stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
68da90a11a3f12708a9492c56f3cf439732978af
git.stella-ops.org/docs/examples/policies/internal-only.md
root 68da90a11a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Restructure solution layout by module
2025-10-28 15:10:40 +02:00

2.4 KiB
Raw Blame History

Internal-Only Policy Example (internal-only.stella)

A relaxed profile for internal services and development environments: allow Medium severities with warnings, rely on VEX more heavily, but still block KEV/actively exploited advisories.

policy "Internal Only Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Lenient policy for internal / dev tenants."
    tags = ["internal","dev"]
  }

  profile severity {
    env exposure_adjustments {
      if env.exposure == "internal" then -0.4
      if env.stage == "dev" then -0.6
    }
  }

  rule block_kev priority 1 {
    when advisory.has_tag("kev")
    then status := "blocked"
    because "Known exploited vulnerabilities must be remediated."
  }

  rule allow_medium_with_warning {
    when severity.normalized == "Medium"
         and env.exposure == "internal"
    then warn message "Medium severity permitted in internal environments."
    because "Allow Medium findings with warning for internal workloads."
  }

  rule accept_vendor_vex {
    when vex.any(status in ["not_affected","fixed"])
    then status := vex.status
         annotate justification := vex.latest().justification
    because "Trust vendor VEX statements for internal scope."
  }

  rule quiet_low_priority {
    when severity.normalized <= "Low"
    then ignore until "2026-01-01T00:00:00Z"
    because "Quiet low severity until next annual remediation sweep."
  }
}

Commentary

  • Suitable for staging/dev tenants with lower blast radius.
  • KEV advisories override lenient behaviour to maintain minimum security bar.
  • Warnings ensure Medium findings stay visible in dashboards and CLI outputs.
  • Quiet rule enforces planned clean-up date; update before expiry.

Try it out

stella policy lint examples/policies/internal-only.stella
stella policy simulate P-internal --candidate 1 \
  --sbom sbom:internal-service --env exposure=internal --env stage=dev

Compliance checklist

  • Tenant classified as internal-only with documented risk acceptance.
  • KEV feed synced (Concelier) and tags confirmed before relying on rule.
  • Quiet expiry tracked; remediation backlog updated prior to deadline.
  • Developers informed that warnings still affect quality score.
  • Policy not used for production or internet-exposed services.

Last updated: 2025-10-26.