OCI Referrer-Based Artifact Association

Module

Cli

Status

IMPLEMENTED

Description

OCI referrer-based attachment of SBOMs, attestations, and verdicts to image digests using the OCI referrers API, with discovery, publishing, and fallback mechanisms.

Implementation Details

  • OCI Registry Client: src/Cli/StellaOps.Cli/Services/OciRegistryClient.cs / IOciRegistryClient.cs -- OCI registry operations including referrers API
  • OCI Attestation Registry: src/Cli/StellaOps.Cli/Services/OciAttestationRegistryClient.cs -- attestation-specific OCI operations
  • Commands:
    • stella oci-list <digest> -- list OCI referrers for an image digest
    • stella oci-verify <digest> -- verify OCI-attached attestations
  • Architecture: Uses the OCI referrers API, falling back to tag-based discovery for older registries that do not implement it
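
The discovery flow from the Architecture item, as an added Python sketch (not the project's C# client code): query the referrers endpoint first, then fall back to the index stored under the `sha256-<hex>` tag defined by the OCI distribution spec. The `http_get` hook, `fake_registry`, the sample index and its artifact types are assumptions constructed for illustration.

```python
import json
import re

INDEX_MT = "application/vnd.oci.image.index.v1+json"
DIGEST_RE = re.compile(r"^sha256:([a-f0-9]{64})$")  # this sketch handles sha256 only

def fallback_tag(digest):
    """Referrers tag schema in the OCI distribution spec: '<alg>-<hex>'."""
    m = DIGEST_RE.match(digest)
    if not m:
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return "sha256-" + m.group(1)

def _is_index(status, ctype):
    return status == 200 and ctype.split(";")[0].strip() == INDEX_MT

def discover_referrers(http_get, repo, digest):
    """http_get(path) -> (status, content_type, body) is a hypothetical transport hook."""
    tag = fallback_tag(digest)  # validates the digest before it reaches a URL path
    source = "referrers-api"
    status, ctype, body = http_get(f"/v2/{repo}/referrers/{digest}")
    if not _is_index(status, ctype):
        # Older registry: the index is stored under the fallback tag instead.
        source = "tag-fallback"
        status, ctype, body = http_get(f"/v2/{repo}/manifests/{tag}")
        if status == 404:
            return source, []  # no fallback tag: nothing attached to this digest
        if not _is_index(status, ctype):
            raise RuntimeError(f"unexpected fallback response: {status} {ctype}")
    manifests = json.loads(body).get("manifests", [])
    # Discovery only: keep well-formed descriptors; trust comes from verification.
    return source, [d for d in manifests if DIGEST_RE.match(d.get("digest", ""))]

# Constructed sample data: trimmed descriptors, illustrative digests and types.
SUBJECT = "sha256:" + "ab" * 32
SAMPLE_INDEX = json.dumps({"schemaVersion": 2, "mediaType": INDEX_MT, "manifests": [
    {"digest": "sha256:" + "11" * 32, "artifactType": "application/vnd.cyclonedx+json"},
    {"digest": "sha256:" + "22" * 32, "artifactType": "application/vnd.in-toto+json"},
    {"digest": "not-a-digest", "artifactType": "application/vnd.example.verdict+json"},
]})

def fake_registry(supports_referrers):
    """Constructed in-memory registry: with or without the referrers endpoint."""
    def http_get(path):
        if "/referrers/" in path and supports_referrers:
            return 200, INDEX_MT, SAMPLE_INDEX
        if path.endswith("/manifests/" + fallback_tag(SUBJECT)):
            return 200, INDEX_MT + "; charset=utf-8", SAMPLE_INDEX
        return 404, "application/json", "{}"
    return http_get
```

The `sha256:abc123` value used in the test plan is a shortened placeholder; this sketch rejects it because it requires a full 64-character hex digest.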

E2E Test Plan

  • Run stella oci-list sha256:abc123 and verify that referrers are listed (SBOMs, attestations, verdicts)
  • Run stella oci-verify sha256:abc123 and verify that the attached attestations are verified
  • Verify fallback to tag-based discovery when the referrers API is unavailable
  • Verify SBOM attachment discovery and content retrieval
  • Verify --format json output