git.stella-ops.org/docs/modules/scanner/README.md

StellaOps Scanner

Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.

Responsibilities

• Expose APIs (WebService) for scan orchestration, diffing, and artifact retrieval.
• Run Worker analyzers for OS, language, and native ecosystems with restart-only plug-ins.
• Store SBOM fragments and artifacts in RustFS/object storage.
• Publish DSSE-ready metadata for Signer/Attestor and downstream policy evaluation.

Key components

• StellaOps.Scanner.WebService minimal API host.
• StellaOps.Scanner.Worker analyzer executor.
• Analyzer libraries under StellaOps.Scanner.Analyzers.*.

Integrations & dependencies

• Scheduler for job intake and retries.
• Policy Engine for evidence handoff.
• Export Center / Offline Kit for artifact packaging.

Operational notes

• CAS caches, bounded retries, DSSE integration.
• Monitoring dashboards (see ./operations/analyzers-grafana-dashboard.json).
• RustFS migration playbook.

Related resources

• ./operations/analyzers.md
• ./operations/analyzers-grafana-dashboard.json
• ./operations/rustfs-migration.md
• ./operations/entrypoint.md
• ./operations/secret-leak-detection.md
• ./design/macos-analyzer.md
• ./design/windows-analyzer.md
• ../benchmarks/scanner/deep-dives/macos.md
• ../benchmarks/scanner/deep-dives/windows.md
• ../benchmarks/scanner/windows-macos-demand.md
• ../benchmarks/scanner/windows-macos-interview-template.md
• ./operations/field-engagement.md
• ./design/README.md

Backlog references

• DOCS-SCANNER updates tracked in ../../TASKS.md.
• Analyzer parity work in src/Scanner/**/TASKS.md.

Epic alignment

• Epic 6 – Vulnerability Explorer: provide policy-aware scan outputs, explain traces, and findings ledger hooks for triage workflows.
• Epic 10 – Export Center: generate export-ready artefacts, manifests, and DSSE metadata for bundles.