle anchoring monitoring, and verification automation for the Vuln Explorer ledger projector and API.
Assumptions: Vuln Explorer API uses MongoDB + Redis; ledger projector performs replay into materialized views; Merkle tree anchoring to transparency log.
## CI Jobs
- `build-vuln`: dotnet restore/build for `src/VulnExplorer/StellaOps.VulnExplorer.Api` and projector; use `DOTNET_DISABLE_BUILTIN_GRAPH=1` and `local-nugets/`.
- `test-vuln`: focused tests with `dotnet test src/VulnExplorer/__Tests/...` and `--filter Category!=GraphHeavy`; publish TRX + coverage.
- `replay-smoke`: run projector against fixture event log (`samples/vuln/events/replay.ndjson`) and assert deterministic materialized view hash; fail on divergence.
- `sbom+attest`: reuse `ops/devops/docker/sbom_attest.sh` post-build.
## Backup & DR
- Mongo: enable point-in-time snapshots (if available) or nightly `mongodump` of `vuln_explorer` db; store in object storage with retention 30d.
- Redis (if used for cache): not authoritative; no backup required.
- Replay-first recovery: keep latest event log snapshot in `release artifacts`; replay task rehydrates materialized views.
## Merkle Anchoring Verification
- Monitor projector metrics: `ledger_projection_lag_seconds`, `ledger_projection_errors_total`.
- Add periodic job `verify-merkle`: fetch latest Merkle root from projector state, cross-check against transparency log (`rekor` or configured log) using `cosign verify-tree` or custom verifier.
- Alert when last anchored root age > 15m or mismatch detected.
## Verification Automation
- Script `ops/devops/vuln/verify_projection.sh` runs hash check:
- Input projection export (`samples/vuln/events/projection.json` default) compared to `ops/devops/vuln/expected_projection.sha256`.
- Exits non-zero on mismatch; use in CI after projector replay.
## Fixtures
- Store deterministic replay fixture under `samples/vuln/events/replay.ndjson` (generated offline, includes mixed tenants, disputed findings, remediation states).
- Export canonical projection snapshot to `samples/vuln/events/projection.json` and hash to `ops/devops/vuln/expected_projection.sha256`.
## Dashboards / Alerts (DEVOPS-VULN-29-002/003)
- Dashboard JSON: `ops/devops/vuln/dashboards/vuln-explorer.json` (latency, projection lag, error rate, budget enforcement).
- Alerts: `ops/devops/vuln/alerts.yaml` defining `vuln_api_latency_p95_gt_300ms`, `vuln_projection_lag_gt_60s`, `vuln_projection_error_rate_gt_1pct`, `vuln_query_budget_enforced_gt_50_per_min`.
## Offline posture
- CI and verification use in-repo fixtures; no external downloads.
- Use mirrored images and `local-nugets/` for all builds/tests.
## Local run
```
DOTNET_DISABLE_BUILTIN_GRAPH=1 dotnet test src/VulnExplorer/__Tests/StellaOps.VulnExplorer.Api.Tests/StellaOps.VulnExplorer.Api.Tests.csproj --filter Category!=GraphHeavy
```
Reference in New Issue View Git Blame Copy Permalink