master
96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
policy "Serverless Tight Policy" syntax "stella-dsl@1" {
|
|
metadata {
|
|
description = "Aggressive blocking for serverless runtimes."
|
|
tags = ["serverless","prod","strict"]
|
|
}
|
|
|
|
profile severity {
|
|
env runtime_overrides {
|
|
if env.runtime == "serverless" then +0.7
|
|
if env.runtime == "batch" then +0.2
|
|
}
|
|
}
|
|
|
|
rule block_any_high {
|
|
when severity.normalized >= "High"
|
|
then status := "blocked"
|
|
because "Serverless workloads block High+ severities."
|
|
}
|
|
|
|
rule forbid_unpinned_base {
|
|
when sbom.has_tag("image:latest-tag")
|
|
then status := "blocked"
|
|
because "Base image must be pinned (no :latest)."
|
|
}
|
|
|
|
rule zero_tolerance_vex {
|
|
when vex.any(status == "not_affected")
|
|
then requireVex { vendors = ["VendorX","VendorY"], justifications = ["component_not_present"] }
|
|
because "Allow not_affected only from trusted vendors with strongest justification."
|
|
}
|
|
|
|
rule temporary_quiet {
|
|
when env.deployment == "canary"
|
|
and severity.normalized == "Medium"
|
|
then ignore until coalesce(env.quietUntil, "2025-12-31T00:00:00Z")
|
|
because "Allow short canary quiet window while fix rolls out."
|
|
}
|
|
}
|
|
|