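---
# Strict policy for serverless workloads.
# Quoted so "1.0" stays a string; unquoted it would parse as the float 1.0.
version: "1.0"

metadata:
  description: Strict policy for serverless workloads
  tags:
    - serverless
    - prod
    - strict

# Exception handling: which approval route may grant a suppression and
# for how long it may stay in force.
exceptions:
  effects:
    - id: suppress-canary
      name: Canary Freeze
      effect: suppress
      # Must match an `id` under routingTemplates below.
      routingTemplate: secops-approvers
      # Upper bound, in days, on the lifetime of a granted suppression.
      maxDurationDays: 14
  routingTemplates:
    - id: secops-approvers
      authorityRouteId: governance.secops
      # Approvers on this route must authenticate with MFA.
      requireMfa: true

# Rules appear in the order written. `action` is given either as a bare
# name (block) or as a mapping with `type` — presumably the engine accepts
# both forms; confirm against the policy schema.
rules:
  - name: Block High And Above
    severity: [High, Critical]
    action: block

  - name: Forbid Unpinned Base Images
    # Quoted so the ':' inside the tag cannot be taken for a mapping
    # separator by any parser; the value is one plain string.
    tags: ["image:latest-tag"]
    action: block

  - name: Require Trusted VEX
    action:
      type: require_vex
      # NOTE(review): requireVex is nested under action here, and the
      # vendor/justification lists presumably restrict which VEX statements
      # are trusted — confirm both against the schema.
      requireVex:
        vendors: [VendorX, VendorY]
        justifications: [component_not_present]

  - name: Quiet Medium Canary
    severity: [Medium]
    environments: [canary]
    action:
      type: ignore
      # Quoted so every loader sees a string: unquoted, YAML 1.1 loaders
      # (PyYAML, SnakeYAML defaults) turn this into a native timestamp
      # while YAML 1.2 loaders keep it as text.
      until: "2025-12-31T00:00:00Z"
      justification: "Temporary canary exception"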