stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: add security sink detection patterns for JavaScript/TypeScript

Browse Source 
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
This commit is contained in:
StellaOps Bot
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
Download Patch File Download Diff File Expand all files Collapse all files

327
policies/schemas/policy-pack.schema.json Normal file
View File

@@ -0,0 +1,327 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.io/schemas/policy-pack.schema.json",
"title": "Stella Ops Policy Pack",
"description": "Schema for validating Stella Ops policy pack YAML files",
"type": "object",
"required": ["apiVersion", "kind", "metadata", "spec"],
"properties": {
"apiVersion": {
"type": "string",
"pattern": "^policy\\.stellaops\\.io/v[0-9]+$",
"description": "API version for the policy pack format",
"examples": ["policy.stellaops.io/v1"]
},
"kind": {
"type": "string",
"enum": ["PolicyPack", "PolicyOverride"],
"description": "Type of policy document"
},
"metadata": {
"$ref": "#/$defs/Metadata"
},
"spec": {
"$ref": "#/$defs/PolicySpec"
}
},
"$defs": {
"Metadata": {
"type": "object",
"required": ["name", "version"],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$",
"minLength": 2,
"maxLength": 63,
"description": "Unique identifier for the policy pack"
},
"version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+(-[a-zA-Z0-9]+)?$",
"description": "Semantic version of the policy pack"
},
"description": {
"type": "string",
"maxLength": 500,
"description": "Human-readable description"
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" },
"description": "Key-value labels for categorization"
},
"annotations": {
"type": "object",
"additionalProperties": { "type": "string" },
"description": "Key-value annotations for custom metadata"
},
"parent": {
"type": "string",
"description": "Parent policy pack name (for overrides)"
},
"environment": {
"type": "string",
"enum": ["development", "staging", "production", "all"],
"description": "Target environment for this policy"
}
}
},
"PolicySpec": {
"type": "object",
"properties": {
"settings": {
"$ref": "#/$defs/PolicySettings"
},
"rules": {
"type": "array",
"items": { "$ref": "#/$defs/PolicyRule" },
"description": "List of policy rules"
},
"ruleOverrides": {
"type": "array",
"items": { "$ref": "#/$defs/RuleOverride" },
"description": "Overrides for parent policy rules"
},
"additionalRules": {
"type": "array",
"items": { "$ref": "#/$defs/PolicyRule" },
"description": "Additional rules to add on top of parent"
}
}
},
"PolicySettings": {
"type": "object",
"properties": {
"defaultAction": {
"type": "string",
"enum": ["allow", "warn", "block"],
"default": "warn",
"description": "Default action for unmatched findings"
},
"unknownsThreshold": {
"type": "number",
"minimum": 0,
"maximum": 1,
"default": 0.05,
"description": "Maximum ratio of packages with unknown metadata (0.0-1.0)"
},
"requireSignedSbom": {
"type": "boolean",
"default": true,
"description": "Require cryptographically signed SBOM"
},
"requireSignedVerdict": {
"type": "boolean",
"default": true,
"description": "Require cryptographically signed policy verdict"
},
"minimumVexTrustScore": {
"type": "number",
"minimum": 0,
"maximum": 1,
"default": 0.5,
"description": "Minimum trust score for VEX source acceptance"
}
}
},
"PolicyRule": {
"type": "object",
"required": ["name", "action"],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$",
"description": "Unique rule identifier"
},
"description": {
"type": "string",
"description": "Human-readable rule description"
},
"priority": {
"type": "integer",
"minimum": 0,
"maximum": 1000,
"default": 50,
