Scanner PR/MR Evidence Annotations (Webhook-Driven)

Module

Scanner

Status

IMPLEMENTED

Description

Webhook-driven PR/MR annotation generation with evidence anchors (attestation digest, policy verdict, verify command), ASCII-only output, and posting via SCM annotation clients with retry/backoff.

Implementation Details

PR Annotation Service:
- src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs - PrAnnotationService generates PR/MR annotations with evidence anchors including attestation digest, policy verdict, and verify command
Webhook Handler:
- src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationWebhookHandler.cs - PrAnnotationWebhookHandler processes incoming webhook events from SCM providers and triggers annotation generation
- src/Scanner/StellaOps.Scanner.WebService/Endpoints/WebhookEndpoints.cs - Webhook endpoints receiving SCM events for PR/MR annotation
Reachability Gate:
- src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs - PrReachabilityGate evaluating reachability status for PR annotations
Tests:
- src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs - Unit tests for annotation generation
- src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PrReachabilityGateTests.cs - PR reachability gate tests

E2E Test Plan

Send a webhook event for a PR/MR and verify PrAnnotationWebhookHandler triggers annotation generation
Verify the generated annotation includes attestation digest, policy verdict, and a stella verify command
Verify annotation output is ASCII-only (no unicode characters that might break SCM rendering)
Verify annotations are posted to the SCM provider (Gitea, GitHub, GitLab) with retry/backoff on failure
Verify PrReachabilityGate integrates reachability status into the PR annotation (showing which vulnerabilities are reachable)

1.9 KiB Raw Blame History