stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
4d932cc1baccec2ca7e7c3acc98200f6796660dc
git.stella-ops.org/docs/examples/policies/internal-only.md
master 96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools 
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00

73 lines
2.3 KiB
Markdown
Raw Blame History

# Internal-Only Policy Example (`internal-only.stella`)
A relaxed profile for internal services and development environments: allow Medium severities with warnings, rely on VEX more heavily, but still block KEV/actively exploited advisories.
```dsl
policy "Internal Only Policy" syntax "stella-dsl@1" {
metadata {
description = "Lenient policy for internal / dev tenants."
tags = ["internal","dev"]
}
profile severity {
env exposure_adjustments {
if env.exposure == "internal" then -0.4
if env.stage == "dev" then -0.6
}
}
rule block_kev priority 1 {
when advisory.has_tag("kev")
then status := "blocked"
because "Known exploited vulnerabilities must be remediated."
}
rule allow_medium_with_warning {
when severity.normalized == "Medium"
and env.exposure == "internal"
then warn message "Medium severity permitted in internal environments."
because "Allow Medium findings with warning for internal workloads."
}
rule accept_vendor_vex {
when vex.any(status in ["not_affected","fixed"])
then status := vex.status
annotate justification := vex.latest().justification
because "Trust vendor VEX statements for internal scope."
}
rule quiet_low_priority {
when severity.normalized <= "Low"
then ignore until "2026-01-01T00:00:00Z"
because "Quiet low severity until next annual remediation sweep."
}
}
```
## Commentary
- Suitable for staging/dev tenants with lower blast radius.
- KEV advisories override lenient behaviour to maintain minimum security bar.
- Warnings ensure Medium findings stay visible in dashboards and CLI outputs.
- Quiet rule enforces planned clean-up date; update before expiry.
## Try it out
```bash
stella policy lint examples/policies/internal-only.stella
stella policy simulate P-internal --candidate 1 \
--sbom sbom:internal-service --env exposure=internal --env stage=dev
```
## Compliance checklist
- [ ] Tenant classified as internal-only with documented risk acceptance.
- [ ] KEV feed synced (Concelier) and tags confirmed before relying on rule.
- [ ] Quiet expiry tracked; remediation backlog updated prior to deadline.
- [ ] Developers informed that warnings still affect quality score.
- [ ] Policy not used for production or internet-exposed services.
---
*Last updated: 2025-10-26.*
Reference in New Issue View Git Blame Copy Permalink