git.stella-ops.org/docs/modules/policy/gates/README.md

Policy Gates

Policy gates are automated checks that evaluate release candidates against configurable security criteria. Each gate produces a pass/fail result with detailed reasoning for policy decisions.

CVE-Aware Gates

| Gate | ID | Description |
|------|----|-------------|
| EPSS Threshold | epss-threshold | Blocks CVEs above the EPSS probability threshold |
| KEV Blocker | kev-blocker | Blocks CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog |
| Reachable CVE | reachable-cve | Blocks only CVEs with reachable code paths |
| CVE Delta | cve-delta | Blocks releases that introduce new high-severity CVEs relative to a baseline |
| Release Aggregate CVE | release-aggregate-cve | Enforces aggregate CVE count limits per release |

Gate Configuration

Gates are configured via appsettings.json under the Policy:Gates section:

{
  "Policy": {
    "Gates": {
      "EpssThreshold": {
        "Enabled": true,
        "Threshold": 0.6
      },
      "KevBlocker": {
        "Enabled": true,
        "AllowGracePeriod": true,
        "GracePeriodDays": 14
      },
      "ReachableCve": {
        "Enabled": true,
        "SeverityThreshold": 7.0
      },
      "CveDelta": {
        "Enabled": true,
        "NewCveSeverityThreshold": 7.0,
        "OnlyBlockReachable": false
      },
      "ReleaseAggregateCve": {
        "Enabled": true,
        "MaxCritical": 0,
        "MaxHigh": 3,
        "MaxMedium": 20
      }
    }
  }
}
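The following is an added example, not Stella Ops code: it implements the five gates from the table above as plain functions and runs them over a constructed set of findings using the thresholds from the configuration just shown. The Finding record, the gate method signatures, the comparison directions (EPSS strictly above the threshold, CVSS at or above it) and the CVSS v3.x bands used for the aggregate counts (Critical 9.0+, High 7.0-8.9, Medium 4.0-6.9) are assumptions made for this example; only the GateResult shape follows the "Gate Results" section of this page. Targets .NET 6 or later.

```csharp
// Added example, not Stella Ops code: the five CVE-aware gates evaluated over a
// constructed set of findings with the thresholds from the configuration above.
// Finding, the gate signatures and the CVSS bands are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Linq;

// One CVE observed in a release candidate (constructed shape, not the project's model).
public record Finding(string Cve, double Cvss, double Epss, bool InKev, DateOnly? KevAdded, bool Reachable);

// The result shape described in the "Gate Results" section.
public record GateResult(string GateName, bool Passed, string Reason, IReadOnlyDictionary<string, object> Details);

public static class CveGates
{
    // Builds a GateResult that fails when the blocking list is non-empty; extra entries land in Details.
    static GateResult Make(string gate, List<string> blocking, string ok, params (string Key, object Value)[] extra)
    {
        var details = extra.ToDictionary(d => d.Key, d => d.Value);
        details["blocking"] = blocking;
        return new GateResult(gate, blocking.Count == 0,
            blocking.Count == 0 ? ok : $"{blocking.Count} blocking CVE(s): {string.Join(", ", blocking)}", details);
    }

    // epss-threshold: any CVE whose EPSS probability exceeds the threshold blocks.
    public static GateResult EpssThreshold(IEnumerable<Finding> findings, double threshold) =>
        Make("epss-threshold", findings.Where(f => f.Epss > threshold).Select(f => f.Cve).ToList(),
             $"no CVE above EPSS {threshold}");

    // kev-blocker: CVEs in the KEV catalog block, except that with the grace period enabled a CVE
    // added to the catalog fewer than GracePeriodDays ago is reported as a warning instead.
    public static GateResult KevBlocker(IEnumerable<Finding> findings, DateOnly today, bool allowGrace, int graceDays)
    {
        bool InGrace(Finding f) => allowGrace && f.KevAdded is DateOnly added && today.DayNumber - added.DayNumber < graceDays;
        var kev = findings.Where(f => f.InKev).ToList();
        return Make("kev-blocker", kev.Where(f => !InGrace(f)).Select(f => f.Cve).ToList(),
             "no KEV CVE outside the grace period",
             ("warnings", kev.Where(InGrace).Select(f => f.Cve).ToList()));
    }

    // reachable-cve: only CVEs with a reachable code path at or above the severity threshold block.
    public static GateResult ReachableCve(IEnumerable<Finding> findings, double severity) =>
        Make("reachable-cve", findings.Where(f => f.Reachable && f.Cvss >= severity).Select(f => f.Cve).ToList(),
             $"no reachable CVE with CVSS >= {severity}");

    // cve-delta: CVEs absent from the baseline and at or above the threshold block;
    // OnlyBlockReachable additionally requires a reachable code path.
    public static GateResult CveDelta(IEnumerable<Finding> baseline, IEnumerable<Finding> candidate, double severity, bool onlyReachable)
    {
        var known = baseline.Select(f => f.Cve).ToHashSet();
        var fresh = candidate.Where(f => !known.Contains(f.Cve) && f.Cvss >= severity && (!onlyReachable || f.Reachable));
        return Make("cve-delta", fresh.Select(f => f.Cve).ToList(), $"no new CVE with CVSS >= {severity} vs baseline");
    }

    // release-aggregate-cve: per-severity counts over the whole release must stay within the limits.
    public static GateResult ReleaseAggregateCve(IEnumerable<Finding> findings, int maxCritical, int maxHigh, int maxMedium)
    {
        var list = findings.ToList();
        int critical = list.Count(f => f.Cvss >= 9.0);
        int high = list.Count(f => f.Cvss >= 7.0 && f.Cvss < 9.0);
        int medium = list.Count(f => f.Cvss >= 4.0 && f.Cvss < 7.0);
        var over = new List<string>();
        if (critical > maxCritical) over.Add($"critical {critical} > {maxCritical}");
        if (high > maxHigh) over.Add($"high {high} > {maxHigh}");
        if (medium > maxMedium) over.Add($"medium {medium} > {maxMedium}");
        return new GateResult("release-aggregate-cve", over.Count == 0,
            over.Count == 0 ? "aggregate counts within limits" : "limits exceeded: " + string.Join("; ", over),
            new Dictionary<string, object> { ["critical"] = critical, ["high"] = high, ["medium"] = medium });
    }
}

public static class Program
{
    public static void Main()
    {
        var today = new DateOnly(2026, 1, 19);
        // Constructed data: the identifiers are placeholders, not real CVEs.
        var baseline = new[] { new Finding("CVE-EXAMPLE-0001", 7.5, 0.10, false, null, true) };
        var candidate = new[]
        {
            baseline[0],
            new Finding("CVE-EXAMPLE-0002", 8.8, 0.92, true, new DateOnly(2025, 11, 1), false), // KEV for months, EPSS above 0.6
            new Finding("CVE-EXAMPLE-0003", 8.1, 0.05, true, new DateOnly(2026, 1, 10), true),  // KEV 9 days ago: inside 14-day grace
            new Finding("CVE-EXAMPLE-0004", 5.3, 0.01, false, null, false),
        };
        var results = new[]
        {
            CveGates.EpssThreshold(candidate, 0.6),
            CveGates.KevBlocker(candidate, today, allowGrace: true, graceDays: 14),
            CveGates.ReachableCve(candidate, 7.0),
            CveGates.CveDelta(baseline, candidate, 7.0, onlyReachable: false),
            CveGates.ReleaseAggregateCve(candidate, maxCritical: 0, maxHigh: 3, maxMedium: 20),
        };
        foreach (var r in results)
            Console.WriteLine($"{r.GateName,-22} {(r.Passed ? "PASS" : "FAIL")}  {r.Reason}");
    }
}
```

With this input the EPSS, KEV, reachable and delta gates fail (CVE-EXAMPLE-0002 trips the first two, CVE-EXAMPLE-0003 only warns on the KEV gate because it is inside the grace window, CVE-EXAMPLE-0001 and -0003 are reachable at or above 7.0, and -0002 and -0003 are new versus the baseline), while the aggregate gate passes with zero critical and three high findings against the MaxHigh of 3. Note that a grace period on kev-blocker means a freshly catalogued KEV entry ships with only a warning, so the 14-day value in the configuration above is a deliberate risk window, not a default to leave unexamined.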

Environment Overrides

Each gate accepts per-environment overrides under an Environments key. Values set for an environment replace the gate's base values for that environment only; keys not set there fall back to the base configuration (so in the example below, staging keeps Enabled: true while raising the threshold, and development disables the gate entirely):

{
  "Policy": {
    "Gates": {
      "CveDelta": {
        "Enabled": true,
        "NewCveSeverityThreshold": 7.0,
        "Environments": {
          "development": {
            "Enabled": false
          },
          "staging": {
            "NewCveSeverityThreshold": 9.0
          },
          "production": {
            "NewCveSeverityThreshold": 7.0,
            "OnlyBlockReachable": true
          }
        }
      }
    }
  }
}
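To make the override semantics concrete, here is an added example (not Stella Ops code) that loads the fragment above through the standard .NET configuration stack and resolves the effective CveDelta settings for a named environment. The merge rule (environment keys overlay base keys; a key absent from both defaults to false or 0), the CveDeltaOptions record and the Effective/Resolve helpers are assumptions made for this example. It needs the Microsoft.Extensions.Configuration.Json package and C# 11 or later for the raw string literal.

```csharp
// Added example, not Stella Ops code: resolve the effective CveDelta settings for an
// environment from the appsettings fragment above. Keys under Environments:<name>
// override the gate's base values; anything not overridden falls through to the base.
// The merge rule and the option record are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Text;
using Microsoft.Extensions.Configuration;

public record CveDeltaOptions(bool Enabled, double NewCveSeverityThreshold, bool OnlyBlockReachable);

public static class GateOptionsResolver
{
    // Constructed copy of the "Environment Overrides" fragment from this page.
    const string AppSettings = """
        { "Policy": { "Gates": { "CveDelta": {
            "Enabled": true, "NewCveSeverityThreshold": 7.0,
            "Environments": {
              "development": { "Enabled": false },
              "staging":     { "NewCveSeverityThreshold": 9.0 },
              "production":  { "NewCveSeverityThreshold": 7.0, "OnlyBlockReachable": true }
            } } } } }
        """;

    public static IConfiguration Load(string json) =>
        new ConfigurationBuilder()
            .AddJsonStream(new MemoryStream(Encoding.UTF8.GetBytes(json)))
            .Build();

    // Flatten the gate's leaf settings, then overlay the per-environment section.
    // Sections with children (such as "Environments") have a null Value and are skipped.
    public static Dictionary<string, string> Effective(IConfigurationSection gate, string environment)
    {
        var values = gate.GetChildren()
            .Where(c => c.Value is not null)
            .ToDictionary(c => c.Key, c => c.Value!, StringComparer.OrdinalIgnoreCase);
        foreach (var o in gate.GetSection("Environments").GetSection(environment).GetChildren())
            if (o.Value is not null) values[o.Key] = o.Value;   // environment wins over base
        return values;
    }

    // Bind the merged values; a key missing from both base and environment defaults to
    // false / 0.0 (assumption for this example).
    public static CveDeltaOptions Resolve(IConfiguration config, string environment)
    {
        var v = Effective(config.GetSection("Policy:Gates:CveDelta"), environment);
        return new CveDeltaOptions(
            Enabled: v.TryGetValue("Enabled", out var e) && bool.Parse(e),
            NewCveSeverityThreshold: v.TryGetValue("NewCveSeverityThreshold", out var t)
                ? double.Parse(t, CultureInfo.InvariantCulture) : 0.0,
            OnlyBlockReachable: v.TryGetValue("OnlyBlockReachable", out var r) && bool.Parse(r));
    }

    public static void Main()
    {
        var config = Load(AppSettings);
        // "qa" has no override section and therefore resolves to the base values.
        foreach (var env in new[] { "development", "staging", "production", "qa" })
            Console.WriteLine($"{env,-12} {Resolve(config, env)}");
    }
}
```

Running it prints development as disabled, staging with threshold 9.0, production with threshold 7.0 and OnlyBlockReachable true, and qa (no override) identical to the base. The fall-through is the part worth checking in a real deployment: an environment name that is misspelled in appsettings.json silently gets the base policy rather than the stricter or looser one you intended.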

DI Registration

Register all CVE gates:

services.AddCvePolicyGates(configuration);

Or register individual gates:

services.AddEpssThresholdGate(configuration);
services.AddKevBlockerGate(configuration);
services.AddReachableCveGate(configuration);
services.AddCveDeltaGate(configuration);
services.AddReleaseAggregateCveGate(configuration);

Gate Results

All gates return a GateResult containing:

  • GateName: Gate identifier
  • Passed: Boolean pass/fail status
  • Reason: Human-readable explanation
  • Details: Additional metadata (warnings, counts, etc.)

Last updated: 2026-01-19.