git.stella-ops.org/docs/features/checked/policy/exception-recheck-build-gate.md
2026-02-13 02:04:55 +02:00


# Exception Recheck Build Gate
## Module
Policy
## Status
IMPLEMENTED
## Description
CI/CD build gate that evaluates the recheck policies of every active exception matching an artifact before deployment. Fails the pipeline if any condition with a blocking action (Block, Revoke or RequireReapproval) is triggered (e.g., EPSS exceeds threshold, KEV flagged). Conditions with a Warn action do not fail the gate; they are returned as warnings.
## Implementation Details
- **ExceptionRecheckGate**: `src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs` (sealed class implements `IBuildGate`)
- GateName: `"exception-recheck"`, Priority: 100
- `EvaluateAsync(BuildGateContext)` evaluates all active exceptions for the artifact
- Uses `IExceptionEvaluator` to find matching exceptions, then `IRecheckEvaluationService` to evaluate recheck conditions
- Aggregates blockers (Block, Revoke, RequireReapproval actions) and warnings (Warn action)
- Returns `BuildGateResult` with Passed=false if any blockers exist; Passed=true otherwise
- Message includes blocker details: `"Recheck policy blocking: {details}"`
- **IBuildGate interface**: defined in same file
- `GateName` (string), `Priority` (int), `EvaluateAsync(BuildGateContext, CancellationToken)`
- **BuildGateContext**: record with ArtifactDigest, Environment, Branch, PipelineId, TenantId, EvaluatedAt, and all recheck signal fields (ReachGraphChanged, EpssScore, CvssScore, UnknownsCount, NewCveInPackage, KevFlagged, VexStatusChanged, PackageVersionChanged)
- **BuildGateResult**: record with Passed, GateName, Message, Blockers (`ImmutableArray<string>`), Warnings (`ImmutableArray<string>`)
- **RecheckEvaluationService**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs` -- evaluates recheck conditions (see exception-recheck-policy-system feature)
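
The following is an added, self-contained C# illustration of the gate behaviour described above; it is not the StellaOps project's own code. It simplifies in two ways that are assumptions of this example: the gate is synchronous and receives the already-matched active exceptions directly, instead of calling `IExceptionEvaluator` and `IRecheckEvaluationService`, and a recheck condition is modelled as a named predicate over `BuildGateContext` with an action and an optional environment scope (the `RecheckCondition` and `ActiveException` records, and the condition names such as `EPSSAbove=0.80`, are made up for this example). The constructed input exercises several of the E2E scenarios listed below: an EPSS blocker, a CVSS warning, and a prod-only condition that must not fire in staging.

```csharp
// Added example of an exception-recheck build gate (not project code).
// Types below are assumptions shaped after the feature description.
using System;
using System.Collections.Generic;
using System.Collections.Immutable;

// Recheck actions: anything other than Warn blocks the pipeline.
public enum RecheckAction { Warn, Block, Revoke, RequireReapproval }

// One recheck condition attached to an exception (assumed shape).
// Environment == null means the condition applies in every environment.
public sealed record RecheckCondition(
    string Name,
    Func<BuildGateContext, bool> Triggered,
    RecheckAction Action,
    string? Environment = null);

public sealed record ActiveException(string Id, ImmutableArray<RecheckCondition> Recheck);

// Signals the gate evaluates (the fields the feature lists, with defaults).
public sealed record BuildGateContext(
    string ArtifactDigest, string Environment, string Branch, string PipelineId,
    string TenantId, DateTimeOffset EvaluatedAt,
    double? EpssScore = null, double? CvssScore = null, bool KevFlagged = false,
    bool ReachGraphChanged = false, int UnknownsCount = 0, bool NewCveInPackage = false,
    bool VexStatusChanged = false, bool PackageVersionChanged = false);

public sealed record BuildGateResult(bool Passed, string GateName, string Message,
    ImmutableArray<string> Blockers, ImmutableArray<string> Warnings);

public sealed class ExceptionRecheckGate
{
    public string GateName => "exception-recheck";
    public int Priority => 100;

    public BuildGateResult Evaluate(BuildGateContext ctx, IEnumerable<ActiveException> active)
    {
        var blockers = ImmutableArray.CreateBuilder<string>();
        var warnings = ImmutableArray.CreateBuilder<string>();

        foreach (var ex in active)
        {
            foreach (var cond in ex.Recheck)
            {
                // Environment-scoped conditions only fire in their own environment.
                if (cond.Environment is not null &&
                    !string.Equals(cond.Environment, ctx.Environment, StringComparison.OrdinalIgnoreCase))
                    continue;
                if (!cond.Triggered(ctx)) continue;

                // Exception ID is embedded in every message for traceability.
                var detail = $"exception {ex.Id}: {cond.Name} ({cond.Action})";
                if (cond.Action == RecheckAction.Warn) warnings.Add(detail);
                else blockers.Add(detail);   // Block, Revoke, RequireReapproval all block
            }
        }

        var passed = blockers.Count == 0;
        var message = passed
            ? "All exception recheck policies satisfied"
            : $"Recheck policy blocking: {string.Join("; ", blockers)}";
        return new BuildGateResult(passed, GateName, message, blockers.ToImmutable(), warnings.ToImmutable());
    }
}

public static class Demo
{
    public static int Main()
    {
        // Constructed context: evaluating in staging with a high EPSS and CVSS score.
        var ctx = new BuildGateContext("sha256:0123abcd", "staging", "main", "pipe-42", "tenant-a",
            DateTimeOffset.UtcNow, EpssScore: 0.85, CvssScore: 9.5, KevFlagged: false,
            ReachGraphChanged: true);

        var active = new[]
        {
            new ActiveException("EXC-1", ImmutableArray.Create(
                new RecheckCondition("EPSSAbove=0.80", c => c.EpssScore > 0.80, RecheckAction.Block),
                new RecheckCondition("KEVFlagged", c => c.KevFlagged, RecheckAction.Block))),
            new ActiveException("EXC-2", ImmutableArray.Create(
                new RecheckCondition("CVSSAbove=9.0", c => c.CvssScore > 9.0, RecheckAction.Warn),
                // prod-only: ReachGraphChanged is true, but must not fire while in staging
                new RecheckCondition("ReachGraphChanged", c => c.ReachGraphChanged,
                    RecheckAction.RequireReapproval, Environment: "prod"))),
        };

        var result = new ExceptionRecheckGate().Evaluate(ctx, active);
        Console.WriteLine($"{result.GateName}: passed={result.Passed}");   // passed=False
        Console.WriteLine(result.Message);                                // one EPSS blocker
        foreach (var w in result.Warnings) Console.WriteLine($"warning: {w}");   // one CVSS warning
        return result.Passed ? 0 : 1;   // non-zero exit fails the CI job
    }
}
```

With this input the gate fails (one blocker from EXC-1 on EPSS) and carries one warning (EXC-2 on CVSS); the prod-scoped RequireReapproval condition is skipped because the context environment is staging. Swapping `Environment` to `"prod"` in the context turns that condition into a second blocker, which is the behaviour the E2E plan expects for RequireReapproval.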
## E2E Test Plan
- [ ] Create exception with RecheckPolicy containing EPSSAbove=0.80 (Block action); set EpssScore=0.85 in BuildGateContext; verify EvaluateAsync returns Passed=false with blocker message mentioning EPSS
- [ ] Create exception with RecheckPolicy containing KEVFlagged (Block action); set KevFlagged=true; verify gate returns Passed=false
- [ ] Create exception with no RecheckPolicy; verify gate returns Passed=true with message "All exception recheck policies satisfied"
- [ ] Create exception with RecheckPolicy containing CVSSAbove=9.0 (Warn action); set CvssScore=9.5; verify gate returns Passed=true with 1 warning
- [ ] Create 2 exceptions: one with Block condition triggered, one with Warn condition triggered; verify gate returns Passed=false with 1 blocker and 1 warning
- [ ] Create exception with environment-scoped condition (prod only); evaluate in staging; verify condition does not trigger
- [ ] Create exception with RequireReapproval action triggered; verify it is classified as a blocker (not a warning)
- [ ] Verify gate includes exception ID in blocker/warning messages for traceability