# Policy Gates

Policy gates are automated checks that evaluate release candidates against configurable security criteria. Each gate produces a pass/fail result together with the reasoning behind the policy decision.

## CVE-Aware Gates

| Gate | ID | Description |
|------|-----|-------------|
| [EPSS Threshold](epss-threshold.md) | `epss-threshold` | Blocks CVEs whose EPSS exploitation probability exceeds the configured threshold |
| [KEV Blocker](kev-blocker.md) | `kev-blocker` | Blocks CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog |
| [Reachable CVE](reachable-cve.md) | `reachable-cve` | Blocks only CVEs with reachable code paths |
| [CVE Delta](cve-delta.md) | `cve-delta` | Blocks releases that introduce new high-severity CVEs relative to the baseline release |
| [Release Aggregate CVE](release-aggregate-cve.md) | `release-aggregate-cve` | Enforces aggregate CVE count limits per release |

## Gate Configuration

Gates are configured via `appsettings.json` under the `Policy:Gates` section:

```json
{
  "Policy": {
    "Gates": {
      "EpssThreshold": {
        "Enabled": true,
        "Threshold": 0.6
      },
      "KevBlocker": {
        "Enabled": true,
        "AllowGracePeriod": true,
        "GracePeriodDays": 14
      },
      "ReachableCve": {
        "Enabled": true,
        "SeverityThreshold": 7.0
      },
      "CveDelta": {
        "Enabled": true,
        "NewCveSeverityThreshold": 7.0,
        "OnlyBlockReachable": false
      },
      "ReleaseAggregateCve": {
        "Enabled": true,
        "MaxCritical": 0,
        "MaxHigh": 3,
        "MaxMedium": 20
      }
    }
  }
}
```

## Environment Overrides

Each gate supports per-environment configuration overrides, keyed by environment name under `Environments`:

```json
{
  "Policy": {
    "Gates": {
      "CveDelta": {
        "Enabled": true,
        "NewCveSeverityThreshold": 7.0,
        "Environments": {
          "development": {
            "Enabled": false
          },
          "staging": {
            "NewCveSeverityThreshold": 9.0
          },
          "production": {
            "NewCveSeverityThreshold": 7.0,
            "OnlyBlockReachable": true
          }
        }
      }
    }
  }
}
```

## DI Registration

Register all CVE-aware gates with a single call:

```csharp
services.AddCvePolicyGates(configuration);
```

Or register individual gates:

```csharp
services.AddEpssThresholdGate(configuration);
services.AddKevBlockerGate(configuration);
services.AddReachableCveGate(configuration);
services.AddCveDeltaGate(configuration);
services.AddReleaseAggregateCveGate(configuration);
```

## Gate Results

All gates return a `GateResult` containing:

- `GateName`: Gate identifier
- `Passed`: Boolean pass/fail status
- `Reason`: Human-readable explanation
- `Details`: Additional metadata (warnings, counts, etc.)
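To show how the per-environment overrides above resolve and what a populated `GateResult` looks like, here is an added example (not the project's own code) of a CVE Delta gate evaluation. `GateResult` uses the fields listed above; `CveFinding`, `CveDeltaOverride`, `ForEnvironment` and the merge rule (an environment block overrides only the keys it sets) are assumptions made for this example.

```csharp
using System.Collections.Generic;
using System.Linq;
// GateResult mirrors the fields listed under "Gate Results"; the other types and the
// override merge rule (a null override falls back to the base value) are assumptions.
public sealed record GateResult(string GateName, bool Passed, string Reason,
                                IReadOnlyDictionary<string, object> Details);
public sealed record CveFinding(string Id, double Cvss, bool Reachable);
public sealed record CveDeltaOverride(bool? Enabled = null,
    double? NewCveSeverityThreshold = null, bool? OnlyBlockReachable = null);
public sealed class CveDeltaOptions
{
    public bool Enabled { get; set; } = true;
    public double NewCveSeverityThreshold { get; set; } = 7.0;
    public bool OnlyBlockReachable { get; set; } = false;
    public Dictionary<string, CveDeltaOverride> Environments { get; set; } = new();
    // Effective settings for one environment; e.g. "staging" above raises the threshold to 9.0.
    public CveDeltaOptions ForEnvironment(string env)
    {
        Environments.TryGetValue(env, out var ov);
        return new CveDeltaOptions
        {
            Enabled = ov?.Enabled ?? Enabled,
            NewCveSeverityThreshold = ov?.NewCveSeverityThreshold ?? NewCveSeverityThreshold,
            OnlyBlockReachable = ov?.OnlyBlockReachable ?? OnlyBlockReachable,
        };
    }
}
public static class CveDeltaGate
{
    // Block only CVEs absent from the baseline release that are at or above the
    // severity threshold and, when OnlyBlockReachable is set, reachable.
    public static GateResult Evaluate(CveDeltaOptions options, string env,
        IReadOnlyCollection<CveFinding> baseline, IReadOnlyCollection<CveFinding> candidate)
    {
        var o = options.ForEnvironment(env);
        var details = new Dictionary<string, object> { ["Environment"] = env };
        if (!o.Enabled)
            return new GateResult("cve-delta", true, "Gate disabled for this environment", details);
        var known = baseline.Select(f => f.Id).ToHashSet();
        var fresh = candidate.Where(f => !known.Contains(f.Id)).ToList();
        var blocking = fresh.Where(f => f.Cvss >= o.NewCveSeverityThreshold
                             && (!o.OnlyBlockReachable || f.Reachable)).Select(f => f.Id).ToList();
        details["NewCveCount"] = fresh.Count;
        details["BlockingCves"] = blocking;
        return blocking.Count == 0
            ? new GateResult("cve-delta", true, $"No new CVEs with CVSS >= {o.NewCveSeverityThreshold}", details)
            : new GateResult("cve-delta", false, $"New CVE(s) with CVSS >= {o.NewCveSeverityThreshold}: {string.Join(", ", blocking)}", details);
    }
}
```

With the override block from the Environment Overrides section, the same candidate passes in `development` (gate disabled), blocks only CVSS 9.0+ findings in `staging`, and in `production` blocks CVSS 7.0+ findings only when they are reachable.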
---

*Last updated: 2026-01-19.*