stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

Browse Source
This commit is contained in:
master
2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
docs/modules/policy/gates/kev-blocker.md Normal file
View File

@@ -0,0 +1,100 @@
# KEV Blocker Gate
**Gate ID:** `kev-blocker`
Blocks CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. KEV entries represent vulnerabilities with confirmed active exploitation in the wild.
## How It Works
1. For each CVE finding in the release candidate, checks KEV catalog membership
2. Blocks any CVE present in KEV (with optional grace period)
3. Reports KEV due dates for remediation tracking
4. Optionally respects KEV due dates as soft deadlines
## Configuration
```json
{
"Policy": {
"Gates": {
"KevBlocker": {
"Enabled": true,
"AllowGracePeriod": true,
"GracePeriodDays": 14,
"BlockPastDueDate": true,
"WarnBeforeDueDate": true,
"WarnDaysBeforeDue": 7,
"RequireReachability": false,
"Environments": {
"development": {
"Enabled": false
},
"production": {
"AllowGracePeriod": false
}
}
}
}
}
}
```
### Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `Enabled` | bool | `true` | Whether the gate is active |
| `AllowGracePeriod` | bool | `true` | Allow grace period after KEV addition |
| `GracePeriodDays` | int | `14` | Days after KEV addition before blocking |
| `BlockPastDueDate` | bool | `true` | Block CVEs past their KEV due date |
| `WarnBeforeDueDate` | bool | `true` | Emit warning as due date approaches |
| `WarnDaysBeforeDue` | int | `7` | Days before due date to start warning |
| `RequireReachability` | bool | `false` | Only evaluate reachable CVEs |
| `Environments` | dict | `{}` | Per-environment overrides |
## KEV Catalog Context
The CISA KEV catalog contains:
- CVEs with confirmed active exploitation
- Required remediation due dates (typically 2-3 weeks from addition)
- Affected vendor/product information
KEV inclusion indicates:
- Real-world exploitation is occurring
- Federal agencies must remediate by due date (BOD 22-01)
- High priority for all organizations
## Example Gate Results
**Pass:**
```
KEV blocker check passed. No KEV entries found in 15 CVE findings
```
**Fail:**
```
KEV entries found: CVE-2024-1234 (due: 2024-02-15, overdue), CVE-2024-5678 (due: 2024-02-28, 5 days remaining)
```
**Warning:**
```
KEV blocker check passed. Warnings: CVE-2024-9012 KEV due date approaching (7 days)
```
## CLI Usage
```bash
# Evaluate KEV gate against image
stella policy evaluate --gate kev-blocker --image myapp:v1.2.3
# Check with no grace period
stella policy evaluate --gate kev-blocker --no-grace-period --image myapp:v1.2.3
```
## Data Source
KEV data is fetched from [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) via the configured `IKevDataProvider`. The catalog is refreshed daily with catalog update timestamps tracked for staleness detection.
---
*Last updated: 2026-01-19.*