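---
# Scanner policy document. Top-level keys: version, metadata, rules.
# Values are kept exactly as authored; only layout and comments were added.
version: "1.0"

metadata:
  description: Strict policy for serverless workloads
  tags:
    - serverless
    - prod
    - strict

# Rules are a sequence. Whether order implies precedence (e.g. whether the
# canary ignore below could override an earlier block) depends on the consuming
# policy engine — NOTE(review): confirm before relying on rule order.
rules:
  # Findings rated High or Critical are blocked outright.
  - name: Block High And Above
    severity: [High, Critical]
    action: block

  # Quoted because the scalar contains a colon inside a flow sequence, which
  # some YAML parsers split or reject; the value itself is unchanged.
  - name: Forbid Unpinned Base Images
    tags: ['image:latest-tag']
    action: block

  # Requires a VEX statement for the finding; the listed vendors and the
  # single listed justification presumably bound what is accepted — confirm
  # against the engine's require_vex schema.
  - name: Require Trusted VEX
    action:
      type: require_vex
      requireVex:
        vendors: [VendorX, VendorY]
        justifications: [component_not_present]

  # Time-boxed exception: Medium findings are ignored only in the canary
  # environment and only until the `until` timestamp, with a justification
  # recorded. `until` is left unquoted so a generic YAML loader yields a
  # timestamp — NOTE(review): confirm whether the engine expects a timestamp
  # or a string here, and quote it if the latter.
  - name: Quiet Medium Canary
    severity: [Medium]
    environments: [canary]
    action:
      type: ignore
      until: 2025-12-31T00:00:00Z
      justification: "Temporary canary exception"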