git.stella-ops.org/docs/features/unchecked/scanner/scanner-analyzers.md

# Scanner Analyzers (Language-Specific and Binary)

## Module
Scanner

## Status
IMPLEMENTED

## Description
Extensive analyzer ecosystem covering language-specific (Ruby, Java), OS-specific (Windows WinSxS, MSI, Chocolatey, macOS Homebrew, pkgutil), and secrets analyzers.

## Implementation Details
- **Ruby Language Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyLanguageAnalyzer.cs` - `RubyLanguageAnalyzer` parsing Gemfile.lock, .gemspec, and gem metadata for Ruby dependency analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyAnalyzerPlugin.cs` - `RubyAnalyzerPlugin` registering the Ruby analyzer in the scanner pipeline
- **Windows WinSxS Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSPackageAnalyzer.cs` - `WinSxSPackageAnalyzer` discovering side-by-side assemblies in Windows images
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSManifestParser.cs` - `WinSxSManifestParser` parsing WinSxS assembly manifests
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSAssemblyMetadata.cs` - Metadata model for WinSxS assemblies
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSAnalyzerPlugin.cs` - Plugin registration
- **Windows MSI Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Msi/MsiAnalyzerPlugin.cs` - `MsiAnalyzerPlugin` analyzing MSI installer packages
- **Windows Chocolatey Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey/ChocolateyAnalyzerPlugin.cs` - `ChocolateyAnalyzerPlugin` discovering packages installed via Chocolatey
- **Secrets Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs` - `SecretsAnalyzer` detecting exposed secrets (API keys, tokens, passwords) in image layers
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs` - `SecretsAnalyzerHost` managing analyzer lifecycle
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs` - Configuration options for secret detection rules
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Secrets/SecretsAnalyzerStageExecutor.cs` - `SecretsAnalyzerStageExecutor` scanner pipeline stage for secrets analysis
- **Secret Alert Emitter**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs` - `SecretAlertEmitter` emitting alerts for discovered secrets
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs` - Interface for secret alerts
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs` - `SecretExceptionMatcher` for allowlisting known-safe patterns
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/RubyLanguageAnalyzerTests.cs` - Ruby analyzer tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerTests.cs` - Secrets analyzer tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.Tests/ChocolateyAnalyzerPluginTests.cs` - Chocolatey analyzer tests

## E2E Test Plan
- [ ] Scan a container image with a Ruby application and verify `RubyLanguageAnalyzer` discovers all gems from Gemfile.lock with correct versions
- [ ] Scan a Windows container image and verify `WinSxSPackageAnalyzer` discovers side-by-side assemblies with correct version and architecture metadata
- [ ] Scan a Windows image with Chocolatey packages and verify `ChocolateyAnalyzerPlugin` lists all installed packages
- [ ] Scan an image containing embedded secrets (test fixtures) and verify `SecretsAnalyzer` detects API keys, tokens, and passwords with correct file locations
- [ ] Verify the `SecretExceptionMatcher` correctly suppresses findings that match allowlisted patterns
- [ ] Verify all analyzer plugins register correctly and execute as pipeline stages in the scanner worker