---
# Baseline production policy. Each entry under `rules` pairs selector fields
# (severity, environments, sources, tags) with an action.
# NOTE(review): no rule here selects High findings outside `internet`, or
# Low/Medium findings without the EOL tag. What the engine does with findings
# that match no rule is not defined in this file; confirm the default.

# Quoted so the value stays the string "1.0" instead of being read as a float.
version: "1.0"

metadata:
  description: Baseline production policy
  tags:
    - baseline
    - production

rules:
  # Critical findings are blocked outright.
  - name: Block Critical
    severity:
      - Critical
    action: block

  # High findings in the `internet` environment are escalated, with
  # minimumSeverity set to Critical.
  # NOTE(review): presumably the escalated finding is then treated as at least
  # Critical; whether it is re-evaluated against "Block Critical" depends on
  # the engine's evaluation order. Confirm.
  - name: Escalate High Internet
    severity:
      - High
    environments:
      - internet
    action:
      type: escalate
      escalate:
        minimumSeverity: Critical

  # Findings sourced from NVD or GHSA carry a requireVex action. This rule has
  # no severity selector, so as written it is not limited to any severity.
  # NOTE(review): VendorX / VendorY look like placeholder names. The vendor
  # list decides whose VEX statements are accepted, so confirm it names real,
  # trusted issuers before this policy is used in production.
  - name: Require VEX justification
    sources:
      - NVD
      - GHSA
    action:
      type: requireVex
      requireVex:
        vendors:
          - VendorX
          - VendorY
        # Only these two justification codes are listed as acceptable.
        justifications:
          - component_not_present
          - vulnerable_code_not_present

  # Low/Medium findings tagged runtime:eol produce a warning.
  # NOTE(review): this is the only rule with an explicit `priority`; how
  # priority interacts with file order is not shown here. Confirm.
  - name: Alert warn EOL runtime
    priority: 1
    severity:
      - Low
      - Medium
    # Quoted because the value contains a colon; it is still one string.
    tags:
      - 'runtime:eol'
    action: warn