Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00
parent 651b8e0fa3
commit 96d52884e8
712 changed files with 49449 additions and 6124 deletions
--- a/samples/policy/simulations/baseline/diff.json
+++ b/samples/policy/simulations/baseline/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "baseline",
+    "policyDigest": "sha256:simulation-baseline",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_critical",
+      "notes": "Critical severity must be remediated before deploy."
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Warned",
+      "rule": "alert_warn_eol_runtime",
+      "notes": "Runtime marked as EOL; upgrade recommended."
+    }
+  ]
+}
--- a/samples/policy/simulations/baseline/scenario.json
+++ b/samples/policy/simulations/baseline/scenario.json
@@ -0,0 +1,21 @@
+{
+  "name": "baseline",
+  "policyPath": "docs/examples/policies/baseline.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "severity": "Critical",
+      "source": "NVD"
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "severity": "Low",
+      "source": "NVD",
+      "tags": ["runtime:eol"]
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
+    { "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
+  ]
+}
--- a/samples/policy/simulations/internal-only/diff.json
+++ b/samples/policy/simulations/internal-only/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "internal-only",
+    "policyDigest": "sha256:simulation-internal-only",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    }
+  ]
+}
--- a/samples/policy/simulations/internal-only/scenario.json
+++ b/samples/policy/simulations/internal-only/scenario.json
@@ -0,0 +1,23 @@
+{
+  "name": "internal-only",
+  "policyPath": "docs/examples/policies/internal-only.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "severity": "Medium",
+      "source": "GHSA",
+      "environment": "internal"
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "severity": "High",
+      "source": "NVD",
+      "tags": ["kev"],
+      "environment": "internal"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
+    { "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
+  ]
+}
--- a/samples/policy/simulations/serverless/diff.json
+++ b/samples/policy/simulations/serverless/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "serverless",
+    "policyDigest": "sha256:simulation-serverless",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_any_high",
+      "notes": "Serverless workloads block High+ severities."
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "forbid_unpinned_base",
+      "notes": "Base image must be pinned (no :latest)."
+    }
+  ]
+}
--- a/samples/policy/simulations/serverless/scenario.json
+++ b/samples/policy/simulations/serverless/scenario.json
@@ -0,0 +1,23 @@
+{
+  "name": "serverless",
+  "policyPath": "docs/examples/policies/serverless.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "severity": "High",
+      "source": "NVD",
+      "environment": "serverless"
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "severity": "Medium",
+      "source": "NVD",
+      "tags": ["image:latest-tag"],
+      "environment": "serverless"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
+    { "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
+  ]
+}