Mesh Entrypoint Graph (Multi-Container Reachability)
Module: Scanner
Status: IMPLEMENTED
Description
Cross-container entrypoint reachability analysis that parses Kubernetes and Docker Compose manifests to build a mesh graph of service-to-service connections, enabling vulnerability impact analysis across multi-container deployments.
Implementation Details
- Mesh Entrypoint Analysis:
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointAnalyzer.cs - MeshEntrypointAnalyzer performs cross-container entrypoint reachability analysis
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointGraph.cs - MeshEntrypointGraph represents the service-to-service connection graph across containers
- Manifest Parsers:
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/IManifestParser.cs - IManifestParser is the interface for container orchestration manifest parsing
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/KubernetesManifestParser.cs - KubernetesManifestParser parses Kubernetes Deployment, Service, and Ingress manifests to extract service topology
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/DockerComposeParser.cs - DockerComposeParser parses Docker Compose files to extract service connections, port mappings, and network topology
E2E Test Plan
- Provide a Kubernetes deployment with multiple services and verify the mesh graph correctly maps service-to-service connections
- Provide a Docker Compose file with linked services and verify cross-container connections are identified
- Verify a vulnerability in an internet-facing service is classified with higher exposure than one in an internal-only service
- Verify the mesh graph identifies transitive reachability (service A -> service B -> vulnerable service C)
- Verify port mappings and network policies are factored into the mesh connectivity analysis
- Verify the mesh graph handles service discovery (DNS-based and environment variable-based) for connection resolution
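As an added illustration of the reachability and exposure logic these tests exercise (example code written for this page in Python, not the StellaOps C# implementation), the block below builds a mesh graph from a constructed Docker Compose-style topology, reads each `depends_on` entry as a service-to-service edge and a published `ports` entry as internet exposure (both simplifying assumptions), and classifies a vulnerable service by whether an internet-facing service can reach it transitively (service A -> service B -> vulnerable service C).

```python
from collections import deque

# Constructed Docker Compose-style topology (not a real StellaOps fixture).
# Assumption: "ports" marks a host-published (internet-facing) service and
# "depends_on" is read as an edge from the dependent service to its dependency.
COMPOSE_SERVICES = {
    "edge":    {"ports": ["443:443"], "depends_on": ["api"]},
    "api":     {"depends_on": ["db", "cache"]},
    "cache":   {},
    "db":      {},                        # treat this as the vulnerable service
    "metrics": {"depends_on": ["db"]},    # internal-only: no published port
}

def build_mesh_graph(services):
    """Adjacency list: caller -> set of callees, one edge per depends_on entry."""
    graph = {name: set() for name in services}
    for name, spec in services.items():
        for dep in spec.get("depends_on", []):
            if dep not in graph:
                raise ValueError(f"{name} depends on unknown service {dep}")
            graph[name].add(dep)
    return graph

def internet_facing(services):
    """Services with at least one host-published port mapping."""
    return {name for name, spec in services.items() if spec.get("ports")}

def shortest_path(graph, start, target):
    """BFS returning the shortest call chain start -> ... -> target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph[path[-1]]):   # sorted for deterministic output
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def classify_exposure(services, vulnerable):
    """'internet-reachable' if any published service transitively reaches the
    vulnerable one (with the evidencing path), otherwise 'internal-only'."""
    graph = build_mesh_graph(services)
    for entry in sorted(internet_facing(services)):
        path = shortest_path(graph, entry, vulnerable)
        if path:
            return "internet-reachable", path
    return "internal-only", None
```

With the constructed topology, `classify_exposure(COMPOSE_SERVICES, "db")` reports the chain edge -> api -> db, while `metrics` is reported internal-only because no published service depends on it.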