"description": "Rule priority (higher = evaluated first)"
},
"type": {
"type": "string",
"enum": ["finding", "aggregate"],
"default": "finding",
"description": "Rule type: per-finding or aggregate"
},
"match": {
"$ref": "#/$defs/RuleMatch",
"description": "Conditions that must match for rule to apply"
},
"unless": {
"$ref": "#/$defs/RuleUnless",
"description": "Conditions that exempt from this rule"
},
"require": {
"$ref": "#/$defs/RuleRequire",
"description": "Requirements that must be met"
},
"action": {
"type": "string",
"enum": ["allow", "warn", "block"],
"description": "Action to take when rule matches"
},
"log": {
"type": "boolean",
"default": false,
"description": "Whether to log when rule matches"
},
"logLevel": {
"type": "string",
"enum": ["minimal", "normal", "verbose"],
"default": "normal"
},
"message": {
"type": "string",
"description": "Message template with {variable} placeholders"
}
}
},
"RuleMatch": {
"type": "object",
"properties": {
"always": {
"type": "boolean",
"description": "Always match (for default rules)"
},
"severity": {
"oneOf": [
{ "type": "string", "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"] },
{
"type": "array",
"items": { "type": "string", "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"] }
}
],
"description": "CVE severity to match"
},
"reachability": {
"type": "string",
"enum": ["reachable", "unreachable", "unknown"],
"description": "Reachability status"
},
"kev": {
"type": "boolean",
"description": "Match CISA KEV vulnerabilities"
},
"environment": {
"type": "string",
"description": "Target environment"
},
"isDirect": {
"type": "boolean",
"description": "Match direct dependencies only"
},
"hasSecurityContact": {
"type": "boolean",
"description": "Whether package has security contact"
},
"unknownsRatio": {
"$ref": "#/$defs/NumericComparison",
"description": "Aggregate: ratio of unknown packages"
},
"hasException": {
"type": "boolean",
"description": "Whether finding has exception"
}
}
},
"RuleUnless": {
"type": "object",
"properties": {
"vexStatus": {
"type": "string",
"enum": ["not_affected", "affected", "fixed", "under_investigation"],
"description": "VEX status that exempts from rule"
},
"vexJustification": {
"type": "array",
"items": {
"type": "string",
"enum": [
"vulnerable_code_not_present",
"vulnerable_code_cannot_be_controlled_by_adversary",
"inline_mitigations_already_exist",
"vulnerable_code_not_in_execute_path",
"component_not_present"
]
},
"description": "VEX justifications that exempt from rule"
},
"vexTrustScore": {
"$ref": "#/$defs/NumericComparison",
"description": "Minimum VEX trust score for exemption"
}
}
},
"RuleRequire": {
"type": "object",
"properties": {
"signedSbom": {
"type": "boolean",
"description": "Require signed SBOM"
},
"signedVerdict": {
"type": "boolean",
"description": "Require signed verdict"
},
"exceptionApproval": {
"type": "boolean",
"description": "Require exception approval"
},
"exceptionExpiry": {
"type": "object",
"properties": {
"maxDays": {
"type": "integer",
"minimum": 1,
"maximum": 365
}
}
}
}
},
"RuleOverride": {
"type": "object",
"required": ["name"],
"properties": {
"name": {
"type": "string",
"description": "Name of rule to override"
},
"enabled": {
"type": "boolean",
"description": "Enable or disable the rule"
},
"action": {
"type": "string",
"enum": ["allow", "warn", "block"],
"description": "Override action"
},
"log": {
"type": "boolean"
},
"logLevel": {
"type": "string",
"enum": ["minimal", "normal", "verbose"]
}
}
},
"NumericComparison": {
"type": "object",
"properties": {
"gt": { "type": "number" },
"gte": { "type": "number" },
"lt": { "type": "number" },
"lte": { "type": "number" },
"eq": { "type": "number" }
}
}
}
}

