git.stella-ops.org/policies/starter-day1/overrides/production.yaml

apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
  name: starter-day1-prod
  version: 1.0.0
  parent: starter-day1
  environment: production

spec:
  settings:
    defaultAction: block
    unknownsThreshold: 0.05
    requireSignedSbom: true
    requireSignedVerdict: true

  additionalRules:
    - name: require-approval-for-exceptions
      description: "Require approval for exceptions in production"
      action: block
      match:
        exceptionRequested: true
      message: "Exception approvals are required in production"