73 lines
2.4 KiB
Markdown
73 lines
2.4 KiB
Markdown
# Serverless Policy Example (`serverless.stella`)
|
|
|
|
Optimised for short-lived serverless workloads: focus on runtime integrity, disallow vulnerable layers entirely, and permit temporary suppressions only with strict justification windows.
|
|
|
|
```dsl
|
|
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
|
|
metadata {
|
|
description = "Aggressive blocking for serverless runtimes."
|
|
tags = ["serverless","prod","strict"]
|
|
}
|
|
|
|
profile severity {
|
|
env runtime_overrides {
|
|
if env.runtime == "serverless" then +0.7
|
|
if env.runtime == "batch" then +0.2
|
|
}
|
|
}
|
|
|
|
rule block_any_high {
|
|
when severity.normalized >= "High"
|
|
then status := "blocked"
|
|
because "Serverless workloads block High+ severities."
|
|
}
|
|
|
|
rule forbid_unpinned_base {
|
|
when sbom.has_tag("image:latest-tag")
|
|
then status := "blocked"
|
|
because "Base image must be pinned (no :latest)."
|
|
}
|
|
|
|
rule zero_tolerance_vex {
|
|
when vex.any(status == "not_affected")
|
|
then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
|
|
because "Allow not_affected only from trusted vendors with strongest justification."
|
|
}
|
|
|
|
rule temporary_quiet {
|
|
when env.deployment == "canary"
|
|
and severity.normalized == "Medium"
|
|
then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
|
|
because "Allow short canary quiet window while fix rolls out."
|
|
}
|
|
}
|
|
```
|
|
|
|
## Commentary
|
|
|
|
- Designed for serverless tenants where redeploy cost is low and failing fast is preferred.
|
|
- `forbid_unpinned_base` enforces supply-chain best practices.
|
|
- `temporary_quiet` ensures quiet windows expire automatically; require deployments to set `env.quietUntil`.
|
|
- Intended to be layered on top of baseline (override per tenant) or used standalone for serverless-only accounts.
|
|
|
|
## Try it out
|
|
|
|
```bash
|
|
stella policy lint examples/policies/serverless.stella
|
|
stella policy simulate P-serverless --candidate 1 \
|
|
--sbom sbom:lambda-hello --env runtime=serverless --env deployment=canary
|
|
```
|
|
|
|
## Compliance checklist
|
|
|
|
- [ ] Quiet window expirations tracked and documented.
|
|
- [ ] Trusted VEX vendor list reviewed quarterly.
|
|
- [ ] Deployment pipeline enforces pinned base images before approval.
|
|
- [ ] Canary deployments monitored for recurrence before ignoring Medium severity.
|
|
- [ ] Serverless teams acknowledge runbook for blocked deployments.
|
|
|
|
---
|
|
|
|
*Last updated: 2025-10-26.*
|
|
|