stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/oci-delta-attestation-service.md

2.8 KiB
Raw Blame History

OCI Delta Attestation Service

Module

Attestor

Status

IMPLEMENTED

Description

OCI-native delta attestation pipeline that computes security state deltas between image versions and attaches signed delta attestations as OCI referrers. Enables incremental security validation without full re-scan.

Implementation Details

  • Delta Verdict Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs (with .Budget) -- predicate capturing the security state delta between two image versions (new findings, resolved findings, unchanged findings).
  • Delta Verdict Change: Predicates/DeltaVerdictChange.cs -- individual change entry in a delta verdict.
  • Delta Finding Key: Predicates/DeltaFindingKey.cs -- unique key identifying a finding across delta comparisons.
  • Delta Verdict Statement: Statements/DeltaVerdictStatement.cs -- in-toto statement wrapping the delta verdict predicate.
  • Verdict Delta Summary: Predicates/VerdictDeltaSummary.cs -- summary statistics for the delta (counts of new, resolved, changed findings).
  • Verdict Finding Change: Predicates/VerdictFindingChange.cs -- detailed finding change with before/after states.
  • Verdict Rule Change: Predicates/VerdictRuleChange.cs -- policy rule changes between versions.
  • OCI Attachment: __Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs -- attaches signed delta attestations as OCI referrers to image digests.
  • Change Trace: __Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- creates change trace attestations tracking modifications over time.
  • DSSE Signing: Signing/ProofChainSigner.cs -- signs delta attestations into DSSE envelopes for OCI attachment.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/DeltaVerdictTests.cs

E2E Test Plan

  • Compute a delta verdict between two image versions with known finding changes and verify DeltaVerdictPredicate captures new, resolved, and unchanged findings
  • Create a DeltaVerdictStatement and sign it; attach as OCI referrer via OrasAttestationAttacher and verify attachment
  • Verify VerdictDeltaSummary correctly counts: 3 new, 2 resolved, 5 unchanged findings
  • Verify DeltaFindingKey uniquely identifies findings across delta comparisons (same CVE + component = same key)
  • Create a delta with VerdictRuleChange entries (policy rule added/removed) and verify rule changes are tracked
  • Verify delta with .Budget partial: create a delta that exceeds the uncertainty budget and verify the budget violation is captured
  • Verify incremental validation: fetch a previous delta attestation from OCI, compute a new delta from the previous state, and verify chain continuity