policy "Baseline Production Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Block critical, escalate high, enforce VEX justifications."
    tags = ["baseline","production"]
  }
  profile severity {
    map vendor_weight {
      source "GHSA" => +0.5
      source "OSV" => +0.0
      source "VendorX" => -0.2
    }
    env exposure_adjustments {
      if env.exposure == "internet" then +0.5
      if env.runtime == "legacy" then +0.3
    }
  }
  rule block_critical priority 5 {
    when severity.normalized >= "Critical"
    then status := "blocked"
    because "Critical severity must be remediated before deploy."
  }
  rule escalate_high_internet {
    when severity.normalized == "High"
         and env.exposure == "internet"
    then escalate to severity_band("Critical")
    because "High severity on internet-exposed asset escalates to critical."
  }
  rule require_vex_justification {
    when vex.any(status in ["not_affected","fixed"])
         and vex.justification in ["component_not_present","vulnerable_code_not_present"]
    then status := vex.status
         annotate winning_statement := vex.latest().statementId
    because "Respect strong vendor VEX claims."
  }
  rule alert_warn_eol_runtime priority 1 {
    when severity.normalized <= "Medium"
         and sbom.has_tag("runtime:eol")
    then warn message "Runtime marked as EOL; upgrade recommended."
    because "Deprecated runtime should be upgraded."
  }
}