stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
17419ba7c4f8e35ed78033515115088eb40d20a7
git.stella-ops.org/examples/policies/opa/input-schema.json

241 lines
7.5 KiB
JSON
Raw Blame History

{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.io/schemas/opa/policy-input.json",
"title": "Stella OPA Policy Input Schema",
"description": "Input schema for OPA/Rego CVE gating policies",
"type": "object",
"required": ["attestation", "cve_findings", "environment"],
"properties": {
"attestation": {
"type": "object",
"description": "Attestation data including DSSE envelope and Rekor entry",
"required": ["dsse_envelope"],
"properties": {
"dsse_envelope": {
"type": "object",
"description": "DSSE envelope containing signed statement",
"required": ["payloadType", "payload", "signatures"],
"properties": {
"payloadType": {
"type": "string",
"description": "DSSE payload type URI",
"examples": ["application/vnd.in-toto+json"]
},
"payload": {
"type": "string",
"description": "Base64-encoded payload (in-toto statement)"
},
"signatures": {
"type": "array",
"items": {
"type": "object",
"required": ["keyid", "sig"],
"properties": {
"keyid": {
"type": "string",
"description": "Key identifier"
},
"sig": {
"type": "string",
"description": "Base64-encoded signature"
}
}
}
}
}
},
"rekor_entry": {
"type": "object",
"description": "Rekor transparency log entry (optional)",
"properties": {
"log_index": {
"type": "integer",
"description": "Rekor log index"
},
"log_id": {
"type": "string",
"description": "Rekor log ID (base64 SHA256)"
},
"integrated_time": {
"type": "integer",
"description": "Unix timestamp of log inclusion"
},
"inclusion_proof": {
"type": "object",
"properties": {
"root_hash": { "type": "string" },
"tree_size": { "type": "integer" },
"hashes": {
"type": "array",
"items": { "type": "string" }
}
}
}
}
},
"trusted_keys": {
"type": "array",
"description": "List of trusted signing key IDs",
"items": { "type": "string" }
}
}
},
"cve_findings": {
"type": "array",
"description": "CVE findings from scan results",
"items": {
"type": "object",
"required": ["cve_id"],
"properties": {
"cve_id": {
"type": "string",
"pattern": "^CVE-\\d{4}-\\d{4,}$",
"description": "CVE identifier"
},
"cvss_score": {
"type": "number",
"minimum": 0,
"maximum": 10,
"description": "CVSS v3 base score"
},
"severity": {
"type": "string",
"enum": ["critical", "high", "medium", "low", "unknown"],
"description": "Severity classification"
},
"epss_score": {
"type": "number",
"minimum": 0,
"maximum": 1,
"description": "EPSS exploitation probability (0-1)"
},
"epss_percentile": {
"type": "number",
"minimum": 0,
"maximum": 100,
"description": "EPSS percentile (0-100)"
},
"is_kev": {
"type": "boolean",
"description": "Whether CVE is in CISA KEV catalog"
},
"kev_due_date": {
"type": "string",
"format": "date",
"description": "KEV remediation due date (YYYY-MM-DD)"
},
"is_reachable": {
"type": "boolean",
"description": "Whether vulnerable code is reachable"
},
"reachability_state": {
"type": "string",
"enum": ["confirmed_reachable", "runtime_observed", "statically_reachable", "not_reachable", "unknown"],
"description": "Detailed reachability state"
},
"is_suppressed": {
"type": "boolean",
"description": "Whether CVE is suppressed/excepted"
},
"package_name": {
"type": "string",
"description": "Affected package name"
},
"package_version": {
"type": "string",
"description": "Affected package version"
},
"fix_available": {
"type": "boolean",
"description": "Whether a fix is available"
},
"fixed_version": {
"type": "string",
"description": "Version containing the fix"
}
}
}
},
"baseline_cve_findings": {
"type": "array",
"description": "CVE findings from baseline release (for delta comparison)",
"items": { "$ref": "#/properties/cve_findings/items" }
},
"environment": {
"type": "string",
"description": "Target deployment environment",
"examples": ["development", "staging", "production"]
},
"release": {
"type": "object",
"description": "Release metadata",
"properties": {
"id": { "type": "string" },
"version": { "type": "string" },
"image_digest": { "type": "string" },
"baseline_digest": { "type": "string" }
}
},
"config": {
"type": "object",
"description": "Policy configuration",
"properties": {
"epss_threshold": {
"type": "number",
"description": "EPSS score threshold (0-1)"
},
"epss_percentile_threshold": {
"type": "number",
"description": "EPSS percentile threshold (0-100)"
},
"severity_threshold": {
"type": "number",
"description": "CVSS severity threshold"
},
"max_critical": {
"type": "integer",
"description": "Maximum allowed critical CVEs"
},
"max_high": {
"type": "integer",
"description": "Maximum allowed high CVEs"
},
"max_medium": {
"type": "integer",
"description": "Maximum allowed medium CVEs"
},
"max_low": {
"type": "integer",
"description": "Maximum allowed low CVEs"
},
"max_total": {
"type": "integer",
"description": "Maximum total CVEs"
},
"require_rekor": {
"type": "boolean",
"description": "Require Rekor anchor for attestations"
},
"count_suppressed": {
"type": "boolean",
"description": "Include suppressed CVEs in counts"
},
"only_reachable": {
"type": "boolean",
"description": "Only evaluate reachable CVEs"
},
"environments": {
"type": "object",
"description": "Per-environment configuration overrides",
"additionalProperties": { "$ref": "#/properties/config" }
}
}
},
"current_time": {
"type": "string",
"format": "date-time",
"description": "Current evaluation timestamp (ISO 8601)"
}
}
}
Reference in New Issue View Git Blame Copy Permalink