Blocking Policy One-Pager
This one-pager defines what fails the build, what warns, how exceptions are granted, and the evidence we keep. Tune the thresholds to your risk.
Scope
- Applies to builds run via `make ci` and release candidates promoted with `make promote`.
- Local parity: `make` on a laptop mirrors CI behavior; CI is the source of truth for enforcement.
Gates & Thresholds (default)
| Area | Tool / Source | Blocks Build | Warns Only | Notes |
|---|---|---|---|---|
| Secrets | TruffleHog | Verified credentials | Heuristics/unverified | Verified = provider-validated or high-confidence match |
| SAST | Semgrep (curated) | High/Critical in curated ruleset | Others | Curated rules maintained by Security to keep noise low |
| Dockerfile | Hadolint | All findings | Style & safety hints; fix in PRs | |
| IaC | Checkov | Privileged, runAsRoot, no seccomp, no probes, writable root FS | Others | Fails on high-risk K8s misconfig |
| SCA (images) | Trivy | Critical, High (if fix available) | Unfixed High, Medium/Low | Unfixed tracked separately; see Exceptions |
| Licenses | License scan | DISALLOWED (once tuned) | WARN initially | Start WARN → ENFORCE after review |
| SBOM presence | Syft | Missing SBOM | – | SBOM required for RCs |
| DAST (baseline) | ZAP | WARN | Non-blocking in baseline mode | |
| Admission readiness | Kyverno | Deny bad; Verify images | – | Enforced in cluster; CI checks can lint manifests |
Adjust “Blocks Build” cells as you ratchet. Start permissive, then move to enforce over 4–6 weeks.
Enforcement Matrix
| Pipeline Stage | Secrets | SAST | IaC | SCA | Licenses | SBOM | Notes |
|---|---|---|---|---|---|---|---|
| Local (dev) | Warn | Warn | Warn | Warn | Warn | Required for RC | Keep speed; show parity |
| PR / CI | Block (verified) | Block (curated H/C) | Block (high-risk) | Block (Crit; High if fix) | Warn (then Block) | Required | PR is the contract |
| Release Candidate | Block | Block | Block | Block | Block | Required | Evidence ZIP archived |
Exceptions
- Use the Exception Register (time-boxed, with expiry & rationale).
- Scope narrowly (service/component); require a remediation plan.
- Security approves; Ops implements any compensating control.
- Expired exceptions auto-revert to Block.
SLAs (apply after merge)
- Critical ≤ 7 days · High ≤ 30 days · Medium ≤ 90 days · Low best-effort.
- SLA clock starts when the finding is triaged & assigned.
Evidence
- Store all scanner outputs and policy logs under `./artifacts/` and in the Evidence ZIP per build.
- Keep at least the last 10 Evidence ZIPs for audit.
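One way to carry out the Evidence bullets above, as an added example (not the page's own tooling and not any scanner's CLI): it zips everything under `./artifacts/` together with a SHA-256 manifest so a ZIP can later be checked for tampering, and prunes the archive directory down to the last 10 builds. The `./evidence/` directory, the `evidence-<build-id>.zip` name and the `manifest.json` member are assumptions; the `demo()` function runs the whole flow in a temporary directory with constructed stand-in artifacts.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Added example: assumed layout is scanner output under ./artifacts/ and
# Evidence ZIPs under ./evidence/ named evidence-<build-id>.zip, each carrying
# a manifest.json of SHA-256 digests for its members.
KEEP_LAST = 10  # policy: keep at least the last 10 Evidence ZIPs for audit


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (artifacts such as SBOMs can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_evidence_zip(artifacts: Path, out_dir: Path, build_id: str) -> Path:
    """Zip every file under artifacts/ plus a manifest.json of their digests."""
    out_dir.mkdir(parents=True, exist_ok=True)
    target = out_dir / f"evidence-{build_id}.zip"
    manifest = {}
    with zipfile.ZipFile(target, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for f in sorted(p for p in artifacts.rglob("*") if p.is_file()):
            rel = f.relative_to(artifacts).as_posix()
            manifest[rel] = sha256_file(f)
            zf.write(f, arcname=rel)
        zf.writestr("manifest.json", json.dumps(
            {"build_id": build_id, "files": manifest}, indent=2, sort_keys=True))
    return target


def verify_evidence_zip(path: Path) -> bool:
    """Re-hash members against manifest.json; False if any member is missing, extra or altered."""
    with zipfile.ZipFile(path) as zf:
        manifest = json.loads(zf.read("manifest.json"))["files"]
        members = set(zf.namelist()) - {"manifest.json"}
        if members != set(manifest):
            return False
        return all(hashlib.sha256(zf.read(name)).hexdigest() == digest
                   for name, digest in manifest.items())


def prune_evidence(out_dir: Path, keep: int = KEEP_LAST) -> list:
    """Delete all but the newest `keep` Evidence ZIPs; returns the removed paths."""
    zips = sorted(out_dir.glob("evidence-*.zip"),
                  key=lambda p: (p.stat().st_mtime, p.name), reverse=True)
    removed = zips[keep:]
    for p in removed:
        p.unlink()
    return removed


def demo() -> dict:
    """Self-contained run: 12 builds, integrity check, one tampered copy, prune to KEEP_LAST."""
    root = Path(tempfile.mkdtemp())
    artifacts = root / "artifacts"
    artifacts.mkdir()
    (artifacts / "trivy-image.json").write_text('{"Results": []}')  # constructed stand-ins
    (artifacts / "semgrep.json").write_text('{"results": []}')
    zips = [build_evidence_zip(artifacts, root / "evidence", f"{n:04d}") for n in range(1, 13)]
    all_ok = all(verify_evidence_zip(z) for z in zips)
    # Copy the first ZIP but alter one member: the manifest digest no longer matches.
    tampered = root / "evidence" / "tampered-copy.zip"
    with zipfile.ZipFile(zips[0]) as src, zipfile.ZipFile(tampered, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            dst.writestr(name, data if name != "semgrep.json" else b'{"results": ["edited"]}')
    removed = prune_evidence(root / "evidence")
    return {"all_verified": all_ok,
            "tampered_detected": not verify_evidence_zip(tampered),
            "removed": sorted(p.name for p in removed),
            "remaining": len(list((root / "evidence").glob("evidence-*.zip")))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest makes the ZIP self-checking, but it only detects accidental or casual alteration; for audit-grade evidence the ZIP (or its manifest digest) should also be written to storage the build pipeline cannot rewrite.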
Command Examples (reference)
CI should call `make` targets; samples below show intent.
Trivy: fail on CRITICAL (and HIGH if fix available)
```bash
docker run --rm \
  -v "$PWD":/workspace \
  -v "$PWD/.trivy-db":/root/.cache/trivy \
  -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest \
  image --ignore-unfixed --severity HIGH,CRITICAL \
  --exit-code 1 --format json \
  -o /workspace/artifacts/trivy-image.json "$IMAGE"
# Note: --ignore-unfixed also drops unfixed CRITICAL findings. If unfixed
# CRITICALs must block (as the Gates table states), run a second pass with
# --severity CRITICAL and without --ignore-unfixed.
```
Semgrep: curated ruleset, JSON output (CI enforces exit code)
```bash
docker run --rm -v "$PWD":/src returntocorp/semgrep semgrep \
  --config p/owasp-top-ten --config /src/tools/semgrep \
  --json -o /src/artifacts/semgrep.json /src/app
# CI: fail if curated High/Critical present (read severities from the JSON;
# semgrep's own --error flag would fail on every finding, not just curated ones)
```
Checkov: K8s directory scan (JSON to artifacts)
```bash
docker run --rm -v "$PWD":/work -w /work bridgecrew/checkov \
  -d infra -o json > artifacts/checkov.json
# checkov exits non-zero when any check fails; CI maps the high-risk checks
# (privileged, runAsRoot, no seccomp, no probes, writable root FS) to Block
```
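The decision logic that the Gates table, the Exceptions list and the `# CI: fail if curated High/Critical present` comment describe, as an added example (not the page's own tooling, and not part of Trivy or Semgrep). It reads the JSON the two commands above write, applies the default "Blocks Build" thresholds, and honours a time-boxed Exception Register whose expired entries revert to Block. Assumptions: the Trivy JSON shape is `Results[].Vulnerabilities[]` with `VulnerabilityID`, `Severity` and `FixedVersion`; the Semgrep JSON shape is `results[].check_id` and `results[].extra.severity` (`ERROR`/`WARNING`/`INFO`, mapped here to High/Medium/Low because Semgrep has no Critical level); rules loaded from `/src/tools/semgrep` get a `check_id` starting with `tools.semgrep.` (how Semgrep names local rules, assumed here to identify the curated set); and the register is a JSON list of `{key, scope, expires, rationale}` entries. All sample values are constructed.

```python
import json
from dataclasses import dataclass
from datetime import date

# Added gate evaluator (example, not the page's own tooling). Inputs: Trivy JSON
# from `trivy image --format json`, Semgrep JSON from `semgrep --json`, and an
# Exception Register assumed to be a list of {key, scope, expires, rationale}.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}  # assumed mapping
CURATED_PREFIX = "tools.semgrep."  # assumed: local rules from /src/tools/semgrep get this prefix


@dataclass(frozen=True)
class Finding:
    source: str    # "trivy" | "semgrep"
    key: str       # CVE id or semgrep check_id: what the Exception Register matches on
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW
    fixed: bool    # Trivy: a FixedVersion exists; Semgrep: always True (code is fixable)
    curated: bool  # Semgrep: from the Security-curated ruleset; Trivy: not applicable (True)
    where: str


def trivy_findings(report: dict) -> list:
    """Flatten Trivy's Results[].Vulnerabilities[] into Findings."""
    found = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            found.append(Finding("trivy", v["VulnerabilityID"], v["Severity"].upper(),
                                 bool(v.get("FixedVersion")), True,
                                 f"{result.get('Target', '?')}:{v.get('PkgName', '?')}"))
    return found


def semgrep_findings(report: dict) -> list:
    """Flatten Semgrep's results[] (extra.severity is ERROR/WARNING/INFO) into Findings."""
    found = []
    for r in report.get("results", []):
        sev = SEMGREP_SEVERITY.get(r["extra"]["severity"].upper(), "LOW")
        found.append(Finding("semgrep", r["check_id"], sev, True,
                             r["check_id"].startswith(CURATED_PREFIX),
                             f"{r['path']}:{r['start']['line']}"))
    return found


def blocks(f: Finding) -> bool:
    """Default 'Blocks Build' thresholds from the Gates table."""
    if f.source == "trivy":
        return f.severity == "CRITICAL" or (f.severity == "HIGH" and f.fixed)
    return f.curated and f.severity in ("CRITICAL", "HIGH")


def active_exceptions(register: list, scope: str, today: str):
    """Keys still excepted for this scope, and keys whose exception has expired."""
    today_d = date.fromisoformat(today)
    live, expired = set(), []
    for e in register:
        if e["scope"] != scope:
            continue  # scoped narrowly: an exception for another component does not apply
        if date.fromisoformat(e["expires"]) < today_d:
            expired.append(e["key"])  # expired exceptions auto-revert to Block
        else:
            live.add(e["key"])
    return live, expired


def evaluate(trivy: dict, semgrep: dict, register: list, scope: str,
             today: str, stage: str = "ci") -> dict:
    """stage 'local' reports what CI would block but never fails (local parity); 'ci' enforces."""
    live, expired = active_exceptions(register, scope, today)
    verdict = {"block": [], "warn": [], "excepted": [], "expired_exceptions": sorted(expired)}
    for f in trivy_findings(trivy) + semgrep_findings(semgrep):
        if not blocks(f):
            verdict["warn"].append(f.key)
        elif f.key in live:
            verdict["excepted"].append(f.key)
        else:
            verdict["block"].append(f.key)
    verdict["exit_code"] = 1 if verdict["block"] and stage != "local" else 0
    return verdict


# Constructed sample inputs: shapes follow real Trivy/Semgrep output, every value is made up.
SAMPLE_TRIVY = {"Results": [{"Target": "app:latest (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libx", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "liby", "Severity": "HIGH", "FixedVersion": "2.0"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libz", "Severity": "HIGH"},
]}]}
SAMPLE_SEMGREP = {"results": [
    {"check_id": "tools.semgrep.no-shell-true", "path": "app/run.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR"}},
    {"check_id": "python.lang.security.audit.eval", "path": "app/x.py",
     "start": {"line": 3}, "extra": {"severity": "ERROR"}},
]}
SAMPLE_REGISTER = [
    {"key": "CVE-0000-0001", "scope": "app", "expires": "2030-01-01", "rationale": "not reachable; vendor fix pending"},
    {"key": "CVE-0000-0002", "scope": "app", "expires": "2020-01-01", "rationale": "expired: reverts to Block"},
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_TRIVY, SAMPLE_SEMGREP, SAMPLE_REGISTER, "app", "2025-06-01"), indent=2))
```

With the sample data the unfixed CRITICAL is excepted, the fixable HIGH blocks because its exception has expired, the unfixed HIGH only warns, and the curated Semgrep `ERROR` blocks while the registry rule only warns; running with `stage="local"` prints the same verdict but exits 0, which is the "local parity" behaviour from the Scope section.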
Ownership (mini-RACI)
- Security (A): sets thresholds, curates rules, approves exceptions.
- Dev (R): fixes findings in owned code; proposes RBAC/NetPol changes.
- Ops (R): enforces admission policies, manages keys & base images, archives evidence.
Effective Date & Review
- Policy effective: ____________
- Review cadence: monthly (ratchet), quarterly (policy).
- Approved by: Security ___ · Platform/Ops ___ · Engineering ___