git.stella-ops.org/policies/starter-day1.yaml

# Starter Day-1 Policy Pack
# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
#
# This is a comprehensive starter policy for day-1 security controls.
# It includes gates for vulnerabilities, secret detection, and SBOM quality.

name: starter-day1
version: 1.0.0
description: |
  Starter policy pack for day-1 security controls.
  Includes essential gates for vulnerabilities, secrets, and SBOM validation.

rules:
  # === VULNERABILITY GATES ===
  
  - id: block-critical-cves
    description: Block images with critical vulnerabilities
    severity: critical
    when:
      signal: vuln.severity.critical
      operator: gt
      value: 0
    deny_message: |
      BLOCKED: Image contains critical vulnerabilities.
      Review CVEs and apply patches before deployment.

  - id: block-kev-vulnerabilities
    description: Block images with Known Exploited Vulnerabilities
    severity: critical
    when:
      signal: vuln.kev.count
      operator: gt
      value: 0
    deny_message: |
      BLOCKED: Image contains Known Exploited Vulnerabilities (KEV).
      These vulnerabilities are actively being exploited in the wild.
      Immediate remediation required.

  # === SECRET DETECTION GATES ===
  
  - id: block-critical-secrets
    description: Block deployment when critical secrets are detected
    severity: critical
    when:
      signal: secret.severity.critical
      equals: true
    deny_message: |
      BLOCKED: Critical secrets detected (private keys, service account keys).
      Rotate exposed credentials and remove from container image.

  - id: block-high-secrets
    description: Block deployment when high-severity secrets are detected
    severity: high
    when:
      all:
        - signal: secret.severity.high
          equals: true
        - signal: secret.confidence.high
          equals: true
    deny_message: |
      BLOCKED: High-severity secrets detected with high confidence.
      These appear to be real credentials. Remediate before deployment.

  - id: warn-secret-findings
    description: Warn when any secrets are detected
    severity: medium
    when:
      signal: secret.has_finding
      equals: true
    warn_message: |
      WARNING: Secret detection found {{secret.count}} potential secret(s).
      Review findings and add legitimate patterns to the exception list.

  # === SBOM QUALITY GATES ===
  
  - id: require-sbom
    description: Require a valid SBOM for all images
    severity: high
    when:
      signal: sbom.present
      equals: false
    deny_message: |
      BLOCKED: No SBOM found for image.
      Generate an SBOM before deployment (CycloneDX or SPDX format).

  - id: warn-unknown-components
    description: Warn when SBOM contains many unknown components
    severity: medium
    when:
      signal: sbom.unknown_ratio
      operator: gt
      value: 0.2
    warn_message: |
      WARNING: Over 20% of SBOM components could not be identified.
      Consider improving build process for better provenance.

  # === IMAGE CONFIGURATION GATES ===
  
  - id: block-root-user
    description: Block images that run as root by default
    severity: high
    when:
      signal: image.runs_as_root
      equals: true
    deny_message: |
      BLOCKED: Image runs as root user.
      Configure a non-root USER in the Dockerfile.

  - id: warn-old-base-image
    description: Warn when base image is outdated
    severity: medium
    when:
      signal: image.base_age_days
      operator: gt
      value: 90
    warn_message: |
      WARNING: Base image is over 90 days old.
      Consider updating to get latest security patches.