# Policy Gates

Policy gates are automated checks that evaluate release candidates against configurable security criteria. Each gate produces a pass/fail result with detailed reasoning for policy decisions.

## CVE-Aware Gates

| Gate | ID | Description |
|------|-----|-------------|
| [EPSS Threshold](epss-threshold.md) | `epss-threshold` | Blocks CVEs above the EPSS probability threshold |
| [KEV Blocker](kev-blocker.md) | `kev-blocker` | Blocks CVEs in the CISA Known Exploited Vulnerabilities catalog |
| [Reachable CVE](reachable-cve.md) | `reachable-cve` | Blocks only CVEs with reachable code paths |
| [CVE Delta](cve-delta.md) | `cve-delta` | Blocks releases introducing new high-severity CVEs vs. baseline |
| [Release Aggregate CVE](release-aggregate-cve.md) | `release-aggregate-cve` | Enforces aggregate CVE count limits per release |

## Gate Configuration

Gates are configured via `appsettings.json` under the `Policy:Gates` section:

```json
{
  "Policy": {
    "Gates": {
      "EpssThreshold": {
        "Enabled": true,
        "Threshold": 0.6
      },
      "KevBlocker": {
        "Enabled": true,
        "AllowGracePeriod": true,
        "GracePeriodDays": 14
      },
      "ReachableCve": {
        "Enabled": true,
        "SeverityThreshold": 7.0
      },
      "CveDelta": {
        "Enabled": true,
        "NewCveSeverityThreshold": 7.0,
        "OnlyBlockReachable": false
      },
      "ReleaseAggregateCve": {
        "Enabled": true,
        "MaxCritical": 0,
        "MaxHigh": 3,
        "MaxMedium": 20
      }
    }
  }
}
```

## Environment Overrides

Each gate supports per-environment configuration overrides. Keys in an environment block replace the gate's base values for that environment only; keys not mentioned keep their base value:

```json
{
  "Policy": {
    "Gates": {
      "CveDelta": {
        "Enabled": true,
        "NewCveSeverityThreshold": 7.0,
        "Environments": {
          "development": {
            "Enabled": false
          },
          "staging": {
            "NewCveSeverityThreshold": 9.0
          },
          "production": {
            "NewCveSeverityThreshold": 7.0,
            "OnlyBlockReachable": true
          }
        }
      }
    }
  }
}
```

## DI Registration

Register all CVE gates:

```csharp
services.AddCvePolicyGates(configuration);
```

Or register individual gates:

```csharp
services.AddEpssThresholdGate(configuration);
services.AddKevBlockerGate(configuration);
services.AddReachableCveGate(configuration);
services.AddCveDeltaGate(configuration);
services.AddReleaseAggregateCveGate(configuration);
```

## Gate Results

All gates return a `GateResult` containing:

- `GateName`: Gate identifier
- `Passed`: Boolean pass/fail status
- `Reason`: Human-readable explanation
- `Details`: Additional metadata (warnings, counts, etc.)

---

*Last updated: 2026-01-19.*
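The following is an added example, not code from the project itself, tying together the environment-override layout and the gate-result shape described on this page. It resolves the effective settings of the `ReleaseAggregateCve` gate for a given environment (base keys first, environment keys overwriting them) and then evaluates constructed CVE counts against those limits, returning a result with the four fields the page lists. The JSON fragment, the `GateResult` record, `ResolveGateSettings` and `EvaluateReleaseAggregateCve` are all assumptions made for illustration; the project's real binding goes through `appsettings.json` and the DI registrations above, not through `System.Text.Json` as here.

```csharp
// Added example (not the project's own code). Only the setting names
// come from the page; the types and methods below are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Hypothetical result type, modelled on the GateResult fields listed on the page.
public record GateResult(string GateName, bool Passed, string Reason,
                         IReadOnlyDictionary<string, object> Details);

public static class PolicyGateDemo
{
    // Constructed configuration fragment mirroring the Policy:Gates layout.
    const string ConfigJson = """
    {
      "Policy": {
        "Gates": {
          "ReleaseAggregateCve": {
            "Enabled": true,
            "MaxCritical": 0,
            "MaxHigh": 3,
            "MaxMedium": 20,
            "Environments": {
              "development": { "Enabled": false },
              "staging":     { "MaxHigh": 10 },
              "production":  { "MaxHigh": 0 }
            }
          }
        }
      }
    }
    """;

    // Effective settings for one gate in one environment: start from the gate's
    // base keys, then let the matching Environments block overwrite them.
    public static Dictionary<string, JsonElement> ResolveGateSettings(JsonElement gate, string environment)
    {
        var effective = gate.EnumerateObject()
            .Where(p => p.Name != "Environments")
            .ToDictionary(p => p.Name, p => p.Value, StringComparer.OrdinalIgnoreCase);

        if (gate.TryGetProperty("Environments", out var envs) &&
            envs.TryGetProperty(environment, out var overrides))
        {
            foreach (var p in overrides.EnumerateObject())
                effective[p.Name] = p.Value; // environment value wins over the base value
        }
        return effective;
    }

    // Evaluate the aggregate-count gate: every severity bucket must stay within its limit.
    public static GateResult EvaluateReleaseAggregateCve(Dictionary<string, JsonElement> s,
                                                         int critical, int high, int medium)
    {
        var details = new Dictionary<string, object>
        {
            ["critical"] = critical, ["high"] = high, ["medium"] = medium
        };

        if (!s["Enabled"].GetBoolean())
            return new GateResult("release-aggregate-cve", true, "Gate disabled for this environment", details);

        var violations = new List<string>();
        if (critical > s["MaxCritical"].GetInt32()) violations.Add($"critical {critical} > {s["MaxCritical"].GetInt32()}");
        if (high     > s["MaxHigh"].GetInt32())     violations.Add($"high {high} > {s["MaxHigh"].GetInt32()}");
        if (medium   > s["MaxMedium"].GetInt32())   violations.Add($"medium {medium} > {s["MaxMedium"].GetInt32()}");

        return violations.Count == 0
            ? new GateResult("release-aggregate-cve", true, "Aggregate CVE counts within limits", details)
            : new GateResult("release-aggregate-cve", false, "Limits exceeded: " + string.Join("; ", violations), details);
    }

    public static void Main()
    {
        using var doc = JsonDocument.Parse(ConfigJson);
        var gateConfig = doc.RootElement.GetProperty("Policy").GetProperty("Gates")
                                        .GetProperty("ReleaseAggregateCve");

        // Constructed release candidate: 0 critical, 2 high, 5 medium CVEs.
        foreach (var env in new[] { "development", "staging", "production" })
        {
            var settings = ResolveGateSettings(gateConfig, env);
            var result = EvaluateReleaseAggregateCve(settings, critical: 0, high: 2, medium: 5);
            Console.WriteLine($"{env,-12} passed={result.Passed,-5} reason={result.Reason}");
        }
    }
}
```

With the constructed candidate, the same counts yield three different decisions: `development` passes because its override disables the gate, `staging` passes because its `MaxHigh` override raises the limit to 10, and `production` fails because its override lowers `MaxHigh` to 0 while the base `MaxCritical` and `MaxMedium` values still apply. The `Reason` string names the exceeded bucket so the failing limit is visible in the gate output rather than buried in the configuration.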