{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://stellaops.io/schemas/opa/policy-input.json", "title": "Stella OPA Policy Input Schema", "description": "Input schema for OPA/Rego CVE gating policies", "type": "object", "required": ["attestation", "cve_findings", "environment"], "properties": { "attestation": { "type": "object", "description": "Attestation data including DSSE envelope and Rekor entry", "required": ["dsse_envelope"], "properties": { "dsse_envelope": { "type": "object", "description": "DSSE envelope containing signed statement", "required": ["payloadType", "payload", "signatures"], "properties": { "payloadType": { "type": "string", "description": "DSSE payload type URI", "examples": ["application/vnd.in-toto+json"] }, "payload": { "type": "string", "description": "Base64-encoded payload (in-toto statement)" }, "signatures": { "type": "array", "items": { "type": "object", "required": ["keyid", "sig"], "properties": { "keyid": { "type": "string", "description": "Key identifier" }, "sig": { "type": "string", "description": "Base64-encoded signature" } } } } } }, "rekor_entry": { "type": "object", "description": "Rekor transparency log entry (optional)", "properties": { "log_index": { "type": "integer", "description": "Rekor log index" }, "log_id": { "type": "string", "description": "Rekor log ID (base64 SHA256)" }, "integrated_time": { "type": "integer", "description": "Unix timestamp of log inclusion" }, "inclusion_proof": { "type": "object", "properties": { "root_hash": { "type": "string" }, "tree_size": { "type": "integer" }, "hashes": { "type": "array", "items": { "type": "string" } } } } } }, "trusted_keys": { "type": "array", "description": "List of trusted signing key IDs", "items": { "type": "string" } } } }, "cve_findings": { "type": "array", "description": "CVE findings from scan results", "items": { "type": "object", "required": ["cve_id"], "properties": { "cve_id": { "type": "string", "pattern": "^CVE-\\d{4}-\\d{4,}$", 
"description": "CVE identifier" }, "cvss_score": { "type": "number", "minimum": 0, "maximum": 10, "description": "CVSS v3 base score" }, "severity": { "type": "string", "enum": ["critical", "high", "medium", "low", "unknown"], "description": "Severity classification" }, "epss_score": { "type": "number", "minimum": 0, "maximum": 1, "description": "EPSS exploitation probability (0-1)" }, "epss_percentile": { "type": "number", "minimum": 0, "maximum": 100, "description": "EPSS percentile (0-100)" }, "is_kev": { "type": "boolean", "description": "Whether the CVE is listed in the CISA KEV catalog" }, "kev_due_date": { "type": "string", "format": "date", "description": "KEV remediation due date (YYYY-MM-DD)" }, "is_reachable": { "type": "boolean", "description": "Whether the vulnerable code is reachable" }, "reachability_state": { "type": "string", "enum": ["confirmed_reachable", "runtime_observed", "statically_reachable", "not_reachable", "unknown"], "description": "Detailed reachability state" }, "is_suppressed": { "type": "boolean", "description": "Whether the CVE is suppressed or covered by an exception" }, "package_name": { "type": "string", "description": "Affected package name" }, "package_version": { "type": "string", "description": "Affected package version" }, "fix_available": { "type": "boolean", "description": "Whether a fix is available" }, "fixed_version": { "type": "string", "description": "Version containing the fix" } } } }, "baseline_cve_findings": { "type": "array", "description": "CVE findings from the baseline release (used for delta comparison)", "items": { "$ref": "#/properties/cve_findings/items" } }, "environment": { "type": "string", "description": "Target deployment environment", "examples": ["development", "staging", "production"] }, "release": { "type": "object", "description": "Release metadata", "properties": { "id": { "type": "string" }, "version": { "type": "string" }, "image_digest": { "type": "string" }, "baseline_digest": { "type": "string" } } }, "config": { "type": "object", 
"description": "Policy configuration", "properties": { "epss_threshold": { "type": "number", "description": "EPSS score threshold (0-1)" }, "epss_percentile_threshold": { "type": "number", "description": "EPSS percentile threshold (0-100)" }, "severity_threshold": { "type": "number", "description": "CVSS base score threshold" }, "max_critical": { "type": "integer", "description": "Maximum number of critical CVEs allowed" }, "max_high": { "type": "integer", "description": "Maximum number of high CVEs allowed" }, "max_medium": { "type": "integer", "description": "Maximum number of medium CVEs allowed" }, "max_low": { "type": "integer", "description": "Maximum number of low CVEs allowed" }, "max_total": { "type": "integer", "description": "Maximum total number of CVEs allowed" }, "require_rekor": { "type": "boolean", "description": "Require a Rekor transparency log anchor for attestations" }, "count_suppressed": { "type": "boolean", "description": "Include suppressed CVEs in counts" }, "only_reachable": { "type": "boolean", "description": "Only evaluate reachable CVEs" }, "environments": { "type": "object", "description": "Per-environment configuration overrides", "additionalProperties": { "$ref": "#/properties/config" } } } }, "current_time": { "type": "string", "format": "date-time", "description": "Current evaluation timestamp (ISO 8601)" } } }