# Path-Level Reachability Gates Policy
# Sprint: SPRINT_20260112_007_POLICY_path_gate_inputs (PW-POL-003)
#
# Demonstrates path-level gates using pathHash, nodeHashes, and runtime freshness.
# Requires scanner path witness evidence with node hash fields.
#
# NOTE(review): the review comments below flag points to confirm against the
# policy engine's schema and evaluation semantics; none of them change a rule.
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
  name: path-gates-advanced
  version: 1.0.0
  description: |
    Advanced policy pack demonstrating path-level reachability gates.
    Uses pathHash, nodeHashes, and runtime evidence freshness for fine-grained control.
    Sprint: SPRINT_20260112_007_POLICY_path_gate_inputs
spec:
  settings:
    # NOTE(review): presumably applied when no rule below matches. With a `warn`
    # default, any finding that falls through every rule is never blocked —
    # confirm that is the intended failure mode for a deployment gate.
    defaultAction: warn
    # NOTE(review): overlaps with the `warn-missing-path-witness` rule below,
    # which only warns on a missing pathHash; confirm which of the two is
    # authoritative when a witness is absent.
    requirePathWitness: true
    # Evidence older than this is treated as stale by
    # `require-fresh-runtime-evidence`.
    runtimeFreshnessMaxHours: 24
    # Symbolic entrypoint names.
    # NOTE(review): `allow-trusted-entrypoints` compares these against
    # `entryNodeHash`, while every other node/path identifier in this file is a
    # `sha256:` digest (see `variables`). If entryNodeHash really is a hash, that
    # rule can never match — confirm the field/format the engine expects here.
    # NOTE(review): "api.handler" and "web.controller" read as network-facing
    # entrypoints; a reachability gate normally treats paths from those as the
    # most exposed, not the most trusted. Confirm "trusted" means "reviewed",
    # not "not reachable by attacker input".
    trustedEntrypoints:
      - "main"
      - "api.handler"
      - "web.controller"
  # NOTE(review): comments on the rules assume higher `priority` is evaluated
  # first and the first matching rule decides, so a low-priority `allow` cannot
  # override a higher-priority `block`. Confirm against the engine; if all
  # matching rules are combined instead, re-check both `allow` rules below.
  rules:
    # Block if a specific vulnerable path is reachable and confirmed at runtime
    - name: block-runtime-confirmed-path
      description: "Block paths confirmed reachable at runtime with CRITICAL vulns"
      priority: 100
      match:
        severity: CRITICAL
        reachability:
          status: reachable
          observedAtRuntime: true
      action: block
      message: "Runtime-confirmed reachable path to CRITICAL {cve} via {pathHash}"

    # Require fresh runtime evidence for high-severity findings
    - name: require-fresh-runtime-evidence
      description: "Require runtime evidence younger than threshold for HIGH vulns"
      priority: 95
      match:
        severity: HIGH
        reachability:
          status: reachable
          pathHash:
            exists: true
          # `gt` selects evidence OLDER than the threshold, i.e. the stale case.
          # NOTE(review): the `h` suffix is appended to the interpolated number;
          # confirm the engine accepts a `24h` duration literal in this position.
          runtimeEvidenceAge:
            gt: ${settings.runtimeFreshnessMaxHours}h
      # Stale evidence only warns: a reachable HIGH whose runtime evidence has
      # aged out is not blocked by this pack.
      action: warn
      message: "Runtime evidence for {cve} is stale ({runtimeEvidenceAge} hours old)"

    # Allow paths with trusted entry nodes
    - name: allow-trusted-entrypoints
      description: "Allow paths starting from trusted entrypoints"
      priority: 90
      match:
        severity:
          - MEDIUM
          - LOW
        reachability:
          status: reachable
          # NOTE(review): see the comment on `settings.trustedEntrypoints` —
          # symbolic names are compared against a field named as a hash.
          entryNodeHash:
            in: ${settings.trustedEntrypoints}
      action: allow
      # Allow decisions are logged so they leave an audit trail; the other allow
      # rule in this pack (`allow-pinned-safe-paths`) does not set this.
      log: true
      message: "Vulnerability {cve} reachable from trusted entrypoint - allowed"

