stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
0b5d786ddb2a931f12721c9394b05c4e8045de53
git.stella-ops.org/policies/secret-detection.policy.yaml
Codex Assistant 0b5d786ddb warnings fixes, tests fixes, sprints completions
2026-01-08 08:38:27 +02:00

88 lines
3.4 KiB
YAML
Raw Blame History

# Secret Leak Detection Policy Pack
# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
#
# This policy pack enforces security gates based on secret leak detection findings.
# Uses signals from SecretSignalBinder for policy evaluation.
#
# Available signals:
# secret.has_finding - true if any secret finding exists
# secret.count - total number of findings
# secret.severity.critical - true if any critical finding exists
# secret.severity.high - true if any high severity finding exists
# secret.severity.medium - true if any medium severity finding exists
# secret.severity.low - true if any low severity finding exists
# secret.confidence.high - true if any high confidence finding exists
# secret.confidence.medium - true if any medium confidence finding exists
# secret.confidence.low - true if any low confidence finding exists
# secret.mask.applied - true if masking was applied to all findings
# secret.bundle.version - the active bundle version string
# secret.bundle.id - the active bundle ID
name: secret-detection-gates
version: 1.0.0
description: |
Security gates for secret leak detection.
Blocks deployments when critical or high-severity secrets are detected.
rules:
# Block on any critical severity secret (private keys, service account keys, etc.)
- id: block-critical-secrets
description: Block deployment when critical secrets are detected
severity: critical
when:
signal: secret.severity.critical
equals: true
deny_message: |
CRITICAL: Secrets with critical severity detected.
Review findings and rotate any exposed credentials before proceeding.
Common causes: Private keys, GCP service account keys, Stripe secret keys.
# Block on high severity secrets with high confidence (real credentials)
- id: block-high-confidence-secrets
description: Block deployment when high-confidence high-severity secrets are detected
severity: high
when:
all:
- signal: secret.severity.high
equals: true
- signal: secret.confidence.high
equals: true
deny_message: |
HIGH: High-confidence secrets detected with high severity.
These are likely real credentials. Review and remediate before deployment.
# Warn on medium severity secrets (potential API keys, passwords)
- id: warn-medium-secrets
description: Warn when medium-severity secrets are detected
severity: medium
when:
signal: secret.severity.medium
equals: true
warn_message: |
WARNING: Medium-severity secrets detected.
Review findings to confirm they are not false positives.
Consider adding legitimate patterns to the exception list.
# Warn when any secrets are found (informational)
- id: info-any-secrets
description: Log when any secrets are detected
severity: low
when:
signal: secret.has_finding
equals: true
info_message: |
Secret detection found {{secret.count}} potential secret(s).
Review the findings in the scan results.
# Ensure masking is applied before allowing export
- id: require-masking
description: Block export if masking was not applied
severity: high
context: export
when:
signal: secret.mask.applied
equals: false
deny_message: |
BLOCKED: Secrets must be masked before export.
Ensure revelation policy is not set to FullReveal for exports.
Reference in New Issue View Git Blame Copy Permalink