7f7eb8b228
Sprints completed: - SPRINT_20260110_012_* (golden set diff layer - 10 sprints) - SPRINT_20260110_013_* (advisory chat - 4 sprints) Build fixes applied: - Fix namespace conflicts with Microsoft.Extensions.Options.Options.Create - Fix VexDecisionReachabilityIntegrationTests API drift (major rewrite) - Fix VexSchemaValidationTests FluentAssertions method name - Fix FixChainGateIntegrationTests ambiguous type references - Fix AdvisoryAI test files required properties and namespace aliases - Add stub types for CveMappingController (ICveSymbolMappingService) - Fix VerdictBuilderService static context issue Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Risk Engine
Risk scoring runtime with pluggable providers and explainability.
Purpose
RiskEngine computes deterministic, explainable risk scores for vulnerabilities by aggregating signals from multiple data sources (EPSS, CVSS, KEV, VEX, reachability). It produces audit trails and explainability payloads for every scoring decision.
Quick Links
- Architecture - Technical design and implementation details
- Guides - Scoring configuration guides
- Samples - Risk profile examples
Status
| Attribute | Value |
|---|---|
| Maturity | Production |
| Last Reviewed | 2025-12-29 |
| Maintainer | Policy Guild |
Key Features
- Pluggable Providers: EPSS, CVSS+KEV, VEX status, fix availability providers
- Deterministic Scoring: Same inputs produce identical scores
- Explainability: Audit trails for every scoring decision
- Offline Support: Air-gapped operation via factor bundles
Dependencies
Upstream (this module depends on)
- Concelier - CVSS, KEV data
- Excititor - VEX status data
- Signals - Reachability data
- Authority - Authentication
Downstream (modules that depend on this)
- Policy Engine - Consumes risk scores for policy evaluation
Configuration
risk_engine:
providers:
- epss
- cvss_kev
- vex_gate
- fix_exposure
cache_ttl_minutes: 60
Notes
RiskEngine does not make PASS/FAIL decisions. It provides scores to the Policy Engine which makes enforcement decisions.