git.stella-ops.org/docs/features/unchecked/policy/signed-vex-override-enforcement-in-policy-engine.md

Signed VEX Override Enforcement in Policy Engine

Module

Policy

Status

IMPLEMENTED

Description

The policy engine requires VEX override attestations to be DSSE-signed and validated (signature verification against a trusted key, with optional Rekor transparency-log inclusion), exposes the `override_signed` and `override_rekor_verified` signals to the policy DSL, and enforces per-key trust levels and signing-key validity periods.

Implementation Details

  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs (implements IVexTrustGate)
    • Evaluates VEX trust, including the signature verification status of the override
    • Returns a VexTrustStatus carrying a TrustScore and a TrustBreakdown (issuer verification, accuracy and freshness components)
    • Applies per-environment thresholds for signature requirements
  • VexTrustGateOptions: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs
    • Production: RequireIssuerVerified=true, MinCompositeScore=0.80, FailureAction=Block
    • Staging: RequireIssuerVerified=true, FailureAction=Warn
    • MissingTrustBehavior: Allow, Warn or Block when no VEX trust data is present
  • TrustLatticeEngine: src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs
    • VEX normalization pipeline accepts DSSE-signed VEX documents
    • Three normalizers: CycloneDX, OpenVEX, CSAF
    • Signed VEX claims receive higher trust scores in ClaimScoreMerger
  • ClaimScoreMerger: src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs
    • Signed claims score higher through specificity and score adjustments
    • A conflict penalty of 0.25 is applied when signed and unsigned claims disagree
  • EvidenceRequirementValidator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs
    • Verifies the DSSE signature on VEX override evidence
    • Validates signed evidence against the trust score threshold
  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • Runs the VEX Trust gate, including the signed override status, as one stage of the multi-gate pipeline

E2E Test Plan

  • Submit DSSE-signed VEX override; verify VexTrustGate passes with high TrustScore
  • Submit unsigned VEX override in production; verify VexTrustGate blocks (RequireIssuerVerified=true)
  • Submit unsigned VEX override in development; verify VexTrustGate passes (RequireIssuerVerified=false)
  • Submit signed VEX with expired signing key; verify trust score reduced or gate blocks
  • Submit signed VEX with Rekor inclusion proof; verify higher trust score than without proof
  • Submit conflicting signed and unsigned VEX claims; verify ClaimScoreMerger applies conflict penalty, signed claim wins
  • Verify VexTrustStatus includes TrustBreakdown with issuer verification status
  • Submit VEX override with trust score below MinCompositeScore; verify gate blocks in production
  • Configure MissingTrustBehavior=Block; submit VEX without trust data; verify gate blocks
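
The gate and merger behaviour described in the Implementation Details, walked through the cases of the E2E Test Plan, as a runnable model. This is an added illustration, not StellaOps code, and it calls none of the project's APIs. Everything the page does not state is an assumption and is marked as such in the code: the weights that combine issuer verification, accuracy and freshness into the composite score, the 30/365-day freshness decay, the Rekor bonus, the signed-claim bonus in the merger (only the 0.25 conflict penalty comes from the page), Staging's MinCompositeScore and the entire Development profile, and the `example-issuer` / `EXAMPLE-VULN-1` sample data, which is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class Action(Enum):
    ALLOW = "Allow"
    WARN = "Warn"
    BLOCK = "Block"

@dataclass(frozen=True)
class VexTrustGateOptions:
    require_issuer_verified: bool
    min_composite_score: float
    failure_action: Action          # applied when a requirement fails
    missing_trust_behavior: Action  # MissingTrustBehavior: applied when no trust data exists

# Production matches the page; Staging's MinCompositeScore and the Development profile are assumed
# (the E2E plan only implies RequireIssuerVerified=false for development).
ENVIRONMENTS = {
    "production":  VexTrustGateOptions(True, 0.80, Action.BLOCK, Action.BLOCK),
    "staging":     VexTrustGateOptions(True, 0.80, Action.WARN, Action.WARN),
    "development": VexTrustGateOptions(False, 0.0, Action.WARN, Action.ALLOW),
}

@dataclass(frozen=True)
class VexOverrideEvidence:   # results of verifying one override; the DSSE/Rekor checks themselves are out of scope
    issuer: str
    dsse_signature_valid: bool   # envelope signature verified against a trusted key
    key_valid_at_signing: bool   # key was inside its validity period when it signed
    rekor_verified: bool         # Rekor inclusion proof verified
    accuracy: float              # 0..1, issuer's historical accuracy
    issued_at: datetime
@dataclass(frozen=True)
class VexTrustStatus:
    issuer_verified: bool
    trust_score: float
    breakdown: dict   # TrustBreakdown: issuer_verification, accuracy and freshness components

def freshness_score(issued_at: datetime, now: datetime) -> float:
    age = (now - issued_at).days  # assumed decay: full credit up to 30 days, linear to zero at 365
    if age <= 30:
        return 1.0
    return 0.0 if age >= 365 else round(1.0 - (age - 30) / 335, 4)

def compute_trust_status(ev: VexOverrideEvidence, now: datetime) -> VexTrustStatus:
    # Verified issuer = valid signature AND key valid at signing time; an expired key zeroes the issuer component.
    issuer_verified = ev.dsse_signature_valid and ev.key_valid_at_signing
    issuer = (0.8 + (0.2 if ev.rekor_verified else 0.0)) if issuer_verified else 0.0  # Rekor bonus assumed
    fresh = freshness_score(ev.issued_at, now)
    composite = round(0.5 * issuer + 0.3 * ev.accuracy + 0.2 * fresh, 4)  # weights assumed
    return VexTrustStatus(issuer_verified, composite, {"issuer_verification": issuer, "accuracy": ev.accuracy, "freshness": fresh})

def evaluate_gate(status: Optional[VexTrustStatus], opts: VexTrustGateOptions) -> tuple:
    # Returns (Action, reason); checks run in order: missing data, issuer verification, composite threshold.
    if status is None:
        return opts.missing_trust_behavior, "no VEX trust data present"
    if opts.require_issuer_verified and not status.issuer_verified:
        return opts.failure_action, "issuer not verified"
    if status.trust_score < opts.min_composite_score:
        return opts.failure_action, f"composite {status.trust_score} below {opts.min_composite_score}"
    return Action.ALLOW, "trusted"

@dataclass(frozen=True)
class VexClaim:
    vuln_id: str
    status: str      # e.g. "not_affected" or "affected"
    signed: bool
    base_score: float

CONFLICT_PENALTY = 0.25  # value stated on the page
SIGNED_BONUS = 0.15      # assumed stand-in for the merger's signed-claim score adjustments

def merge_claims(claims):
    """Score claims for one vulnerability -> (winner, [(score, claim), ...]). Every claim in a
    status conflict takes the penalty; the signed bonus is what lets a signed claim still win."""
    conflict = len({c.status for c in claims}) > 1
    scored = [(round(c.base_score + (SIGNED_BONUS if c.signed else 0.0)
                     - (CONFLICT_PENALTY if conflict else 0.0), 4), c) for c in claims]
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored[0][1], scored

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed fixed clock for the scenarios

def evidence(signed=True, key_valid=True, rekor=False, accuracy=0.9, age_days=10):
    """Constructed sample evidence from a made-up issuer; only the flags vary per scenario."""
    return VexOverrideEvidence("example-issuer", signed, key_valid, rekor, accuracy, NOW - timedelta(days=age_days))

def run_scenarios() -> dict:
    """Walk the gate through the E2E-plan cases; each value is (action name, composite score)."""
    prod, dev = ENVIRONMENTS["production"], ENVIRONMENTS["development"]
    def gate(ev, opts):
        st = compute_trust_status(ev, NOW)
        return evaluate_gate(st, opts)[0].value, st.trust_score
    return {
        "signed_rekor_prod": gate(evidence(rekor=True), prod),
        "signed_no_rekor_prod": gate(evidence(), prod),
        "unsigned_prod": gate(evidence(signed=False), prod),
        "unsigned_dev": gate(evidence(signed=False), dev),
        "expired_key_prod": gate(evidence(key_valid=False), prod),
        "stale_low_accuracy_prod": gate(evidence(accuracy=0.2, age_days=300), prod),
    }
```

Calling `run_scenarios()` yields the per-case gate decision and composite score (a Rekor-backed override scores higher than the same override without a proof, an unsigned or expired-key override is blocked in production but allowed in development, and a stale low-accuracy signed override is blocked on the MinCompositeScore check even though its issuer is verified). `evaluate_gate(None, opts)` exercises MissingTrustBehavior, and `merge_claims` shows the 0.25 conflict penalty leaving the signed claim on top.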