master
96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
policy "Internal Only Policy" syntax "stella-dsl@1" {
|
|
metadata {
|
|
description = "Lenient policy for internal / dev tenants."
|
|
tags = ["internal","dev"]
|
|
}
|
|
|
|
profile severity {
|
|
env exposure_adjustments {
|
|
if env.exposure == "internal" then -0.4
|
|
if env.stage == "dev" then -0.6
|
|
}
|
|
}
|
|
|
|
rule block_kev priority 1 {
|
|
when advisory.has_tag("kev")
|
|
then status := "blocked"
|
|
because "Known exploited vulnerabilities must be remediated."
|
|
}
|
|
|
|
rule allow_medium_with_warning {
|
|
when severity.normalized == "Medium"
|
|
and env.exposure == "internal"
|
|
then warn message "Medium severity permitted in internal environments."
|
|
because "Allow Medium findings with warning for internal workloads."
|
|
}
|
|
|
|
rule accept_vendor_vex {
|
|
when vex.any(status in ["not_affected","fixed"])
|
|
then status := vex.status
|
|
annotate justification := vex.latest().justification
|
|
because "Trust vendor VEX statements for internal scope."
|
|
}
|
|
|
|
rule quiet_low_priority {
|
|
when severity.normalized <= "Low"
|
|
then ignore until "2026-01-01T00:00:00Z"
|
|
because "Quiet low severity until next annual remediation sweep."
|
|
}
|
|
}
|