7040984215
- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events. - Defined the Mongo schema for event patches, including key fields for provenance and trust verification. - Documented the write path for ingesting provenance metadata and backfilling historical events. - Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata. - Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases. - Outlined policy gates for managing VEX decisions based on provenance verification. - Included UI nudges for displaying provenance information and implementation tasks for future enhancements. --- Implement reachability lattice and scoring model - Developed a comprehensive document detailing the reachability lattice and scoring model. - Defined core types for reachability states, evidence, and mitigations with corresponding C# models. - Established a scoring policy with base score contributions from various evidence classes. - Mapped reachability states to VEX gates and provided a clear overview of evidence sources. - Documented the event graph schema for persisting reachability data in MongoDB. - Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks. --- Introduce uncertainty states and entropy scoring - Created a draft document for tracking uncertainty states and their impact on risk scoring. - Defined core uncertainty states with associated entropy values and evidence requirements. - Established a schema for storing uncertainty states alongside findings. - Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments. - Provided policy guidelines for handling uncertainty in decision-making processes. - Outlined UI guidelines for displaying uncertainty information and suggested remediation actions. --- Add Ruby package inventory management - Implemented Ruby package inventory management with corresponding data models and storage mechanisms. - Created C# records for Ruby package inventory, artifacts, provenance, and runtime details. - Developed a repository for managing Ruby package inventory documents in MongoDB. - Implemented a service for storing and retrieving Ruby package inventories. - Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
StellaOps Concelier & CLI
This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
first-party CLI (stellaops-cli). Concelier ingests vulnerability advisories from
authoritative sources, stores them in MongoDB, and exports deterministic JSON and
Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
control against the Concelier API.
Quickstart
- Prepare a MongoDB instance and (optionally) install
trivy-db/oras. - Copy
etc/concelier.yaml.sampletoetc/concelier.yamland update the storage + telemetry settings. - Copy
etc/authority.yaml.sampletoetc/authority.yaml, review the issuer, token lifetimes, and plug-in descriptors, then edit the companion manifests underetc/authority.plugins/*.yamlto match your deployment. - Start the web service with
dotnet run --project src/Concelier/StellaOps.Concelier.WebService. - Configure the CLI via environment variables (e.g.
STELLAOPS_BACKEND_URL) and trigger jobs withdotnet run --project src/Cli/StellaOps.Cli -- db merge.
Detailed operator guidance is available in docs/10_CONCELIER_CLI_QUICKSTART.md. API and
command reference material lives in docs/09_API_CLI_REFERENCE.md.
Pipeline note: deployment workflows should template etc/concelier.yaml during CI/CD,
injecting environment-specific Mongo credentials and telemetry endpoints. Upcoming
releases will add Microsoft OAuth (Entra ID) authentication support—track the quickstart
for integration steps once available.
Documentation
docs/README.mdnow consolidates the platform index and points to the updated high-level architecture.- Module architecture dossiers now live under
docs/modules/<module>/. The most relevant here aredocs/modules/concelier/ARCHITECTURE.md(service layout, merge engine, exports) anddocs/modules/cli/ARCHITECTURE.md(command surface, AOT packaging, auth flows). Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier in the same hierarchy. - Offline operation guidance moved to
docs/24_OFFLINE_KIT.md, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay indocs/modules/concelier/operations/connectors/*.mdwith companion runbooks indocs/modules/concelier/operations/.