more audit work

policies/starter-day1/overrides/development.yaml

@@ -0,0 +1,20 @@
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-dev
+  version: 1.0.0
+  parent: starter-day1
+  environment: development
+
+spec:
+  settings:
+    defaultAction: warn
+    unknownsThreshold: 0.20
+    requireSignedSbom: false
+    requireSignedVerdict: false
+
+  ruleOverrides:
+    - name: block-reachable-high-critical
+      action: warn
+    - name: block-kev
+      action: warn

policies/starter-day1/overrides/production.yaml

@@ -0,0 +1,22 @@
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-prod
+  version: 1.0.0
+  parent: starter-day1
+  environment: production
+
+spec:
+  settings:
+    defaultAction: block
+    unknownsThreshold: 0.05
+    requireSignedSbom: true
+    requireSignedVerdict: true
+
+  additionalRules:
+    - name: require-approval-for-exceptions
+      description: "Require approval for exceptions in production"
+      action: block
+      match:
+        exceptionRequested: true
+      message: "Exception approvals are required in production"

policies/starter-day1/overrides/staging.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-staging
+  version: 1.0.0
+  parent: starter-day1
+  environment: staging
+
+spec:
+  settings:
+    defaultAction: warn
+    unknownsThreshold: 0.10