doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/examples/policies/opa/cve-gate-base.rego
+++ b/examples/policies/opa/cve-gate-base.rego
@@ -0,0 +1,99 @@
+# -----------------------------------------------------------------------------
+# cve-gate-base.rego
+# Sprint: SPRINT_20260118_027_Policy_cve_release_gates
+# Task: TASK-027-08 - OPA/Rego Policy Examples
+# Description: Base policy for DSSE signature and Rekor anchor verification
+# -----------------------------------------------------------------------------
+
+package stellaops.gates.base
+
+import future.keywords.if
+import future.keywords.in
+
+# Default deny - require explicit allow
+default valid_attestation = false
+
+# Attestation is valid if DSSE envelope has valid signature from trusted key
+valid_attestation if {
+    valid_dsse_envelope
+    valid_signature
+    valid_rekor_anchor
+}
+
+# Allow without Rekor if not required
+valid_attestation if {
+    valid_dsse_envelope
+    valid_signature
+    not config_require_rekor
+}
+
+# DSSE envelope structure validation
+valid_dsse_envelope if {
+    input.attestation.dsse_envelope.payloadType
+    input.attestation.dsse_envelope.payload
+    count(input.attestation.dsse_envelope.signatures) > 0
+}
+
+# Signature validation - at least one signature from trusted key
+valid_signature if {
+    some sig in input.attestation.dsse_envelope.signatures
+    sig.keyid in trusted_keys
+    sig.sig != ""
+}
+
+# Rekor anchor validation
+valid_rekor_anchor if {
+    input.attestation.rekor_entry.log_index >= 0
+    input.attestation.rekor_entry.integrated_time > 0
+    input.attestation.rekor_entry.inclusion_proof.root_hash != ""
+}
+
+# Configuration helpers
+config_require_rekor if {
+    input.config.require_rekor == true
+}
+
+# Get trusted keys from input or use default
+trusted_keys := input.attestation.trusted_keys if {
+    input.attestation.trusted_keys
+} else := []
+
+# Denial messages
+deny[msg] if {
+    not input.attestation.dsse_envelope
+    msg := "Missing DSSE envelope in attestation"
+}
+
+deny[msg] if {
+    input.attestation.dsse_envelope
+    not valid_dsse_envelope
+    msg := "Invalid DSSE envelope structure"
+}
+
+deny[msg] if {
+    valid_dsse_envelope
+    not valid_signature
+    msg := "No valid signature from trusted key"
+}
+
+deny[msg] if {
+    config_require_rekor
+    not input.attestation.rekor_entry
+    msg := "Rekor anchor required but not present"
+}
+
+deny[msg] if {
+    config_require_rekor
+    input.attestation.rekor_entry
+    not valid_rekor_anchor
+    msg := "Invalid Rekor inclusion proof"
+}
+
+# Metadata for debugging
+attestation_info := {
+    "has_dsse": valid_dsse_envelope,
+    "has_valid_sig": valid_signature,
+    "has_rekor": valid_rekor_anchor,
+    "signature_count": count(input.attestation.dsse_envelope.signatures),
+    "trusted_key_count": count(trusted_keys),
+}