190
policies/starter-day1.yaml Normal file
View File

@@ -0,0 +1,190 @@
# Stella Ops Starter Policy Pack - Day 1
# Version: 1.0.0
# Last Updated: 2025-12-22
#
# This policy provides sensible defaults for organizations beginning
# their software supply chain security journey. Customize as needed.
#
# Key principles:
# - Block reachable HIGH/CRITICAL vulnerabilities without VEX
# - Allow bypass only with evidence-based VEX justification
# - Enforce unknowns budget to maintain scan quality
# - Require signed artifacts for production deployments
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
name: starter-day1
version: "1.0.0"
description: "Production-ready starter policy for Day 1 adoption"
labels:
tier: starter
environment: all
recommended: "true"
annotations:
stellaops.io/maintainer: "policy-team@stellaops.io"
stellaops.io/docs: "https://docs.stellaops.io/policy/starter-guide"
spec:
# Global settings - can be overridden per environment
settings:
# Default action for unmatched findings: warn | block | allow
defaultAction: warn
# Maximum percentage of packages with unknown metadata
# Before blocking deployment (5% = conservative default)
unknownsThreshold: 0.05
# Require cryptographically signed SBOM for production
requireSignedSbom: true
# Require cryptographically signed policy verdict
requireSignedVerdict: true
# Trust score threshold for VEX acceptance (0.0-1.0)
minimumVexTrustScore: 0.5
# Rule evaluation order: first match wins
rules:
# =========================================================================
# Rule 1: Block reachable HIGH/CRITICAL vulnerabilities
# =========================================================================
# This is the core security gate. Deployments with reachable HIGH or
# CRITICAL severity vulnerabilities are blocked unless VEX justifies.
- name: block-reachable-high-critical
description: "Block deployments with reachable HIGH or CRITICAL vulnerabilities"
priority: 100
match:
severity:
- CRITICAL
- HIGH
reachability: reachable
unless:
# Allow if VEX says not_affected with valid justification
vexStatus: not_affected
vexJustification:
- vulnerable_code_not_present
- vulnerable_code_cannot_be_controlled_by_adversary
- inline_mitigations_already_exist
# Require minimum trust score for VEX source
vexTrustScore:
gte: ${settings.minimumVexTrustScore}
action: block
message: |
Reachable {severity} vulnerability {cve} in {package} must be remediated.
Options:
- Upgrade to a fixed version
- Provide VEX justification (not_affected with evidence)
- Request exception through governance process
# =========================================================================
# Rule 2: Warn on reachable MEDIUM vulnerabilities
# =========================================================================
# Medium severity findings are not blocking but should be tracked.
- name: warn-reachable-medium
description: "Warn on reachable MEDIUM severity vulnerabilities"
priority: 90
match:
severity: MEDIUM
reachability: reachable
unless:
vexStatus: not_affected
action: warn
message: "Reachable MEDIUM vulnerability {cve} in {package} should be reviewed"
# =========================================================================
# Rule 3: Allow unreachable vulnerabilities
# =========================================================================
# Unreachable vulnerabilities pose lower risk and are allowed, but logged.
- name: allow-unreachable
description: "Allow unreachable vulnerabilities but log for awareness"
priority: 80
match:
reachability: unreachable
action: allow
log: true
message: "Vulnerability {cve} is unreachable in {package} - allowing"
# =========================================================================
# Rule 4: Fail on excessive unknowns
# =========================================================================
# Too many packages with unknown metadata indicates scan quality issues.
- name: fail-on-unknowns
description: "Block if too many packages have unknown metadata"
priority: 200
type: aggregate # Applies to entire scan, not individual findings
match:
unknownsRatio:
gt: ${settings.unknownsThreshold}
action: block
message: |
Unknown packages exceed threshold: {unknownsRatio}% > {threshold}%.
Improve SBOM quality or adjust threshold in policy settings.
# =========================================================================
# Rule 5: Require signed SBOM for production
# =========================================================================
- name: require-signed-sbom-prod
description: "Production deployments must have signed SBOM"
priority: 300
match:
environment: production
require:
signedSbom: ${settings.requireSignedSbom}
action: block
message: "Production deployment requires cryptographically signed SBOM"
# =========================================================================
# Rule 6: Require signed verdict for production
# =========================================================================
- name: require-signed-verdict-prod
description: "Production deployments must have signed policy verdict"
priority: 300
match:
environment: production
require:
signedVerdict: ${settings.requireSignedVerdict}
action: block
message: "Production deployment requires signed policy verdict"
# =========================================================================
# Rule 7: Block on KEV (Known Exploited Vulnerabilities)
# =========================================================================
# CISA KEV vulnerabilities are actively exploited and should be prioritized.
- name: block-kev
description: "Block deployments with CISA KEV vulnerabilities"
priority: 110
match:
kev: true
reachability: reachable
unless:
vexStatus: not_affected
action: block
message: |
{cve} is in CISA Known Exploited Vulnerabilities catalog.
Active exploitation detected - immediate remediation required.
# =========================================================================
# Rule 8: Warn on dependencies with no security contact
# =========================================================================
- name: warn-no-security-contact
description: "Warn when critical dependencies have no security contact"
priority: 50
match:
isDirect: true
hasSecurityContact: false
severity:
- CRITICAL
- HIGH
action: warn
message: "Package {package} has no security contact - coordinated disclosure may be difficult"
# =========================================================================
# Rule 9: Default allow for everything else
# =========================================================================
- name: default-allow
description: "Allow everything not matched by above rules"
priority: 0
match:
always: true
action: allow

