git.stella-ops.org/docs/modules/policy/recheck-policy.md
StellaOps Bot dfaa2079aa test
2025-12-22 09:56:20 +02:00

Recheck Policy Reference

Overview

A Recheck Policy defines conditions that trigger automatic re-evaluation of an exception. When conditions are met, the exception may be flagged for review, require re-approval, or be automatically revoked.

Policy Model

```yaml
recheckPolicy:
  policyId: "policy-critical-cves"
  name: "Critical CVE Recheck"
  conditions:
    - type: EPSSAbove
      threshold: 0.5
      action: RequireReapproval
    - type: ReachGraphChange
      action: Block
    - type: KEVFlagged
      action: Block
    - type: ExpiryWithin
      threshold: 7  # days
      action: Warn
  defaultAction: Warn
  isActive: true
```

Condition Types

EPSSAbove

Triggers when the EPSS score exceeds the threshold.

| Parameter | Type | Description |
|---|---|---|
| threshold | decimal | EPSS score threshold (0.0-1.0) |
| action | RecheckAction | Action when triggered |

Example:

```yaml
- type: EPSSAbove
  threshold: 0.5
  action: RequireReapproval
```

CVSSAbove

Triggers when the CVSS score exceeds the threshold.

| Parameter | Type | Description |
|---|---|---|
| threshold | decimal | CVSS score threshold (0.0-10.0) |
| action | RecheckAction | Action when triggered |

ReachGraphChange

Triggers when the reachability graph changes (new paths discovered).

| Parameter | Type | Description |
|---|---|---|
| action | RecheckAction | Action when triggered |

Use case: Exception was based on "unreachable" status; new analysis shows reachability.

UnknownsAbove

Triggers when the number of unknowns exceeds the threshold (the unknown budget).

| Parameter | Type | Description |
|---|---|---|
| threshold | integer | Maximum allowed unknowns |
| action | RecheckAction | Action when triggered |

KEVFlagged

Triggers when the CVE is added to the CISA KEV catalog.

| Parameter | Type | Description |
|---|---|---|
| action | RecheckAction | Action when triggered |

Best practice: always use the Block action for KEV additions.

VEXStatusChange

Triggers when the VEX status changes (e.g., NotAffected → Affected).

| Parameter | Type | Description |
|---|---|---|
| action | RecheckAction | Action when triggered |

NewCVEInPackage

Triggers when a new CVE is discovered in the same package.

| Parameter | Type | Description |
|---|---|---|
| action | RecheckAction | Action when triggered |

ExpiryWithin

Triggers when the exception nears expiry.

| Parameter | Type | Description |
|---|---|---|
| threshold | integer | Days before expiry |
| action | RecheckAction | Action when triggered |

PackageVersionChange

Triggers when the package version changes in the artifact.

| Parameter | Type | Description |
|---|---|---|
| action | RecheckAction | Action when triggered |

Actions

Warn

Logs a warning but allows the exception to remain active.

  • Appears in audit log
  • Visible in exception details
  • Does not block deployment

RequireReapproval

Moves the exception back to "pending" status, requiring re-approval.

  • Notifies original approvers
  • Exception inactive until re-approved
  • Evidence may need updating

Revoke

Automatically revokes the exception.

  • Exception becomes inactive immediately
  • Audit log entry created
  • Notification sent

Block

Fails the build/deployment pipeline.

  • CI/CD gate returns failure
  • Requires manual intervention
  • Most severe action

Environment Scoping

Conditions can be scoped to specific environments:

```yaml
- type: EPSSAbove
  threshold: 0.3
  environmentScope:
    - prod
    - staging
  action: Block
- type: EPSSAbove
  threshold: 0.7
  environmentScope:
    - dev
  action: Warn
```

Evaluation Flow

1. A scan is triggered
2. Get the active exceptions for the artifact
3. For each exception with a recheck policy:
   a. Evaluate each condition
   b. Check the environment scope
   c. Record the triggered conditions
4. Determine the highest-priority action
5. Apply the action (warn/reapproval/revoke/block)
6. Update the exception with the recheck result
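Steps 3 and 4 of this flow, applied to the policy model and environment scoping described above, as an added example that is not StellaOps code. It assumes a policy already parsed into a dict, the action severity order Warn < RequireReapproval < Revoke < Block (the page only states that Block is the most severe), that `defaultAction` covers a triggered condition with no `action`, and constructed flag names for the event-style conditions.

```python
from datetime import date

# Assumed severity order; the page only states that Block is the most severe action.
SEVERITY = {"Warn": 0, "RequireReapproval": 1, "Revoke": 2, "Block": 3}

# Condition types that fire on a boolean event flag in the scan result (flag names constructed).
EVENT_FLAGS = {"KEVFlagged": "kev", "ReachGraphChange": "reach_changed",
               "VEXStatusChange": "vex_changed", "NewCVEInPackage": "new_cve",
               "PackageVersionChange": "version_changed"}

def condition_triggered(cond, finding):
    """True when one recheck condition fires for a finding (a constructed dict)."""
    t = cond["type"]
    if t in ("EPSSAbove", "CVSSAbove"):
        score = finding.get("epss" if t == "EPSSAbove" else "cvss", 0.0)
        return score > cond["threshold"]
    if t == "UnknownsAbove":
        return finding.get("unknowns", 0) > cond["threshold"]
    if t == "ExpiryWithin":
        return (finding["expires"] - finding["today"]).days <= cond["threshold"]
    return bool(finding.get(EVENT_FLAGS[t], False))

def evaluate(policy, finding, environment):
    """Evaluate each condition, honour environmentScope, and return
    (highest-priority action, triggered types); (None, []) if nothing fires."""
    if not policy.get("isActive", True):
        return None, []
    triggered = []
    for cond in policy["conditions"]:
        scope = cond.get("environmentScope")
        if scope and environment not in scope:
            continue  # condition is scoped to other environments
        if condition_triggered(cond, finding):
            triggered.append(cond)
    if not triggered:
        return None, []
    # Assumption: defaultAction applies to a triggered condition that sets no action.
    actions = [c.get("action", policy.get("defaultAction", "Warn")) for c in triggered]
    return max(actions, key=SEVERITY.__getitem__), [c["type"] for c in triggered]

# Constructed policy: the Environment Scoping example plus KEV and expiry conditions.
POLICY = {"policyId": "demo", "isActive": True, "defaultAction": "Warn", "conditions": [
    {"type": "EPSSAbove", "threshold": 0.3, "environmentScope": ["prod", "staging"], "action": "Block"},
    {"type": "EPSSAbove", "threshold": 0.7, "environmentScope": ["dev"], "action": "Warn"},
    {"type": "KEVFlagged", "action": "Block"},
    {"type": "ExpiryWithin", "threshold": 7, "action": "Warn"}]}

# Constructed scan result for one excepted finding: EPSS 0.45, not in KEV, 4 days to expiry.
FINDING = {"epss": 0.45, "kev": False, "today": date(2025, 12, 22), "expires": date(2025, 12, 26)}
```

With this input the same finding yields Block in `prod` (the 0.3 EPSS condition fires) but only Warn in `dev` (only the expiry condition fires), which is the effect environment scoping is meant to produce.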

Build Gate Integration

Recheck policies integrate with build gates:

```yaml
# In CI/CD pipeline
- name: check-exceptions
  uses: stellaops/exception-gate@v1
  with:
    artifact: ${{ env.IMAGE_DIGEST }}
    environment: production
    fail-on: block
```

Best Practices

  1. Start with Warn: begin with warning actions and escalate based on data
  2. KEV = Block: always block on KEV additions
  3. Environment Tiers: apply stricter policies to production
  4. Regular Review: review triggered conditions monthly
  5. Document Rationale: explain threshold choices

Example Policies

High-Security Policy

```yaml
recheckPolicy:
  policyId: "high-security"
  name: "High Security Recheck"
  conditions:
    - type: EPSSAbove
      threshold: 0.3
      action: Block
    - type: CVSSAbove
      threshold: 7.0
      action: RequireReapproval
    - type: KEVFlagged
      action: Block
    - type: ReachGraphChange
      action: Block
    - type: VEXStatusChange
      action: RequireReapproval
  defaultAction: Warn
```

Standard Policy

```yaml
recheckPolicy:
  policyId: "standard"
  name: "Standard Recheck"
  conditions:
    - type: EPSSAbove
      threshold: 0.7
      action: RequireReapproval
    - type: KEVFlagged
      action: Block
    - type: ExpiryWithin
      threshold: 14
      action: Warn
  defaultAction: Warn
```