Merge pull request #3 from compliance-framework/feat/add-more-alert-checks

BCH 1033: More alert checks for vulnerabilities.

Author: jonathandavies-CS

examples/dismissed.json

@@ -0,0 +1,21 @@
+package critical_vulnerabilities_count
+
+import future.keywords.in
+
+violation[{}] if {
+	# Build a set of alerts that are open and with a critical severity.
+	open_alerts := [alert |
+		some alert in input.alerts
+		alert.state == "open"
+		alert.security_vulnerability.severity == "critical"
+	]
+
+	# If there are 2 or more such alerts, then deny.
+	count(open_alerts) >= 2
+}
+
+title := "Limit amount of critical vulnerabilities"
+description := `
+Critical severity vulnerabilities should be kept within
+ reasonable limits to avoid a wide footprint of risk
+`

examples/full.json

@@ -0,0 +1,23 @@
+package critical_vulnerabilities_count_test
+
+import data.critical_vulnerabilities_count
+
+test_too_many_critical_vulnerabilities_fail if {
+	count(critical_vulnerabilities_count.violation) == 1 with input as {"alerts": [
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "critical"},
+		},
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "critical"},
+		},
+	]}
+}
+
+test_few_critical_vulnerabilities_pass if {
+	count(critical_vulnerabilities_count.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"security_vulnerability": {"severity": "medium"},
+	}]}
+}

examples/redacted.json

@@ -0,0 +1,20 @@
+package critical_vulnerabilities_dismissal
+
+import data.utils.time_ext
+
+violation[{}] if {
+	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
+	seven_days_ago := working_day_now_ns - (7 * time_ext.one_day_ns)
+
+	# Check there exists 1 or more critical alerts that have been open for more than 5 working days.
+	some alert in input.alerts
+
+	alert.state == "open"
+	alert.security_vulnerability.severity == "critical"
+	time.parse_rfc3339_ns(alert.created_at) < seven_days_ago
+}
+
+title := "Limit amount of critical vulnerabilities within 5 working days"
+description := `
+Critical severity vulnerabilities should be dealt with within
+ five working days to avoid a wide footprint of risk`

policies/critical_vulnerabilities.rego

@@ -0,0 +1,83 @@
+package critical_vulnerabilities_dismissal_test
+
+import data.critical_vulnerabilities_dismissal
+
+test_over_five_days_violation if {
+	now := time.parse_rfc3339_ns("2025-06-20T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-06-03T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_one_day_ok if {
+	now := time.parse_rfc3339_ns("2025-06-04T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-06-03T09:00:00Z", # one week earlier
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_five_days_over_weekend_ok if {
+	now := time.parse_rfc3339_ns("2025-09-22T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-15T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_just_more_than_five_days_violation if {
+	now := time.parse_rfc3339_ns("2025-09-22T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-15T08:59:59Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_ok if {
+	now := time.parse_rfc3339_ns("2025-09-29T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-26T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_marginal_ok if {
+	now := time.parse_rfc3339_ns("2025-09-27T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-21T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_violation if {
+	now := time.parse_rfc3339_ns("2025-09-27T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-18T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_marginal_violation if {
+	now := time.parse_rfc3339_ns("2025-09-27T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-19T06:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}

policies/critical_vulnerabilities_count/critical_vulnerabilities_count.rego

@@ -0,0 +1,19 @@
+package high_vulnerabilities_dismissal
+
+import data.utils.time_ext
+
+violation[{}] if {
+	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
+	two_weeks_ago := working_day_now_ns - (14 * time_ext.one_day_ns)
+
+	some alert in input.alerts
+	alert.state == "open"
+	alert.security_vulnerability.severity == "high"
+	time.parse_rfc3339_ns(alert.created_at) < two_weeks_ago
+}
+
+title := "Limit amount of 'high' vulnerabilities that have not been dismissed within 10 working days"
+description := `
+'High' severity vulnerabilities should be dismissed within two weeks (10 working days)
+ to avoid a wide footprint of risk
+`