feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/etc/policy-engine.yaml.sample
+++ b/etc/policy-engine.yaml.sample
@@ -44,3 +44,61 @@ rateLimiting:
  windowSeconds: 60             # Window duration in seconds
  queueLimit: 10                # Requests queued when limit reached
  tenantPartitioning: true      # Enable per-tenant rate limits
+
+# Unknown budget configuration (SPRINT_4300_0002_0001)
+# Controls enforcement of unknown thresholds by environment.
+UnknownBudgets:
+  enforceBudgets: true  # Set to false to log warnings only
+
+  budgets:
+    # Production: Strict limits, block on exceed
+    production:
+      environment: "production"
+      totalLimit: 5
+      reasonLimits:
+        Reachability: 0         # No reachability unknowns allowed
+        Identity: 2             # Max 2 identity unknowns
+        Provenance: 2           # Max 2 provenance unknowns
+        VexConflict: 0          # No VEX conflicts allowed
+        FeedGap: 5              # Some feed gaps tolerated
+        ConfigUnknown: 3        # Some config unknowns allowed
+        AnalyzerLimit: 5        # Analyzer limits are less critical
+      action: Block
+      exceededMessage: "Production deployment blocked: unknown budget exceeded."
+
+    # Staging: Moderate limits, warn on exceed
+    staging:
+      environment: "staging"
+      totalLimit: 20
+      reasonLimits:
+        Reachability: 5
+        Identity: 10
+        Provenance: 10
+        VexConflict: 5
+        FeedGap: 15
+        ConfigUnknown: 10
+        AnalyzerLimit: 15
+      action: Warn
+      exceededMessage: "Staging warning: unknown budget exceeded."
+
+    # Development: Permissive limits
+    development:
+      environment: "development"
+      totalLimit: 100
+      reasonLimits:
+        Reachability: 25
+        Identity: 50
+        Provenance: 50
+        VexConflict: 25
+        FeedGap: 50
+        ConfigUnknown: 50
+        AnalyzerLimit: 50
+      action: Warn
+      exceededMessage: "Development environment unknown budget exceeded."
+
+    # Default: Fallback for unknown environments
+    default:
+      environment: "default"
+      totalLimit: 50
+      action: Warn
+      exceededMessage: "Unknown budget exceeded."