Restructure solution layout by module
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
This commit is contained in:
root
@@ -1,72 +1,72 @@
|
||||
# Serverless Policy Example (`serverless.stella`)
|
||||
|
||||
Optimised for short-lived serverless workloads: focus on runtime integrity, disallow vulnerable layers entirely, and permit temporary suppressions only with strict justification windows.
|
||||
|
||||
```dsl
|
||||
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
|
||||
metadata {
|
||||
description = "Aggressive blocking for serverless runtimes."
|
||||
tags = ["serverless","prod","strict"]
|
||||
}
|
||||
|
||||
profile severity {
|
||||
env runtime_overrides {
|
||||
if env.runtime == "serverless" then +0.7
|
||||
if env.runtime == "batch" then +0.2
|
||||
}
|
||||
}
|
||||
|
||||
rule block_any_high {
|
||||
when severity.normalized >= "High"
|
||||
then status := "blocked"
|
||||
because "Serverless workloads block High+ severities."
|
||||
}
|
||||
|
||||
rule forbid_unpinned_base {
|
||||
when sbom.has_tag("image:latest-tag")
|
||||
then status := "blocked"
|
||||
because "Base image must be pinned (no :latest)."
|
||||
}
|
||||
|
||||
rule zero_tolerance_vex {
|
||||
when vex.any(status == "not_affected")
|
||||
then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
|
||||
because "Allow not_affected only from trusted vendors with strongest justification."
|
||||
}
|
||||
|
||||
rule temporary_quiet {
|
||||
when env.deployment == "canary"
|
||||
and severity.normalized == "Medium"
|
||||
then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
|
||||
because "Allow short canary quiet window while fix rolls out."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Commentary
|
||||
|
||||
- Designed for serverless tenants where redeploy cost is low and failing fast is preferred.
|
||||
- `forbid_unpinned_base` enforces supply-chain best practices.
|
||||
- `temporary_quiet` ensures quiet windows expire automatically; require deployments to set `env.quietUntil`.
|
||||
- Intended to be layered on top of baseline (override per tenant) or used standalone for serverless-only accounts.
|
||||
|
||||
## Try it out
|
||||
|
||||
```bash
|
||||
stella policy lint examples/policies/serverless.stella
|
||||
stella policy simulate P-serverless --candidate 1 \
|
||||
--sbom sbom:lambda-hello --env runtime=serverless --env deployment=canary
|
||||
```
|
||||
|
||||
## Compliance checklist
|
||||
|
||||
- [ ] Quiet window expirations tracked and documented.
|
||||
- [ ] Trusted VEX vendor list reviewed quarterly.
|
||||
- [ ] Deployment pipeline enforces pinned base images before approval.
|
||||
- [ ] Canary deployments monitored for recurrence before ignoring Medium severity.
|
||||
- [ ] Serverless teams acknowledge runbook for blocked deployments.
|
||||
|
||||
---
|
||||
|
||||
*Last updated: 2025-10-26.*
|
||||
|
||||
# Serverless Policy Example (`serverless.stella`)
|
||||
|
||||
Optimised for short-lived serverless workloads: focus on runtime integrity, disallow vulnerable layers entirely, and permit temporary suppressions only with strict justification windows.
|
||||
|
||||
```dsl
|
||||
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
|
||||
metadata {
|
||||
description = "Aggressive blocking for serverless runtimes."
|
||||
tags = ["serverless","prod","strict"]
|
||||
}
|
||||
|
||||
profile severity {
|
||||
env runtime_overrides {
|
||||
if env.runtime == "serverless" then +0.7
|
||||
if env.runtime == "batch" then +0.2
|
||||
}
|
||||
}
|
||||
|
||||
rule block_any_high {
|
||||
when severity.normalized >= "High"
|
||||
then status := "blocked"
|
||||
because "Serverless workloads block High+ severities."
|
||||
}
|
||||
|
||||
rule forbid_unpinned_base {
|
||||
when sbom.has_tag("image:latest-tag")
|
||||
then status := "blocked"
|
||||
because "Base image must be pinned (no :latest)."
|
||||
}
|
||||
|
||||
rule zero_tolerance_vex {
|
||||
when vex.any(status == "not_affected")
|
||||
then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
|
||||
because "Allow not_affected only from trusted vendors with strongest justification."
|
||||
}
|
||||
|
||||
rule temporary_quiet {
|
||||
when env.deployment == "canary"
|
||||
and severity.normalized == "Medium"
|
||||
then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
|
||||
because "Allow short canary quiet window while fix rolls out."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Commentary
|
||||
|
||||
- Designed for serverless tenants where redeploy cost is low and failing fast is preferred.
|
||||
- `forbid_unpinned_base` enforces supply-chain best practices.
|
||||
- `temporary_quiet` ensures quiet windows expire automatically; require deployments to set `env.quietUntil`.
|
||||
- Intended to be layered on top of baseline (override per tenant) or used standalone for serverless-only accounts.
|
||||
|
||||
## Try it out
|
||||
|
||||
```bash
|
||||
stella policy lint examples/policies/serverless.stella
|
||||
stella policy simulate P-serverless --candidate 1 \
|
||||
--sbom sbom:lambda-hello --env runtime=serverless --env deployment=canary
|
||||
```
|
||||
|
||||
## Compliance checklist
|
||||
|
||||
- [ ] Quiet window expirations tracked and documented.
|
||||
- [ ] Trusted VEX vendor list reviewed quarterly.
|
||||
- [ ] Deployment pipeline enforces pinned base images before approval.
|
||||
- [ ] Canary deployments monitored for recurrence before ignoring Medium severity.
|
||||
- [ ] Serverless teams acknowledge runbook for blocked deployments.
|
||||
|
||||
---
|
||||
|
||||
*Last updated: 2025-10-26.*
|
||||
|
||||
|
||||
Reference in New Issue
Block a user