| checkId | plugin | severity | tags |
|---|---|---|---|
| check.verification.policy.engine | stellaops.doctor.verification | fail | |
# Policy Engine Evaluation

## What It Checks

Requires the verification plugin plus a configured test artifact. In offline mode it looks for policy results inside the exported bundle. In online mode it validates `Policy:Engine:Enabled`, a policy reference, and `Policy:VexAware`.

The check fails when the policy engine is disabled, warns when no policy reference is configured or when VEX-aware evaluation is off, and passes when the prerequisites are present.
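As an added example (not Doctor's own code), the online-mode pass/warn/fail rule described above, applied to the same `Policy__*` and `Doctor__*` keys the Compose snippet under How to Fix sets. The double-underscore-to-colon key mapping and the fallback from the default policy ref to the PolicyTest ref are assumptions, not documented Doctor behaviour.

```python
# Added example, not StellaOps code: models the online-mode decision rule for
# check.verification.policy.engine over a flat configuration mapping.
from dataclasses import dataclass, field
from typing import Dict, List

CHECK_ID = "check.verification.policy.engine"


@dataclass
class CheckResult:
    check_id: str
    severity: str  # "pass" | "warn" | "fail"
    messages: List[str] = field(default_factory=list)


def env_to_config(env: Dict[str, str]) -> Dict[str, str]:
    """Assumed mapping: Policy__Engine__Enabled -> Policy:Engine:Enabled."""
    return {k.replace("__", ":"): v for k, v in env.items()}


def _truthy(value) -> bool:
    return (value or "").strip().lower() in {"true", "1", "yes"}


def evaluate_policy_engine(config: Dict[str, str]) -> CheckResult:
    """fail if the engine is disabled; warn on a missing policy reference or
    VEX-aware evaluation off; pass when every prerequisite is present."""
    if not _truthy(config.get("Policy:Engine:Enabled")):
        return CheckResult(CHECK_ID, "fail", ["Policy:Engine:Enabled is false"])
    warnings: List[str] = []
    # Assumption: the test policy ref is accepted when no default ref is set.
    policy_ref = (config.get("Policy:DefaultPolicyRef")
                  or config.get("Doctor:Plugins:Verification:PolicyTest:PolicyRef"))
    if not policy_ref:
        warnings.append("no default or test policy reference configured")
    if not _truthy(config.get("Policy:VexAware")):
        warnings.append("Policy:VexAware is false; VEX justifications are ignored")
    if warnings:
        return CheckResult(CHECK_ID, "warn", warnings)
    return CheckResult(CHECK_ID, "pass", [f"policy engine enabled, ref {policy_ref}"])


# Constructed sample: the environment block from the Compose snippet on this page.
COMPOSE_ENV = {
    "Policy__Engine__Enabled": "true",
    "Policy__DefaultPolicyRef": "policy://default/release-gate",
    "Policy__VexAware": "true",
    "Doctor__Plugins__Verification__PolicyTest__PolicyRef": "policy://default/release-gate",
}

if __name__ == "__main__":
    result = evaluate_policy_engine(env_to_config(COMPOSE_ENV))
    print(result.severity, "; ".join(result.messages))
```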
## Why It Matters

Release verification is only trustworthy if the same policy engine and VEX rules used in production can be exercised by Doctor.
## Common Causes

- `Policy__Engine__Enabled` is false
- No default or test policy reference is configured
- Policy rules were not updated to account for VEX justifications
## How to Fix

### Docker Compose

```yaml
services:
  doctor-web:
    environment:
      Policy__Engine__Enabled: "true"
      Policy__DefaultPolicyRef: policy://default/release-gate
      Policy__VexAware: "true"
      Doctor__Plugins__Verification__PolicyTest__PolicyRef: policy://default/release-gate
```

If you use offline verification, export the bundle with policy data included before copying it into the air-gapped environment.
### Bare Metal / systemd

Keep the Doctor policy reference aligned with the policy engine configuration used by release orchestration.

### Kubernetes / Helm

Store the policy ref in ConfigMaps and enforce the same value across the policy engine and Doctor service.
## Verification

```bash
stella doctor --check check.verification.policy.engine
```
## Related Checks

- `check.verification.vex.validation` - VEX-aware policy only helps if VEX collection works
- `check.verification.sbom.validation` - policy evaluation usually consumes SBOM and vulnerability evidence