stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
4e3e575db596a66f01b712f9504d762f2ef07ea2
git.stella-ops.org/docs/examples/policies/serverless.md
master 96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools 
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00

2.3 KiB
Raw Blame History

Serverless Policy Example (serverless.stella)

Optimised for short-lived serverless workloads: focus on runtime integrity, disallow vulnerable layers entirely, and permit temporary suppressions only with strict justification windows.

policy "Serverless Tight Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Aggressive blocking for serverless runtimes."
    tags = ["serverless","prod","strict"]
  }

  profile severity {
    env runtime_overrides {
      if env.runtime == "serverless" then +0.7
      if env.runtime == "batch" then +0.2
    }
  }

  rule block_any_high {
    when severity.normalized >= "High"
    then status := "blocked"
    because "Serverless workloads block High+ severities."
  }

  rule forbid_unpinned_base {
    when sbom.has_tag("image:latest-tag")
    then status := "blocked"
    because "Base image must be pinned (no :latest)."
  }

  rule zero_tolerance_vex {
    when vex.any(status == "not_affected")
    then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
    because "Allow not_affected only from trusted vendors with strongest justification."
  }

  rule temporary_quiet {
    when env.deployment == "canary"
         and severity.normalized == "Medium"
    then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
    because "Allow short canary quiet window while fix rolls out."
  }
}

Commentary

  • Designed for serverless tenants where redeploy cost is low and failing fast is preferred.
  • forbid_unpinned_base enforces supply-chain best practices.
  • temporary_quiet ensures quiet windows expire automatically; require deployments to set env.quietUntil.
  • Intended to be layered on top of baseline (override per tenant) or used standalone for serverless-only accounts.

Try it out

stella policy lint examples/policies/serverless.stella
stella policy simulate P-serverless --candidate 1 \
  --sbom sbom:lambda-hello --env runtime=serverless --env deployment=canary

Compliance checklist

  • Quiet window expirations tracked and documented.
  • Trusted VEX vendor list reviewed quarterly.
  • Deployment pipeline enforces pinned base images before approval.
  • Canary deployments monitored for recurrence before ignoring Medium severity.
  • Serverless teams acknowledge runbook for blocked deployments.

Last updated: 2025-10-26.