git.stella-ops.org/docs/features/unchecked/cli/vex-gated-policy-decisions.md

# VEX-gated policy decisions (gate decision with decision hash)

**Module:** Cli

**Status:** IMPLEMENTED

## Description

VEX gate service and policy evaluator for blocking/allowing based on VEX status, with CLI command support and a UI gate summary panel. Evaluates findings against policy rules based on vendor status, exploitability, reachability, compensating controls, and severity levels.

## Implementation Details

- Command Group: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- `VexGateScanCommandGroup` (static class)
  - Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service (T026, T027)
  - Uses Spectre.Console for rich table output
  - Calls Scanner API: `api/v1/vex-gate/policy` and `api/v1/scans/{scanId}/gate-results`
- Commands:
  - `stella scan gate-policy show [--tenant <id>] [--output table|json|yaml]` -- display the current VEX gate policy including rules, priorities, and conditions
  - `stella scan gate-results --scan-id <id> [--decision Pass|Warn|Block] [--output table|json] [--limit <n>]` -- get VEX gate results for a scan, optionally filtered by decision
- DTOs:
  - `VexGatePolicyDto` (PolicyId, Version, DefaultDecision, Rules)
  - `VexGatePolicyRuleDto` (RuleId, Priority, Decision, Condition)
  - `VexGatePolicyConditionDto` (VendorStatus, IsExploitable, IsReachable, HasCompensatingControl, SeverityLevels)
  - `VexGateResultsDto` (ScanId, Summary, GatedFindings)
  - `VexGateSummaryDto` (TotalFindings, Passed, Warned, Blocked, EvaluatedAt)
  - `GatedFindingDto` (FindingId, Cve, Purl, Decision, Rationale, PolicyRuleMatched, Evidence)
- Decision Types: Pass (green), Warn (yellow), Block (red)
- Output Formats: Table with Spectre.Console styling, JSON, YAML
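The following is an added illustration of how a gate evaluator shaped like the DTOs above can turn a policy and a list of findings into gate results; it is not StellaOps code and does not reproduce the real evaluator. The condition matching rule (an unset field is a wildcard, rules are tried in ascending priority, first match wins, otherwise the policy's default decision applies), the field names, the sample policy, the sample findings and the CVE/purl values are all constructed for this example.

```python
"""Illustrative VEX gate policy evaluator (added example, not StellaOps code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    """Mirrors VexGatePolicyConditionDto. A None field means 'do not care' (assumption)."""
    vendor_status: Optional[str] = None
    is_exploitable: Optional[bool] = None
    is_reachable: Optional[bool] = None
    has_compensating_control: Optional[bool] = None
    severity_levels: Optional[FrozenSet[str]] = None

    def matches(self, finding: Dict[str, Any]) -> bool:
        scalar_checks = [
            (self.vendor_status, finding["vendor_status"]),
            (self.is_exploitable, finding["is_exploitable"]),
            (self.is_reachable, finding["is_reachable"]),
            (self.has_compensating_control, finding["has_compensating_control"]),
        ]
        if any(want is not None and want != got for want, got in scalar_checks):
            return False
        if self.severity_levels is not None and finding["severity"] not in self.severity_levels:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    """Mirrors VexGatePolicyRuleDto. Lower priority number is evaluated first (assumption)."""
    rule_id: str
    priority: int
    decision: str  # "Pass" | "Warn" | "Block"
    condition: Condition


@dataclass(frozen=True)
class Policy:
    """Mirrors VexGatePolicyDto."""
    policy_id: str
    version: str
    default_decision: str
    rules: Tuple[Rule, ...]


EVIDENCE_KEYS = ("vendor_status", "is_exploitable", "is_reachable",
                 "has_compensating_control", "severity")


def gate_finding(policy: Policy, finding: Dict[str, Any]) -> Dict[str, Any]:
    """Produce a GatedFindingDto-shaped record for one finding."""
    record = {"finding_id": finding["finding_id"], "cve": finding["cve"], "purl": finding["purl"],
              "evidence": {k: finding[k] for k in EVIDENCE_KEYS}}
    for rule in sorted(policy.rules, key=lambda r: r.priority):
        if rule.condition.matches(finding):
            record.update(decision=rule.decision, policy_rule_matched=rule.rule_id,
                          rationale=f"matched rule {rule.rule_id} (priority {rule.priority})")
            return record
    # No rule matched: fall back to the policy's default decision.
    record.update(decision=policy.default_decision, policy_rule_matched=None,
                  rationale="no rule matched; default decision applied")
    return record


def evaluate_scan(policy: Policy, scan_id: str, findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Produce a VexGateResultsDto-shaped result with a VexGateSummaryDto-shaped summary."""
    gated = [gate_finding(policy, f) for f in findings]
    decisions = [g["decision"] for g in gated]
    summary = {"total_findings": len(gated), "passed": decisions.count("Pass"),
               "warned": decisions.count("Warn"), "blocked": decisions.count("Block"),
               "evaluated_at": datetime.now(timezone.utc).isoformat()}
    return {"scan_id": scan_id, "summary": summary, "gated_findings": gated}


def filter_results(results: Dict[str, Any], decision: Optional[str] = None,
                   limit: Optional[int] = None) -> List[Dict[str, Any]]:
    """Apply the --decision and --limit semantics of `stella scan gate-results` to a result set."""
    items = results["gated_findings"]
    if decision is not None:
        items = [g for g in items if g["decision"] == decision]
    if limit is not None:
        items = items[:limit]
    return items


# Constructed sample policy: allow vendor 'not_affected', block reachable exploitable
# critical/high findings, warn when an exploitable finding has a compensating control.
SAMPLE_POLICY = Policy(
    policy_id="policy-example", version="1", default_decision="Pass",
    rules=(
        Rule("allow-not-affected", 10, "Pass", Condition(vendor_status="not_affected")),
        Rule("block-reachable-exploit", 20, "Block",
             Condition(is_exploitable=True, is_reachable=True,
                       severity_levels=frozenset({"critical", "high"}))),
        Rule("warn-mitigated-exploit", 30, "Warn",
             Condition(is_exploitable=True, has_compensating_control=True)),
    ),
)

# Constructed sample findings (placeholder CVE ids and purls, not real advisories).
SAMPLE_FINDINGS = [
    dict(finding_id="f-1", cve="CVE-0000-0001", purl="pkg:npm/example-a@1.0.0", vendor_status="not_affected",
         is_exploitable=True, is_reachable=True, has_compensating_control=False, severity="critical"),
    dict(finding_id="f-2", cve="CVE-0000-0002", purl="pkg:npm/example-b@2.0.0", vendor_status="affected",
         is_exploitable=True, is_reachable=True, has_compensating_control=False, severity="critical"),
    dict(finding_id="f-3", cve="CVE-0000-0003", purl="pkg:npm/example-c@3.0.0", vendor_status="affected",
         is_exploitable=True, is_reachable=False, has_compensating_control=True, severity="high"),
    dict(finding_id="f-4", cve="CVE-0000-0004", purl="pkg:npm/example-d@4.0.0", vendor_status="affected",
         is_exploitable=False, is_reachable=False, has_compensating_control=False, severity="low"),
]

if __name__ == "__main__":
    results = evaluate_scan(SAMPLE_POLICY, "scan-example", SAMPLE_FINDINGS)
    print(results["summary"])
    for g in filter_results(results, decision="Block"):
        print(g["finding_id"], g["cve"], g["decision"], g["rationale"])
```

With the sample data the summary reads total 4, passed 2, warned 1, blocked 1: f-1 passes on the `not_affected` rule even though it is exploitable and reachable, because that rule has the lower priority number; f-4 matches no rule and receives the policy default. The priority order is the security-relevant part of such a policy, since swapping the first two rules would make the vendor's status override a reachable critical exploit.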

## E2E Test Plan

- Run `stella scan gate-policy show` and verify the policy table with Policy ID, Version, Default Decision, Rules Count
- Run `stella scan gate-policy show --output json` and verify valid JSON with policy rules
- Run `stella scan gate-policy show --output yaml` and verify YAML output with rule hierarchy
- Run `stella scan gate-policy show --tenant <id>` and verify tenant-specific policy
- Run `stella scan gate-results --scan-id <id>` and verify the summary table (Total, Passed, Warned, Blocked) and findings table
- Run `stella scan gate-results --scan-id <id> --decision Block` and verify only blocked findings are shown
- Run `stella scan gate-results --scan-id <id> --output json` and verify JSON with `gateSummary` and `gatedFindings`
- Run `stella scan gate-results --scan-id <id> --limit 5` and verify at most 5 findings
- Verify a 404 response for an unknown scan ID returns a warning, not an error
- Verify exit code 0 on success, 1 on API error