stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
813750322115067823212b84526132b2478a86d6
git.stella-ops.org/docs/schemas/audit-bundle-index.schema.json
StellaOps Bot 8137503221 up
2025-12-15 09:23:28 +02:00

313 lines
9.6 KiB
JSON
Raw Blame History

{
"$id": "https://stella.ops/schema/audit-bundle-index.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "AuditBundleIndex",
"description": "Root manifest for an immutable audit bundle containing vulnerability reports, VEX decisions, policy evaluations, and attestations",
"type": "object",
"required": ["apiVersion", "kind", "bundleId", "createdAt", "createdBy", "subject", "artifacts"],
"properties": {
"apiVersion": {
"type": "string",
"const": "stella.ops/v1",
"description": "API version for this bundle format"
},
"kind": {
"type": "string",
"const": "AuditBundleIndex",
"description": "Resource kind identifier"
},
"bundleId": {
"type": "string",
"description": "Unique identifier for this bundle",
"examples": ["bndl-6f6b0c94-9c5b-4bbf-9a77-a5d8a83da4a2"]
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "ISO-8601 timestamp when bundle was created"
},
"createdBy": {
"$ref": "#/$defs/BundleActorRef",
"description": "User who created this bundle"
},
"subject": {
"$ref": "#/$defs/BundleSubjectRef",
"description": "Primary artifact this bundle documents"
},
"timeWindow": {
"type": "object",
"properties": {
"from": {
"type": "string",
"format": "date-time",
"description": "Start of time window for included artifacts"
},
"to": {
"type": "string",
"format": "date-time",
"description": "End of time window for included artifacts"
}
},
"description": "Optional time window filter for included content"
},
"artifacts": {
"type": "array",
"items": {
"$ref": "#/$defs/BundleArtifact"
},
"description": "List of artifacts included in this bundle"
},
"vexDecisions": {
"type": "array",
"items": {
"$ref": "#/$defs/BundleVexDecisionEntry"
},
"description": "Summary of VEX decisions included in this bundle"
},
"integrity": {
"$ref": "#/$defs/BundleIntegrity",
"description": "Integrity verification data for the entire bundle"
}
},
"$defs": {
"BundleActorRef": {
"type": "object",
"required": ["id", "displayName"],
"properties": {
"id": {
"type": "string",
"description": "User identifier"
},
"displayName": {
"type": "string",
"description": "Human-readable display name"
}
}
},
"BundleSubjectRef": {
"type": "object",
"required": ["type", "name", "digest"],
"properties": {
"type": {
"type": "string",
"enum": ["IMAGE", "REPO", "SBOM", "OTHER"],
"description": "Type of subject artifact"
},
"name": {
"type": "string",
"description": "Human-readable subject name"
},
"digest": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Algorithm -> digest map"
}
}
},
"BundleArtifact": {
"type": "object",
"required": ["id", "type", "source", "path", "mediaType", "digest"],
"properties": {
"id": {
"type": "string",
"description": "Internal identifier for this artifact within the bundle"
},
"type": {
"type": "string",
"enum": ["VULN_REPORT", "SBOM", "VEX", "POLICY_EVAL", "OTHER"],
"description": "Type of artifact"
},
"source": {
"type": "string",
"description": "Tool/service that produced this artifact",
"examples": ["Trivy@0.53.0", "Syft@1.0.0", "StellaOps", "StellaPolicyEngine@2.1.0"]
},
"path": {
"type": "string",
"description": "Relative path within the bundle",
"examples": ["reports/trivy/app-service-7d9c-vulns.json"]
},
"mediaType": {
"type": "string",
"description": "Media type of the artifact",
"examples": ["application/json", "application/vnd.cyclonedx+json"]
},
"digest": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Content digest of the artifact"
},
"attestation": {
"$ref": "#/$defs/BundleArtifactAttestationRef",
"description": "Optional reference to attestation for this artifact"
