git.stella-ops.org/src/StellaOps.Scanner.Analyzers.OS/AGENTS.md
master d099a90f9b feat: Initialize Zastava Webhook service with TLS and Authority authentication
- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
2025-10-19 18:36:22 +03:00

AGENTS

Role

Design and ship deterministic Linux operating-system analyzers that transform container root filesystems into canonical package evidence for SBOM emission.

Scope

  • Provide shared helpers for reading apk, dpkg, and rpm metadata and emitting normalized package identities with provenance.
  • Implement analyzer plug-ins for Alpine (apk), Debian (dpkg), and RPM-based distributions that operate on extracted rootfs snapshots.
  • Enrich package records with vendor-origin metadata (source packages, declared licenses, CVE hints) and evidence linking files to packages.
  • Expose restart-time plug-in manifests so the Scanner.Worker can load analyzers in offline or air-gapped environments.
  • Supply deterministic fixtures and a regression harness that verifies analyzer outputs remain stable across runs.

Participants

  • StellaOps.Scanner.Core for shared contracts, observability, and plug-in catalog guardrails.
  • StellaOps.Scanner.Worker which executes analyzers inside the scan pipeline.
  • StellaOps.Scanner.Cache (future) for layer cache integration; analyzers must be cache-aware via deterministic inputs/outputs.
  • StellaOps.Scanner.Emit and StellaOps.Scanner.Diff rely on analyzer outputs to build SBOMs and change reports.

Interfaces & Contracts

  • Analyzers implement IOSPackageAnalyzer (defined in this module) and register via plug-in manifests; they must be restart-time only.
  • Input rootfs paths are read-only; analyzers must never mutate files and must tolerate missing metadata gracefully.
  • Package records emit canonical purls (pkg:alpine, pkg:deb, pkg:rpm) plus NEVRA/EVR details, source package identifiers, declared licenses, and evidence (file lists with layer attribution placeholders).
  • Outputs must be deterministic: ordering is lexicographic by ordinal comparison (never culture-sensitive string comparison, which changes with the host's ICU data), timestamps removed or normalized, hashes (SHA256) calculated when required.
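
The scope bullets above (shared apk/dpkg metadata helpers, normalized identities with provenance) and the contract bullets (canonical purls, EVR details, source package, deterministic ordering and hashing) are illustrated by the following C# program. It is an added example written for this page, not code from the StellaOps.Scanner.Analyzers.OS module, and it does not implement IOSPackageAnalyzer or any other StellaOps interface. The purl namespace "debian", the "<layer-pending>" attribution placeholder, the record shape OsPackage, and the two inline fixtures are assumptions; a real analyzer reads the distro from /etc/os-release in the snapshot and the layer digest from the pipeline. It targets .NET 6 or later (SHA256.HashData and Convert.ToHexString).

```csharp
// Added example (not StellaOps code): shared stanza reader, dpkg + apk emitters, EVR split,
// percent-encoded purls, ordinal ordering, and a SHA-256 fingerprint of the whole output.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed record OsPackage(string Purl, string Name, string? Epoch, string Version, string? Release,
    string Arch, string SourcePackage, string? License, string EvidencePath, string Layer);

public static class OsPackageAnalyzer
{
    // Constructed fixtures standing in for files read from a read-only rootfs snapshot.
    public const string DpkgStatus =
        "Package: zlib1g\nStatus: install ok installed\nArchitecture: amd64\n" +
        "Source: zlib (1:1.2.13.dfsg-1)\nVersion: 1:1.2.13.dfsg-1\n\n" +
        "Package: curl\nStatus: install ok installed\nArchitecture: amd64\n" +
        "Version: 7.88.1-10+deb12u5\nDescription: command line tool\n continuation line\n\n" +
        "Package: stale\nStatus: deinstall ok config-files\nArchitecture: amd64\nVersion: 0.1-1\n";
    public const string ApkInstalled =
        "P:musl\nV:1.2.4-r2\nA:x86_64\no:musl\nL:MIT\n\nP:busybox\nV:1.36.1-r15\nA:x86_64\no:busybox\nL:GPL-2.0-only\n";

    // Shared helper: both databases are blank-line separated stanzas of "key:value" lines;
    // continuation lines (leading space) are skipped and missing keys are left for callers to tolerate.
    public static IEnumerable<Dictionary<string, string>> ReadStanzas(string text)
    {
        foreach (var stanza in text.Replace("\r\n", "\n").Split("\n\n", StringSplitOptions.RemoveEmptyEntries))
        {
            var fields = new Dictionary<string, string>(StringComparer.Ordinal);
            foreach (var line in stanza.Split('\n'))
            {
                var sep = line.IndexOf(':');
                if (line.Length == 0 || line[0] == ' ' || sep <= 0) continue;
                fields[line[..sep]] = line[(sep + 1)..].Trim();
            }
            if (fields.Count > 0) yield return fields;
        }
    }

    // Debian version grammar: [epoch:]upstream[-revision]; the epoch is the all-digit run before ':'.
    public static (string? Epoch, string Upstream, string? Revision) SplitDebVersion(string version)
    {
        string? epoch = null;
        var colon = version.IndexOf(':');
        if (colon > 0 && version[..colon].All(char.IsDigit)) { epoch = version[..colon]; version = version[(colon + 1)..]; }
        var dash = version.LastIndexOf('-');
        return dash < 0 ? (epoch, version, (string?)null) : (epoch, version[..dash], version[(dash + 1)..]);
    }

    // ns = "debian" is an assumption for this example; the real value comes from /etc/os-release.
    public static List<OsPackage> AnalyzeDpkg(string statusText, string ns = "debian", string evidence = "/var/lib/dpkg/status")
    {
        var result = new List<OsPackage>();
        foreach (var f in ReadStanzas(statusText))
        {
            // Only "... installed" stanzas are evidence; removed packages leave "config-files" stanzas behind.
            if (!f.TryGetValue("Status", out var st) || !st.EndsWith(" installed", StringComparison.Ordinal)) continue;
            if (!f.TryGetValue("Package", out var name) || !f.TryGetValue("Version", out var version)) continue;
            var arch = f.GetValueOrDefault("Architecture", "all");
            // "Source: name (version)" -> name only; when absent, dpkg semantics make source == binary name.
            var source = f.TryGetValue("Source", out var s) ? s.Split(' ', 2)[0] : name;
            var (epoch, upstream, rev) = SplitDebVersion(version);
            // Percent-encoding keeps ':' (epoch) and '+' in versions unambiguous inside the purl.
            var purl = $"pkg:deb/{ns}/{name}@{Uri.EscapeDataString(version)}?arch={arch}";
            result.Add(new OsPackage(purl, name, epoch, upstream, rev, arch, source, null, evidence, "<layer-pending>"));
        }
        return Canonical(result);
    }

    public static List<OsPackage> AnalyzeApk(string installedText, string evidence = "/lib/apk/db/installed")
    {
        var result = new List<OsPackage>();
        foreach (var f in ReadStanzas(installedText))
        {
            if (!f.TryGetValue("P", out var name) || !f.TryGetValue("V", out var version)) continue;
            var arch = f.GetValueOrDefault("A", "noarch");
            var dash = version.LastIndexOf("-r", StringComparison.Ordinal); // apk release is "-rN"; no epoch
            string? rel = dash < 0 ? null : version[(dash + 1)..];
            // Type spelled as in this module's contract; current purl-spec writes it pkg:apk/alpine/<name>.
            var purl = $"pkg:alpine/{name}@{Uri.EscapeDataString(version)}?arch={arch}";
            result.Add(new OsPackage(purl, name, null, dash < 0 ? version : version[..dash], rel, arch,
                f.GetValueOrDefault("o", name), f.GetValueOrDefault("L"), evidence, "<layer-pending>"));
        }
        return Canonical(result);
    }

    // Determinism: ordinal sort on purl so database order cannot leak into the output; records carry no timestamps.
    private static List<OsPackage> Canonical(List<OsPackage> packages) =>
        packages.OrderBy(p => p.Purl, StringComparer.Ordinal).ToList();

    public static string Fingerprint(IEnumerable<OsPackage> packages) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(packages)))).ToLowerInvariant();

    public static void Main()
    {
        var deb = AnalyzeDpkg(DpkgStatus);
        // Reversing stanza order must not change the fingerprint; this is the regression-harness check.
        var reversed = string.Join("\n\n", Enumerable.Reverse(DpkgStatus.Split("\n\n")));
        Console.WriteLine(Fingerprint(deb) == Fingerprint(AnalyzeDpkg(reversed)) ? "deterministic" : "ORDER LEAK");
        foreach (var p in deb.Concat(AnalyzeApk(ApkInstalled)))
            Console.WriteLine($"{p.Purl} source={p.SourcePackage} epoch={p.Epoch ?? "-"} upstream={p.Version} release={p.Release ?? "-"}");
    }
}
```

Two details are the ones that usually break determinism in practice and are worth checking in any real analyzer: the sort uses StringComparer.Ordinal (a culture-aware OrderBy would produce different orders on hosts with different ICU data), and the fingerprint is taken over the serialized records rather than over a debug dump, so the same bytes can be compared against a golden JSON file stored under Fixtures/. Note also the "config-files" stanza: a removed package that still has configuration files remains in the dpkg status database and must not be reported as installed.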

In/Out of Scope

In scope:

  • Linux apk/dpkg/rpm analyzers, shared helpers, plug-in manifests, deterministic regression harness.

Out of scope:

  • Windows MSI/SxS analyzers, native (ELF) analyzers, language analyzers, EntryTrace pipeline, or SBOM assembly logic (handled by other guilds).

Observability & Security Expectations

  • Emit structured logs with correlation/job identifiers provided by StellaOps.Scanner.Core.
  • Surface metrics for package counts, elapsed time, and cache hits (metrics hooks stubbed until Cache module lands).
  • Do not perform outbound network calls; operate entirely on provided filesystem snapshot.
  • Validate plug-in manifests via IPluginCatalogGuard to enforce restart-only loading.

Tests

  • StellaOps.Scanner.Analyzers.OS.Tests hosts regression tests with canned rootfs fixtures to verify determinism.
  • Fixtures store expected analyzer outputs under Fixtures/ with golden JSON (normalized, sorted).
  • Tests cover apk/dpkg/rpm analyzers, shared helper edge cases, and plug-in catalog enforcement.