stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs2/provenance/rekor-policy.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

35 lines
938 B
Markdown
Raw Blame History

# Rekor submission policy
Purpose
- Balance transparency log usage with budget limits and offline safety.
Submission tiers
- Tier 1: graph-level attestations per scan (default).
- Tier 2: edge bundle attestations for escalations.
Budgets
- Hourly limits for graph submissions.
- Daily limits for edge bundle submissions.
- Burst windows for Tier 1 only.
Enforcement
- Queue excess submissions with backpressure.
- Retry failed submissions with backoff.
- Store overflow locally for later submission.
Offline behavior
- Queue submissions in attestor.rekor_offline_queue.
- Bundle pending submissions in offline kits.
- Drain queue when connectivity returns.
Monitoring
- attestor_rekor_submissions_total
- attestor_rekor_submission_latency_seconds
- attestor_rekor_queue_depth
- attestor_rekor_budget_remaining
Related references
- provenance/attestation-workflow.md
- security/crypto-and-trust.md
- docs/operations/rekor-policy.md
Reference in New Issue View Git Blame Copy Permalink