stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
21337f4de64c8bbdf261e5e0071e482ee9cb7d2a
git.stella-ops.org/policies/starter-day1/overrides/production.yaml
StellaOps Bot 5146204f1b feat: add security sink detection patterns for JavaScript/TypeScript 
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00

45 lines
1.3 KiB
YAML
Raw Blame History

# Stella Ops Starter Policy - Production Override
# Version: 1.0.0
#
# Production environment has the strictest settings:
# - All blocking rules enforced
# - Lower unknowns threshold
# - Signed artifacts required
# - Higher VEX trust score required
apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
name: starter-day1-production
version: "1.0.0"
parent: starter-day1
environment: production
description: "Strict settings for production deployments"
spec:
# Production settings - stricter than defaults
settings:
defaultAction: block # Block by default in production
unknownsThreshold: 0.03 # Only 3% unknowns allowed
requireSignedSbom: true
requireSignedVerdict: true
minimumVexTrustScore: 0.7 # Higher trust required
# No rule overrides - production uses base rules at full strictness
ruleOverrides: []
# Additional production-only rules
additionalRules:
# Require explicit approval for any blocked findings
- name: require-approval-for-exceptions
priority: 400
description: "Any exception in production requires documented approval"
match:
hasException: true
require:
exceptionApproval: true
exceptionExpiry:
maxDays: 30
action: block
message: "Production exceptions require approval and must expire within 30 days"
Reference in New Issue View Git Blame Copy Permalink