Runbook Coverage Tracking
This document tracks operational runbook coverage across Stella Ops modules.
Target: 80% coverage of critical failure modes before declaring the operability moat achieved.
Coverage Summary
| Module | Critical Failures | Runbooks | Coverage | Status |
|---|---|---|---|---|
| Scanner | 5 | 0 | 0% | 🔴 Gap |
| Policy Engine | 5 | 0 | 0% | 🔴 Gap |
| Release Orchestrator | 5 | 0 | 0% | 🔴 Gap |
| Attestor | 5 | 0 | 0% | 🔴 Gap |
| Feed Connectors | 4 | 0 | 0% | 🔴 Gap |
| Database (Postgres) | 4 | 4 | 100% | ✅ Complete |
| Crypto Subsystem | 4 | 4 | 100% | ✅ Complete |
| Evidence Locker | 4 | 4 | 100% | ✅ Complete |
| Backup/Restore | 4 | 4 | 100% | ✅ Complete |
| Authority (OAuth/OIDC) | 3 | 0 | 0% | 🔴 Gap |
| Overall | 43 | 16 | 37% | 🟡 In Progress |
Available Runbooks
Database Operations
- postgres-ops.md - PostgreSQL database operations
Crypto Subsystem
- crypto-ops.md - Regional crypto operations (FIPS, eIDAS, GOST, SM)
Evidence Locker
- evidence-locker-ops.md - Evidence locker operations
Backup/Restore
- backup-restore-ops.md - Backup and restore procedures
Vulnerability Operations
- vuln-ops.md - Vulnerability management operations
VEX Operations
- vex-ops.md - VEX statement operations
Policy Incidents
- policy-incident.md - Policy-related incident response
Gap Analysis
High Priority Gaps (Critical modules without runbooks)
- Scanner - Core scanning functionality
  - Worker stuck
  - OOM on large images
  - Registry auth failures
- Policy Engine - Policy evaluation
  - Slow evaluation
  - OPA crashes
  - Compilation failures
- Release Orchestrator - Promotion workflow
  - Stuck promotions
  - Gate timeouts
  - Missing evidence
Medium Priority Gaps
- Attestor - Signing and verification
  - Signing failures
  - Key expiration
  - Rekor unavailability
- Feed Connectors - Advisory feeds
  - NVD failures
  - Rate limiting
  - Offline bundle issues
Lower Priority Gaps
- Authority - Authentication
  - Token validation failures
  - OIDC provider issues
Template
New runbooks should use the template: _template.md
Doctor Check Integration
Runbooks should be linked from Doctor check output. Current integration status:
| Module | Doctor Checks | Linked to Runbook |
|---|---|---|
| Postgres | 4 | 0 |
| Crypto | 8 | 0 |
| Storage | 3 | 0 |
| Evidence | 4 | 0 |
Next step: Update Doctor check implementations to include runbook links in remediation output.
Last updated: 2026-01-17 (UTC)