# Serverless Policy Example (`serverless.stella`)

Optimised for short-lived serverless workloads: focus on runtime integrity, disallow vulnerable layers entirely, and permit temporary suppressions only with strict justification windows.

```dsl
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Aggressive blocking for serverless runtimes."
    tags = ["serverless","prod","strict"]
  }

  profile severity {
    env runtime_overrides {
      if env.runtime == "serverless" then +0.7
      if env.runtime == "batch" then +0.2
    }
  }

  rule block_any_high {
    when severity.normalized >= "High"
    then status := "blocked"
    because "Serverless workloads block High+ severities."
  }

  rule forbid_unpinned_base {
    when sbom.has_tag("image:latest-tag")
    then status := "blocked"
    because "Base image must be pinned (no :latest)."
  }

  rule zero_tolerance_vex {
    when vex.any(status == "not_affected")
    then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
    because "Allow not_affected only from trusted vendors with strongest justification."
  }

  rule temporary_quiet {
    when env.deployment == "canary"
         and severity.normalized == "Medium"
    then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
    because "Allow short canary quiet window while fix rolls out."
  }
}
```

## Commentary

- Designed for serverless tenants where redeploy cost is low and failing fast is preferred.
- `forbid_unpinned_base` enforces supply-chain best practices.
- `temporary_quiet` ensures quiet windows expire automatically; require deployments to set `env.quietUntil`.
- Intended to be layered on top of baseline (override per tenant) or used standalone for serverless-only accounts.

## Try it out

```bash
stella policy lint examples/policies/serverless.stella
stella policy simulate P-serverless --candidate 1 \
  --sbom sbom:lambda-hello --env runtime=serverless --env deployment=canary
```

## Compliance checklist

- [ ] Quiet window expirations tracked and documented.
- [ ] Trusted VEX vendor list reviewed quarterly.
- [ ] Deployment pipeline enforces pinned base images before approval.
- [ ] Canary deployments monitored for recurrence before ignoring Medium severity.
- [ ] Serverless teams acknowledge runbook for blocked deployments.

---

*Last updated: 2025-10-26.*