compliance-framework · jonathandavies-CS · Sep 16, 2025 · Sep 12, 2025 · Sep 15, 2025 · Sep 15, 2025
diff --git a/examples/dismissed.json b/examples/dismissed.json
diff --git a/examples/full.json b/examples/full.json
diff --git a/examples/redacted.json b/examples/redacted.json
diff --git a/policies/critical_vulnerabilities.rego b/policies/critical_vulnerabilities.rego
diff --git a/policies/critical_vulnerabilities_count/critical_vulnerabilities_count.rego b/policies/critical_vulnerabilities_count/critical_vulnerabilities_count.rego
@@ -0,0 +1,21 @@
+package critical_vulnerabilities_count
+
+import future.keywords.in
+
+violation[{}] if {
+	# Build a set of alerts that are open and with a critical severity.
+	open_alerts := [alert |
+		some alert in input.alerts
+		alert.state == "open"
+		alert.security_vulnerability.severity == "critical"
+	]
+
+	# If there are 2 or more such alerts, then deny.
+	count(open_alerts) >= 2
+}
+
+title := "Limit amount of critical vulnerabilities"
+description := `
+Critical severity vulnerabilities should be kept within
+ reasonable limits to avoid a wide footprint of risk
+`
diff --git a/policies/critical_vulnerabilities_count/critical_vulnerabilities_count_test.rego b/policies/critical_vulnerabilities_count/critical_vulnerabilities_count_test.rego
@@ -0,0 +1,23 @@
+package critical_vulnerabilities_count_test
+
+import data.critical_vulnerabilities_count
+
+test_too_many_critical_vulnerabilities_fail if {
+	count(critical_vulnerabilities_count.violation) == 1 with input as {"alerts": [
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "critical"},
+		},
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "critical"},
+		},
+	]}
+}
+
+test_few_critical_vulnerabilities_pass if {
+	count(critical_vulnerabilities_count.violation) == 0 with input as [{
+		"state": "open",
+		"security_vulnerability": {"severity": "medium"},
+	}]
+}
diff --git a/policies/critical_vulnerabilities_dismissal/critical_vulnerabilities_dismissal.rego b/policies/critical_vulnerabilities_dismissal/critical_vulnerabilities_dismissal.rego
@@ -0,0 +1,20 @@
+package critical_vulnerabilities_dismissal
+
+import data.utils.time_ext
+
+violation[{}] if {
+	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
+	seven_days_ago := working_day_now_ns - (7 * time_ext.one_day_ns)
+
+	# Check there exists 1 or more critical alerts that have been open for more than 5 working days.
+	some alert in input.alerts
+
+	alert.state == "open"
+	alert.security_vulnerability.severity == "critical"
+	time.parse_rfc3339_ns(alert.created_at) < seven_days_ago
+}
+
+title := "Limit amount of critical vulnerabilities within 5 working days"
+description := `
+Critical severity vulnerabilities should dealth with within
+ five working days to avoid a wide footprint of risk`
diff --git a/policies/critical_vulnerabilities_dismissal/critical_vulnerabilities_dismissal_test.rego b/policies/critical_vulnerabilities_dismissal/critical_vulnerabilities_dismissal_test.rego
@@ -0,0 +1,83 @@
+package critical_vulnerabilities_dismissal_test
+
+import data.critical_vulnerabilities_dismissal
+
+test_over_five_days_violation if {
+	now := time.parse_rfc3339_ns("2025-06-20T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-06-03T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_one_day_ok if {
+	now := time.parse_rfc3339_ns("2025-06-04T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-06-03T09:00:00Z", # one week earlier
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_five_days_over_weekend_ok if {
+	now := time.parse_rfc3339_ns("2025-09-22T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-15T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_just_more_than_five_days_violation if {
+	now := time.parse_rfc3339_ns("2025-09-22T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-15T08:59:59Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_ok if {
+	now := time.parse_rfc3339_ns("2025-09-29T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-260T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_marginal_ok if {
