32 lines
971 B
Rego
32 lines
971 B
Rego
# CVE Severity Policy
|
|
# Enforces CVE severity thresholds
|
|
|
|
package audit.cve
|
|
|
|
# Critical and High vulnerabilities are not allowed in production
|
|
deny[msg] {
|
|
input.environment == "production"
|
|
vuln := input.vulnerabilities[_]
|
|
vuln.severity in ["critical", "high"]
|
|
msg = sprintf("Production deployment blocked: %s vulnerability in %s (%s)", [vuln.severity, vuln.package, vuln.cve_id])
|
|
}
|
|
|
|
# Medium vulnerabilities must have a fix plan
|
|
deny[msg] {
|
|
vuln := input.vulnerabilities[_]
|
|
vuln.severity == "medium"
|
|
not vuln.remediation_plan
|
|
msg = sprintf("Medium severity %s in %s requires remediation plan", [vuln.cve_id, vuln.package])
|
|
}
|
|
|
|
# All vulnerabilities must have been reviewed
|
|
deny[msg] {
|
|
vuln := input.vulnerabilities[_]
|
|
vuln.reviewed_by == ""
|
|
msg = sprintf("Vulnerability %s not reviewed by security team", [vuln.cve_id])
|
|
}
|
|
|
|
# Track vulnerability count
|
|
vul_count[count] {
|
|
count := count({v | v := input.vulnerabilities[_]})
|
|
}
|