# CVE Severity Policy # Enforces CVE severity thresholds package audit.cve # Critical and High vulnerabilities are not allowed in production deny[msg] { input.environment == "production" vuln := input.vulnerabilities[_] vuln.severity in ["critical", "high"] msg = sprintf("Production deployment blocked: %s vulnerability in %s (%s)", [vuln.severity, vuln.package, vuln.cve_id]) } # Medium vulnerabilities must have a fix plan deny[msg] { vuln := input.vulnerabilities[_] vuln.severity == "medium" not vuln.remediation_plan msg = sprintf("Medium severity %s in %s requires remediation plan", [vuln.cve_id, vuln.package]) } # All vulnerabilities must have been reviewed deny[msg] { vuln := input.vulnerabilities[_] vuln.reviewed_by == "" msg = sprintf("Vulnerability %s not reviewed by security team", [vuln.cve_id]) } # Track vulnerability count vul_count[count] { count := count({v | v := input.vulnerabilities[_]}) }