Add unit tests for AST parsing and security sink detection

- Created `StellaOps.AuditPack.Tests.csproj` for unit testing the AuditPack library. - Implemented comprehensive unit tests in `index.test.js` for AST parsing, covering various JavaScript and TypeScript constructs including functions, classes, decorators, and JSX. - Added `sink-detect.test.js` to test security sink detection patterns, validating command injection, SQL injection, file write, deserialization, SSRF, NoSQL injection, and more. - Included tests for taint source detection in various contexts such as Express, Koa, and AWS Lambda.
2025-12-23 09:23:42 +02:00
parent 7e384ab610
commit 56e2dc01ee
96 changed files with 8555 additions and 1455 deletions
--- a/docs/10_CONCELIER_CLI_QUICKSTART.md
+++ b/docs/10_CONCELIER_CLI_QUICKSTART.md
@@ -352,3 +352,75 @@ a problem document.
  1. Stage the integration with fallback enabled (`allowAnonymousFallback=true`) and confirm CLI/token issuance using `stella auth status`.
  2. Follow the rehearsal pattern (`allowAnonymousFallback=false`) while monitoring `Concelier.Authorization.Audit` and `web.jobs.triggered`/`web.jobs.trigger.failed` metrics.
  3. Lock in enforcement, review the audit runbook (`docs/modules/concelier/operations/authority-audit-runbook.md`), and document the bypass CIDR approvals in your change log.
+
+---
+
+## 7 · Policy Starter Pack (Day 1)
+
+StellaOps provides a production-ready starter policy that blocks reachable HIGH/CRITICAL
+vulnerabilities while respecting VEX statements and enforcing metadata quality gates.
+
+### Quick Installation
+
+```bash
+# Install the starter policy pack
+stellaops policy install starter-day1
+
+# Verify the installation
+stellaops policy list-packs
+```
+
+### One-Liner for Scans with Policy
+
+```bash
+# Scan with policy evaluation
+stellaops scan run --image myregistry/myapp:latest --policy starter-day1
+
+# Check policy verdict
+stellaops verdict verify myregistry/myapp:latest
+```
+
+### What Starter Policy Does
+
+| Finding Type | Action | Notes |
+|--------------|--------|-------|
+| Reachable HIGH/CRITICAL | **Block** | Unless VEX says `not_affected` |
+| Reachable MEDIUM | **Warn** | Review recommended |
+| Unreachable vulnerabilities | **Allow** | Logged for awareness |
+| Unknowns > 5% | **Block** | Quality gate for SBOM coverage |
+| Unsigned SBOM (prod) | **Block** | Integrity requirement |
+
+### Environment Overrides
+
+Apply environment-specific behavior:
+
+```bash
+# Development - warnings only, no signing required
+stellaops scan run --image myapp:dev --policy starter-day1 --env development
+
+# Production - full enforcement (default)
+stellaops scan run --image myapp:prod --policy starter-day1 --env production
+```
+
+### Simulate Before Deploying
+
+Test policy impact on existing scans without blocking:
+
+```bash
+stellaops policy simulate --policy policies/starter-day1.yaml --scan <scan-id>
+```
+
+### Distribution (Air-Gapped Environments)
+
+For air-gapped installations, export and import policy packs as offline bundles:
+
+```bash
+# Export to offline bundle
+stellaops policy export-bundle --policy policies/starter-day1.yaml \
+  --output starter-day1-bundle.tar.gz
+
+# Import in air-gapped environment
+stellaops policy import-bundle --bundle starter-day1-bundle.tar.gz
+```
+
+See `docs/policy/starter-guide.md` for detailed customization and migration guidance.