provisioning-platform/prov-ecosystem/crates/audit/policies/cve_severity.rego

33 lines
971 B
Rego
Raw Normal View History

# CVE Severity Policy
# Enforces CVE severity thresholds
package audit.cve
# Critical and High vulnerabilities are not allowed in production
deny[msg] {
input.environment == "production"
vuln := input.vulnerabilities[_]
vuln.severity in ["critical", "high"]
msg = sprintf("Production deployment blocked: %s vulnerability in %s (%s)", [vuln.severity, vuln.package, vuln.cve_id])
}
# Medium vulnerabilities must have a fix plan
deny[msg] {
vuln := input.vulnerabilities[_]
vuln.severity == "medium"
not vuln.remediation_plan
msg = sprintf("Medium severity %s in %s requires remediation plan", [vuln.cve_id, vuln.package])
}
# All vulnerabilities must have been reviewed
deny[msg] {
vuln := input.vulnerabilities[_]
vuln.reviewed_by == ""
msg = sprintf("Vulnerability %s not reviewed by security team", [vuln.cve_id])
}
# Track vulnerability count
vul_count[count] {
count := count({v | v := input.vulnerabilities[_]})
}