stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/policy/exception-recheck-build-gate.md

2.8 KiB
Raw Blame History

Exception Recheck Build Gate

Module

Policy

Status

IMPLEMENTED

Description

CI/CD build gate that evaluates recheck policies for all active exceptions on an artifact before deployment. Fails the pipeline if any Block-action conditions are triggered (e.g., EPSS exceeds threshold, KEV flagged). Returns warnings for non-blocking conditions.

Implementation Details

  • ExceptionRecheckGate: src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs (sealed class implements IBuildGate)
    • GateName: "exception-recheck", Priority: 100
    • EvaluateAsync(BuildGateContext) evaluates all active exceptions for the artifact
    • Uses IExceptionEvaluator to find matching exceptions, then IRecheckEvaluationService to evaluate recheck conditions
    • Aggregates blockers (Block, Revoke, RequireReapproval actions) and warnings (Warn action)
    • Returns BuildGateResult with Passed=false if any blockers exist; Passed=true otherwise
    • Message includes blocker details: "Recheck policy blocking: {details}"
  • IBuildGate interface: defined in same file
    • GateName (string), Priority (int), EvaluateAsync(BuildGateContext, CancellationToken)
  • BuildGateContext: record with ArtifactDigest, Environment, Branch, PipelineId, TenantId, EvaluatedAt, and all recheck signal fields (ReachGraphChanged, EpssScore, CvssScore, UnknownsCount, NewCveInPackage, KevFlagged, VexStatusChanged, PackageVersionChanged)
  • BuildGateResult: record with Passed, GateName, Message, Blockers (ImmutableArray<string>), Warnings (ImmutableArray<string>)
  • RecheckEvaluationService: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs -- evaluates recheck conditions (see exception-recheck-policy-system feature)

E2E Test Plan

  • Create exception with RecheckPolicy containing EPSSAbove=0.80 (Block action); set EpssScore=0.85 in BuildGateContext; verify EvaluateAsync returns Passed=false with blocker message mentioning EPSS
  • Create exception with RecheckPolicy containing KEVFlagged (Block action); set KevFlagged=true; verify gate returns Passed=false
  • Create exception with no RecheckPolicy; verify gate returns Passed=true with message "All exception recheck policies satisfied"
  • Create exception with RecheckPolicy containing CVSSAbove=9.0 (Warn action); set CvssScore=9.5; verify gate returns Passed=true with 1 warning
  • Create 2 exceptions: one with Block condition triggered, one with Warn condition triggered; verify gate returns Passed=false with 1 blocker and 1 warning
  • Create exception with environment-scoped condition (prod only); evaluate in staging; verify condition does not trigger
  • Create exception with RequireReapproval action triggered; verify it is classified as a blocker (not a warning)
  • Verify gate includes exception ID in blocker/warning messages for traceability