StellaOps Bot 6e45066e37
StellaOps Scanner

Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.

Latest updates (2025-12-12)

  • Deterministic SBOM composition fixture published at docs/modules/scanner/fixtures/deterministic-compose/ with DSSE, _composition.json, BOM, and hashes; doc deterministic-sbom-compose.md promoted to Ready v1.0 with offline verification steps.
  • Node analyzer now ingests npm/yarn/pnpm lockfiles, emitting DeclaredOnly components with lock provenance. The CLI companion command stella node lock-validate runs the collector offline, surfaces declared-only or missing-lock packages, and emits telemetry via stellaops.cli.node.lock_validate.count. See docs/modules/scanner/analyzers-node.md and bench scenario node_detection_gaps_fixture.
  • Python analyzer picks up requirements*.txt, Pipfile.lock, and poetry.lock, tagging installed distributions with lock provenance and generating declared-only components for policy. Use stella python lock-validate to run the same checks locally before images are built.
  • Java analyzer now parses gradle.lockfile, gradle/dependency-locks/**/*.lockfile, and pom.xml dependencies via the new JavaLockFileCollector, merging lock metadata onto jar evidence and emitting declared-only components when jars are absent. The new CLI verb stella java lock-validate reuses that collector offline (table/JSON output) and records stellaops.cli.java.lock_validate.count{outcome} for observability.
  • Worker/WebService now resolve cache roots and feature flags via StellaOps.Scanner.Surface.Env; misconfiguration warnings are documented in docs/modules/scanner/design/surface-env.md and surfaced through startup validation.
  • Platform events rollout (2025-10-19) continues to publish scanner.report.ready@1 and scanner.scan.completed@1 envelopes with embedded DSSE payloads (see docs/updates/2025-10-19-scanner-policy.md and docs/updates/2025-10-19-platform-events.md). Service and consumer tests should round-trip the canonical samples under docs/events/samples/.
  • OS/non-language analyzers: evidence is rootfs-relative, warnings are structured/capped, hashing is bounded, and Linux OS analyzers support surface-cache reuse. See os-analyzers-evidence.md.

Responsibilities

  • Expose APIs (WebService) for scan orchestration, diffing, and artifact retrieval.
  • Run Worker analyzers for OS, language, and native ecosystems with restart-only plug-ins.
  • Store SBOM fragments and artifacts in RustFS/object storage.
  • Publish DSSE-ready metadata for Signer/Attestor and downstream policy evaluation.

Key components

  • StellaOps.Scanner.WebService minimal API host.
  • StellaOps.Scanner.Worker analyzer executor.
  • Analyzer libraries under StellaOps.Scanner.Analyzers.*.

Integrations & dependencies

  • Scheduler for job intake and retries.
  • Policy Engine for evidence handoff.
  • Export Center / Offline Kit for artifact packaging.

Operational notes

  • CAS caches, bounded retries, DSSE integration.
  • Monitoring dashboards (see ./operations/analyzers-grafana-dashboard.json).
  • RustFS migration playbook.
  • ./operations/analyzers.md
  • ./operations/analyzers-grafana-dashboard.json
  • ./operations/rustfs-migration.md
  • ./operations/entrypoint.md
  • ./analyzers-node.md
  • ./operations/secret-leak-detection.md
  • ./operations/dsse-rekor-operator-guide.md
  • ./os-analyzers-evidence.md
  • ./design/macos-analyzer.md
  • ./design/windows-analyzer.md
  • ../benchmarks/scanner/deep-dives/macos.md
  • ../benchmarks/scanner/deep-dives/windows.md
  • ../benchmarks/scanner/windows-macos-demand.md
  • ../benchmarks/scanner/windows-macos-interview-template.md
  • ./operations/field-engagement.md
  • ./design/README.md

Backlog references

  • DOCS-SCANNER updates tracked in ../../TASKS.md.
  • Analyzer parity work in src/Scanner/**/TASKS.md.

Epic alignment

  • Epic 6 (Vulnerability Explorer): provide policy-aware scan outputs, explain traces, and findings ledger hooks for triage workflows.
  • Epic 10 (Export Center): generate export-ready artefacts, manifests, and DSSE metadata for bundles.