git.stella-ops.org/docs/modules/scanner/operations/entrypoint-lang-supervisor.md
master 7b5bdcf4d3 feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
2025-10-30 00:09:39 +02:00

Entry-Point Runtime — Supervisors

Some containers intentionally launch multiple long-lived services (sidecars, appliance images, supervisord, s6, runit, pm2). Instead of forcing a single runtime classification, the detector can emit a Supervisor entry with child services enumerated separately.

Signals to gather

  • Known supervisor binaries: supervisord, s6-svscan, s6-supervise, runsvdir, pm2-runtime, forego, foreman, overmind.
  • Configuration files: /etc/supervisord.conf, /etc/s6/*.conf, Procfile, ecosystem.config.js.
  • Multiple child processes that remain active after startup.
  • Environment variables controlling supervisor behaviour (SUPERVISOR_*, PM2_HOME, S6_CMD_WAIT_FOR_SERVICES).

Implementation notes

  • Keep the supervisor as the primary terminal but query configuration to list child commands.
  • For each child, run the usual reduction + runtime detection and attach results as derived evidence.
  • When configuration is templated (e.g., envsubst), evaluate ShellFlow output to resolve final commands.
  • Record scheduling details (autorestart, process limits) relevant for incident response.
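
The signal gathering and child enumeration described above, as an added example that is not StellaOps code: it recognises a known supervisor binary in the resolved entrypoint, parses supervisord.conf [program:...] sections and a Procfile to list child commands, resolves envsubst-style ${VAR} templates as a stand-in for evaluating ShellFlow output, and collects the supervisor environment markers. The binary and environment tables, the function names and the sample config contents are assumptions constructed for the example; ecosystem.config.js (pm2) is not parsed here.

```python
import configparser
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Signal tables mirroring the lists above (assumed; extend for your images).
SUPERVISOR_BINARIES = {
    "supervisord", "s6-svscan", "s6-supervise", "runsvdir",
    "pm2-runtime", "forego", "foreman", "overmind",
}
SUPERVISOR_ENV_MARKERS = ("SUPERVISOR_", "PM2_HOME", "S6_CMD_WAIT_FOR_SERVICES")


@dataclass
class ChildService:
    name: str
    command: str  # final command after template resolution


@dataclass
class SupervisorCandidate:
    binary: str
    children: List[ChildService] = field(default_factory=list)
    env_signals: List[str] = field(default_factory=list)


_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def resolve_template(command: str, env: Dict[str, str]) -> str:
    """Expand $VAR / ${VAR} the way envsubst does. Stand-in for evaluating
    ShellFlow output; unknown variables are left untouched."""
    return _VAR.sub(lambda m: env.get(m.group(1), m.group(0)), command)


def parse_supervisord_conf(text: str, env: Dict[str, str]) -> List[ChildService]:
    """Each [program:NAME] section of supervisord.conf carries a command= line."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    children = []
    for section in cp.sections():
        if section.startswith("program:") and cp.has_option(section, "command"):
            name = section.split(":", 1)[1]
            children.append(ChildService(name, resolve_template(cp.get(section, "command"), env)))
    return children


def parse_procfile(text: str, env: Dict[str, str]) -> List[ChildService]:
    """Procfile lines are 'NAME: COMMAND' (foreman, forego, overmind)."""
    children = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, cmd = line.partition(":")
        if sep and cmd.strip():
            children.append(ChildService(name.strip(), resolve_template(cmd.strip(), env)))
    return children


def detect_supervisor(argv: List[str], config_files: Dict[str, str],
                      env: Dict[str, str]) -> Optional[SupervisorCandidate]:
    """argv is the container's resolved entrypoint, config_files maps image
    paths to their contents, env is the image environment. Returns None when
    argv[0] is not a known supervisor binary."""
    if not argv:
        return None
    binary = os.path.basename(argv[0])
    if binary not in SUPERVISOR_BINARIES:
        return None
    cand = SupervisorCandidate(binary=binary)
    for path, text in config_files.items():
        base = os.path.basename(path)
        if base == "supervisord.conf" or base.endswith(".ini"):
            cand.children.extend(parse_supervisord_conf(text, env))
        elif base == "Procfile":
            cand.children.extend(parse_procfile(text, env))
    cand.env_signals = sorted(k for k in env if k.startswith(SUPERVISOR_ENV_MARKERS))
    return cand


# Constructed sample inputs (not taken from any real image).
SAMPLE_CONF = """\
[supervisord]
nodaemon=true

[program:php-fpm]
command=/usr/sbin/php-fpm -F
autorestart=true

[program:nginx]
command=/usr/sbin/nginx -g 'daemon off;' -p ${NGINX_PREFIX}
"""
SAMPLE_PROCFILE = "web: gunicorn app:app\nworker: celery -A app worker\n"
SAMPLE_ENV = {"PATH": "/usr/bin", "NGINX_PREFIX": "/etc/nginx", "SUPERVISOR_ENABLED": "1"}

if __name__ == "__main__":
    cand = detect_supervisor(["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"],
                             {"/etc/supervisord.conf": SAMPLE_CONF}, SAMPLE_ENV)
    for child in cand.children:
        print(f"{cand.binary} manages {child.name}: {child.command}")
```

Each ChildService.command is what the usual reduction and runtime detection would then be run on, with the result attached to the supervisor as derived evidence.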

Evidence & scoring

  • Supervisor detection sets LanguageType.Supervisor with mid-level confidence (0.6–0.7).
  • Confidence increases when configuration explicitly lists services and child processes are observed (dynamic mode).
  • Provide evidence for each child service ("manages: php-fpm on /run/php-fpm.sock", "manages: nginx listening on 0.0.0.0:80").

Edge cases

  • Images that use a bash entrypoint to start several services (Docker Compose-style "everything in one container" setups) should also map here when ShellFlow detects multiple jobs backgrounded with &.
  • Ensure we do not classify minimal init shims (tini, dumb-init) as supervisors—they exec a single child and should be collapsed into it.
  • When supervisor manages only one child, collapse to the child runtime and drop the supervisor evidence to avoid noise.
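
The scoring and collapse rules from the two sections above, as an added example that is not StellaOps code. It takes children that have already been through the per-child runtime detection, emits "manages: ..." evidence in the form the doc gives, raises confidence when configuration lists the children and they are observed running, collapses init shims and single-child supervisors to the child runtime (dropping the supervisor evidence), and includes a minimal stand-in for ShellFlow that finds &-backgrounded jobs in a shell entrypoint. The Child/Classification shapes, the 0.85 dynamic-mode value above the 0.6–0.7 band, and the sample script are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Init shims exec exactly one child and must never be reported as supervisors.
INIT_SHIMS = {"tini", "dumb-init"}

# Assumed confidence bands: the doc fixes supervisor detection at 0.6-0.7; the
# dynamic-mode value above that band is this example's choice.
CONF_BASE = 0.6           # supervisor binary recognised, children not enumerated
CONF_CONFIG_LISTED = 0.7  # configuration explicitly enumerates the children
CONF_DYNAMIC = 0.85       # ...and every child was observed as a live process


@dataclass
class Child:
    name: str
    command: str
    runtime: str               # result of the usual runtime detection on the child
    runtime_confidence: float
    listen: Optional[str] = None   # "/run/php-fpm.sock" or "0.0.0.0:80" when known
    observed: bool = False         # seen as a running process in dynamic mode


@dataclass
class Classification:
    language: str              # LanguageType value, e.g. "Supervisor"
    confidence: float
    evidence: List[str] = field(default_factory=list)


def manages_line(child: Child) -> str:
    """Per-child evidence string in the doc's 'manages: ...' form."""
    if not child.listen:
        return f"manages: {child.name}"
    if child.listen.startswith("/"):
        return f"manages: {child.name} on {child.listen}"
    return f"manages: {child.name} listening on {child.listen}"


def collapse_to_child(child: Child) -> Classification:
    """Report the child's own runtime and drop all supervisor evidence."""
    return Classification(child.runtime, child.runtime_confidence,
                          [f"entrypoint: {child.command}"])


def classify_supervisor(binary: str, children: List[Child],
                        config_lists_children: bool) -> Classification:
    if binary in INIT_SHIMS:
        if len(children) != 1:
            raise ValueError(f"{binary} wraps exactly one child, got {len(children)}")
        return collapse_to_child(children[0])
    if len(children) == 1:
        # A supervisor with one child adds no information: report the child runtime.
        return collapse_to_child(children[0])
    confidence = CONF_BASE
    if config_lists_children and children:
        confidence = CONF_DYNAMIC if all(c.observed for c in children) else CONF_CONFIG_LISTED
    evidence = [f"supervisor: {binary}"] + [manages_line(c) for c in children]
    return Classification("Supervisor", confidence, evidence)


def background_jobs(script: str) -> List[str]:
    """Minimal stand-in for ShellFlow: a line ending in a single '&' (not '&&')
    is a backgrounded job. Line-oriented; ignores heredocs and subshells."""
    jobs = []
    for raw in script.splitlines():
        line = raw.strip()
        if len(line) > 1 and line.endswith("&") and not line.endswith("&&"):
            jobs.append(line[:-1].rstrip())
    return jobs


# Constructed sample: a shell entrypoint that starts two services itself.
SAMPLE_SCRIPT = """\
#!/bin/sh
set -e
php-fpm -F &
nginx -g 'daemon off;' &
wait -n
"""

if __name__ == "__main__":
    kids = [Child("php-fpm", "/usr/sbin/php-fpm -F", "Php", 0.9, "/run/php-fpm.sock", True),
            Child("nginx", "/usr/sbin/nginx -g 'daemon off;'", "Native", 0.8, "0.0.0.0:80", True)]
    print(classify_supervisor("supervisord", kids, config_lists_children=True))
    print(classify_supervisor("tini", kids[1:], config_lists_children=False))
    print(background_jobs(SAMPLE_SCRIPT))
```

A shell entrypoint whose background_jobs() result has two or more entries is fed to classify_supervisor() with the shell as the supervisor binary and config_lists_children=True, since the script itself enumerates the services.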