76
policies/starter-day1/base.yaml Normal file
View File

@@ -0,0 +1,76 @@
# Stella Ops Starter Policy Pack - Base Configuration
# Version: 1.0.0
#
# This file contains the core policy rules that apply across all environments.
# Environment-specific overrides are in the overrides/ directory.
#
# Override precedence: base.yaml < overrides/<env>.yaml
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
name: starter-day1
version: "1.0.0"
description: "Production-ready starter policy - Base configuration"
spec:
settings:
defaultAction: warn
unknownsThreshold: 0.05
requireSignedSbom: true
requireSignedVerdict: true
minimumVexTrustScore: 0.5
# Core rules - see ../starter-day1.yaml for full documentation
rules:
- name: block-reachable-high-critical
priority: 100
match:
severity: [CRITICAL, HIGH]
reachability: reachable
unless:
vexStatus: not_affected
vexJustification:
- vulnerable_code_not_present
- vulnerable_code_cannot_be_controlled_by_adversary
- inline_mitigations_already_exist
action: block
- name: warn-reachable-medium
priority: 90
match:
severity: MEDIUM
reachability: reachable
unless:
vexStatus: not_affected
action: warn
- name: allow-unreachable
priority: 80
match:
reachability: unreachable
action: allow
log: true
- name: fail-on-unknowns
priority: 200
type: aggregate
match:
unknownsRatio:
gt: ${settings.unknownsThreshold}
action: block
- name: block-kev
priority: 110
match:
kev: true
reachability: reachable
unless:
vexStatus: not_affected
action: block
- name: default-allow
priority: 0
match:
always: true
action: allow

52
policies/starter-day1/overrides/development.yaml Normal file
View File

@@ -0,0 +1,52 @@
# Stella Ops Starter Policy - Development Override
# Version: 1.0.0
#
# Development environment is lenient to enable rapid iteration:
# - Never block, only warn
# - Higher unknowns threshold
# - No signing requirements
# - All vulnerabilities logged but allowed
#
# NOTE: Development policy is for local dev only. Pre-commit hooks
# or CI should use staging or production policies.
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-development
version: "1.0.0"
parent: starter-day1
environment: development
description: "Lenient settings for development - warn only, never block"
spec:
# Development settings - maximum leniency
settings:
defaultAction: allow
unknownsThreshold: 0.50 # 50% unknowns allowed in dev
requireSignedSbom: false
requireSignedVerdict: false
minimumVexTrustScore: 0.0 # Accept any VEX in dev
ruleOverrides:
# Downgrade all blocking rules to warnings
- name: block-reachable-high-critical
action: warn # Warn instead of block
- name: block-kev
action: warn # Warn instead of block
- name: fail-on-unknowns
action: warn # Warn instead of block
# Disable signing requirements entirely
- name: require-signed-sbom-prod
enabled: false
- name: require-signed-verdict-prod
enabled: false
# Enable verbose logging for all findings (helpful for debugging)
- name: default-allow
log: true
logLevel: verbose

44
policies/starter-day1/overrides/production.yaml Normal file
View File

@@ -0,0 +1,44 @@
# Stella Ops Starter Policy - Production Override
# Version: 1.0.0
#
# Production environment has the strictest settings:
# - All blocking rules enforced
# - Lower unknowns threshold
# - Signed artifacts required
# - Higher VEX trust score required
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-production
version: "1.0.0"
parent: starter-day1
environment: production
description: "Strict settings for production deployments"
spec:
# Production settings - stricter than defaults
settings:
defaultAction: block # Block by default in production
unknownsThreshold: 0.03 # Only 3% unknowns allowed
requireSignedSbom: true
requireSignedVerdict: true
minimumVexTrustScore: 0.7 # Higher trust required
# No rule overrides - production uses base rules at full strictness
ruleOverrides: []
# Additional production-only rules
additionalRules:
# Require explicit approval for any blocked findings
- name: require-approval-for-exceptions
priority: 400
description: "Any exception in production requires documented approval"
match:
hasException: true
require:
exceptionApproval: true
exceptionExpiry:
maxDays: 30
action: block
message: "Production exceptions require approval and must expire within 30 days"

37
policies/starter-day1/overrides/staging.yaml Normal file
View File

@@ -0,0 +1,37 @@
# Stella Ops Starter Policy - Staging Override
# Version: 1.0.0
#
# Staging environment balances security and development velocity:
# - Critical/HIGH blocking still enforced
# - Slightly higher unknowns threshold
# - Signed artifacts recommended but not required
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-staging
version: "1.0.0"
parent: starter-day1
environment: staging
description: "Balanced settings for staging environment"
spec:
# Staging settings - moderate strictness
settings:
defaultAction: warn
unknownsThreshold: 0.10 # 10% unknowns allowed
requireSignedSbom: false # Recommended but not required
requireSignedVerdict: false
minimumVexTrustScore: 0.5
ruleOverrides:
# KEV vulnerabilities still blocked in staging
- name: block-kev
enabled: true
# Signing requirements disabled for staging
- name: require-signed-sbom-prod
enabled: false
- name: require-signed-verdict-prod
enabled: false