{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://stellaops.dev/predicates/policy-verdict@v1", "title": "StellaOps Policy Verdict Attestation Predicate", "description": "Predicate for DSSE-wrapped policy verdict attestations, providing cryptographically-bound proof of policy evaluation outcomes. This schema validates structure only: it does not verify the DSSE envelope signature, so consumers must verify the signature and check predicateType before trusting any field.", "type": "object", "required": [ "_type", "tenantId", "policyId", "policyVersion", "runId", "findingId", "evaluatedAt", "verdict", "ruleChain", "evidence" ], "properties": { "_type": { "type": "string", "const": "https://stellaops.dev/predicates/policy-verdict@v1", "description": "Predicate type identifier for policy verdicts; fixed to this schema's $id so consumers can reject mismatched predicates before interpreting the body" }, "tenantId": { "type": "string", "description": "Tenant identifier scoping this verdict", "pattern": "^[a-z0-9_-]+$" }, "policyId": { "type": "string", "description": "Policy identifier that issued this verdict", "pattern": "^P-[0-9]+$" }, "policyVersion": { "type": "integer", "description": "Policy version number", "minimum": 1 }, "runId": { "type": "string", "description": "Policy run identifier of the form run:<segment without ':'>:<YYYYMMDDThhmmssZ>:<lowercase alphanumeric>. Note the pattern is not end-anchored, so trailing characters after the final segment are accepted by validation; consumers that key on runId should normalize or reject such values.", "pattern": "^run:[^:]+:[0-9]{8}T[0-9]{6}Z:[a-z0-9]+" }, "findingId": { "type": "string", "description": "Finding identifier (SBOM component + vulnerability)", "pattern": "^finding:sbom:[^/]+/pkg:[^@]+@.+$" }, "evaluatedAt": { "type": "string", "format": "date-time", "description": "Timestamp when the verdict was evaluated, RFC 3339 / ISO-8601 date-time in UTC (e.g. 2024-01-31T12:00:00Z). 'format' is advisory in many validators, so consumers should parse it explicitly rather than rely on schema validation." }, "verdict": { "type": "object", "required": ["status", "severity", "score"], "properties": { "status": { "type": "string", "enum": ["passed", "warned", "blocked", "quieted", "ignored"], "description": "Final verdict status from policy evaluation" }, "severity": { "type": "string", "enum": ["critical", "high", "medium", "low", "info", "none"], "description": "Severity level assigned by policy" }, "score": { "type": "number", "minimum": 0, "maximum": 100, "description": "Numeric risk score (0-100)" }, "rationale": { "type": "string", "description": "Human-readable explanation of the verdict; free-form text, so escape it before rendering in a UI or writing it to logs" } } }, 
"ruleChain": { "type": "array", "description": "Ordered chain of policy rules evaluated, first to last; at least one entry is required", "minItems": 1, "items": { "type": "object", "required": ["ruleId", "action", "decision"], "properties": { "ruleId": { "type": "string", "description": "Policy rule identifier" }, "action": { "type": "string", "enum": ["allow", "warn", "block", "quiet", "ignore"], "description": "Action specified by rule" }, "decision": { "type": "string", "enum": ["matched", "skipped", "failed"], "description": "Outcome of evaluating this rule: matched, skipped, or failed" }, "score": { "type": "number", "description": "Score contribution from this rule; not range-constrained by this schema (may be negative or exceed 100), unlike verdict.score" } } } }, "evidence": { "type": "array", "description": "Evidence items considered during evaluation. The array is required but may be empty (no minItems), so consumers that expect supporting evidence for a verdict must check its length themselves.", "items": { "type": "object", "required": ["type", "reference", "source", "status"], "properties": { "type": { "type": "string", "enum": ["advisory", "vex", "reachability", "sbom", "policy", "custom"], "description": "Evidence type" }, "reference": { "type": "string", "description": "Evidence reference identifier (CVE, VEX ID, etc.)" }, "source": { "type": "string", "description": "Evidence source (nvd, ghsa, vendor, internal)" }, "status": { "type": "string", "description": "Evidence status. Free-form string, not constrained to an enum here (unlike vexImpacts.status); typically one of affected, not_affected, fixed, under_investigation, but consumers must tolerate other values." }, "digest": { "type": "string", "pattern": "^(sha256|sha384|sha512):[a-f0-9]+$", "description": "Content digest of the evidence artifact as <algorithm>:<lowercase hex>. The pattern does not enforce hex length, so consumers should check it matches the algorithm (64, 96 or 128 hex characters) before using it to fetch or compare artifacts." }, "weight": { "type": "number", "minimum": 0, "maximum": 1, "description": "Evidence weight in verdict calculation (0-1)" }, "metadata": { "type": "object", "description": "Additional evidence metadata; open-ended and not validated by this schema, so consumers should treat its contents as untrusted", "additionalProperties": true } } } }, 
"vexImpacts": { "type": "array", "description": "VEX statement impacts on verdict", "items": { "type": "object", "required": ["statementId", "provider", "status", "accepted"], "properties": { "statementId": { "type": "string", "description": "VEX statement identifier" }, "provider": { "type": "string", "description": "VEX statement provider (vendor, internal, third-party)" }, "status": { "type": "string", "enum": ["affected", "not_affected", "fixed", "under_investigation"], "description": "VEX assessment status" }, "accepted": { "type": "boolean", "description": "Whether policy accepted this VEX statement" }, "justification": { "type": "string", "description": "Justification for VEX impact on verdict; free-form text" } } } }, "reachability": { "type": "object", "description": "Reachability analysis results", "properties": { "status": { "type": "string", "enum": ["confirmed", "likely", "present", "unreachable", "unknown"], "description": "Reachability confidence tier" }, "paths": { "type": "array", "description": "Reachability paths from entrypoint to sink", "items": { "type": "object", "required": ["entrypoint", "sink"], "properties": { "entrypoint": { "type": "string", "description": "Entry point (API endpoint, CLI command, etc.)" }, "sink": { "type": "string", "description": "Vulnerable sink (function, method)" }, "confidence": { "type": "string", "enum": ["high", "medium", "low"], "description": "Path confidence level" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]+$", "description": "Path evidence digest as sha256:<lowercase hex>; hex length is not enforced by the pattern, so consumers should expect 64 characters" } } } } } }, "metadata": { "type": "object", "description": "Additional verdict metadata. additionalProperties is allowed, so unknown keys pass validation and are covered by the DSSE signature; consumers must not rely on them being absent or validated.", "properties": { "componentPurl": { "type": "string", "description": "Component package URL" }, "sbomId": { "type": "string", "description": "SBOM identifier" }, "traceId": { "type": "string", "description": "Distributed trace ID" }, "determinismHash": { "type": "string", "pattern": "^sha256:[a-f0-9]+$", "description": "Determinism hash of the verdict computation as sha256:<lowercase hex>; hex length is not enforced by the pattern, so consumers should expect 64 characters" } }, "additionalProperties": true } }, "additionalProperties": false }