# KEV Blocker Gate

**Gate ID:** `kev-blocker`

Blocks CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. KEV entries represent vulnerabilities with confirmed active exploitation in the wild.

## How It Works

1. For each CVE finding in the release candidate, checks KEV catalog membership
2. Blocks any CVE present in KEV (with optional grace period)
3. Reports KEV due dates for remediation tracking
4. Optionally respects KEV due dates as soft deadlines

## Configuration

```json
{
  "Policy": {
    "Gates": {
      "KevBlocker": {
        "Enabled": true,
        "AllowGracePeriod": true,
        "GracePeriodDays": 14,
        "BlockPastDueDate": true,
        "WarnBeforeDueDate": true,
        "WarnDaysBeforeDue": 7,
        "RequireReachability": false,
        "Environments": {
          "development": {
            "Enabled": false
          },
          "production": {
            "AllowGracePeriod": false
          }
        }
      }
    }
  }
}
```

### Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `Enabled` | bool | `true` | Whether the gate is active |
| `AllowGracePeriod` | bool | `true` | Allow grace period after KEV addition |
| `GracePeriodDays` | int | `14` | Days after KEV addition before blocking |
| `BlockPastDueDate` | bool | `true` | Block CVEs past their KEV due date |
| `WarnBeforeDueDate` | bool | `true` | Emit warning as due date approaches |
| `WarnDaysBeforeDue` | int | `7` | Days before due date to start warning |
| `RequireReachability` | bool | `false` | Only evaluate reachable CVEs |
| `Environments` | dict | `{}` | Per-environment overrides |
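
The following is an added example, not the project's own code, that walks through both the "How It Works" steps and the option handling above: it resolves the effective options for one environment (defaults, then `Policy.Gates.KevBlocker`, then the matching `Environments` entry), looks each finding up in a KEV excerpt, and applies the grace-period, due-date and warning rules to produce messages in the shape shown under "Example Gate Results". The `Finding`/`GateResult` types, the `evaluate`, `resolve_options` and `catalog_is_stale` names, the "in KEV grace period" warning text, the one-day staleness threshold and all catalog values are assumptions made for this example; the catalog field names (`cveID`, `dateAdded`, `dueDate`, `dateReleased`) follow the public CISA JSON feed as the author of this example understands it, and the real gate behind `IKevDataProvider` may differ in detail.

```python
"""Added example: a minimal KEV blocker gate evaluation (not the project's code)."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Gate options exactly as listed in the Options table, with their documented defaults.
DEFAULTS = {
    "Enabled": True,
    "AllowGracePeriod": True,
    "GracePeriodDays": 14,
    "BlockPastDueDate": True,
    "WarnBeforeDueDate": True,
    "WarnDaysBeforeDue": 7,
    "RequireReachability": False,
}

# The policy file from the Configuration section, embedded so the example runs offline.
POLICY_JSON = """
{ "Policy": { "Gates": { "KevBlocker": {
    "Enabled": true, "AllowGracePeriod": true, "GracePeriodDays": 14,
    "BlockPastDueDate": true, "WarnBeforeDueDate": true, "WarnDaysBeforeDue": 7,
    "RequireReachability": false,
    "Environments": { "development": { "Enabled": false },
                      "production":  { "AllowGracePeriod": false } } } } } }
"""
POLICY = json.loads(POLICY_JSON)

# Constructed KEV excerpt: field names follow the public CISA JSON feed (assumption),
# every date and CVE entry here is made up for the example.
SAMPLE_KEV = {
    "dateReleased": "2024-02-22T12:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-2024-1234", "dateAdded": "2024-01-25", "dueDate": "2024-02-15"},
        {"cveID": "CVE-2024-5678", "dateAdded": "2024-02-07", "dueDate": "2024-02-28"},
        {"cveID": "CVE-2024-9012", "dateAdded": "2024-02-12", "dueDate": "2024-03-01"},
    ],
}


@dataclass
class Finding:
    cve_id: str
    reachable: bool = True  # used only when RequireReachability is set


@dataclass
class GateResult:
    passed: bool
    message: str
    warnings: list = field(default_factory=list)


def resolve_options(policy: dict, environment: str) -> dict:
    """Effective options: DEFAULTS < Policy.Gates.KevBlocker < Environments[environment]."""
    gate = policy["Policy"]["Gates"]["KevBlocker"]
    opts = dict(DEFAULTS)
    opts.update({k: v for k, v in gate.items() if k != "Environments"})
    opts.update(gate.get("Environments", {}).get(environment, {}))
    return opts


def catalog_is_stale(catalog: dict, today: str, max_age_days: int = 1) -> bool:
    """Flag a feed whose release timestamp is older than max_age_days (threshold assumed)."""
    released = date.fromisoformat(catalog["dateReleased"][:10])
    return (date.fromisoformat(today) - released).days > max_age_days


def evaluate(findings, catalog, policy, environment, today: str) -> GateResult:
    """Apply the documented rules to a list of Finding objects; today is an ISO date."""
    opts = resolve_options(policy, environment)
    if not opts["Enabled"]:
        return GateResult(True, f"KEV blocker gate disabled for {environment}")
    now = date.fromisoformat(today)
    kev = {v["cveID"]: v for v in catalog["vulnerabilities"]}  # step 1: membership lookup
    blocked, warnings = [], []
    for f in findings:
        entry = kev.get(f.cve_id)
        if entry is None or (opts["RequireReachability"] and not f.reachable):
            continue
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - now).days  # step 3: due date reported in every message
        status = "overdue" if days_left < 0 else f"{days_left} days remaining"
        grace_end = added + timedelta(days=opts["GracePeriodDays"])
        in_grace = opts["AllowGracePeriod"] and now < grace_end
        # Steps 2 and 4: a KEV hit blocks unless it is still inside the grace period;
        # a due date that has already passed overrides the grace period when
        # BlockPastDueDate is set.
        if days_left < 0 and opts["BlockPastDueDate"]:
            blocked.append(f"{f.cve_id} (due: {due}, overdue)")
        elif not in_grace:
            blocked.append(f"{f.cve_id} (due: {due}, {status})")
        elif opts["WarnBeforeDueDate"] and 0 <= days_left <= opts["WarnDaysBeforeDue"]:
            warnings.append(f"{f.cve_id} KEV due date approaching ({days_left} days)")
        else:
            warnings.append(f"{f.cve_id} in KEV grace period ({status})")
    if blocked:
        return GateResult(False, "KEV entries found: " + ", ".join(blocked), warnings)
    if warnings:
        return GateResult(True, "KEV blocker check passed. Warnings: " + "; ".join(warnings), warnings)
    return GateResult(True, f"KEV blocker check passed. No KEV entries found in {len(findings)} CVE findings")


if __name__ == "__main__":
    hits = [Finding("CVE-2024-1234"), Finding("CVE-2024-5678"), Finding("CVE-2024-9012")]
    for env in ("staging", "production", "development"):
        print(env, "->", evaluate(hits, SAMPLE_KEV, POLICY, env, "2024-02-23").message)
    print("stale:", catalog_is_stale(SAMPLE_KEV, "2024-02-25"))
```

Running it with the sample date 2024-02-23 shows the difference the `production` override makes: in `staging` the most recently added entry is still inside its 14-day grace window and only produces a warning, while in `production` (`AllowGracePeriod: false`) the same entry is blocked with its days-remaining count.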

## KEV Catalog Context

The CISA KEV catalog contains:

- CVEs with confirmed active exploitation
- Required remediation due dates (typically 2-3 weeks from addition)
- Affected vendor/product information

KEV inclusion indicates:

- Real-world exploitation is occurring
- Federal agencies must remediate by due date (BOD 22-01)
- High priority for all organizations

## Example Gate Results

**Pass:**

```
KEV blocker check passed. No KEV entries found in 15 CVE findings
```

**Fail:**

```
KEV entries found: CVE-2024-1234 (due: 2024-02-15, overdue), CVE-2024-5678 (due: 2024-02-28, 5 days remaining)
```

**Warning:**

```
KEV blocker check passed. Warnings: CVE-2024-9012 KEV due date approaching (7 days)
```

## CLI Usage

```bash
# Evaluate KEV gate against image
stella policy evaluate --gate kev-blocker --image myapp:v1.2.3

# Check with no grace period
stella policy evaluate --gate kev-blocker --no-grace-period --image myapp:v1.2.3
```

## Data Source

KEV data is fetched from the [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) via the configured `IKevDataProvider`. The catalog is refreshed daily, and catalog update timestamps are tracked for staleness detection.

---

*Last updated: 2026-01-19.*