}
}
},
"BundleArtifactAttestationRef": {
"type": "object",
"required": ["path", "digest"],
"properties": {
"path": {
"type": "string",
"description": "Relative path to attestation within the bundle"
},
"digest": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Content digest of the attestation"
}
}
},
"BundleVexDecisionEntry": {
"type": "object",
"required": ["decisionId", "vulnerabilityId", "status", "path", "digest"],
"properties": {
"decisionId": {
"type": "string",
"format": "uuid",
"description": "VEX decision ID"
},
"vulnerabilityId": {
"type": "string",
"description": "CVE or vulnerability identifier"
},
"status": {
"type": "string",
"enum": ["NOT_AFFECTED", "UNDER_INVESTIGATION", "AFFECTED_MITIGATED", "AFFECTED_UNMITIGATED", "FIXED"],
"description": "VEX status"
},
"path": {
"type": "string",
"description": "Relative path to VEX decision file"
},
"digest": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Content digest of the decision file"
}
}
},
"BundleIntegrity": {
"type": "object",
"required": ["rootHash", "hashAlgorithm"],
"properties": {
"rootHash": {
"type": "string",
"description": "Root hash covering all artifacts in the bundle"
},
"hashAlgorithm": {
"type": "string",
"default": "sha256",
"description": "Hash algorithm used for integrity verification"
}
}
}
},
"examples": [
{
"apiVersion": "stella.ops/v1",
"kind": "AuditBundleIndex",
"bundleId": "bndl-6f6b0c94-9c5b-4bbf-9a77-a5d8a83da4a2",
"createdAt": "2025-11-21T09:05:30Z",
"createdBy": {
"id": "user-123",
"displayName": "Alice Johnson"
},
"subject": {
"type": "IMAGE",
"name": "registry.internal/stella/app-service@sha256:7d9c...",
"digest": {
"sha256": "7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee"
}
},
"timeWindow": {
"from": "2025-11-14T00:00:00Z",
"to": "2025-11-21T09:05:00Z"
},
"artifacts": [
{
"id": "vuln-report-trivy",
"type": "VULN_REPORT",
"source": "Trivy@0.53.0",
"path": "reports/trivy/app-service-7d9c-vulns.json",
"mediaType": "application/json",
"digest": {
"sha256": "db569aa8a1b847a922b7d61d276cc2a0ccf99efad0879500b56854b43265c09a"
},
"attestation": {
"path": "attestations/vuln-scan-trivy.dsse.json",
"digest": {
"sha256": "2e613df97fe2aa9baf7a8dac9cfaa407e60c808a8af8e7d5e50c029f6c51a54b"
}
}
},
{
"id": "sbom-cyclonedx",
"type": "SBOM",
"source": "Syft@1.0.0",
"path": "sbom/app-service-7d9c-cyclonedx.json",
"mediaType": "application/vnd.cyclonedx+json",
"digest": {
"sha256": "9477b3a9410423b37c39076678a936d5854aa2d905e72a2222c153e3e51ab150"
},
"attestation": {
"path": "attestations/sbom-syft.dsse.json",
"digest": {
"sha256": "3ebf5dc03f862b4b2fdef201130f5c6a9bde7cb0bcf4f57e7686adbc83c9c897"
}
}
},
{
"id": "vex-decisions",
"type": "VEX",
"source": "StellaOps",
"path": "vex/app-service-7d9c-vex.json",
"mediaType": "application/json",
"digest": {
"sha256": "b56f0d05af5dc4ba79ccc1d228dba27a0d9607eef17fa7faf569e3020c39da83"
}
},
{
"id": "policy-eval-prod-admission",
"type": "POLICY_EVAL",
"source": "StellaPolicyEngine@2.1.0",
"path": "policy-evals/prod-admission.json",
"mediaType": "application/json",
"digest": {
"sha256": "cf8617dd3a63b953f31501045bb559c7095fa2b6965643b64a4b463756cfa9c3"
},
"attestation": {
"path": "attestations/policy-prod-admission.dsse.json",
"digest": {
"sha256": "a7ea883ffa1100a62f0f89f455b659017864c65a4fad0af0ac3d8b989e1a6ff3"
}
}
}
],
"vexDecisions": [
{
"decisionId": "8a3d0b5a-1e07-4b57-b6a1-1a29ce6c889e",
"vulnerabilityId": "CVE-2023-12345",
"status": "NOT_AFFECTED",
"path": "vex/CVE-2023-12345-app-service.json",
"digest": {
"sha256": "b56f0d05af5dc4ba79ccc1d228dba27a0d9607eef17fa7faf569e3020c39da83"
}
}
],
"integrity": {
"rootHash": "f4ede91c4396f9dfdacaf15fe0293c6349f467701f4ef7af6a2ecd4f5bf42254",
"hashAlgorithm": "sha256"
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink