feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
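--- a/policies/starter-day1/base.yaml
+++ b/policies/starter-day1/base.yaml
@@ -0,0 +1,76 @@
+# Stella Ops Starter Policy Pack - Base Configuration
+# Version: 1.0.0
+#
+# This file contains the core policy rules that apply across all environments.
+# Environment-specific overrides are in the overrides/ directory.
+#
+# Override precedence: base.yaml < overrides/<env>.yaml
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyPack
+metadata:
+  name: starter-day1
+  version: "1.0.0"
+  description: "Production-ready starter policy - Base configuration"
+
+spec:
+  settings:
+    defaultAction: warn
+    unknownsThreshold: 0.05
+    requireSignedSbom: true
+    requireSignedVerdict: true
+    minimumVexTrustScore: 0.5
+
+  # Core rules - see ../starter-day1.yaml for full documentation
+  rules:
+    - name: block-reachable-high-critical
+      priority: 100
+      match:
+        severity: [CRITICAL, HIGH]
+        reachability: reachable
+      unless:
+        vexStatus: not_affected
+        vexJustification:
+          - vulnerable_code_not_present
+          - vulnerable_code_cannot_be_controlled_by_adversary
+          - inline_mitigations_already_exist
+      action: block
+
+    - name: warn-reachable-medium
+      priority: 90
+      match:
+        severity: MEDIUM
+        reachability: reachable
+      unless:
+        vexStatus: not_affected
+      action: warn
+
+    - name: allow-unreachable
+      priority: 80
+      match:
+        reachability: unreachable
+      action: allow
+      log: true
+
+    - name: fail-on-unknowns
+      priority: 200
+      type: aggregate
+      match:
+        unknownsRatio:
+          gt: ${settings.unknownsThreshold}
+      action: block
+
+    - name: block-kev
+      priority: 110
+      match:
+        kev: true
+        reachability: reachable
+      unless:
+        vexStatus: not_affected
+      action: block
+
+    - name: default-allow
+      priority: 0
+      match:
+        always: true
+      action: allow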
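Review bot: Every block/warn rule in this file requires `reachability: reachable`, so a CRITICAL, HIGH or KEV finding whose reachability is undetermined matches none of them and falls through to `default-allow` (priority 0, `always: true`), which allows it without even `log: true` — assuming rules are evaluated by priority with first match winning, which the file implies but does not state. That fail-open contradicts `defaultAction: warn` in `settings`; consider dropping the `reachability: reachable` line from `block-kev` so known-exploited vulnerabilities are blocked regardless of reachability evidence, and changing the catch-all to `action: warn` (renaming `default-allow` to match) or at least adding `log: true` to it so fall-through findings are visible. The `fail-on-unknowns` aggregate rule only covers this when the unknown ratio exceeds 5%, so a handful of unreviewed critical findings stay below it. On the `gt:` line, `${settings.unknownsThreshold}` is a plain YAML string; if the engine does not interpolate it the comparison is against a literal, so either quote it deliberately as `gt: "${settings.unknownsThreshold}"` to document that intent or use the numeric value. The commit message describes a `sink-detect.js` addition, but this hunk adds a policy pack; the message should mention the policy file too.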