git.stella-ops.org/scripts/ci/reachability-thresholds.yaml

# =============================================================================
# Reachability Quality Gate Thresholds
# Reference: Testing and Quality Guardrails Technical Reference
# 
# These thresholds are enforced by CI quality gates. Violations will block PRs
# unless an override is explicitly approved.
# =============================================================================

thresholds:
  # Runtime dependency recall: percentage of runtime dependency vulns detected
  runtime_dependency_recall:
    min: 0.95
    description: "Percentage of runtime dependency vulnerabilities detected"
    severity: "critical"
    
  # OS package recall: percentage of OS package vulns detected
  os_package_recall:
    min: 0.97
    description: "Percentage of OS package vulnerabilities detected"
    severity: "critical"

  # Code vulnerability recall: percentage of code-level vulns detected
  code_vulnerability_recall:
    min: 0.90
    description: "Percentage of code vulnerabilities detected"
    severity: "high"

  # Configuration vulnerability recall
  config_vulnerability_recall:
    min: 0.85
    description: "Percentage of configuration vulnerabilities detected"
    severity: "medium"

  # False positive rate for unreachable findings
  unreachable_false_positives:
    max: 0.05
    description: "Rate of false positives for unreachable findings"
    severity: "high"

  # Reachability underreport rate: missed reachable findings
  reachability_underreport:
    max: 0.10
    description: "Rate of reachable findings incorrectly marked unreachable"
    severity: "critical"

  # Overall precision across all classes
  overall_precision:
    min: 0.90
    description: "Overall precision across all vulnerability classes"
    severity: "high"

  # F1 score threshold
  f1_score_min:
    min: 0.90
    description: "Minimum F1 score across vulnerability classes"
    severity: "high"

# Class-specific thresholds
class_thresholds:
  runtime_dep:
    recall_min: 0.95
    precision_min: 0.92
    f1_min: 0.93

  os_pkg:
    recall_min: 0.97
    precision_min: 0.95
    f1_min: 0.96

  code:
    recall_min: 0.90
    precision_min: 0.88
    f1_min: 0.89

  config:
    recall_min: 0.85
    precision_min: 0.80
    f1_min: 0.82

# Regression detection settings
regression:
  # Maximum allowed regression from baseline (percentage points)
  max_recall_regression: 0.02
  max_precision_regression: 0.03
  
  # Path to baseline metrics file
  baseline_path: "bench/baselines/reachability-baseline.json"
  
  # How many consecutive failures before blocking
  failure_threshold: 2

# Override configuration
overrides:
  # Allow temporary bypass for specific PR labels
  bypass_labels:
    - "quality-gate-override"
    - "wip"
  
  # Require explicit approval from these teams
  required_approvers:
    - "platform"
    - "reachability"