git.stella-ops.org/examples/policies/opa/epss-threshold.rego

# -----------------------------------------------------------------------------
# epss-threshold.rego
# Sprint: SPRINT_20260118_027_Policy_cve_release_gates
# Task: TASK-027-08 - OPA/Rego Policy Examples
# Description: EPSS exploitation probability threshold enforcement
# -----------------------------------------------------------------------------

package stellaops.gates.epss

import future.keywords.if
import future.keywords.in

# Default allow if no CVEs exceed threshold
default allow = true

# Block if any CVE exceeds EPSS threshold
allow = false if {
    some cve in relevant_cves
    cve.epss_score > epss_threshold
}

# Get CVEs to evaluate (optionally filtered by reachability)
relevant_cves := [cve |
    some cve in input.cve_findings
    config_only_reachable
    cve.is_reachable == true
]

relevant_cves := input.cve_findings if {
    not config_only_reachable
}

# Get threshold with environment override support
epss_threshold := env_config.epss_threshold if {
    env_config := input.config.environments[input.environment]
    env_config.epss_threshold
} else := input.config.epss_threshold if {
    input.config.epss_threshold
} else := 0.6  # Default threshold

# Configuration flags
config_only_reachable if {
    input.config.only_reachable == true
}

# Denial messages with CVE details
deny[msg] if {
    some cve in relevant_cves
    cve.epss_score > epss_threshold
    msg := sprintf("CVE %s exceeds EPSS threshold: %.2f > %.2f", [
        cve.cve_id,
        cve.epss_score,
        epss_threshold
    ])
}

# Count CVEs exceeding threshold
exceeding_cves := [cve |
    some cve in relevant_cves
    cve.epss_score > epss_threshold
]

# Summary for reporting
summary := {
    "total_cves": count(relevant_cves),
    "exceeding_count": count(exceeding_cves),
    "threshold": epss_threshold,
    "environment": input.environment,
    "exceeding_cves": [cve.cve_id | some cve in exceeding_cves],
}