stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(secrets): Implement secret leak policies and signal binding

Browse Source 
- Added `spl-secret-block@1.json` to block deployments with critical or high severity secret findings.
- Introduced `spl-secret-warn@1.json` to warn on secret findings without blocking deployments.
- Created `SecretSignalBinder.cs` to bind secret evidence to policy evaluation signals.
- Developed unit tests for `SecretEvidenceContext` and `SecretSignalBinder` to ensure correct functionality.
- Enhanced `SecretSignalContextExtensions` to integrate secret evidence into signal contexts.
This commit is contained in:
StellaOps Bot
2026-01-04 15:44:49 +02:00
parent 1f33143bd1
commit f7d27c6fda
44 changed files with 2406 additions and 1107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
docs/modules/policy/secret-leak-detection-readiness.md
View File

@@ -23,20 +23,67 @@
- Rule bundles, signature manifests, and validator hash lists ship with Offline Kit; rule updates must be signed and versioned to preserve determinism.
## 3. Policy Engine considerations
- **New predicates**
- `secret.hasFinding(ruleId?, severity?, confidence?)`
- `secret.bundle.version(requiredVersion)`
- `secret.mask.applied` (bool) — verify masking for high severity hits.
- `secret.path.allowlist` — tenant-configured allow list keyed by digest/path.
- **Lattice weight suggestions**
- High severity & high confidence → escalate to `block` unless waived.
- Low confidence → default to `warn` with optional escalation when multiple matches occur (`secret.match.count >= N`).
- **Waiver workflow**
- Reuse VEX-first lattice approach: require attach of remediation note, ticket reference, and expiration date.
- Ensure waivers attach rule version so upgraded rules re-evaluate automatically.
- **Masking / privacy**
- Minimum masking: first and last 2 characters retained; remainder replaced with `*`.
- Persist masked payload only; full value never leaves scanner context.
### 3.1 Implemented predicates (SPRINT_20260104_004_POLICY)
The following secret-related signals are now available via `StellaOps.PolicyDsl.SignalContext`:
| Signal | Type | Description |
|--------|------|-------------|
| `secret.has_finding` | bool | True if any secret finding exists |
| `secret.count` | int | Total number of secret findings |
| `secret.severity.critical` | bool | True if any critical severity finding exists |
| `secret.severity.high` | bool | True if any high severity finding exists |
| `secret.severity.medium` | bool | True if any medium severity finding exists |
| `secret.severity.low` | bool | True if any low severity finding exists |
| `secret.confidence.high` | bool | True if any high confidence finding exists |
| `secret.confidence.medium` | bool | True if any medium confidence finding exists |
| `secret.confidence.low` | bool | True if any low confidence finding exists |
| `secret.mask.applied` | bool | True if masking was applied to all findings |
| `secret.bundle.version` | string | Active bundle version (YYYY.MM format) |
| `secret.bundle.id` | string | Active bundle identifier |
| `secret.bundle.rule_count` | int | Number of rules in the active bundle |
| `secret.bundle.signer_key_id` | string | Key ID used to sign the bundle |
| `secret.aws.count` | int | Count of AWS-related secret findings |
| `secret.github.count` | int | Count of GitHub-related secret findings |
| `secret.private_key.count` | int | Count of private key findings |
### 3.2 Usage in SPL policies
```json
{
"conditions": [
{ "field": "secret.severity.critical", "operator": "eq", "value": true },
{ "field": "secret.bundle.version", "operator": "gte", "value": "2025.01" }
]
}
```
See example policies in `src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-secret-block@1.json` and `spl-secret-warn@1.json`.
### 3.3 Integration with SignalContext
```csharp
using StellaOps.Policy.Secrets;
using StellaOps.PolicyDsl;
// Add secret evidence to policy evaluation
var signalContext = SignalContext.Builder()
.WithSecretEvidence(secretEvidenceProvider)
.Build();
```
### 3.4 Lattice weight suggestions
- High severity & high confidence: escalate to `block` unless waived.
- Low confidence: default to `warn` with optional escalation when multiple matches occur (`secret.match.count >= N`).
### 3.5 Waiver workflow
- Reuse VEX-first lattice approach: require attach of remediation note, ticket reference, and expiration date.
- Ensure waivers attach rule version so upgraded rules re-evaluate automatically.
### 3.6 Masking / privacy
- Minimum masking: first and last 2 characters retained; remainder replaced with `*`.
- Persist masked payload only; full value never leaves scanner context.
## 4. Security guardrails
- Rule bundle signing: Signer issues DSSE envelope for each ruleset; Policy must verify signature before enabling new bundle.
@@ -62,16 +109,18 @@
### Decision tracker
| Decision | Owner(s) | Target date | Status |
| --- | --- | --- | --- |
| Masking depth (paths vs payloads) | Security Guild | 2025-11-10 | Pending — workshop aligned with Northwind demo |
| Masking depth (paths vs payloads) | Security Guild | 2025-11-10 | Pending |
| Telemetry retention granularity | Policy + Observability Guild | 2025-11-10 | Pending |
| Default rule bundles (cloud creds/SSH/JWT) | Security Guild | 2025-11-10 | Draft proposals under review |
| Tenant override format | Policy Guild | 2025-11-10 | Pending |
| Policy predicates implementation | Policy Guild | 2026-01-04 | **DONE** (SPRINT_20260104_004_POLICY) |
## 7. Next steps
1. Policy Guild drafts predicate specs + policy templates (map to DOCS-SCANNER-BENCH-62-007 exit criteria).
1. ~~Policy Guild drafts predicate specs + policy templates~~ **DONE** — See `spl-secret-block@1.json`, `spl-secret-warn@1.json`.
2. Security Guild reviews signing + masking requirements; align with Surface.Secrets roadmap.
3. Docs Guild (this task) continues maintaining `docs/benchmarks/scanner/deep-dives/secrets.md` with finalized rule taxonomy and references.
3. Docs Guild continues maintaining `docs/benchmarks/scanner/deep-dives/secrets.md` with finalized rule taxonomy and references.
4. Engineering provides prototype fixture outputs for review once SCANNER-ENG-0007 spikes begin.
5. **NEW**: Integration testing between Scanner.Analyzers.Secrets and Policy DSL signals.
## Coordination