29 lines
1.3 KiB
Markdown
29 lines
1.3 KiB
Markdown
# Reachability-Aware Security as Gate
|
|
|
|
## Module
|
|
Cli
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.
|
|
|
|
## Implementation Details
|
|
- **Gate Command**: `src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs` -- `GateCommandGroup` for `stella gate` commands
|
|
- **VEX Gate Scan**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- VEX-gated scan operations
|
|
- **Score Gate**: `src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs` -- score-based gating
|
|
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScoreGateCommandTests.cs`, `VexGateCommandTests.cs`
|
|
- **Commands**:
|
|
- `stella gate evaluate <digest>` -- evaluate all gates for an artifact
|
|
- `stella gate scan <image>` -- scan with gate evaluation
|
|
- **Exit codes**: 0=pass, 1=warn, 2=fail/block
|
|
|
|
## E2E Test Plan
|
|
- [ ] Run `stella gate evaluate sha256:abc123` and verify gate evaluation with reachability awareness
|
|
- [ ] Verify unreachable CVEs do not trigger gate failures
|
|
- [ ] Verify reachable CVEs with high scores trigger appropriate gate level
|
|
- [ ] Run `stella gate scan myregistry/app:v1.0` and verify scan with gate evaluation
|
|
- [ ] Verify exit codes: 0=pass, 1=warn, 2=block
|
|
- [ ] Verify `--format json` output with gate details
|