git.stella-ops.org/docs/features/checked/scanner/scanner-pr-mr-evidence-annotations.md
2026-02-14 09:11:48 +02:00


Scanner PR/MR Evidence Annotations (Webhook-Driven)

| Module | Status |
| --- | --- |
| Scanner | VERIFIED |

Description

Webhook-driven PR/MR annotation generation with evidence anchors (attestation digest, policy verdict, verify command), ASCII-only output, and posting via SCM annotation clients with retry/backoff.

Implementation Details

  • PR Annotation Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs - PrAnnotationService generates PR/MR annotations with evidence anchors including attestation digest, policy verdict, and verify command
  • Webhook Handler:
    • src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationWebhookHandler.cs - PrAnnotationWebhookHandler processes incoming webhook events from SCM providers and triggers annotation generation
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/WebhookEndpoints.cs - Webhook endpoints receiving SCM events for PR/MR annotation
  • Reachability Gate:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs - PrReachabilityGate evaluating reachability status for PR annotations
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs - Unit tests for annotation generation
    • src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PrReachabilityGateTests.cs - PR reachability gate tests
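The behaviour described above (evidence anchors, ASCII-only rendering, posting with retry/backoff), as an added stand-alone illustration in Python; this is not the project's C# code. The digest format, the `stella verify` command syntax, the verdict names and the finding identifiers are constructed assumptions, and `post` stands in for the SCM annotation client.

```python
import re
import time

# Constructed illustration: digest format, verdict names and CLI syntax are assumptions.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ALLOWED_VERDICTS = {"pass", "warn", "fail"}


def to_ascii(text: str) -> str:
    """Replace every non-printable or non-ASCII character with '?', so the
    annotation cannot break SCM rendering and no lookalike (homoglyph)
    character can change what a reviewer reads."""
    return "".join(c if c == "\n" or 32 <= ord(c) < 127 else "?" for c in text)


def render_annotation(digest: str, verdict: str, reachable: list, unreachable: list) -> str:
    """Build the annotation body with its three evidence anchors. The digest and
    verdict are validated and the verify command is derived from the digest, so a
    caller cannot place an unrelated command or a malformed anchor into the PR."""
    if not DIGEST_RE.match(digest):
        raise ValueError("attestation digest must look like sha256:<64 hex chars>")
    if verdict not in ALLOWED_VERDICTS:
        raise ValueError(f"unknown policy verdict: {verdict!r}")
    lines = [
        "## StellaOps scan evidence",
        f"- Attestation digest: `{digest}`",
        f"- Policy verdict: **{verdict.upper()}**",
        f"- Verify locally: `stella verify {digest}`",  # exact CLI syntax is assumed
        f"- Reachable findings ({len(reachable)}): " + (", ".join(reachable) or "none"),
        f"- Unreachable findings ({len(unreachable)}): " + (", ".join(unreachable) or "none"),
    ]
    return to_ascii("\n".join(lines))


def post_with_retry(post, body: str, attempts: int = 4, base_delay: float = 0.5, sleep=time.sleep) -> int:
    """Call post(body) until it returns 2xx, retrying only on 5xx with exponential
    backoff (0.5s, 1s, 2s, ...). A 4xx is a caller error, not a transient outage,
    so it fails immediately. Returns the number of attempts used."""
    for n in range(attempts):
        status = post(body)
        if 200 <= status < 300:
            return n + 1
        if 400 <= status < 500:
            raise RuntimeError(f"SCM rejected annotation with HTTP {status}; not retrying")
        if n < attempts - 1:
            sleep(base_delay * 2 ** n)
    raise RuntimeError(f"SCM annotation post still failing after {attempts} attempts")
```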

E2E Test Plan

  • Send a webhook event for a PR/MR and verify PrAnnotationWebhookHandler triggers annotation generation
  • Verify the generated annotation includes attestation digest, policy verdict, and a stella verify command
  • Verify annotation output is ASCII-only (no non-ASCII characters that might break SCM rendering)
  • Verify annotations are posted to the SCM provider (Gitea, GitHub, GitLab) with retry/backoff on failure
  • Verify PrReachabilityGate integrates reachability status into the PR annotation (showing which vulnerabilities are reachable)

Verification

| Check | Result |
| --- | --- |
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |