feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
StellaOps Bot
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions


@@ -0,0 +1,76 @@
# Stella Ops Starter Policy Pack - Base Configuration
# Version: 1.0.0
#
# This file contains the core policy rules that apply across all environments.
# Environment-specific overrides are in the overrides/ directory.
#
# Override precedence: base.yaml < overrides/<env>.yaml
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
name: starter-day1
version: "1.0.0"
description: "Production-ready starter policy - Base configuration"
spec:
settings:
defaultAction: warn
unknownsThreshold: 0.05
requireSignedSbom: true
requireSignedVerdict: true
minimumVexTrustScore: 0.5
# Core rules - see ../starter-day1.yaml for full documentation
rules:
- name: block-reachable-high-critical
priority: 100
match:
severity: [CRITICAL, HIGH]
reachability: reachable
unless:
vexStatus: not_affected
vexJustification:
- vulnerable_code_not_present
- vulnerable_code_cannot_be_controlled_by_adversary
- inline_mitigations_already_exist
action: block
- name: warn-reachable-medium
priority: 90
match:
severity: MEDIUM
reachability: reachable
unless:
vexStatus: not_affected
action: warn
- name: allow-unreachable
priority: 80
match:
reachability: unreachable
action: allow
log: true
- name: fail-on-unknowns
priority: 200
type: aggregate
match:
unknownsRatio:
gt: ${settings.unknownsThreshold}
action: block
- name: block-kev
priority: 110
match:
kev: true
reachability: reachable
unless:
vexStatus: not_affected
action: block
- name: default-allow
priority: 0
match:
always: true
action: allow
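Review bot: A CRITICAL or HIGH finding whose reachability is neither `reachable` nor `unreachable` matches none of the rules above priority 0 and is allowed by the `default-allow` catch-all at the end of this hunk, because `block-reachable-high-critical` and `block-kev` both require `reachability: reachable` and `allow-unreachable` only covers `unreachable`. `fail-on-unknowns` does not close this gap; it fires on the aggregate `unknownsRatio`, not on the individual finding. If the engine can report an undetermined reachability state (the `unknownsThreshold` setting suggests it does), a KEV or CRITICAL finding in that state is allowed rather than warned, and `defaultAction: warn` never applies because `always: true` matches everything. Consider a rule between priorities 90 and 80 that matches `severity: [CRITICAL, HIGH]` together with the engine's undetermined-reachability value and sets `action: warn`, or state in the header comment that unmatched findings are allowed by `default-allow` rather than by `defaultAction`.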


@@ -0,0 +1,52 @@
# Stella Ops Starter Policy - Development Override
# Version: 1.0.0
#
# Development environment is lenient to enable rapid iteration:
# - Never block, only warn
# - Higher unknowns threshold
# - No signing requirements
# - All vulnerabilities logged but allowed
#
# NOTE: Development policy is for local dev only. Pre-commit hooks
# or CI should use staging or production policies.
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-development
version: "1.0.0"
parent: starter-day1
environment: development
description: "Lenient settings for development - warn only, never block"
spec:
# Development settings - maximum leniency
settings:
defaultAction: allow
unknownsThreshold: 0.50 # 50% unknowns allowed in dev
requireSignedSbom: false
requireSignedVerdict: false
minimumVexTrustScore: 0.0 # Accept any VEX in dev
ruleOverrides:
# Downgrade all blocking rules to warnings
- name: block-reachable-high-critical
action: warn # Warn instead of block
- name: block-kev
action: warn # Warn instead of block
- name: fail-on-unknowns
action: warn # Warn instead of block
# Disable signing requirements entirely
- name: require-signed-sbom-prod
enabled: false
- name: require-signed-verdict-prod
enabled: false
# Enable verbose logging for all findings (helpful for debugging)
- name: default-allow
log: true
logLevel: verbose
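Review bot: The `ruleOverrides` entries for `require-signed-sbom-prod` and `require-signed-verdict-prod` name rules that the parent pack `starter-day1` does not define; its rule list contains only `block-reachable-high-critical`, `warn-reachable-medium`, `allow-unreachable`, `fail-on-unknowns`, `block-kev` and `default-allow`. Whether an override of an unknown rule name is rejected or silently ignored depends on the loader, which the diff does not show, so the outcome is either a load failure or a no-op. Signing is already disabled here through `requireSignedSbom: false` and `requireSignedVerdict: false`, so the two entries are redundant at best; either drop them or add `# NOTE: these rule names are not defined in base.yaml - confirm they resolve against the parent pack` above them. The same pair appears in the staging override hunk.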


@@ -0,0 +1,44 @@
# Stella Ops Starter Policy - Production Override
# Version: 1.0.0
#
# Production environment has the strictest settings:
# - All blocking rules enforced
# - Lower unknowns threshold
# - Signed artifacts required
# - Higher VEX trust score required
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-production
version: "1.0.0"
parent: starter-day1
environment: production
description: "Strict settings for production deployments"
spec:
# Production settings - stricter than defaults
settings:
defaultAction: block # Block by default in production
unknownsThreshold: 0.03 # Only 3% unknowns allowed
requireSignedSbom: true
requireSignedVerdict: true
minimumVexTrustScore: 0.7 # Higher trust required
# No rule overrides - production uses base rules at full strictness
ruleOverrides: []
# Additional production-only rules
additionalRules:
# Require explicit approval for any blocked findings
- name: require-approval-for-exceptions
priority: 400
description: "Any exception in production requires documented approval"
match:
hasException: true
require:
exceptionApproval: true
exceptionExpiry:
maxDays: 30
action: block
message: "Production exceptions require approval and must expire within 30 days"
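Review bot: `defaultAction: block` appears not to take effect, because `ruleOverrides: []` leaves the parent's `default-allow` rule active, and that rule has `always: true` with `action: allow` at priority 0, so any finding not matched by a higher-priority rule is allowed before a default action is consulted. If `defaultAction` applies only when no rule matches, which the diff does not state, production silently allows unmatched findings despite the comment `# Block by default in production`. Replacing the empty list with `ruleOverrides:` / `  - name: default-allow` / `    enabled: false` would let the configured default apply, and the comment `# No rule overrides - production uses base rules at full strictness` would then need updating.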


@@ -0,0 +1,37 @@
# Stella Ops Starter Policy - Staging Override
# Version: 1.0.0
#
# Staging environment balances security and development velocity:
# - Critical/HIGH blocking still enforced
# - Slightly higher unknowns threshold
# - Signed artifacts recommended but not required
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-staging
version: "1.0.0"
parent: starter-day1
environment: staging
description: "Balanced settings for staging environment"
spec:
# Staging settings - moderate strictness
settings:
defaultAction: warn
unknownsThreshold: 0.10 # 10% unknowns allowed
requireSignedSbom: false # Recommended but not required
requireSignedVerdict: false
minimumVexTrustScore: 0.5
ruleOverrides:
# KEV vulnerabilities still blocked in staging
- name: block-kev
enabled: true
# Signing requirements disabled for staging
- name: require-signed-sbom-prod
enabled: false
- name: require-signed-verdict-prod
enabled: false