Doctor Health Check Plugins (Attestation + Verification + Integration)

Module

__Libraries

Status

IMPLEMENTED

Description

Doctor plugin system with attestation checks, verification checks, integration checks (registry referrers API, push/pull authorization, credentials), service graph plugin, security plugin, observability plugin, and notification plugin. The advisory itself states "IMPLEMENTED on 2026-01-16".

Implementation Details

  • AttestationPlugin: src/__Libraries/StellaOps.Doctor.Plugins.Attestation/AttestationPlugin.cs -- registers attestation health checks with AttestationCheckBase base class; AttestationPluginOptions for configuration; AttestationPluginExtensions for DI registration
  • Attestation Checks: src/__Libraries/StellaOps.Doctor.Plugins.Attestation/ -- ClockSkewCheck.cs (NTP clock skew validation), CosignKeyMaterialCheck.cs (cosign key material availability), OfflineBundleCheck.cs (offline trust bundle freshness), RekorConnectivityCheck.cs (Rekor transparency log connectivity)
  • VerificationPlugin: src/__Libraries/StellaOps.Doctor.Plugins.Verification/VerificationPlugin.cs -- registers verification health checks with VerificationCheckBase base class; VerificationPluginOptions; VerificationPluginExtensions
  • Verification Checks: src/__Libraries/StellaOps.Doctor.Plugins.Verification/ -- PolicyEngineCheck.cs (policy engine availability), SbomValidationCheck.cs (SBOM validation capability), SignatureVerificationCheck.cs (signature verification capability), TestArtifactPullCheck.cs (test artifact pull from registry), VexValidationCheck.cs (VEX document validation)
  • Additional Plugins: src/__Libraries/StellaOps.Doctor.Plugins.*/ -- AI, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources
  • Integration Tests: src/__Libraries/__Tests/StellaOps.Doctor.Plugins.Integration.Tests/
  • Source: Feature matrix scan

E2E Test Plan

  • Verify AttestationPlugin registers and runs all attestation checks (ClockSkew, CosignKey, OfflineBundle, Rekor)
  • Test ClockSkewCheck detects NTP drift beyond configured threshold
  • Verify CosignKeyMaterialCheck validates cosign key availability
  • Test RekorConnectivityCheck reports connectivity status to transparency log
  • Verify VerificationPlugin runs PolicyEngine, SbomValidation, SignatureVerification, VexValidation checks
  • Test TestArtifactPullCheck verifies registry pull/push operations
  • Verify plugin DI registration via extension methods
  • Test health check aggregation across all Doctor plugins returns combined status