git.stella-ops.org/docs/features/unchecked/scanner/vex-first-gating-service.md

VEX-First Gating Service (Pre-Triage Filter)

Module: Scanner

Status: IMPLEMENTED

Description

Pre-triage VEX gating service that filters vulnerability findings before they reach the triage queue. Each finding receives a gate decision (Pass, Warn or Block) from four default rules: block-exploitable-reachable, warn-high-not-reachable, pass-vendor-not-affected and pass-backport-confirmed. The service also includes a caching observation provider, performance benchmarks, a scan pipeline stage integration, a bypass for emergency scans, and audit logging of gate decisions.

Implementation Details

  • VEX Gate Service:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs - VexGateService pre-triage filter evaluating VEX gate rules and producing Pass/Warn/Block decisions
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/IVexGateService.cs - Interface for VEX gate operations
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateResult.cs - VexGateResult capturing gate decision with rule match details
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateDecision.cs - VexGateDecision enum (Pass, Warn, Block)
  • Policy Evaluation:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs - VexGatePolicyEvaluator evaluating the 4 default rules against findings
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicy.cs - VexGatePolicy defining gate rules (block-exploitable-reachable, warn-high-not-reachable, pass-vendor-not-affected, pass-backport-confirmed)
  • Caching Observation Provider:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/CachingVexObservationProvider.cs - CachingVexObservationProvider caching VEX observation lookups for performance
  • Configuration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateOptions.cs - VexGateOptions configuration including emergency bypass settings
  • Excititor Adapter:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateExcititorAdapter.cs - Adapter integrating with the Excititor VEX feed service
  • Audit Logging:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateAuditLogger.cs - VexGateAuditLogger logging all gate decisions for audit trail
  • Pipeline Integration:
    • src/Scanner/StellaOps.Scanner.Worker/Processing/VexGateStageExecutor.cs - VexGateStageExecutor scan pipeline stage executing VEX gate evaluation
  • WebService:
    • src/Scanner/StellaOps.Scanner.WebService/Controllers/VexGateController.cs - VexGateController REST API for gate queries and overrides
    • src/Scanner/StellaOps.Scanner.WebService/Services/VexGateQueryService.cs - Service for querying gate decisions
    • src/Scanner/StellaOps.Scanner.WebService/Contracts/VexGateContracts.cs - API contracts
  • DI Registration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateServiceCollectionExtensions.cs - DI registration for gate services
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.Gate.Tests/VexGateServiceTests.cs - VEX gate service unit tests
    • src/Scanner/__Tests/StellaOps.Scanner.Gate.Tests/VexGatePolicyEvaluatorTests.cs - Policy evaluator tests
    • src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/VexGateEndpointsTests.cs - API endpoint tests
    • src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/VexGateStageExecutorTests.cs - Pipeline stage tests

E2E Test Plan

  • Submit a finding with exploitable-reachable status and verify the gate blocks it (block-exploitable-reachable rule)
  • Submit a high-severity finding that is not reachable and verify the gate warns (warn-high-not-reachable rule)
  • Submit a finding with vendor VEX "not_affected" and verify the gate passes it (pass-vendor-not-affected rule)
  • Submit a finding with confirmed backport and verify the gate passes it (pass-backport-confirmed rule)
  • Verify emergency scan bypass correctly skips gate evaluation when configured
  • Verify that CachingVexObservationProvider caches VEX lookups and that performance stays within the benchmarked thresholds
  • Verify audit logging captures all gate decisions with rule match details and timestamps
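The following is an added, standalone Python model of the gate described in the Description and exercised by the E2E Test Plan above. It is not StellaOps code (the project is C#), and every name in it (Finding, GateRule, CachingObservationProvider, VexGate, GateResult, run_e2e_plan) is an assumption made for this example, as are the exact predicates behind the four default rules, the "most restrictive decision wins" conflict resolution, the fail-closed Warn default for unmatched findings, and the choice to audit bypassed evaluations. The sample VEX feed and CVE/purl identifiers are constructed placeholders.

```python
# Standalone model of a VEX-first pre-triage gate (added example, not StellaOps code; all names and rule predicates are assumptions).
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Callable, Optional

class GateDecision(IntEnum):
    """Ordered so that max() over matching rules yields the most restrictive decision."""
    PASS = 0
    WARN = 1
    BLOCK = 2

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    purl: str                  # affected package as a package URL
    severity: str              # "low" | "medium" | "high" | "critical"
    exploitable: bool          # a public exploit is known
    reachable: Optional[bool]  # reachability analysis result; None = not analysed
    backport_confirmed: bool = False

@dataclass(frozen=True)
class GateRule:
    name: str
    decision: GateDecision
    matches: Callable[[Finding, Optional[str]], bool]  # args: finding, vendor VEX status (None = no statement)

# The four default rules named on the page; predicates are assumptions ("critical" counts as high-or-above).
DEFAULT_RULES = (
    GateRule("block-exploitable-reachable", GateDecision.BLOCK,
             lambda f, vex: f.exploitable and f.reachable is True),
    GateRule("warn-high-not-reachable", GateDecision.WARN,
             lambda f, vex: f.severity in ("high", "critical") and f.reachable is False),
    GateRule("pass-vendor-not-affected", GateDecision.PASS, lambda f, vex: vex == "not_affected"),
    GateRule("pass-backport-confirmed", GateDecision.PASS, lambda f, vex: f.backport_confirmed),
)

class CachingObservationProvider:
    """Memoises VEX lookups per (vuln_id, purl); counts backend hits so caching is verifiable."""
    def __init__(self, backend: Callable[[str, str], Optional[str]]):
        self._backend, self._cache, self.backend_calls = backend, {}, 0

    def lookup(self, vuln_id: str, purl: str) -> Optional[str]:
        key = (vuln_id, purl)
        if key not in self._cache:  # membership test, so a cached "no statement" (None) is not re-fetched
            self.backend_calls += 1
            self._cache[key] = self._backend(vuln_id, purl)
        return self._cache[key]

@dataclass(frozen=True)
class GateResult:
    vuln_id: str
    decision: GateDecision
    matched_rules: tuple
    bypassed: bool

class VexGate:
    def __init__(self, provider, rules=DEFAULT_RULES, emergency_bypass=False,
                 default_decision=GateDecision.WARN):  # fail closed: an unmatched finding still reaches triage
        self.provider, self.rules, self.emergency_bypass = provider, rules, emergency_bypass
        self.default_decision, self.audit_log = default_decision, []

    def evaluate(self, finding: Finding) -> GateResult:
        if self.emergency_bypass:
            # Bypass skips the VEX lookup and all rules but is still audited, so an emergency
            # scan never passes the gate unrecorded (assumption about the project's behaviour).
            result = GateResult(finding.vuln_id, GateDecision.PASS, (), bypassed=True)
        else:
            vex = self.provider.lookup(finding.vuln_id, finding.purl)
            matched = [r for r in self.rules if r.matches(finding, vex)]
            # Conflict resolution (assumption): the most restrictive matching decision wins, so a vendor
            # "not_affected" statement cannot cancel a Block on an exploitable, reachable finding.
            decision = max((r.decision for r in matched), default=self.default_decision)
            result = GateResult(finding.vuln_id, decision, tuple(r.name for r in matched), bypassed=False)
        self.audit_log.append({"vuln_id": result.vuln_id, "decision": result.decision.name,
                               "rules": list(result.matched_rules), "bypassed": result.bypassed,
                               "at": datetime.now(timezone.utc).isoformat()})
        return result

# Constructed sample VEX feed standing in for the Excititor feed; identifiers are placeholders.
SAMPLE_VEX = {("CVE-0000-0003", "pkg:npm/foo@1.0"): "not_affected",
              ("CVE-0000-0005", "pkg:npm/quux@5.0"): "not_affected"}

def run_e2e_plan(emergency_bypass: bool = False):
    """Runs the page's E2E cases plus a rule conflict and an unmatched finding; returns the evidence."""
    provider = CachingObservationProvider(lambda v, p: SAMPLE_VEX.get((v, p)))
    gate = VexGate(provider, emergency_bypass=emergency_bypass)
    findings = [
        Finding("CVE-0000-0001", "pkg:npm/bar@2.0", "medium", exploitable=True, reachable=True),
        Finding("CVE-0000-0002", "pkg:npm/baz@3.0", "high", exploitable=False, reachable=False),
        Finding("CVE-0000-0003", "pkg:npm/foo@1.0", "high", exploitable=False, reachable=None),
        Finding("CVE-0000-0004", "pkg:npm/qux@4.0", "critical", exploitable=False, reachable=None, backport_confirmed=True),
        Finding("CVE-0000-0005", "pkg:npm/quux@5.0", "high", exploitable=True, reachable=True),  # rule conflict
        Finding("CVE-0000-0006", "pkg:npm/corge@6.0", "low", exploitable=False, reachable=None),  # no rule matches
    ]
    results = {f.vuln_id: gate.evaluate(f) for f in findings}
    gate.evaluate(findings[2])  # second evaluation of the same key must be served from the cache
    return results, provider, gate
```

Calling run_e2e_plan() returns the per-finding results, the provider (whose backend_calls stays at six after seven evaluations, proving the cache hit) and the gate (whose audit_log holds one entry per evaluation); run_e2e_plan(emergency_bypass=True) yields only bypassed Pass results with zero backend lookups but still seven audit entries. The two cases beyond the page's plan show why rule precedence matters: a finding that is both exploitable-reachable and vendor-not-affected must still Block, and a finding no rule describes should land in triage rather than silently pass.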