warnings fixes, tests fixes, sprints completions

policies/starter-day1.yaml

@@ -1,6 +1,118 @@
 # Starter Day-1 Policy Pack
-# This is a minimal stub file for build compatibility.
+# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
+#
+# This is a comprehensive starter policy for day-1 security controls.
+# It includes gates for vulnerabilities, secret detection, and SBOM quality.
+
 name: starter-day1
 version: 1.0.0
-description: Starter policy pack for day-1 security controls.
-rules: []
+description: |
+  Starter policy pack for day-1 security controls.
+  Includes essential gates for vulnerabilities, secrets, and SBOM validation.
+
+rules:
+  # === VULNERABILITY GATES ===
+  
+  - id: block-critical-cves
+    description: Block images with critical vulnerabilities
+    severity: critical
+    when:
+      signal: vuln.severity.critical
+      operator: gt
+      value: 0
+    deny_message: |
+      BLOCKED: Image contains critical vulnerabilities.
+      Review CVEs and apply patches before deployment.
+
+  - id: block-kev-vulnerabilities
+    description: Block images with Known Exploited Vulnerabilities
+    severity: critical
+    when:
+      signal: vuln.kev.count
+      operator: gt
+      value: 0
+    deny_message: |
+      BLOCKED: Image contains Known Exploited Vulnerabilities (KEV).
+      These vulnerabilities are actively being exploited in the wild.
+      Immediate remediation required.
+
+  # === SECRET DETECTION GATES ===
+  
+  - id: block-critical-secrets
+    description: Block deployment when critical secrets are detected
+    severity: critical
+    when:
+      signal: secret.severity.critical
+      equals: true
+    deny_message: |
+      BLOCKED: Critical secrets detected (private keys, service account keys).
+      Rotate exposed credentials and remove from container image.
+
+  - id: block-high-secrets
+    description: Block deployment when high-severity secrets are detected
+    severity: high
+    when:
+      all:
+        - signal: secret.severity.high
+          equals: true
+        - signal: secret.confidence.high
+          equals: true
+    deny_message: |
+      BLOCKED: High-severity secrets detected with high confidence.
+      These appear to be real credentials. Remediate before deployment.
+
+  - id: warn-secret-findings
+    description: Warn when any secrets are detected
+    severity: medium
+    when:
+      signal: secret.has_finding
+      equals: true
+    warn_message: |
+      WARNING: Secret detection found {{secret.count}} potential secret(s).
+      Review findings and add legitimate patterns to the exception list.
+
+  # === SBOM QUALITY GATES ===
+  
+  - id: require-sbom
+    description: Require a valid SBOM for all images
+    severity: high
+    when:
+      signal: sbom.present
+      equals: false
+    deny_message: |
+      BLOCKED: No SBOM found for image.
+      Generate an SBOM before deployment (CycloneDX or SPDX format).
+
+  - id: warn-unknown-components
+    description: Warn when SBOM contains many unknown components
+    severity: medium
+    when:
+      signal: sbom.unknown_ratio
+      operator: gt
+      value: 0.2
+    warn_message: |
+      WARNING: Over 20% of SBOM components could not be identified.
+      Consider improving build process for better provenance.
+
+  # === IMAGE CONFIGURATION GATES ===
+  
+  - id: block-root-user
+    description: Block images that run as root by default
+    severity: high
+    when:
+      signal: image.runs_as_root
+      equals: true
+    deny_message: |
+      BLOCKED: Image runs as root user.
+      Configure a non-root USER in the Dockerfile.
+
+  - id: warn-old-base-image
+    description: Warn when base image is outdated
+    severity: medium
+    when:
+      signal: image.base_age_days
+      operator: gt
+      value: 90
+    warn_message: |
+      WARNING: Base image is over 90 days old.
+      Consider updating to get latest security patches.