stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
c2c6b58b416bc36020cc9d593f44c75e7401fbb7
git.stella-ops.org/docs/examples/policies/baseline.md
master c2c6b58b41 feat: Add Promotion-Time Attestations for Stella Ops 
- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations.
- Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof.
- Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration.
- Added verification steps for auditors to validate promotion attestations offline.

feat: Create Symbol Manifest v1 Specification

- Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps.
- Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance.
- Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation.
- Included security considerations and related tasks for implementation.

chore: Add Ruby Analyzer with Git Sources

- Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem.
- Implemented main application logic to utilize the defined gems and output their versions.
- Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities.
- Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations.

test: Add tests for Ruby Analyzer

- Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output.
- Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.
2025-11-11 15:30:22 +02:00

3.5 KiB
Raw Blame History

Baseline Policy Example (baseline.stella)

This sample policy provides a balanced default for production workloads: block critical findings, require strong VEX justifications to suppress advisories, and warn on deprecated runtimes. Use it as a starting point for tenants that want guardrails without excessive noise.

policy "Baseline Production Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Block critical, escalate high, enforce VEX justifications."
    tags = ["baseline","production"]
  }

  profile severity {
    map vendor_weight {
      source "GHSA" => +0.5
      source "OSV" => +0.0
      source "VendorX" => -0.2
    }
    env exposure_adjustments {
      if env.exposure == "internet" then +0.5
      if env.runtime == "legacy" then +0.3
    }
  }

  rule block_critical priority 5 {
    when severity.normalized >= "Critical"
    then status := "blocked"
    because "Critical severity must be remediated before deploy."
  }

  rule escalate_high_internet {
    when severity.normalized == "High"
         and env.exposure == "internet"
    then escalate to severity_band("Critical")
    because "High severity on internet-exposed asset escalates to critical."
  }

  rule require_vex_justification {
    when vex.any(status in ["not_affected","fixed"])
         and vex.justification in ["component_not_present","vulnerable_code_not_present"]
    then status := vex.status
         annotate winning_statement := vex.latest().statementId
    because "Respect strong vendor VEX claims."
  }

  rule alert_warn_eol_runtime priority 1 {
    when severity.normalized <= "Medium"
         and sbom.has_tag("runtime:eol")
    then warn message "Runtime marked as EOL; upgrade recommended."
    because "Deprecated runtime should be upgraded."
  }

  rule block_ruby_dev priority 4 {
    when sbom.any_component(ruby.group("development") and ruby.declared_only())
    then status := "blocked"
    because "Development-only Ruby gems without install evidence cannot ship."
  }

  rule warn_ruby_git_sources {
    when sbom.any_component(ruby.source("git"))
    then warn message "Git-sourced Ruby gem present; review required."
    because "Git-sourced Ruby dependencies require explicit review."
  }
}

Commentary

  • Severity profile tightens vendor weights and applies exposure modifiers so internet-facing/high severity pairs escalate automatically.
  • VEX rule only honours strong justifications, preventing weaker claims from hiding issues.
  • Warnings first The alert_warn_eol_runtime rule name ensures it sorts before the require-VEX rule, keeping alerts visible without flipping to RequiresVex.
  • Ruby supply-chain guardrails enforce Bundler groups and provenance: development-only gems without install evidence are blocked and git-sourced gems trigger review warnings.
  • Works well as shared tenant-global baseline; use tenant overrides for stricter tolerant environments.

Try it out

stella policy new --policy-id P-baseline --template blank --open
stella policy lint examples/policies/baseline.stella
stella policy simulate P-baseline --candidate 1 --sbom sbom:sample-prod

Compliance checklist

  • Policy compiled via stella policy lint without diagnostics.
  • Simulation diff reviewed against golden SBOM set.
  • Approval note documents rationale before promoting to production.
  • EOL runtime tags kept up to date in SBOM metadata.
  • VEX vendor allow-list reviewed quarterly.

Last updated: 2025-11-10.