Restructure solution layout by module
This commit is contained in:
master
@@ -1,39 +1,39 @@
|
||||
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
|
||||
metadata {
|
||||
description = "Aggressive blocking for serverless runtimes."
|
||||
tags = ["serverless","prod","strict"]
|
||||
}
|
||||
|
||||
profile severity {
|
||||
env runtime_overrides {
|
||||
if env.runtime == "serverless" then +0.7
|
||||
if env.runtime == "batch" then +0.2
|
||||
}
|
||||
}
|
||||
|
||||
rule block_any_high {
|
||||
when severity.normalized >= "High"
|
||||
then status := "blocked"
|
||||
because "Serverless workloads block High+ severities."
|
||||
}
|
||||
|
||||
rule forbid_unpinned_base {
|
||||
when sbom.has_tag("image:latest-tag")
|
||||
then status := "blocked"
|
||||
because "Base image must be pinned (no :latest)."
|
||||
}
|
||||
|
||||
rule zero_tolerance_vex {
|
||||
when vex.any(status == "not_affected")
|
||||
then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
|
||||
because "Allow not_affected only from trusted vendors with strongest justification."
|
||||
}
|
||||
|
||||
rule temporary_quiet {
|
||||
when env.deployment == "canary"
|
||||
and severity.normalized == "Medium"
|
||||
then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
|
||||
because "Allow short canary quiet window while fix rolls out."
|
||||
}
|
||||
}
|
||||
|
||||
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
|
||||
metadata {
|
||||
description = "Aggressive blocking for serverless runtimes."
|
||||
tags = ["serverless","prod","strict"]
|
||||
}
|
||||
|
||||
profile severity {
|
||||
env runtime_overrides {
|
||||
if env.runtime == "serverless" then +0.7
|
||||
if env.runtime == "batch" then +0.2
|
||||
}
|
||||
}
|
||||
|
||||
rule block_any_high {
|
||||
when severity.normalized >= "High"
|
||||
then status := "blocked"
|
||||
because "Serverless workloads block High+ severities."
|
||||
}
|
||||
|
||||
rule forbid_unpinned_base {
|
||||
when sbom.has_tag("image:latest-tag")
|
||||
then status := "blocked"
|
||||
because "Base image must be pinned (no :latest)."
|
||||
}
|
||||
|
||||
rule zero_tolerance_vex {
|
||||
when vex.any(status == "not_affected")
|
||||
then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
|
||||
because "Allow not_affected only from trusted vendors with strongest justification."
|
||||
}
|
||||
|
||||
rule temporary_quiet {
|
||||
when env.deployment == "canary"
|
||||
and severity.normalized == "Medium"
|
||||
then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
|
||||
because "Allow short canary quiet window while fix rolls out."
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user