git.stella-ops.org/docs/modules/policy/gates/kev-blocker.md

KEV Blocker Gate

Gate ID: kev-blocker

Blocks CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. KEV entries represent vulnerabilities with confirmed active exploitation in the wild.

How It Works

  1. For each CVE finding in the release candidate, checks KEV catalog membership
  2. Blocks any CVE present in KEV (with optional grace period)
  3. Reports KEV due dates for remediation tracking
  4. Optionally respects KEV due dates as soft deadlines

Configuration

{
  "Policy": {
    "Gates": {
      "KevBlocker": {
        "Enabled": true,
        "AllowGracePeriod": true,
        "GracePeriodDays": 14,
        "BlockPastDueDate": true,
        "WarnBeforeDueDate": true,
        "WarnDaysBeforeDue": 7,
        "RequireReachability": false,
        "Environments": {
          "development": {
            "Enabled": false
          },
          "production": {
            "AllowGracePeriod": false
          }
        }
      }
    }
  }
}

Options

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| Enabled | bool | true | Whether the gate is active |
| AllowGracePeriod | bool | true | Allow grace period after KEV addition |
| GracePeriodDays | int | 14 | Days after KEV addition before blocking |
| BlockPastDueDate | bool | true | Block CVEs past their KEV due date |
| WarnBeforeDueDate | bool | true | Emit warning as due date approaches |
| WarnDaysBeforeDue | int | 7 | Days before due date to start warning |
| RequireReachability | bool | false | Only evaluate reachable CVEs |
| Environments | dict | {} | Per-environment overrides |
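As an added illustration (not the gate's own code), the following Python models the steps from How It Works using the options above: the grace period after KEV addition, blocking past the due date, the warning window, and per-environment overrides. The catalog's date_added values, CVE-2024-9012's due date, the evaluation date, and the precedence of "overdue" over the grace period are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed KEV catalog excerpt: cve -> (date_added, due_date). CVE ids and due dates
# echo the page's example results; date_added values and CVE-2024-9012's due date are made up.
KEV = {
    "CVE-2024-1234": (date(2024, 1, 25), date(2024, 2, 15)),
    "CVE-2024-5678": (date(2024, 2, 7), date(2024, 2, 28)),
    "CVE-2024-9012": (date(2024, 2, 20), date(2024, 3, 1)),
}
TODAY = date(2024, 2, 23)  # constructed evaluation date

@dataclass(frozen=True)
class KevBlockerConfig:
    """Mirrors the gate's options; defaults match the documented defaults."""
    enabled: bool = True
    allow_grace_period: bool = True
    grace_period_days: int = 14
    block_past_due_date: bool = True
    warn_before_due_date: bool = True
    warn_days_before_due: int = 7
    require_reachability: bool = False

def for_environment(cfg, environments, name):
    """Apply per-environment overrides, e.g. {"production": {"allow_grace_period": False}}."""
    return replace(cfg, **environments.get(name, {}))

def evaluate(findings, cfg, kev, today):
    """findings: list of (cve_id, reachable). Returns (passed, blocked, warnings)."""
    if not cfg.enabled:
        return True, [], []
    blocked, warnings = [], []
    for cve, reachable in findings:
        if cve not in kev or (cfg.require_reachability and not reachable):
            continue  # not in KEV, or filtered out because it is unreachable
        added, due = kev[cve]
        days_left = (due - today).days
        in_grace = cfg.allow_grace_period and today < added + timedelta(days=cfg.grace_period_days)
        if today > due and cfg.block_past_due_date:
            # Assumed precedence: an overdue entry blocks even inside the grace period.
            blocked.append(f"{cve} (due: {due}, overdue)")
        elif not in_grace:
            blocked.append(f"{cve} (due: {due}, {days_left} days remaining)")
        elif cfg.warn_before_due_date and 0 <= days_left <= cfg.warn_days_before_due:
            warnings.append(f"{cve} KEV due date approaching ({days_left} days)")
    return not blocked, blocked, warnings

if __name__ == "__main__":
    prod = for_environment(KevBlockerConfig(), {"production": {"allow_grace_period": False}}, "production")
    print(evaluate([(c, True) for c in KEV], prod, KEV, TODAY))
```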

KEV Catalog Context

The CISA KEV catalog contains:

  • CVEs with confirmed active exploitation
  • Required remediation due dates (typically 2-3 weeks from addition)
  • Affected vendor/product information

KEV inclusion indicates:

  • Real-world exploitation is occurring
  • Federal agencies must remediate by due date (BOD 22-01)
  • High priority for all organizations

Example Gate Results

Pass:

KEV blocker check passed. No KEV entries found in 15 CVE findings

Fail:

KEV entries found: CVE-2024-1234 (due: 2024-02-15, overdue), CVE-2024-5678 (due: 2024-02-28, 5 days remaining)

Warning:

KEV blocker check passed. Warnings: CVE-2024-9012 KEV due date approaching (7 days)

CLI Usage

# Evaluate KEV gate against image
stella policy evaluate --gate kev-blocker --image myapp:v1.2.3

# Check with no grace period
stella policy evaluate --gate kev-blocker --no-grace-period --image myapp:v1.2.3

Data Source

KEV data is fetched from the CISA KEV Catalog via the configured IKevDataProvider. The catalog is refreshed daily, and catalog update timestamps are tracked for staleness detection.


Last updated: 2026-01-19.