audit, advisories and doctors/setup work
32
docs/examples/binary-diff/policy-integration.md
Normal file
@@ -0,0 +1,32 @@
# Policy Integration

Binary diff output can be used as evidence in policy decisions. This example
shows a simple workflow using the JSON output from `stella scan diff`.

## Generate JSON Output

```bash
stella scan diff \
--base myapp:1.0.0 \
--target myapp:1.0.1 \
--format=json > diff.json
```

## Feed into Policy Evaluation

Use the JSON report as an input signal for policy rules that require evidence
of binary changes. Example (pseudo-rule):

```rego
package stella.policy

allow {
input.binaryDiff.summary.modified > 0
input.binaryDiff.findings[_].changeType == "modified"
}
```

## Notes

- The CLI currently emits `unknown` verdicts for modified binaries.
- Future classifier updates will populate `patched` and `vanilla` verdicts.
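Review bot: the `allow` rule in the Rego block grants on the mere presence of a modified binary (`input.binaryDiff.summary.modified > 0`) and never inspects the per-finding verdict, yet the Notes directly below say every modified binary currently carries an `unknown` verdict, so as written the gate is fail-open on exactly the case the classifier cannot yet decide. Add `default allow := false` and require a non-`unknown` verdict (for example, assuming each finding carries a `verdict` field matching the values listed in the Notes, `not input.binaryDiff.findings[_].verdict == "unknown"`), or state explicitly that this rule records evidence rather than gating a release. The second condition, `input.binaryDiff.findings[_].changeType == "modified"`, is implied by the first and can be dropped. Since the block is labelled a pseudo-rule, either link the JSON schema that defines `binaryDiff.summary` and `findings[].changeType` or say in the text that these paths are illustrative, so readers do not copy them as the report's real field names.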