stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
4bdc298ec1fc821ee0d9dda6d2d4643dcedf6b35
git.stella-ops.org/docs/features/unchecked/cli/reachability-aware-security-as-gate.md

1.3 KiB
Raw Blame History

Reachability-Aware Security as Gate

Module

Cli

Status

IMPLEMENTED

Description

Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.

Implementation Details

  • Gate Command: src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs -- GateCommandGroup for stella gate commands
  • VEX Gate Scan: src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs -- VEX-gated scan operations
  • Score Gate: src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs -- score-based gating
  • Tests: src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScoreGateCommandTests.cs, VexGateCommandTests.cs
  • Commands:
    • stella gate evaluate <digest> -- evaluate all gates for an artifact
    • stella gate scan <image> -- scan with gate evaluation
  • Exit codes: 0=pass, 1=warn, 2=fail/block

E2E Test Plan

  • Run stella gate evaluate sha256:abc123 and verify gate evaluation with reachability awareness
  • Verify unreachable CVEs do not trigger gate failures
  • Verify reachable CVEs with high scores trigger appropriate gate level
  • Run stella gate scan myregistry/app:v1.0 and verify scan with gate evaluation
  • Verify exit codes: 0=pass, 1=warn, 2=block
  • Verify --format json output with gate details