Runbook: Release Orchestrator - Required Evidence Not Found
Sprint: SPRINT_20260117_029_DOCS_runbook_coverage
Task: RUN-004 - Release Orchestrator Runbooks
Metadata
| Field | Value |
|---|---|
| Component | Release Orchestrator |
| Severity | High |
| On-call scope | Platform team, Security team |
| Last updated | 2026-01-17 |
| Doctor check | check.orchestrator.evidence-availability |
Symptoms
- Promotion failing with "required evidence not found"
- Alert OrchestratorEvidenceMissing firing
- Gate evaluation blocked waiting for evidence
- Error: "SBOM not found" or "attestation missing"
- Evidence chain incomplete for artifact
Impact
| Impact Type | Description |
|---|---|
| User-facing | Promotion blocked until evidence is generated |
| Data integrity | Indicates missing security artifact - must be resolved |
| SLA impact | Release blocked; compliance requirements not met |
Diagnosis
Quick checks
- Check Doctor diagnostics:
    stella doctor --check check.orchestrator.evidence-availability
- List missing evidence for promotion:
    stella promotion evidence <promotion-id> --missing
- Check what evidence exists for artifact:
    stella evidence list --artifact <digest>
Deep diagnosis
- Check evidence chain completeness:
    stella evidence chain --artifact <digest> --verbose
  Look for: Missing nodes in the chain
- Check if scan completed:
    stella scanner jobs list --artifact <digest>
  Problem if: No completed scan or scan failed
- Check if attestation was created:
    stella attest list --subject <digest>
  Problem if: No attestation or attestation failed
- Check evidence store health:
    stella evidence store health
Resolution
Immediate mitigation
- Generate missing SBOM:
    stella scan image --image <image-ref> --sbom-only
- Generate missing attestation:
    stella attest create --subject <digest> --type slsa-provenance
- Re-scan artifact to regenerate all evidence:
    stella scan image --image <image-ref> --force
Root cause fix
If scan never ran:
- Check why artifact wasn't scanned:
    stella scanner queue list --artifact <digest>
- Configure automatic scanning on push:
    stella scanner config set auto_scan.enabled true
    stella scanner config set auto_scan.triggers "push,promote"
If evidence was generated but not stored:
- Check evidence store connectivity:
    stella evidence store health
- Retry evidence storage:
    stella evidence retry-store --artifact <digest>
If attestation signing failed:
- Check attestor status:
    stella attest status
- See attestor-signing-failed.md runbook
If evidence expired or was deleted:
- Check evidence retention policy:
    stella evidence policy show
- Regenerate evidence:
    stella scan image --image <image-ref> --force
    stella attest create --subject <digest> --type slsa-provenance
Verification
# Check all evidence now exists
stella evidence list --artifact <digest>
# Verify evidence chain is complete
stella evidence chain --artifact <digest>
# Retry promotion
stella promotion retry <promotion-id>
# Verify promotion proceeds
stella promotion status <promotion-id>
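An added example (not part of this runbook or of the stella CLI): a shell wrapper around the verification steps above that retries the promotion only when the evidence checks pass, and appends every step to a log for the incident record. It assumes that every stella command exits non-zero on failure and that the --missing listing prints nothing when no evidence is missing; the function names and the log file name are hypothetical.

```shell
# Added example: guarded form of the Verification steps.
# Assumptions (not confirmed by the runbook): stella commands exit non-zero
# on failure, and `stella promotion evidence <id> --missing` prints nothing
# when no evidence is missing. Confirm both against your CLI version.

# Run one command, append timestamp, exit status and output to the log,
# echo the output to stdout and pass the exit status through.
run_step() {
  local log="$1" out rc=0
  shift
  out=$("$@" 2>&1) || rc=$?
  printf '%s rc=%d cmd=%s\n%s\n' "$(date -u +%FT%TZ)" "$rc" "$*" "$out" >>"$log"
  printf '%s' "$out"
  return "$rc"
}

# verify_and_retry <digest> <promotion-id> [log-file]
# Returns: 0 promotion retried, 2 bad arguments, 3 evidence listing failed,
#          4 chain check failed, 5 evidence still missing, 6 retry failed.
verify_and_retry() {
  local digest="$1" promo="$2" log="${3:-evidence-verify.log}" missing
  [ -n "$digest" ] && [ -n "$promo" ] || return 2
  # Refuse unreplaced <placeholders> pasted straight from the runbook.
  case "$digest$promo" in *'<'*|*'>'*) return 2 ;; esac
  run_step "$log" stella evidence list --artifact "$digest" >/dev/null || return 3
  run_step "$log" stella evidence chain --artifact "$digest" >/dev/null || return 4
  # Gate: never retry while the orchestrator still reports missing evidence.
  missing=$(run_step "$log" stella promotion evidence "$promo" --missing) || return 5
  [ -z "$missing" ] || return 5
  run_step "$log" stella promotion retry "$promo" >/dev/null || return 6
  run_step "$log" stella promotion status "$promo"
}
```

The distinct return codes let calling automation tell which check stopped the retry; the log keeps the raw command output for the incident timeline.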
Prevention
- Auto-scan: Enable automatic scanning for all pushed images
- Gates: Configure evidence requirements clearly in promotion policy
- Monitoring: Alert on evidence generation failures
- Retention: Set appropriate evidence retention periods
Related Resources
- Architecture: docs/modules/evidence-locker/architecture.md
- Related runbooks: orchestrator-promotion-stuck.md, attestor-signing-failed.md
- Evidence requirements: docs/operations/evidence-requirements.md