# Path-Level Reachability Gates Policy
# Sprint: SPRINT_20260112_007_POLICY_path_gate_inputs (PW-POL-003)
#
# Demonstrates path-level gates using pathHash, nodeHashes, and runtime freshness.
# Requires scanner path witness evidence with node hash fields.
#
# Reading guide: each rule under spec.rules carries a `priority`; the rules are
# listed from highest (100) to lowest (65). Presumably the engine evaluates them
# in descending priority and the first matching rule's `action` wins — confirm
# against the policy engine documentation before relying on rule ordering.
# `${settings.*}` / `${critical.*}` / `${known_safe_paths}` are references into
# the `settings` and `variables` sections of this pack; `{cve}`, `{pathHash}`,
# `{confidence}` etc. in messages are per-finding fields filled in at evaluation
# time (inferred from usage; not defined in this file).

apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
  name: path-gates-advanced
  version: 1.0.0
  description: |
    Advanced policy pack demonstrating path-level reachability gates.
    Uses pathHash, nodeHashes, and runtime evidence freshness for fine-grained control.
    Sprint: SPRINT_20260112_007_POLICY_path_gate_inputs

spec:
  settings:
    # Action for findings that match no rule below (presumably; the name
    # suggests a fall-through default — confirm). Note that in this pack a
    # CRITICAL finding that is reachable but NOT observed at runtime, has a
    # path witness, does not traverse a listed critical node and is not
    # pinned matches none of the block rules and therefore lands here as
    # `warn`. Set this to `block` if that posture is too permissive.
    defaultAction: warn
    # NOTE(review): the warn-missing-path-witness rule below only warns when
    # pathHash is absent — confirm how this setting interacts with that rule
    # (whether it rejects findings without a witness, or merely requests one).
    requirePathWitness: true
    # Maximum age of runtime evidence, in hours; referenced by
    # require-fresh-runtime-evidence via ${settings.runtimeFreshnessMaxHours}.
    runtimeFreshnessMaxHours: 24
    # NOTE(review): these are symbol names, but allow-trusted-entrypoints
    # compares them against `entryNodeHash`, and every other node/path value
    # in this pack is a "sha256:..." string. Confirm whether entryNodeHash is
    # name- or hash-valued; if hash-valued, this list never matches and the
    # allow rule is dead (fail-safe, but not what the rule describes).
    trustedEntrypoints:
      - "main"
      - "api.handler"
      - "web.controller"

  rules:
    # Block if a specific vulnerable path is reachable and confirmed at runtime
    - name: block-runtime-confirmed-path
      description: "Block paths confirmed reachable at runtime with CRITICAL vulns"
      priority: 100
      match:
        severity: CRITICAL
        reachability:
          status: reachable
          observedAtRuntime: true
      action: block
      message: "Runtime-confirmed reachable path to CRITICAL {cve} via {pathHash}"

    # Require fresh runtime evidence for high-severity findings
    # Matches HIGH findings whose runtime evidence is OLDER than the freshness
    # threshold (`gt`) and only warns; the finding is not blocked on stale
    # evidence alone.
    - name: require-fresh-runtime-evidence
      description: "Require runtime evidence younger than threshold for HIGH vulns"
      priority: 95
      match:
        severity: HIGH
        reachability:
          status: reachable
          pathHash:
            exists: true
          runtimeEvidenceAge:
            # Unit suffix `h` appended to the settings value, e.g. "24h".
            gt: ${settings.runtimeFreshnessMaxHours}h
      action: warn
      message: "Runtime evidence for {cve} is stale ({runtimeEvidenceAge} hours old)"