    # Block paths with specific node hashes in critical code areas
    - name: block-critical-node-paths
      description: "Block paths through critical code nodes"
      priority: 85
      match:
        severity:
          - CRITICAL
          - HIGH
        # NOTE(review): no `status:` constraint, unlike the other path rules —
        # any CRITICAL/HIGH path touching one of these nodes blocks regardless of
        # reachability status. Presumably intentional for auth/payment/export
        # code; confirm.
        reachability:
          nodeHashes:
            contains_any:
              - ${critical.authentication_handler}
              - ${critical.payment_processor}
              - ${critical.data_exporter}
      action: block
      message: "Vulnerability {cve} path traverses critical node {matchedNodeHash}"

    # Warn if path witness is missing for reachable findings
    - name: warn-missing-path-witness
      description: "Warn when reachable finding lacks path witness"
      priority: 80
      match:
        severity:
          - CRITICAL
          - HIGH
          - MEDIUM
        reachability:
          status: reachable
          pathHash:
            exists: false
      # NOTE(review): only warns. `block-runtime-confirmed-path` needs
      # observedAtRuntime and `block-critical-node-paths` needs a critical node
      # hash, so a reachable CRITICAL with no witness and neither of those ends
      # here and is not blocked. Consider `block` for CRITICAL in this case.
      action: warn
      message: "Reachable {cve} lacks path witness - reanalysis recommended"

    # Aggregate gate: block if too many runtime-confirmed paths
    - name: fail-on-runtime-confirmed-count
      description: "Block deployment if too many runtime-confirmed vulns"
      priority: 75
      type: aggregate
      match:
        # The threshold is repeated literally in `message` below; keep the two in
        # sync (or lift it into `settings` like runtimeFreshnessMaxHours).
        runtimeConfirmedCount:
          gt: 5
      action: block
      message: "Too many runtime-confirmed vulnerabilities ({runtimeConfirmedCount} > 5)"

    # Allow paths not observed at runtime with reduced confidence
    # NOTE(review): despite the `allow-` name, this rule's action is `warn`.
    - name: allow-static-only-paths
      description: "Allow static-only reachable paths with warning"
      priority: 70
      match:
        severity:
          - HIGH
          - MEDIUM
        reachability:
          status: reachable
          observedAtRuntime: false
          # Low-confidence static paths only; higher-confidence static-only HIGH
          # findings are not matched here and fall through to later rules or
          # `defaultAction`.
          confidence:
            lt: 0.7
      action: warn
      message: "Static-only path to {cve} (confidence {confidence}) - review recommended"

    # Path hash pinning: allow specific known-safe paths
    - name: allow-pinned-safe-paths
      description: "Allow paths matching known-safe path hashes"
      priority: 65
      match:
        # NOTE(review): no severity filter — a pinned hash allows any severity,
        # including CRITICAL, that no higher-priority rule caught. Consider a
        # severity ceiling, and `log: true` as in `allow-trusted-entrypoints`.
        # Nothing here expires an entry, so re-review the allowlist on a schedule.
        reachability:
          pathHash:
            in: ${known_safe_paths}
      action: allow
      message: "Path {pathHash} matches known-safe path - allowed"

  # Variables for path hash references
  # NOTE(review): these values look like placeholders, not real digests. Until
  # they are replaced, `block-critical-node-paths` will never match a real
  # nodeHashes list and `allow-pinned-safe-paths` will never fire.
  variables:
    critical:
      authentication_handler: "sha256:auth-handler-node-hash"
      payment_processor: "sha256:payment-proc-node-hash"
      data_exporter: "sha256:data-export-node-hash"
    known_safe_paths:
      - "sha256:validated-path-1"
      - "sha256:validated-path-2"