Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00
parent 651b8e0fa3
commit 96d52884e8
712 changed files with 49449 additions and 6124 deletions
--- a/docs/examples/policies/serverless.stella
+++ b/docs/examples/policies/serverless.stella
@@ -0,0 +1,39 @@
+policy "Serverless Tight Policy" syntax "stella-dsl@1" {
+  metadata {
+    description = "Aggressive blocking for serverless runtimes."
+    tags = ["serverless","prod","strict"]
+  }
+
+  profile severity {
+    env runtime_overrides {
+      if env.runtime == "serverless" then +0.7
+      if env.runtime == "batch" then +0.2
+    }
+  }
+
+  rule block_any_high {
+    when severity.normalized >= "High"
+    then status := "blocked"
+    because "Serverless workloads block High+ severities."
+  }
+
+  rule forbid_unpinned_base {
+    when sbom.has_tag("image:latest-tag")
+    then status := "blocked"
+    because "Base image must be pinned (no :latest)."
+  }
+
+  rule zero_tolerance_vex {
+    when vex.any(status == "not_affected")
+    then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
+    because "Allow not_affected only from trusted vendors with strongest justification."
+  }
+
+  rule temporary_quiet {
+    when env.deployment == "canary"
+         and severity.normalized == "Medium"
+    then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
+    because "Allow short canary quiet window while fix rolls out."
+  }
+}
+