- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
2.9 KiB
# Vuln Explorer CI + Ops Plan (DEVOPS-VULN-29-001)

Scope: CI jobs, backup/DR, Merkle anchoring monitoring, and verification automation for the Vuln Explorer ledger projector and API.

Assumptions: Vuln Explorer API uses MongoDB + Redis; ledger projector performs replay into materialized views; Merkle tree anchoring to transparency log.
## CI Jobs

- `build-vuln`: dotnet restore/build for `src/VulnExplorer/StellaOps.VulnExplorer.Api` and projector; use `DOTNET_DISABLE_BUILTIN_GRAPH=1` and `local-nugets/`.
- `test-vuln`: focused tests with `dotnet test src/VulnExplorer/__Tests/...` and `--filter Category!=GraphHeavy`; publish TRX + coverage.
- `replay-smoke`: run projector against fixture event log (`samples/vuln/events/replay.ndjson`) and assert deterministic materialized view hash; fail on divergence.
- `sbom+attest`: reuse `ops/devops/docker/sbom_attest.sh` post-build.
## Backup & DR

- Mongo: enable point-in-time snapshots (if available) or nightly `mongodump` of `vuln_explorer` db; store in object storage with retention 30d.
- Redis (if used for cache): not authoritative; no backup required.
- Replay-first recovery: keep latest event log snapshot in release artifacts; replay task rehydrates materialized views. Exercise this path in restore drills: replay the snapshot into a scratch database and compare the resulting view hash against `ops/devops/vuln/expected_projection.sha256`, so a backup that cannot be rehydrated deterministically is caught before it is needed.
## Merkle Anchoring Verification

- Monitor projector metrics: `ledger_projection_lag_seconds`, `ledger_projection_errors_total`.
- Add periodic job `verify-merkle`: fetch latest Merkle root from projector state and cross-check it against the transparency log (`rekor` or configured log) by verifying the log's inclusion/consistency proof (for Rekor, `rekor-cli verify`) or with a custom verifier. Note that cosign has no `verify-tree` subcommand; the proof must be checked with the log's own verifier or in-house code.
- Alert when last anchored root age > 15m or a mismatch is detected.
## Verification Automation

- Script `ops/devops/vuln/verify_projection.sh` runs hash check:
  - Input projection export (`samples/vuln/events/projection.json` default) compared to `ops/devops/vuln/expected_projection.sha256`.
  - Exits non-zero on mismatch; use in CI after projector replay.
## Fixtures

- Store deterministic replay fixture under `samples/vuln/events/replay.ndjson` (generated offline, includes mixed tenants, disputed findings, remediation states).
- Export canonical projection snapshot to `samples/vuln/events/projection.json` and hash to `ops/devops/vuln/expected_projection.sha256`.
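The hash check behind the `replay-smoke` CI step and `verify_projection.sh`, as an added example (not the project's script). It assumes the expected-hash file is either a bare hex digest or `sha256sum`'s `<hex>  <name>` layout, and that both the recorded and the recomputed digest are taken over the canonical JSON form below (sorted keys, no whitespace, UTF-8); that canonicalization is an assumption, and if the committed value was taken over the raw export bytes the raw bytes must be hashed instead. The sample exports are constructed, not the repo fixture.

```python
"""Deterministic projection hash check (replay-smoke / verify_projection.sh)."""
import hashlib
import hmac
import json
import sys


def canonical_bytes(projection) -> bytes:
    """Key order and whitespace are not part of the projection's identity; strip
    them before hashing so a re-serialized export compares equal. Number
    formatting is left to json.dumps, so 1 and 1.0 still hash differently."""
    return json.dumps(projection, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")


def projection_sha256(projection_text: str) -> str:
    return hashlib.sha256(canonical_bytes(json.loads(projection_text))).hexdigest()


def expected_is_valid(text: str) -> bool:
    tokens = text.split()
    return bool(tokens) and len(tokens[0]) == 64 and \
        not set(tokens[0].lower()) - set("0123456789abcdef")


def parse_expected(text: str) -> str:
    """Accept a bare digest or sha256sum's '<hex>  <filename>' line."""
    if not expected_is_valid(text):
        raise ValueError("expected-hash file does not hold a SHA-256 hex digest")
    return text.split()[0].lower()


def verify_projection(projection_text: str, expected_text: str) -> bool:
    actual = projection_sha256(projection_text)
    return hmac.compare_digest(actual, parse_expected(expected_text))


# Constructed exports (hypothetical): same projection, different serialization.
EXPORT_A = '{"tenant":"t1","findings":[{"id":"f-1","state":"open"}]}'
EXPORT_B = '{\n  "findings": [ {"state": "open", "id": "f-1"} ],\n  "tenant": "t1"\n}'
# Same shape, but a finding state flipped: this must diverge.
EXPORT_TAMPERED = '{"tenant":"t1","findings":[{"id":"f-1","state":"remediated"}]}'


def main(argv: list) -> int:
    """Usage: verify_projection.py <projection.json> <expected.sha256>"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        projection_text = f.read()
    with open(argv[2], encoding="utf-8") as f:
        expected_text = f.read()
    ok = verify_projection(projection_text, expected_text)
    print("projection hash", "OK" if ok else "MISMATCH",
          projection_sha256(projection_text))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit is all CI needs; printing the actual digest alongside the verdict lets the person updating `expected_projection.sha256` after an intentional projection change copy it from the job log rather than recomputing it locally.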
## Dashboards / Alerts (DEVOPS-VULN-29-002/003)

- Dashboard JSON: `ops/devops/vuln/dashboards/vuln-explorer.json` (latency, projection lag, error rate, budget enforcement).
- Alerts: `ops/devops/vuln/alerts.yaml` defining `vuln_api_latency_p95_gt_300ms`, `vuln_projection_lag_gt_60s`, `vuln_projection_error_rate_gt_1pct`, `vuln_query_budget_enforced_gt_50_per_min`.
## Offline posture

- CI and verification use in-repo fixtures; no external downloads.
- Use mirrored images and `local-nugets/` for all builds/tests.
## Local run

```bash
DOTNET_DISABLE_BUILTIN_GRAPH=1 dotnet test src/VulnExplorer/__Tests/StellaOps.VulnExplorer.Api.Tests/StellaOps.VulnExplorer.Api.Tests.csproj --filter Category!=GraphHeavy
```