More feature checks. Setup improvements.
docs/features/checked/policy/exception-recheck-build-gate.md (new file, 34 lines)
@@ -0,0 +1,34 @@
# Exception Recheck Build Gate

## Module
Policy

## Status
IMPLEMENTED

## Description
CI/CD build gate that evaluates recheck policies for all active exceptions on an artifact before deployment. Fails the pipeline if any Block-action conditions are triggered (e.g., EPSS exceeds threshold, KEV flagged). Returns warnings for non-blocking conditions.

## Implementation Details
- **ExceptionRecheckGate**: `src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs` (sealed class implements `IBuildGate`)
- GateName: `"exception-recheck"`, Priority: 100
- `EvaluateAsync(BuildGateContext)` evaluates all active exceptions for the artifact
- Uses `IExceptionEvaluator` to find matching exceptions, then `IRecheckEvaluationService` to evaluate recheck conditions
- Aggregates blockers (Block, Revoke, RequireReapproval actions) and warnings (Warn action)
- Returns `BuildGateResult` with Passed=false if any blockers exist; Passed=true otherwise
- Message includes blocker details: `"Recheck policy blocking: {details}"`
- **IBuildGate interface**: defined in same file
- `GateName` (string), `Priority` (int), `EvaluateAsync(BuildGateContext, CancellationToken)`
- **BuildGateContext**: record with ArtifactDigest, Environment, Branch, PipelineId, TenantId, EvaluatedAt, and all recheck signal fields (ReachGraphChanged, EpssScore, CvssScore, UnknownsCount, NewCveInPackage, KevFlagged, VexStatusChanged, PackageVersionChanged)
- **BuildGateResult**: record with Passed, GateName, Message, Blockers (`ImmutableArray<string>`), Warnings (`ImmutableArray<string>`)
- **RecheckEvaluationService**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs` -- evaluates recheck conditions (see exception-recheck-policy-system feature)

## E2E Test Plan
- [ ] Create exception with RecheckPolicy containing EPSSAbove=0.80 (Block action); set EpssScore=0.85 in BuildGateContext; verify EvaluateAsync returns Passed=false with blocker message mentioning EPSS
- [ ] Create exception with RecheckPolicy containing KEVFlagged (Block action); set KevFlagged=true; verify gate returns Passed=false
- [ ] Create exception with no RecheckPolicy; verify gate returns Passed=true with message "All exception recheck policies satisfied"
- [ ] Create exception with RecheckPolicy containing CVSSAbove=9.0 (Warn action); set CvssScore=9.5; verify gate returns Passed=true with 1 warning
- [ ] Create 2 exceptions: one with Block condition triggered, one with Warn condition triggered; verify gate returns Passed=false with 1 blocker and 1 warning
- [ ] Create exception with environment-scoped condition (prod only); evaluate in staging; verify condition does not trigger
- [ ] Create exception with RequireReapproval action triggered; verify it is classified as a blocker (not a warning)
- [ ] Verify gate includes exception ID in blocker/warning messages for traceability
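Review bot: the Implementation Details bullets for `EvaluateAsync` and `BuildGateResult` define Passed only from the blocker count and say nothing about the error path; the doc should state what the gate returns when `IExceptionEvaluator` or `IRecheckEvaluationService` fails (exception store unavailable, evaluator throws), because a gate that yields Passed=true on error silently waives every active exception's recheck conditions. Suggest documenting the fail-closed behaviour and adding a test-plan item for it, plus one for an artifact with no active exceptions at all (the third item covers an exception with no RecheckPolicy, which is a different path). Two smaller points: the pass message `"All exception recheck policies satisfied"` appears only in the test plan, so list it beside `"Recheck policy blocking: {details}"` in the Message bullet; and the GateName, `EvaluateAsync`, Uses, Aggregates, Returns and Message bullets are members of `ExceptionRecheckGate`, so nest them under that entry rather than at the same level as the `IBuildGate`, `BuildGateContext` and `BuildGateResult` entries. It would also help to say whether a lower or higher Priority value runs first, since 100 is meaningless without that.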