Scanner Cache Key & DSSE Validation Contract
Scope: unblocks SCAN-CACHE-186-013 by defining cache key inputs, validation, and storage layout.
Cache key
- Key components (concatenate with `|`, then SHA256):
  - `subject_digest` (image digest)
  - `manifest_hash` (replay manifest canonical hash)
  - `tool.id` + `tool.version`
  - `policy.hash`
  - feed hashes (sorted, joined with `;`)
  - determinism toggles (clock seed, rng seed, max_parallel)
- Resulting cache key encoded as hex SHA256; used as folder name under CAS: `cache/{tenant}/{cache_key}/`.
Stored entries
- `sbom.cdx.json`, `vex.json`, `findings.ndjson`, `entropy.report.json` (when present).
- `cache-manifest.json`: summary containing all key components, file hashes, created_at UTC.
- `checksums.txt`: SHA256 for every file in folder.
- Optional `cache-manifest.json.dsse`: DSSE envelope signed by replay signer profile; payload type `application/vnd.stellaops.cache-manifest+json`.
Validation on hit
- Recompute cache key from incoming request; must match folder name.
- Recompute SHA256 over stored files and compare with `checksums.txt`.
- If DSSE present, verify signature using replay trust root.
- Compare `manifest_hash` in `cache-manifest.json` with current scan manifest.
- Reject (miss) on any mismatch; log reason for determinism audit.
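An added sketch of the key derivation and hit validation described above (not StellaOps code). The field order, the comma-joined toggle encoding, the sha256sum-style `checksums.txt` layout, the reason strings and all sample values are assumptions, and DSSE verification is left out.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def cache_key(c):
    # Assumed field order and toggle encoding; the page only names the components.
    parts = [c["subject_digest"], c["manifest_hash"], c["tool_id"], c["tool_version"],
             c["policy_hash"], ";".join(sorted(c["feed_hashes"])),
             f'{c["clock_seed"]},{c["rng_seed"]},{c["max_parallel"]}']
    if any("|" in p for p in parts):  # a delimiter inside a field makes the key ambiguous
        raise ValueError("key component contains '|'")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def validate_hit(folder, request, current_manifest_hash):
    """Return (ok, reason); any mismatch is a miss. DSSE verification is not shown."""
    if cache_key(request) != folder.name:
        return False, "cache_key_mismatch"
    rows = [l.split(maxsplit=1) for l in (folder / "checksums.txt").read_text().splitlines()]
    listed = {name: digest for digest, name in rows}  # assumed "<hex>  <file name>" lines
    if {p.name for p in folder.iterdir()} - {"checksums.txt"} != set(listed):
        return False, "file_set_mismatch"  # unlisted or missing file
    for name in sorted(listed):
        if sha256_file(folder / name) != listed[name]:
            return False, "checksum_mismatch:" + name
    manifest = json.loads((folder / "cache-manifest.json").read_text())
    if manifest["manifest_hash"] != current_manifest_hash:
        return False, "manifest_hash_mismatch"
    return True, "hit"

REQUEST = {  # constructed sample values
    "subject_digest": "sha256:" + "a" * 64, "manifest_hash": "b" * 64,
    "tool_id": "scanner", "tool_version": "1.0.0", "policy_hash": "c" * 64,
    "feed_hashes": ["f2", "f1"], "clock_seed": 0, "rng_seed": 42, "max_parallel": 1}

def demo():
    """Build a constructed entry, then check a clean hit, a stale manifest, a tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "cache" / "tenant-a" / cache_key(REQUEST)
        folder.mkdir(parents=True)
        (folder / "findings.ndjson").write_text('{"id": "constructed"}\n')
        (folder / "cache-manifest.json").write_text(json.dumps({"manifest_hash": "b" * 64}))
        sums = "".join(f"{sha256_file(p)}  {p.name}\n" for p in sorted(folder.iterdir()))
        (folder / "checksums.txt").write_text(sums)
        clean = validate_hit(folder, REQUEST, "b" * 64)
        stale = validate_hit(folder, REQUEST, "d" * 64)
        (folder / "findings.ndjson").write_text("tampered\n")
        return clean, stale, validate_hit(folder, REQUEST, "b" * 64)
```

The returned reason string is what a caller would write to the determinism audit log on a miss.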
Idempotency & TTL
- Cache entries are immutable; if folder exists, compare manifests and return existing entry.
- TTL controlled by policy; default 30 days; purge job removes expired entries by created_at.
API notes
- Worker -> WebService: `POST /api/v1/cache/{subjectDigest}` with bundle metadata; returns cache URI or 404 (miss).
- WebService -> Worker: `GET /api/v1/cache/{subjectDigest}?cacheKey=...` returns cache-manifest + artifacts stream.