    # Allow paths with trusted entry nodes
    # Scoped to MEDIUM/LOW only; CRITICAL/HIGH findings from a trusted
    # entrypoint are deliberately not allowed by this rule.
    - name: allow-trusted-entrypoints
      description: "Allow paths starting from trusted entrypoints"
      priority: 90
      match:
        severity:
          - MEDIUM
          - LOW
        reachability:
          status: reachable
          entryNodeHash:
            in: ${settings.trustedEntrypoints}
      action: allow
      # `log: true` keeps an audit record of the allow decision (inferred
      # from the key name — confirm the engine's logging semantics).
      log: true
      message: "Vulnerability {cve} reachable from trusted entrypoint - allowed"

    # Block paths with specific node hashes in critical code areas
    # NOTE(review): unlike the other rules this one has no
    # `reachability.status` condition, so any finding whose witness traverses
    # a listed node is blocked regardless of status. Verify that this is
    # intended and that nodeHashes is only populated for reachable findings.
    - name: block-critical-node-paths
      description: "Block paths through critical code nodes"
      priority: 85
      match:
        severity:
          - CRITICAL
          - HIGH
        reachability:
          nodeHashes:
            # Node hashes resolved from spec.variables.critical below.
            contains_any:
              - ${critical.authentication_handler}
              - ${critical.payment_processor}
              - ${critical.data_exporter}
      action: block
      message: "Vulnerability {cve} path traverses critical node {matchedNodeHash}"

    # Warn if path witness is missing for reachable findings
    # Only warns; see requirePathWitness in settings for the stricter control.
    - name: warn-missing-path-witness
      description: "Warn when reachable finding lacks path witness"
      priority: 80
      match:
        severity:
          - CRITICAL
          - HIGH
          - MEDIUM
        reachability:
          status: reachable
          pathHash:
            exists: false
      action: warn
      message: "Reachable {cve} lacks path witness - reanalysis recommended"

    # Aggregate gate: block if too many runtime-confirmed paths
    # `type: aggregate` presumably evaluates over the whole result set rather
    # than per finding — confirm. The threshold 5 appears both in `gt` and
    # in the message text; keep the two in sync when tuning it.
    - name: fail-on-runtime-confirmed-count
      description: "Block deployment if too many runtime-confirmed vulns"
      priority: 75
      type: aggregate
      match:
        runtimeConfirmedCount:
          gt: 5
      action: block
      message: "Too many runtime-confirmed vulnerabilities ({runtimeConfirmedCount} > 5)"

    # Allow paths not observed at runtime with reduced confidence
    # Despite the rule name, the action is `warn`, not `allow`: low-confidence
    # static-only paths are surfaced for review rather than silently accepted.
    - name: allow-static-only-paths
      description: "Allow static-only reachable paths with warning"
      priority: 70
      match:
        severity:
          - HIGH
          - MEDIUM
        reachability:
          status: reachable
          observedAtRuntime: false
          confidence:
            lt: 0.7
      action: warn
      message: "Static-only path to {cve} (confidence {confidence}) - review recommended"

    # Path hash pinning: allow specific known-safe paths
    # NOTE(review): no severity or runtime condition here — a pinned hash
    # allows a finding at any severity unless a higher-priority rule has
    # already blocked it (presumably; see the evaluation-order note at the
    # top). Keep known_safe_paths short and review each entry whenever the
    # code on that path changes; a changed path presumably yields a new hash,
    # which silently drops the allow.
    - name: allow-pinned-safe-paths
      description: "Allow paths matching known-safe path hashes"
      priority: 65
      match:
        reachability:
          pathHash:
            in: ${known_safe_paths}
      action: allow
      message: "Path {pathHash} matches known-safe path - allowed"

  # Variables for path hash references
  # The values below are placeholder-looking strings ("sha256:<label>"), not
  # real digests; replace them with node/path hashes taken from scanner
  # path witness evidence before using this pack for enforcement.
  variables:
    critical:
      authentication_handler: "sha256:auth-handler-node-hash"
      payment_processor: "sha256:payment-proc-node-hash"
      data_exporter: "sha256:data-export-node-hash"
    known_safe_paths:
      - "sha256:validated-path-1"
      - "sha256:validated-path-2"