doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/docs/modules/policy/gates/README.md
+++ b/docs/modules/policy/gates/README.md
@@ -0,0 +1,110 @@
+# Policy Gates
+
+Policy gates are automated checks that evaluate release candidates against configurable security criteria. Each gate produces a pass/fail result with detailed reasoning for policy decisions.
+
+## CVE-Aware Gates
+
+| Gate | ID | Description |
+|------|-----|-------------|
+| [EPSS Threshold](epss-threshold.md) | `epss-threshold` | Blocks CVEs above EPSS probability threshold |
+| [KEV Blocker](kev-blocker.md) | `kev-blocker` | Blocks CVEs in CISA Known Exploited Vulnerabilities catalog |
+| [Reachable CVE](reachable-cve.md) | `reachable-cve` | Blocks only CVEs with reachable code paths |
+| [CVE Delta](cve-delta.md) | `cve-delta` | Blocks releases introducing new high-severity CVEs vs baseline |
+| [Release Aggregate CVE](release-aggregate-cve.md) | `release-aggregate-cve` | Enforces aggregate CVE count limits per release |
+
+## Gate Configuration
+
+Gates are configured via `appsettings.json` under the `Policy:Gates` section:
+
+```json
+{
+  "Policy": {
+    "Gates": {
+      "EpssThreshold": {
+        "Enabled": true,
+        "Threshold": 0.6
+      },
+      "KevBlocker": {
+        "Enabled": true,
+        "AllowGracePeriod": true,
+        "GracePeriodDays": 14
+      },
+      "ReachableCve": {
+        "Enabled": true,
+        "SeverityThreshold": 7.0
+      },
+      "CveDelta": {
+        "Enabled": true,
+        "NewCveSeverityThreshold": 7.0,
+        "OnlyBlockReachable": false
+      },
+      "ReleaseAggregateCve": {
+        "Enabled": true,
+        "MaxCritical": 0,
+        "MaxHigh": 3,
+        "MaxMedium": 20
+      }
+    }
+  }
+}
+```
+
+## Environment Overrides
+
+Each gate supports per-environment configuration overrides:
+
+```json
+{
+  "Policy": {
+    "Gates": {
+      "CveDelta": {
+        "Enabled": true,
+        "NewCveSeverityThreshold": 7.0,
+        "Environments": {
+          "development": {
+            "Enabled": false
+          },
+          "staging": {
+            "NewCveSeverityThreshold": 9.0
+          },
+          "production": {
+            "NewCveSeverityThreshold": 7.0,
+            "OnlyBlockReachable": true
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+## DI Registration
+
+Register all CVE gates:
+
+```csharp
+services.AddCvePolicyGates(configuration);
+```
+
+Or register individual gates:
+
+```csharp
+services.AddEpssThresholdGate(configuration);
+services.AddKevBlockerGate(configuration);
+services.AddReachableCveGate(configuration);
+services.AddCveDeltaGate(configuration);
+services.AddReleaseAggregateCveGate(configuration);
+```
+
+## Gate Results
+
+All gates return a `GateResult` containing:
+
+- `GateName`: Gate identifier
+- `Passed`: Boolean pass/fail status
+- `Reason`: Human-readable explanation
+- `Details`: Additional metadata (warnings, counts, etc.)
+
+---
+
+*Last updated: 2026-01-19.*