Reachability-Aware Security as Gate

Module

Cli

VERIFIED

Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.

Gate Command: src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs -- GateCommandGroup for stella gate commands
VEX Gate Scan: src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs -- VEX-gated scan operations
Score Gate: src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs -- score-based gating
Tests: src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScoreGateCommandTests.cs, VexGateCommandTests.cs
Commands:
- stella gate evaluate <digest> -- evaluate all gates for an artifact
- stella gate scan <image> -- scan with gate evaluation
Exit codes: 0=pass, 1=warn, 2=fail/block

Run stella gate evaluate sha256:abc123 and verify gate evaluation with reachability awareness
Verify unreachable CVEs do not trigger gate failures
Verify reachable CVEs with high scores trigger appropriate gate level
Run stella gate scan myregistry/app:v1.0 and verify scan with gate evaluation
Verify exit codes: 0=pass, 1=warn, 2=block
Verify --format json output with gate details

Verified: 2026-02-13T15:30:00Z
Tier 0 (Source): pass -- all referenced source files exist on disk
Tier 1 (Build): pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
Tier 2d (Integration): pass -- targeted integration tests confirm behavioral correctness
Test Project: src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj
Evidence: docs/qa/feature-checks/runs/cli/reachability-aware-security-as-gate/run-001/tier2-integration-check.json