StellaOps Bot 5146204f1b feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00


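# StellaOps Policy Engine configuration template.
# Copy to ../etc/policy-engine.yaml (relative to the Policy Engine content root)
# and adjust values to fit your environment. Environment variables prefixed with
# STELLAOPS_POLICY_ENGINE_ override these values at runtime.
#
# NOTE(review): the listing this was restored from had lost all indentation
# (every key flush-left, which makes the file invalid YAML with duplicate keys).
# Nesting below follows the section comments and key names; confirm against the
# options binding, in particular whether `rateLimiting` is top-level or part of
# `resourceServer`.
schemaVersion: 1

# Outbound client credentials used to talk to the Authority service.
authority:
  enabled: true
  issuer: "https://authority.stella-ops.local"
  clientId: "policy-engine"
  # Placeholder only. Do not commit a real secret in this file; supply it at
  # runtime through the STELLAOPS_POLICY_ENGINE_ environment override or a
  # secret store, and keep the value quoted so tooling does not retype it.
  clientSecret: "change-me"
  scopes: [ "policy:run", "findings:read", "effective:write" ]
  backchannelTimeoutSeconds: 30

storage:
  # A production connection string usually embeds credentials; prefer the
  # environment override for that value rather than editing it here.
  connectionString: "mongodb://localhost:27017/policy-engine"
  databaseName: "policy_engine"
  commandTimeoutSeconds: 30

workers:
  schedulerIntervalSeconds: 15
  maxConcurrentEvaluations: 4

# Policy activation controls. Both two-person flags default to off in this
# template; audit logs stay on.
activation:
  forceTwoPersonApproval: false
  defaultRequiresTwoPersonApproval: false
  emitAuditLogs: true

# Inbound token validation for the Policy Engine's own API.
resourceServer:
  authority: "https://authority.stella-ops.local"
  # Keep true outside of isolated local development so issuer metadata is
  # only accepted over TLS.
  requireHttpsMetadata: true
  audiences: [ "api://policy-engine" ]
  requiredScopes: [ "policy:run" ]
  # Empty list as shipped; presumably no tenant restriction — confirm what the
  # binder treats an empty list as before relying on it.
  requiredTenants: []
  # Presumably callers from these networks skip token validation; keep this to
  # loopback unless a specific, reviewed need exists.
  bypassNetworks:
    - "127.0.0.1/32"
    - "::1/128"

# Rate limiting for simulation endpoints (WEB-POLICY-20-004)
rateLimiting:
  enabled: true
  simulationPermitLimit: 100  # Maximum requests per window
  windowSeconds: 60  # Window duration in seconds
  queueLimit: 10  # Requests queued when limit reached
  tenantPartitioning: true  # Enable per-tenant rate limits

# Unknown budget configuration (SPRINT_4300_0002_0001)
# Controls enforcement of unknown thresholds by environment.
UnknownBudgets:
  enforceBudgets: true  # Set to false to log warnings only
  budgets:
    # Production: Strict limits, block on exceed
    production:
      environment: "production"
      totalLimit: 5
      reasonLimits:
        Reachability: 0  # No reachability unknowns allowed
        Identity: 2  # Max 2 identity unknowns
        Provenance: 2  # Max 2 provenance unknowns
        VexConflict: 0  # No VEX conflicts allowed
        FeedGap: 5  # Some feed gaps tolerated
        ConfigUnknown: 3  # Some config unknowns allowed
        AnalyzerLimit: 5  # Analyzer limits are less critical
      action: Block
      exceededMessage: "Production deployment blocked: unknown budget exceeded."
    # Staging: Moderate limits, warn on exceed
    staging:
      environment: "staging"
      totalLimit: 20
      reasonLimits:
        Reachability: 5
        Identity: 10
        Provenance: 10
        VexConflict: 5
        FeedGap: 15
        ConfigUnknown: 10
        AnalyzerLimit: 15
      action: Warn
      exceededMessage: "Staging warning: unknown budget exceeded."
    # Development: Permissive limits
    development:
      environment: "development"
      totalLimit: 100
      reasonLimits:
        Reachability: 25
        Identity: 50
        Provenance: 50
        VexConflict: 25
        FeedGap: 50
        ConfigUnknown: 50
        AnalyzerLimit: 50
      action: Warn
      exceededMessage: "Development environment unknown budget exceeded."
    # Default: Fallback for unknown environments. No reasonLimits are set here,
    # so only totalLimit applies — confirm that is the intended fallback.
    default:
      environment: "default"
      totalLimit: 50
      action: Warn
      exceededMessage: "Unknown budget exceeded."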