stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/features/checked/scanner/scanner-pr-mr-evidence-annotations.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

41 lines
2.1 KiB
Markdown
Raw Blame History

# Scanner PR/MR Evidence Annotations (Webhook-Driven)
## Module
Scanner
## Status
VERIFIED
## Description
Webhook-driven PR/MR annotation generation with evidence anchors (attestation digest, policy verdict, verify command), ASCII-only output, and posting via SCM annotation clients with retry/backoff.
## Implementation Details
- **PR Annotation Service**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs` - `PrAnnotationService` generates PR/MR annotations with evidence anchors including attestation digest, policy verdict, and verify command
- **Webhook Handler**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationWebhookHandler.cs` - `PrAnnotationWebhookHandler` processes incoming webhook events from SCM providers and triggers annotation generation
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/WebhookEndpoints.cs` - Webhook endpoints receiving SCM events for PR/MR annotation
- **Reachability Gate**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs` - `PrReachabilityGate` evaluating reachability status for PR annotations
- **Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs` - Unit tests for annotation generation
- `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PrReachabilityGateTests.cs` - PR reachability gate tests
## E2E Test Plan
- [ ] Send a webhook event for a PR/MR and verify `PrAnnotationWebhookHandler` triggers annotation generation
- [ ] Verify the generated annotation includes attestation digest, policy verdict, and a `stella verify` command
- [ ] Verify annotation output is ASCII-only (no unicode characters that might break SCM rendering)
- [ ] Verify annotations are posted to the SCM provider (Gitea, GitHub, GitLab) with retry/backoff on failure
- [ ] Verify `PrReachabilityGate` integrates reachability status into the PR annotation (showing which vulnerabilities are reachable)
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
Reference in New Issue View Git Blame Copy Permalink