Restructure solution layout by module
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
This commit is contained in:
root
@@ -1,72 +1,72 @@
|
||||
# Internal-Only Policy Example (`internal-only.stella`)
|
||||
|
||||
A relaxed profile for internal services and development environments: allow Medium severities with warnings, rely on VEX more heavily, but still block KEV/actively exploited advisories.
|
||||
|
||||
```dsl
|
||||
policy "Internal Only Policy" syntax "stella-dsl@1" {
|
||||
metadata {
|
||||
description = "Lenient policy for internal / dev tenants."
|
||||
tags = ["internal","dev"]
|
||||
}
|
||||
|
||||
profile severity {
|
||||
env exposure_adjustments {
|
||||
if env.exposure == "internal" then -0.4
|
||||
if env.stage == "dev" then -0.6
|
||||
}
|
||||
}
|
||||
|
||||
rule block_kev priority 1 {
|
||||
when advisory.has_tag("kev")
|
||||
then status := "blocked"
|
||||
because "Known exploited vulnerabilities must be remediated."
|
||||
}
|
||||
|
||||
rule allow_medium_with_warning {
|
||||
when severity.normalized == "Medium"
|
||||
and env.exposure == "internal"
|
||||
then warn message "Medium severity permitted in internal environments."
|
||||
because "Allow Medium findings with warning for internal workloads."
|
||||
}
|
||||
|
||||
rule accept_vendor_vex {
|
||||
when vex.any(status in ["not_affected","fixed"])
|
||||
then status := vex.status
|
||||
annotate justification := vex.latest().justification
|
||||
because "Trust vendor VEX statements for internal scope."
|
||||
}
|
||||
|
||||
rule quiet_low_priority {
|
||||
when severity.normalized <= "Low"
|
||||
then ignore until "2026-01-01T00:00:00Z"
|
||||
because "Quiet low severity until next annual remediation sweep."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Commentary
|
||||
|
||||
- Suitable for staging/dev tenants with lower blast radius.
|
||||
- KEV advisories override lenient behaviour to maintain minimum security bar.
|
||||
- Warnings ensure Medium findings stay visible in dashboards and CLI outputs.
|
||||
- Quiet rule enforces planned clean-up date; update before expiry.
|
||||
|
||||
## Try it out
|
||||
|
||||
```bash
|
||||
stella policy lint examples/policies/internal-only.stella
|
||||
stella policy simulate P-internal --candidate 1 \
|
||||
--sbom sbom:internal-service --env exposure=internal --env stage=dev
|
||||
```
|
||||
|
||||
## Compliance checklist
|
||||
|
||||
- [ ] Tenant classified as internal-only with documented risk acceptance.
|
||||
- [ ] KEV feed synced (Concelier) and tags confirmed before relying on rule.
|
||||
- [ ] Quiet expiry tracked; remediation backlog updated prior to deadline.
|
||||
- [ ] Developers informed that warnings still affect quality score.
|
||||
- [ ] Policy not used for production or internet-exposed services.
|
||||
|
||||
---
|
||||
|
||||
*Last updated: 2025-10-26.*
|
||||
# Internal-Only Policy Example (`internal-only.stella`)
|
||||
|
||||
A relaxed profile for internal services and development environments: allow Medium severities with warnings, rely on VEX more heavily, but still block KEV/actively exploited advisories.
|
||||
|
||||
```dsl
|
||||
policy "Internal Only Policy" syntax "stella-dsl@1" {
|
||||
metadata {
|
||||
description = "Lenient policy for internal / dev tenants."
|
||||
tags = ["internal","dev"]
|
||||
}
|
||||
|
||||
profile severity {
|
||||
env exposure_adjustments {
|
||||
if env.exposure == "internal" then -0.4
|
||||
if env.stage == "dev" then -0.6
|
||||
}
|
||||
}
|
||||
|
||||
rule block_kev priority 1 {
|
||||
when advisory.has_tag("kev")
|
||||
then status := "blocked"
|
||||
because "Known exploited vulnerabilities must be remediated."
|
||||
}
|
||||
|
||||
rule allow_medium_with_warning {
|
||||
when severity.normalized == "Medium"
|
||||
and env.exposure == "internal"
|
||||
then warn message "Medium severity permitted in internal environments."
|
||||
because "Allow Medium findings with warning for internal workloads."
|
||||
}
|
||||
|
||||
rule accept_vendor_vex {
|
||||
when vex.any(status in ["not_affected","fixed"])
|
||||
then status := vex.status
|
||||
annotate justification := vex.latest().justification
|
||||
because "Trust vendor VEX statements for internal scope."
|
||||
}
|
||||
|
||||
rule quiet_low_priority {
|
||||
when severity.normalized <= "Low"
|
||||
then ignore until "2026-01-01T00:00:00Z"
|
||||
because "Quiet low severity until next annual remediation sweep."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Commentary
|
||||
|
||||
- Suitable for staging/dev tenants with lower blast radius.
|
||||
- KEV advisories override lenient behaviour to maintain minimum security bar.
|
||||
- Warnings ensure Medium findings stay visible in dashboards and CLI outputs.
|
||||
- Quiet rule enforces planned clean-up date; update before expiry.
|
||||
|
||||
## Try it out
|
||||
|
||||
```bash
|
||||
stella policy lint examples/policies/internal-only.stella
|
||||
stella policy simulate P-internal --candidate 1 \
|
||||
--sbom sbom:internal-service --env exposure=internal --env stage=dev
|
||||
```
|
||||
|
||||
## Compliance checklist
|
||||
|
||||
- [ ] Tenant classified as internal-only with documented risk acceptance.
|
||||
- [ ] KEV feed synced (Concelier) and tags confirmed before relying on rule.
|
||||
- [ ] Quiet expiry tracked; remediation backlog updated prior to deadline.
|
||||
- [ ] Developers informed that warnings still affect quality score.
|
||||
- [ ] Policy not used for production or internet-exposed services.
|
||||
|
||||
---
|
||||
|
||||
*Last updated: 2025-10-26.*
|
||||
|
||||
Reference in New Issue
Block a user