tests fixes and some product advisories tune-ups

This commit is contained in:
master
2026-01-30 07:57:43 +02:00
parent 644887997c
commit 55744f6a39
345 changed files with 26290 additions and 2267 deletions


@@ -995,6 +995,70 @@ Group: `/api/v1/policy/interop` with tag `PolicyInterop`
| POST | `/evaluate` | `platform.policy.evaluate` | Evaluate policy against input |
| GET | `/formats` | `platform.policy.read` | List supported formats |
### 13.9 · OPA Supply Chain Evidence Input
> **Sprint:** SPRINT_0129_001_Policy_supply_chain_evidence_input
OPA policies can optionally access comprehensive supply chain evidence beyond basic VEX merge results. When `PolicyGateContext.SupplyChainEvidence` is populated, the following fields become available in the OPA input:
| Input Field | Type | Description |
|-------------|------|-------------|
| `artifact.digest` | string | Artifact digest (e.g., `sha256:abc...`) |
| `artifact.mediaType` | string | OCI media type |
| `artifact.reference` | string | Full artifact reference |
| `sbom.digest` | string | SBOM content hash |
| `sbom.format` | string | Format identifier (e.g., `cyclonedx-1.7`, `spdx-3.0.1`) |
| `sbom.componentCount` | int | Number of components |
| `sbom.content` | object | Optional inline SBOM JSON |
| `attestations[]` | array | Attestation references |
| `attestations[].digest` | string | DSSE envelope digest |
| `attestations[].predicateType` | string | in-toto predicate type URI |
| `attestations[].signatureVerified` | bool | Signature verification status |
| `attestations[].rekorLogIndex` | long | Transparency log index |
| `transparency.rekor[]` | array | Rekor receipts |
| `transparency.rekor[].logId` | string | Log identifier |
| `transparency.rekor[].uuid` | string | Entry UUID |
| `transparency.rekor[].logIndex` | long | Log position |
| `transparency.rekor[].integratedTime` | long | Unix timestamp |
| `transparency.rekor[].verified` | bool | Receipt verification status |
| `vex.mergeDecision` | object | VEX merge decision |
| `vex.mergeDecision.algorithm` | string | Merge algorithm (e.g., `trust-weighted-lattice-v1`) |
| `vex.mergeDecision.inputs[]` | array | Source documents with trust weights |
| `vex.mergeDecision.decisions[]` | array | Per-vulnerability decisions with provenance |
**Code locations:**
- Evidence models: `src/Policy/__Libraries/StellaOps.Policy/Gates/Opa/OpaEvidenceModels.cs`
- Context extension: `src/Policy/__Libraries/StellaOps.Policy/Gates/PolicyGateAbstractions.cs`
- Input builder: `src/Policy/__Libraries/StellaOps.Policy/Gates/Opa/OpaGateAdapter.cs`
**Example Rego policy using evidence:**
```rego
package stella.supply_chain
default allow = false
# Require SBOM presence
allow {
input.sbom.digest != ""
input.sbom.componentCount > 0
}
# Require verified attestation with SLSA provenance
allow {
some att in input.attestations
att.predicateType == "https://slsa.dev/provenance/v1"
att.signatureVerified == true
}
# Require transparency log entry within 24 hours
allow {
some receipt in input.transparency.rekor
receipt.verified == true
time.now_ns() - (receipt.integratedTime * 1000000000) < 86400000000000
}
```
---
*Last updated: 2026-01-23 (Sprint 041).*
*Last updated: 2026-01-29 (Sprint 0129_001).*
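Review bot: the three separate `allow { ... }` bodies in the example Rego policy are disjunctive, so the `# Require ...` comments overstate what the policy enforces: an artifact whose input satisfies only `input.sbom.digest != ""` and `input.sbom.componentCount > 0` is allowed with no verified SLSA attestation and no Rekor receipt at all. If the intent is that all three conditions hold, either merge them into one rule body or define three named rules (for example `sbom_present`, `slsa_attested`, `rekor_fresh`) and write `allow { sbom_present; slsa_attested; rekor_fresh }`; if the intent really is "any one of these", the comments should say so, since readers will copy this block as a gate. Two smaller points on the same block: `some att in input.attestations` uses the `in` keyword, which on OPA releases before 1.0 needs `import future.keywords.in` (or `import rego.v1`) at the top of the package, so the snippet as shown fails to compile there; and `time.now_ns()` makes the decision depend on wall-clock time at evaluation, so the same evidence bundle can evaluate differently on replay. Supplying the evaluation timestamp as part of the input (alongside the documented fields) would keep gate decisions reproducible and auditable. Finally, the hunk ends with two `*Last updated:*` lines; the older one should be dropped rather than appended to.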