stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
7b01c7d6acd233c1fdfac71cad09fd266be6bfc9
git.stella-ops.org/docs/implplan/archived/updates/2025-10-29-export-center-provenance.md
master 7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add comprehensive product advisories for improved scanner functionality 
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
2025-11-17 00:09:26 +02:00

736 B
Raw Blame History

2025-10-29 Export Center provenance/signing doc

Summary

  • Authored docs/modules/export-center/provenance-and-signing.md, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
  • Cross-linked the new guide from the docs index (docs/README.md) and referenced outstanding CLI automation (CLI-EXPORT-37-001) to keep verification guidance aligned with upcoming tooling.

Follow-ups

  • Revisit once CLI-EXPORT-37-001 lands to confirm command names/flags and update the verification section if necessary.
  • Sync with DevOps (DEVOPS-EXPORT-37-001) after dashboards/alerts ship to embed direct links in the failure handling section.