46 lines
2.5 KiB
Markdown
# Delta Layer Scanning Engine

## Module

Scanner

## Status

VERIFIED

## Description

Container image delta scanning engine that scans only changed layers between image versions by diffID comparison, reusing cached per-layer SBOMs for unchanged layers. Produces DSSE-wrapped delta evidence with Rekor anchoring. Targets 70%+ CVE churn reduction on minor base image bumps.
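The layer-selection step described above, as an added illustration that is not StellaOps code: two image versions are represented by their ordered lists of diffIDs, per-layer SBOMs are cached by diffID, and only layers without a cached SBOM are scanned. The diffIDs, package names and the `FRESH_SCAN` stand-in for a real layer scan are constructed sample data; Python is used here rather than the project's C#.

```python
from dataclasses import dataclass, field

# Constructed diffIDs (not real digests). A minor base-image bump replaces the
# two bottom layers; the two application layers are byte-identical, so the
# digests of their uncompressed content (diffIDs) are unchanged.
BASELINE = ["sha256:base-a1", "sha256:base-b1", "sha256:app-c", "sha256:app-d"]
CURRENT = ["sha256:base-a2", "sha256:base-b2", "sha256:app-c", "sha256:app-d"]

# Constructed per-layer SBOM cache keyed by diffID (package@version strings).
# app-d is deliberately absent to exercise the cache-miss path for an unchanged layer.
SBOM_CACHE = {
    "sha256:base-a1": {"openssl@3.0.1", "zlib@1.2.11"},
    "sha256:base-b1": {"curl@7.88.0"},
    "sha256:app-c": {"requests@2.31.0"},
}

# Constructed stand-in for real per-layer SBOM generation.
FRESH_SCAN = {
    "sha256:base-a2": {"openssl@3.0.13", "zlib@1.3"},
    "sha256:base-b2": {"curl@8.5.0"},
    "sha256:app-d": {"myapp@1.4.2"},
}

@dataclass
class DeltaResult:
    unchanged: list     # diffIDs shared with the baseline image
    changed: list       # diffIDs present only in the current image
    scanned: list       # diffIDs actually scanned (changed layers + cache misses)
    new_packages: set   # packages in changed layers not found anywhere in the baseline
    layer_sboms: dict = field(default_factory=dict)

def delta_scan(baseline, current, cache, scan=lambda d: FRESH_SCAN[d]):
    """Reuse the cached SBOM for any layer whose diffID is already known; scan the rest."""
    base_ids = set(baseline)
    result = DeltaResult(unchanged=[d for d in current if d in base_ids],
                         changed=[d for d in current if d not in base_ids],
                         scanned=[], new_packages=set())
    for d in current:
        sbom = cache.get(d)
        if sbom is None:
            # New layer, or an unchanged layer whose cache entry was evicted:
            # re-scan rather than silently drop its findings.
            sbom = scan(d)
            cache[d] = sbom            # content-addressed, so safe to cache by diffID
            result.scanned.append(d)
        result.layer_sboms[d] = sbom
    # Only packages introduced by changed layers can appear as new findings; a
    # package already present in some baseline layer is carried over, not churn.
    baseline_pkgs = set().union(*(cache.get(d, set()) for d in baseline))
    changed_pkgs = set().union(*(result.layer_sboms[d] for d in result.changed))
    result.new_packages = changed_pkgs - baseline_pkgs
    return result
```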
## Implementation Details

- **Core Delta Scanner**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/IDeltaLayerScanner.cs` - Interface for delta layer scanning
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/DeltaLayerScanner.cs` - Scans only changed layers by diffID comparison, reuses cached per-layer SBOMs
- **Delta Evidence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/IDeltaEvidenceComposer.cs` - Interface for composing delta evidence
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaEvidenceComposer.cs` - Composes DSSE-wrapped delta evidence with Rekor anchoring
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaScanPredicate.cs` - Delta scan predicate model
- **WebService Integration**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IDeltaScanRequestHandler.cs` - Delta scan request handler interface
  - `src/Scanner/StellaOps.Scanner.WebService/Services/DeltaScanRequestHandler.cs` - Handles delta scan API requests
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs` - Delta comparison API endpoints
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs` - Delta evidence API endpoints
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/DeltaCompareContracts.cs` - API contracts

## E2E Test Plan

- [ ] Scan two versions of the same image with minor base image changes
- [ ] Verify only changed layers are scanned (unchanged layers reuse cached SBOMs)
- [ ] Verify delta evidence is DSSE-wrapped and includes Rekor anchoring reference
- [ ] Call `GET /api/v1/delta/{baselineScanId}/{currentScanId}` and verify delta comparison results
- [ ] Call `GET /api/v1/delta/{scanId}/evidence` and verify delta evidence bundle
- [ ] Verify CVE churn is reduced (only changed-layer CVEs appear as new findings)
- [ ] Verify the delta scan completes significantly faster than a full scan

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |