# -----------------------------------------------------------------------------
# cve-gate-base.rego
# Sprint: SPRINT_20260118_027_Policy_cve_release_gates
# Task: TASK-027-08 - OPA/Rego Policy Examples
# Description: Base policy for DSSE signature and Rekor anchor verification
# -----------------------------------------------------------------------------
package stellaops.gates.base
import future.keywords.contains
import future.keywords.if
import future.keywords.in
# Default deny - require explicit allow.
default valid_attestation := false

# An attestation is valid when the DSSE envelope is well-formed, it carries a
# signature entry whose key id is in trusted_keys, and the Rekor requirement is
# met: either a structurally valid Rekor entry is present, or the caller did
# not ask for one via input.config.require_rekor.
#
# "Valid" here is structural. None of the rules in this file verify a signature
# or an inclusion proof cryptographically; that is the job of the verifier that
# assembles `input` before this policy is evaluated.
valid_attestation if {
    valid_dsse_envelope
    valid_signature
    _rekor_requirement_met
}

# The Rekor requirement is met by a structurally valid anchor ...
_rekor_requirement_met if {
    valid_rekor_anchor
}

# ... or by the anchor not being required at all.
_rekor_requirement_met if {
    not config_require_rekor
}
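# DSSE envelope structure validation.
#
# Structural check only: the envelope must carry a non-empty string payloadType
# and payload and at least one entry in signatures. Nothing here decodes the
# payload or checks a signature. A bare reference such as `env.payloadType` is
# truthy for any defined value, "" included, so the emptiness checks are made
# explicit. Defaults to false rather than undefined so consumers can read it
# directly.
default valid_dsse_envelope := false

valid_dsse_envelope if {
    env := input.attestation.dsse_envelope
    is_string(env.payloadType)
    env.payloadType != ""
    is_string(env.payload)
    env.payload != ""
    count(env.signatures) > 0
}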
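# Signature validation - at least one signature entry from a trusted key.
#
# Holds when some entry in the envelope's signatures has a keyid that appears
# in trusted_keys and a non-empty sig field. This is a presence and key-id
# membership check only; the signature bytes are never verified against the
# payload here, so a caller must not treat this rule as proof of authenticity
# unless the envelope was verified cryptographically upstream. Defaults to
# false rather than undefined so consumers can read it directly.
default valid_signature := false

valid_signature if {
    sigs := input.attestation.dsse_envelope.signatures
    some sig in sigs
    sig.keyid in trusted_keys
    sig.sig != ""
}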
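# Rekor anchor validation.
#
# Structural check only: log_index must be a non-negative number,
# integrated_time a positive number, and the inclusion proof must name a
# non-empty root hash. Rego compares values across types by a fixed type
# order in which every string sorts above every number, so without the
# is_number guards a string-valued log_index such as "-1" would satisfy
# `>= 0`. The proof itself is not recomputed or checked against the log here.
# Defaults to false rather than undefined so consumers can read it directly.
default valid_rekor_anchor := false

valid_rekor_anchor if {
    entry := input.attestation.rekor_entry
    is_number(entry.log_index)
    entry.log_index >= 0
    is_number(entry.integrated_time)
    entry.integrated_time > 0
    is_string(entry.inclusion_proof.root_hash)
    entry.inclusion_proof.root_hash != ""
}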
# Configuration helpers.
#
# Rekor anchoring is mandatory only when the caller sets
# input.config.require_rekor to exactly `true`. Any other value, or a missing
# config object, leaves the anchor optional — i.e. an absent config makes the
# Rekor check fail open. Confirm that is the intended default for callers that
# forget to pass a config.
config_require_rekor if {
    cfg := input.config
    cfg.require_rekor == true
}
# Trusted signing key ids.
#
# Resolves to input.attestation.trusted_keys when the caller supplies a truthy
# value there, otherwise to the empty list (which makes valid_signature fail).
# NOTE(review): the trust list is read from the same `input.attestation`
# object that this policy is verifying, so whoever assembles the attestation
# input also chooses which key ids count as trusted. A trust anchor is
# normally sourced from policy data or a caller-controlled config rather than
# from the artifact under review — confirm this is intended.
trusted_keys := keys if {
    keys := input.attestation.trusted_keys
    keys
} else := []
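# Denial messages.
#
# `deny` is a set of human-readable reasons; several may be present at once.
# The bodies are written with `contains` because, with the `if` keyword in
# use, `deny[msg] if { ... }` is read by OPA as a single-value object rule
# (message -> true) rather than a set, which changes what `deny[_]` yields.
# The message strings are part of the policy's output contract and are kept
# verbatim.

# No envelope at all.
deny contains msg if {
    not input.attestation.dsse_envelope
    msg := "Missing DSSE envelope in attestation"
}

# Envelope present but structurally incomplete.
deny contains msg if {
    input.attestation.dsse_envelope
    not valid_dsse_envelope
    msg := "Invalid DSSE envelope structure"
}

# Well-formed envelope without a signature entry from a trusted key id.
deny contains msg if {
    valid_dsse_envelope
    not valid_signature
    msg := "No valid signature from trusted key"
}

# Rekor required by config but no entry supplied.
deny contains msg if {
    config_require_rekor
    not input.attestation.rekor_entry
    msg := "Rekor anchor required but not present"
}

# Rekor required and an entry is supplied, but it fails the structural check.
deny contains msg if {
    config_require_rekor
    input.attestation.rekor_entry
    not valid_rekor_anchor
    msg := "Invalid Rekor inclusion proof"
}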
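# Metadata for debugging.
#
# Every field is always defined. An object literal with a single undefined
# value is itself undefined, so reading the validity rules directly would
# make attestation_info vanish in exactly the failing cases it is meant to
# explain; the helpers below map "undefined" to false, and signature_count
# reads the signatures through object.get so a missing envelope yields 0.

# valid_dsse_envelope coerced to a boolean.
_has_dsse := true if {
    valid_dsse_envelope
} else := false

# valid_signature coerced to a boolean.
_has_valid_sig := true if {
    valid_signature
} else := false

# valid_rekor_anchor coerced to a boolean.
_has_rekor := true if {
    valid_rekor_anchor
} else := false

attestation_info := {
    "has_dsse": _has_dsse,
    "has_valid_sig": _has_valid_sig,
    "has_rekor": _has_rekor,
    "signature_count": count(object.get(input, ["attestation", "dsse_envelope", "signatures"], [])),
    "trusted_key_count": count(trusted_keys),
}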