git.stella-ops.org/docs/evaluate/checklist.md
master 9e5e958d42
feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
2025-10-31 14:33:05 +02:00


Evaluation Checklist: 30-Day Adoption Plan

Day 0–1: Kick the Tires

  • Follow the Quickstart to run the first scan and confirm the quota headers (`X-Stella-Quota-Remaining`).
  • Capture the deterministic replay bundle (`stella replay export`) to verify SRM evidence.
  • Log into the Console, review the explain trace for the latest scan, and test policy waiver creation.

Day 2–7: Prove Fit

  • Import the Offline Update Kit and confirm feeds refresh with no Internet access.
  • Apply a sovereign CryptoProfile matching your regulatory environment (FIPS, eIDAS, GOST, SM).
  • Run policy simulations with your SBOMs using `stella policy simulate --input <sbom>`; log explain outcomes for review.
  • Validate attestation workflows by exporting DSSE bundles and replaying them on a secondary host.

Day 8–14: Integrate

  • Wire the CLI into CI/CD to gate images using exit codes and `X-Stella-Quota-Remaining` telemetry.
  • Configure StellaOps.Notify with at least one channel (email/webhook) and confirm digest delivery.
  • Map existing advisory/VEX sources to Concelier connectors; note any feeds requiring custom plug-ins.
  • Review StellaOps.Policy.Engine audit logs to ensure waiver ownership and expiry meet governance needs.
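As an added example (not StellaOps project code), a POSIX shell gate for the CI/CD step above: it reads `X-Stella-Quota-Remaining` from a captured header dump and combines it with the scanner's exit code to decide whether an image may be promoted. The header sample, the quota floor and the fail-closed rule for a missing header are assumptions; the real scan command and API endpoint are whatever your pipeline already calls.

```shell
#!/bin/sh
# Added example, not StellaOps code: a CI gate combining the scanner's exit code
# with the X-Stella-Quota-Remaining header the checklist asks you to track.
# The header dump below is CONSTRUCTED sample data; in a pipeline it would come
# from something like `curl -D headers.txt ...` against your own backend.
set -u

# Constructed response headers, as the scan API might return them (CRLF-free here).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/json
X-Stella-Quota-Remaining: 42
Date: Fri, 31 Oct 2025 12:33:05 GMT'

# quota_remaining HEADERS -> prints the integer value of X-Stella-Quota-Remaining,
# or -1 when the header is absent or not a plain integer. Header-name matching is
# case-insensitive and CR characters are stripped so real curl dumps parse too.
quota_remaining() {
  printf '%s\n' "$1" | tr -d '\r' | awk -F ': *' '
    tolower($1) == "x-stella-quota-remaining" {
      sub(/[ \t]+$/, "", $2)
      if ($2 ~ /^[0-9]+$/) { print $2; found = 1; exit }
    }
    END { if (!found) print -1 }'
}

# gate SCAN_EXIT QUOTA MIN_QUOTA -> returns 0 when the image may be promoted, 1 otherwise.
# Assumed policy: any non-zero scanner exit blocks the image; a missing header blocks
# too (fail closed); remaining quota below the floor blocks so the team notices
# exhaustion before scans stop being served, instead of silently skipping the gate.
gate() {
  scan_exit=$1; quota=$2; min_quota=$3
  if [ "$scan_exit" -ne 0 ]; then
    echo "gate: scanner exited $scan_exit; blocking image" >&2; return 1
  fi
  if [ "$quota" -lt 0 ]; then
    echo "gate: X-Stella-Quota-Remaining missing or malformed; blocking (fail closed)" >&2; return 1
  fi
  if [ "$quota" -lt "$min_quota" ]; then
    echo "gate: quota remaining $quota is below floor $min_quota; blocking" >&2; return 1
  fi
  return 0
}

# Stand-alone run: pretend the scanner exited 0 and require at least 10 scans of quota.
quota=$(quota_remaining "$SAMPLE_HEADERS")
if gate 0 "$quota" 10; then echo "PASS: quota remaining $quota"; else echo "FAIL"; fi
```

In a real pipeline, replace the constructed `SAMPLE_HEADERS` with the header file your scan step captured and pass the scanner's `$?` as the first argument to `gate`.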

Day 15–30: Harden & Measure

  • Follow the Security Hardening Guide to rotate keys and enable mTLS across modules.
  • Enable observability pipelines (metrics + OpenTelemetry) to capture scan throughput and policy outcomes.
  • Run performance checks against the Performance Workbook targets; note P95 latencies.
  • Document operational runbooks (install, upgrade, rollback) referencing the Release Engineering Playbook.

Decision Gates

| Question | Evidence to collect | Source |
| --- | --- | --- |
| Can we operate fully offline? | Offline kit import logs, quota JWT validation without Internet | Quickstart, Offline Kit guide |
| Are findings explainable and reproducible? | SRM replay results, policy explain traces | Key features, Policy Engine UI |
| Does it meet regional compliance? | CryptoProfile application, Attestor/Rekor mirror configuration | Sovereign crypto docs, Attestor guide |

Next step: once the checklist is green, plan production rollout with the module-specific architecture docs under `docs/modules/`.