git.stella-ops.org/src/Policy/StellaOps.PolicyDsl/SecretSignalContextExtensions.cs
StellaOps Bot f7d27c6fda feat(secrets): Implement secret leak policies and signal binding
- Added `spl-secret-block@1.json` to block deployments with critical or high severity secret findings.
- Introduced `spl-secret-warn@1.json` to warn on secret findings without blocking deployments.
- Created `SecretSignalBinder.cs` to bind secret evidence to policy evaluation signals.
- Developed unit tests for `SecretEvidenceContext` and `SecretSignalBinder` to ensure correct functionality.
- Enhanced `SecretSignalContextExtensions` to integrate secret evidence into signal contexts.
2026-01-04 15:44:49 +02:00


// -----------------------------------------------------------------------------
// SecretSignalContextExtensions.cs
// Sprint: SPRINT_20260104_004_POLICY (Secret DSL Integration)
// Task: PSD-008 - Register predicates in PolicyDslRegistry (via signal context)
// -----------------------------------------------------------------------------
using StellaOps.Policy.Secrets;
namespace StellaOps.PolicyDsl;
/// <summary>
/// Extension methods for integrating secret evidence with PolicyDsl SignalContext.
/// </summary>
public static class SecretSignalContextExtensions
{
    /// <summary>
    /// Name of the composite signal under which the secret evidence is exposed as a
    /// nested object, so policies can use member access such as <c>secret.severity.high</c>.
    /// </summary>
    private const string NestedSignalName = "secret";

    /// <summary>
    /// Binds secret evidence onto an existing <see cref="SignalContext"/>.
    /// </summary>
    /// <remarks>
    /// The flat signals produced by <see cref="SecretSignalBinder.BindToSignals"/> are applied
    /// first, then the nested object from <see cref="SecretSignalBinder.BindToNestedObject"/>.
    /// Every <c>SetSignal</c> call overwrites unconditionally: the nested object wins over any
    /// flat signal that shares its name, and both replace pre-existing signals of the same name.
    /// NOTE(review): the binder is assumed to emit only finding metadata (severity buckets,
    /// counts) and never the secret material itself — confirm against the binder, since signal
    /// values may surface in policy evaluation output.
    /// </remarks>
    /// <param name="context">The signal context to populate.</param>
    /// <param name="evidenceContext">The secret evidence to bind.</param>
    /// <returns><paramref name="context"/>, for chaining.</returns>
    /// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
    public static SignalContext WithSecretEvidence(
        this SignalContext context,
        SecretEvidenceContext evidenceContext)
    {
        ArgumentNullException.ThrowIfNull(context);
        ArgumentNullException.ThrowIfNull(evidenceContext);

        foreach (var (signalName, signalValue) in SecretSignalBinder.BindToSignals(evidenceContext))
        {
            context.SetSignal(signalName, signalValue);
        }

        // Nested object goes in last so it is authoritative for member-access paths.
        context.SetSignal(NestedSignalName, SecretSignalBinder.BindToNestedObject(evidenceContext));
        return context;
    }

    /// <summary>
    /// Binds secret evidence onto a <see cref="SignalContextBuilder"/>.
    /// </summary>
    /// <remarks>
    /// Same binding order as the <see cref="SignalContext"/> overload: flat signals first,
    /// then the nested <c>secret</c> object. Later <c>WithSignal</c> calls on the builder
    /// for the same names will replace what is added here.
    /// </remarks>
    /// <param name="builder">The builder to populate.</param>
    /// <param name="evidenceContext">The secret evidence to bind.</param>
    /// <returns><paramref name="builder"/>, for chaining.</returns>
    /// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
    public static SignalContextBuilder WithSecretEvidence(
        this SignalContextBuilder builder,
        SecretEvidenceContext evidenceContext)
    {
        ArgumentNullException.ThrowIfNull(builder);
        ArgumentNullException.ThrowIfNull(evidenceContext);

        foreach (var (signalName, signalValue) in SecretSignalBinder.BindToSignals(evidenceContext))
        {
            builder.WithSignal(signalName, signalValue);
        }

        // Nested object goes in last so it is authoritative for member-access paths.
        builder.WithSignal(NestedSignalName, SecretSignalBinder.BindToNestedObject(evidenceContext));
        return builder;
    }

    /// <summary>
    /// Wraps <paramref name="provider"/> in a new <see cref="SecretEvidenceContext"/> and binds it
    /// onto the builder; see the <see cref="SecretEvidenceContext"/> overload for the binding rules.
    /// </summary>
    /// <param name="builder">The builder to populate.</param>
    /// <param name="provider">The provider supplying secret evidence.</param>
    /// <returns><paramref name="builder"/>, for chaining.</returns>
    /// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
    public static SignalContextBuilder WithSecretEvidence(
        this SignalContextBuilder builder,
        ISecretEvidenceProvider provider)
    {
        ArgumentNullException.ThrowIfNull(builder);
        ArgumentNullException.ThrowIfNull(provider);

        return builder.WithSecretEvidence(new SecretEvidenceContext(provider));
    }

    /// <summary>
    /// Creates a fresh builder that already carries the secret signals for
    /// <paramref name="evidenceContext"/>.
    /// </summary>
    /// <param name="evidenceContext">The secret evidence to bind.</param>
    /// <returns>A new builder with secret signals applied.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="evidenceContext"/> is <see langword="null"/> (thrown by the binding overload).
    /// </exception>
    public static SignalContextBuilder CreateBuilderWithSecrets(SecretEvidenceContext evidenceContext)
        => SignalContext.Builder().WithSecretEvidence(evidenceContext);

    /// <summary>
    /// Creates a fully built <see cref="SignalContext"/> carrying the secret signals for
    /// <paramref name="evidenceContext"/>.
    /// </summary>
    /// <param name="evidenceContext">The secret evidence to bind.</param>
    /// <returns>A new signal context with secret signals applied.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="evidenceContext"/> is <see langword="null"/> (thrown by the binding overload).
    /// </exception>
    public static SignalContext CreateContextWithSecrets(SecretEvidenceContext evidenceContext)
        => CreateBuilderWithSecrets(evidenceContext).Build();
}