- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations.
- Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof.
- Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration.
- Added verification steps for auditors to validate promotion attestations offline.

feat: Create Symbol Manifest v1 Specification

- Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps.
- Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance.
- Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation.
- Included security considerations and related tasks for implementation.

chore: Add Ruby Analyzer with Git Sources

- Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem.
- Implemented main application logic to utilize the defined gems and output their versions.
- Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities.
- Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations.

test: Add tests for Ruby Analyzer

- Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output.
- Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.
policy "Baseline Production Policy" syntax "stella-dsl@1" {
metadata {
description = "Block critical, escalate high, enforce VEX justifications."
tags = ["baseline","production"]
}
profile severity {
map vendor_weight {
source "GHSA" => +0.5
source "OSV" => +0.0
source "VendorX" => -0.2
}
env exposure_adjustments {
if env.exposure == "internet" then +0.5
if env.runtime == "legacy" then +0.3
}
}
rule block_critical priority 5 {
when severity.normalized >= "Critical"
then status := "blocked"
because "Critical severity must be remediated before deploy."
}
rule escalate_high_internet {
when severity.normalized == "High"
and env.exposure == "internet"
then escalate to severity_band("Critical")
because "High severity on internet-exposed asset escalates to critical."
}
rule require_vex_justification {
when vex.any(status in ["not_affected","fixed"])
and vex.justification in ["component_not_present","vulnerable_code_not_present"]
then status := vex.status
annotate winning_statement := vex.latest().statementId
because "Respect strong vendor VEX claims."
}
rule alert_warn_eol_runtime priority 1 {
when severity.normalized <= "Medium"
and sbom.has_tag("runtime:eol")
then warn message "Runtime marked as EOL; upgrade recommended."
because "Deprecated runtime should be upgraded."
}
rule block_ruby_dev priority 4 {
when sbom.any_component(ruby.group("development") and ruby.declared_only())
then status := "blocked"
because "Development-only Ruby gems without install evidence cannot ship."
}
rule warn_ruby_git_sources {
when sbom.any_component(ruby.source("git"))
then warn message "Git-sourced Ruby gem present; review required."
because "Git-sourced Ruby dependencies require explicit review."
}
}