doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements
This commit is contained in:
master
70
examples/policies/opa/epss-threshold.rego
Normal file
70
examples/policies/opa/epss-threshold.rego
Normal file
@@ -0,0 +1,70 @@
|
||||
# -----------------------------------------------------------------------------
|
||||
# epss-threshold.rego
|
||||
# Sprint: SPRINT_20260118_027_Policy_cve_release_gates
|
||||
# Task: TASK-027-08 - OPA/Rego Policy Examples
|
||||
# Description: EPSS exploitation probability threshold enforcement
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
package stellaops.gates.epss
|
||||
|
||||
import future.keywords.if
|
||||
import future.keywords.in
|
||||
|
||||
# Default allow if no CVEs exceed threshold
|
||||
default allow = true
|
||||
|
||||
# Block if any CVE exceeds EPSS threshold
|
||||
allow = false if {
|
||||
some cve in relevant_cves
|
||||
cve.epss_score > epss_threshold
|
||||
}
|
||||
|
||||
# Get CVEs to evaluate (optionally filtered by reachability)
|
||||
relevant_cves := [cve |
|
||||
some cve in input.cve_findings
|
||||
config_only_reachable
|
||||
cve.is_reachable == true
|
||||
]
|
||||
|
||||
relevant_cves := input.cve_findings if {
|
||||
not config_only_reachable
|
||||
}
|
||||
|
||||
# Get threshold with environment override support
|
||||
epss_threshold := env_config.epss_threshold if {
|
||||
env_config := input.config.environments[input.environment]
|
||||
env_config.epss_threshold
|
||||
} else := input.config.epss_threshold if {
|
||||
input.config.epss_threshold
|
||||
} else := 0.6 # Default threshold
|
||||
|
||||
# Configuration flags
|
||||
config_only_reachable if {
|
||||
input.config.only_reachable == true
|
||||
}
|
||||
|
||||
# Denial messages with CVE details
|
||||
deny[msg] if {
|
||||
some cve in relevant_cves
|
||||
cve.epss_score > epss_threshold
|
||||
msg := sprintf("CVE %s exceeds EPSS threshold: %.2f > %.2f", [
|
||||
cve.cve_id,
|
||||
cve.epss_score,
|
||||
epss_threshold
|
||||
])
|
||||
}
|
||||
|
||||
# Count CVEs exceeding threshold
|
||||
exceeding_cves := [cve |
|
||||
some cve in relevant_cves
|
||||
cve.epss_score > epss_threshold
|
||||
]
|
||||
|
||||
# Summary for reporting
|
||||
summary := {
|
||||
"total_cves": count(relevant_cves),
|
||||
"exceeding_count": count(exceeding_cves),
|
||||
"threshold": epss_threshold,
|
||||
"environment": input.environment,
|
||||
"exceeding_cves": [cve.cve_id | some cve in exceeding_cves],
|
||||
}
|
||||
Reference in New Issue
Block a user