44 lines
3.2 KiB
Markdown
44 lines
3.2 KiB
Markdown
# VEX-gated policy decisions (gate decision with decision hash)
|
|
|
|
## Module
|
|
Cli
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
VEX gate service and policy evaluator for blocking/allowing based on VEX status, with CLI command support and UI gate summary panel. Evaluates findings against policy rules based on vendor status, exploitability, reachability, compensating controls, and severity levels.
|
|
|
|
## Implementation Details
|
|
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- `VexGateScanCommandGroup` (static class)
|
|
- Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service (T026, T027)
|
|
- Uses Spectre.Console for rich table output
|
|
- Calls Scanner API: `api/v1/vex-gate/policy` and `api/v1/scans/{scanId}/gate-results`
|
|
- **Commands**:
|
|
- `stella scan gate-policy show [--tenant <id>] [--output table|json|yaml]` -- display current VEX gate policy including rules, priorities, and conditions
|
|
- `stella scan gate-results --scan-id <id> [--decision Pass|Warn|Block] [--output table|json] [--limit <n>]` -- get VEX gate results for a scan with decision filtering
|
|
- **DTOs**: `VexGatePolicyDto` (PolicyId, Version, DefaultDecision, Rules), `VexGatePolicyRuleDto` (RuleId, Priority, Decision, Condition), `VexGatePolicyConditionDto` (VendorStatus, IsExploitable, IsReachable, HasCompensatingControl, SeverityLevels), `VexGateResultsDto` (ScanId, Summary, GatedFindings), `VexGateSummaryDto` (TotalFindings, Passed, Warned, Blocked, EvaluatedAt), `GatedFindingDto` (FindingId, Cve, Purl, Decision, Rationale, PolicyRuleMatched, Evidence)
|
|
- **Decision Types**: Pass (green), Warn (yellow), Block (red)
|
|
- **Output Formats**: Table with Spectre.Console styling, JSON, YAML
|
|
|
|
## E2E Test Plan
|
|
- [ ] Run `stella scan gate-policy show` and verify policy table with Policy ID, Version, Default Decision, Rules Count
|
|
- [ ] Run `stella scan gate-policy show --output json` and verify valid JSON with policy rules
|
|
- [ ] Run `stella scan gate-policy show --output yaml` and verify YAML output with rule hierarchy
|
|
- [ ] Run `stella scan gate-policy show --tenant <id>` and verify tenant-specific policy
|
|
- [ ] Run `stella scan gate-results --scan-id <id>` and verify summary table (Total, Passed, Warned, Blocked) and findings table
|
|
- [ ] Run `stella scan gate-results --scan-id <id> --decision Block` and verify only blocked findings shown
|
|
- [ ] Run `stella scan gate-results --scan-id <id> --output json` and verify JSON with gateSummary and gatedFindings
|
|
- [ ] Run `stella scan gate-results --scan-id <id> --limit 5` and verify at most 5 findings
|
|
- [ ] Verify 404 response for unknown scan ID returns warning, not error
|
|
- [ ] Verify exit code 0 on success, 1 on API error
|
|
|
|
## Verification
|
|
|
|
- **Verified**: 2026-02-13T15:30:00Z
|
|
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
|
|
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
|
|
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
|
|
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
|
|
- **Evidence**: `docs/qa/feature-checks/runs/cli/vex-gated-policy-decisions/run-001/tier2-integration-check.json`
|