stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/security-state-snapshot.md

2.3 KiB
Raw Blame History

Security State Snapshot (Content-Addressed Release Bundle)

Module

Attestor

Status

IMPLEMENTED

Description

Versioned, content-addressed snapshot bundles that capture SBOM graph, reachability graph, VEX claim set, policies, data-feed identifiers, and toolchain versions as digests for a release evaluation.

Implementation Details

  • Attestation Bundler: src/Attestor/__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs -- bundles multiple attestation artifacts into a versioned snapshot bundle.
  • Release Evidence Pack Builder: __Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs -- builds release evidence packs containing SBOM, VEX, policy, and verdict data.
  • Pack Manifest: __Libraries/StellaOps.Attestor.EvidencePack/Models/ReleaseEvidencePackManifest.cs -- manifest with SHA-256 digests of every included artifact.
  • Content-Addressed IDs: __Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs -- generates content-addressed IDs for each snapshot component.
  • Graph Root Attestor: __Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs -- attests SBOM graph and reachability graph Merkle roots.
  • Proof Spine: __Libraries/StellaOps.Attestor.ProofChain/Assembly/ProofSpineRequest.cs, ProofSpineResult.cs -- assembles snapshot components into a proof spine.
  • DSSE Signing: Signing/ProofChainSigner.cs -- signs the snapshot bundle.
  • Verdict Receipt: Statements/VerdictReceiptPayload.cs -- captures the security state at evaluation time.
  • Tests: __Tests/StellaOps.Attestor.EvidencePack.Tests/

E2E Test Plan

  • Build a security state snapshot via AttestationBundler with SBOM, VEX, policy, and reachability data; verify all components are included
  • Verify each component has a content-addressed ID and the manifest lists all digests
  • Attest the SBOM graph and reachability graph roots via GraphRootAttestor and verify they are included in the snapshot
  • Assemble the snapshot into a proof spine and verify the Merkle root covers all components
  • Sign the snapshot bundle and verify the DSSE envelope is valid
  • Create a second snapshot with one modified component and verify the content-addressed IDs differ
  • Verify offline verification: export the snapshot, import in an air-gapped environment, and verify all signatures