git.stella-ops.org/docs/features/checked/scanner/service-endpoint-security-analysis.md
2026-02-14 09:11:48 +02:00

# Service Endpoint Security Analysis (Scanner)

**Module:** Scanner

**Status:** VERIFIED

## Description

Scanner analyzes service endpoints declared in CycloneDX 1.7 SBOMs for security issues, including missing authentication, trust boundary violations, and unsafe data flows. It produces a ServiceSecurityReport containing the findings together with the dependency chains that led to each one.

## Implementation Details

- Security Analyzer:
  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/ServiceSecurityAnalyzer.cs` - ServiceSecurityAnalyzer analyzing service endpoints from CycloneDX 1.7 SBOMs for authentication, authorization, trust boundary, and data flow security issues
  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/ServiceSecurityServiceCollectionExtensions.cs` - DI registration for service security analysis
- Models:
  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Models/ServiceSecurityModels.cs` - ServiceSecurityReport, ServiceSecurityFinding, and related models for security analysis results
- Report Formatting:
  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Reporting/ServiceSecurityReportFormatter.cs` - ServiceSecurityReportFormatter formatting security reports for output
- Pipeline Integration:
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/ServiceSecurity/ServiceSecurityStageExecutor.cs` - ServiceSecurityStageExecutor, the scanner worker pipeline stage for service security analysis
- Tests:
  - `src/Scanner/__Tests/StellaOps.Scanner.ServiceSecurity.Tests/ServiceSecurityAnalyzerTests.cs` - Unit tests for the analyzer
  - `src/Scanner/__Tests/StellaOps.Scanner.ServiceSecurity.Tests/ServiceSecurityIntegrationTests.cs` - Integration tests

## E2E Test Plan

- Analyze a CycloneDX 1.7 SBOM with service endpoint declarations and verify ServiceSecurityAnalyzer produces a ServiceSecurityReport with findings
- Verify findings include missing authentication detection for endpoints that lack auth configuration
- Verify trust boundary violations are detected when services cross security zones without proper controls
- Verify unsafe data flow patterns (e.g., user input directly to database) are flagged with dependency chains
- Verify the ServiceSecurityStageExecutor integrates into the scanner worker pipeline and processes service sections from SBOMs
- Verify the report formatter produces both human-readable and machine-parseable output formats
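As an added illustration of the three checks above (not Scanner's own code), a minimal Python analyzer over a constructed CycloneDX 1.7 `services` section: it flags unauthenticated endpoints, dependency edges that cross a `trustZone` into an unauthenticated target, and inbound user input whose dependency chain reaches a datastore, reporting the chain. The rule names, the datastore scheme list and the sample SBOM are this example's own assumptions.

```python
import json
from collections import deque
# Constructed CycloneDX 1.7 SBOM excerpt with a services section (sample input, not a real artifact).
SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.7",
 "services": [
  {"bom-ref": "svc-web", "name": "web", "trustZone": "public", "authenticated": false,
   "endpoints": ["https://web.example/api"],
   "data": [{"flow": "inbound", "classification": "user-input"}]},
  {"bom-ref": "svc-cache", "name": "cache", "trustZone": "internal", "authenticated": false,
   "endpoints": ["redis://cache:6379"]},
  {"bom-ref": "svc-db", "name": "db", "trustZone": "internal", "authenticated": true,
   "endpoints": ["postgres://db:5432"]}
 ],
 "dependencies": [{"ref": "svc-web", "dependsOn": ["svc-cache", "svc-db"]}]
}""")
DB_SCHEMES = ("postgres://", "mysql://", "mongodb://")  # datastore heuristic used by this example only

def _chains_to_datastores(start, services, deps):
    """Breadth-first walk of the dependency graph, yielding the path to every reachable datastore."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for nxt in deps.get(path[-1], []):
            if nxt in seen or nxt not in services:
                continue
            seen.add(nxt)
            if any(e.startswith(DB_SCHEMES) for e in services[nxt].get("endpoints", [])):
                yield path + [nxt]
            queue.append(path + [nxt])

def analyze(sbom):
    """Return findings as (rule, service bom-ref, dependency chain) tuples."""
    services = {s["bom-ref"]: s for s in sbom.get("services", [])}
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings = []
    for ref, svc in services.items():
        # Missing auth: exposed endpoint on a service not marked authenticated (absent field treated as unauthenticated).
        if svc.get("endpoints") and not svc.get("authenticated", False):
            findings.append(("missing-auth", ref, [ref]))
        # Trust boundary violation: a call into a different trustZone whose target enforces no auth.
        for dep in deps.get(ref, []):
            tgt = services.get(dep)
            if tgt and tgt.get("trustZone") != svc.get("trustZone") and not tgt.get("authenticated", False):
                findings.append(("trust-boundary", ref, [ref, dep]))
        # Unsafe data flow: inbound user input whose dependency chain reaches a datastore.
        if any(d.get("flow") == "inbound" and d.get("classification") == "user-input" for d in svc.get("data", [])):
            for chain in _chains_to_datastores(ref, services, deps):
                findings.append(("unsafe-data-flow", ref, chain))
    return findings
```

Running `analyze(SBOM)` on the sample yields four findings: two missing-auth (web, cache), one trust-boundary edge (web into cache) and one unsafe-data-flow chain (web to db); db itself is authenticated and raises nothing.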

## Verification

| Check | Result |
| --- | --- |
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |

Verified 2026-02-13T18:10:00Z