+	now := time.parse_rfc3339_ns("2025-09-27T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-21T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_violation if {
+	now := time.parse_rfc3339_ns("2025-09-27T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-18T09:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
+
+test_alert_over_weekend_marginal_violation if {
+	now := time.parse_rfc3339_ns("2025-09-27T09:00:00Z")
+	count(critical_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-19T06:00:00Z",
+		"security_vulnerability": {"severity": "critical"},
+	}]}
+		with time.now_ns as now
+}
diff --git a/policies/critical_vulnerabilities_test.rego b/policies/critical_vulnerabilities_test.rego
diff --git a/policies/high_vulnerabilities_dismissal/high_vulnerabilities_dismissal.rego b/policies/high_vulnerabilities_dismissal/high_vulnerabilities_dismissal.rego
@@ -0,0 +1,19 @@
+package high_vulnerabilities_dismissal
+
+import data.utils.time_ext
+
+violation[{}] if {
+	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
+	two_weeks_ago := working_day_now_ns - (14 * time_ext.one_day_ns)
+
+	some alert in input.alerts
+	alert.state == "open"
+	alert.security_vulnerability.severity == "high"
+	time.parse_rfc3339_ns(alert.created_at) < two_weeks_ago
+}
+
+title := "Limit amount of 'high' vulnerabilities that have not been dismissed within 10 working days"
+description := `
+'High' severity vulnerabilities should be dismissed within two weeks (10 working days)
+ to avoid a wide footprint of risk
+`
diff --git a/policies/high_vulnerabilities_dismissal/high_vulnerabilities_dismissal_test.rego b/policies/high_vulnerabilities_dismissal/high_vulnerabilities_dismissal_test.rego
@@ -0,0 +1,43 @@
+package high_vulnerabilities_dismissal_test
+
+import data.high_vulnerabilities_dismissal
+
+test_over_two_weeks_violation if {
+	now := time.parse_rfc3339_ns("2025-06-20T09:00:00Z")
+	count(high_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-06-03T09:00:00Z",
+		"security_vulnerability": {"severity": "high"},
+	}]}
+		with time.now_ns as now
+}
+
+test_one_day_ok if {
+	now := time.parse_rfc3339_ns("2025-06-04T09:00:00Z")
+	count(high_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-06-03T09:00:00Z", # one week earlier
+		"security_vulnerability": {"severity": "high"},
+	}]}
+		with time.now_ns as now
+}
+
+test_two_weeks_over_weekend_ok if {
+	now := time.parse_rfc3339_ns("2025-09-22T09:00:00Z")
+	count(high_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-08T09:00:00Z",
+		"security_vulnerability": {"severity": "high"},
+	}]}
+		with time.now_ns as now
+}
+
+test_just_more_than_two_weeks_violation if {
+	now := time.parse_rfc3339_ns("2025-09-22T09:00:00Z")
+	count(high_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-09-08T08:59:59Z",
+		"security_vulnerability": {"severity": "high"},
+	}]}
+		with time.now_ns as now
+}
diff --git a/policies/low_vulnerabilities_dismissal/low_vulnerabilities_dismissal.rego b/policies/low_vulnerabilities_dismissal/low_vulnerabilities_dismissal.rego
@@ -0,0 +1,20 @@
+package low_vulnerabilities_dismissal
+
+import data.utils.time_ext
+
+violation[{}] if {
+	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
+	three_months_ago := working_day_now_ns - (84 * time_ext.one_day_ns)
+
+	# Check there exists a low alert that has been open for more than 5 working days.
+	some alert in input.alerts
+	alert.state == "open"
+	alert.security_vulnerability.severity == "low"
+	time.parse_rfc3339_ns(alert.created_at) < three_months_ago
+}
+
+title := "Limit amount of 'low' vulnerabilities that have not been dismissed within three months"
+description := `
+'Low' severity vulnerabilities should be dismissed within three months (60 working days)
+ to avoid a wide footprint of risk
+`
diff --git a/policies/low_vulnerabilities_dismissal/low_vulnerabilities_dismissal_test.rego b/policies/low_vulnerabilities_dismissal/low_vulnerabilities_dismissal_test.rego
@@ -0,0 +1,24 @@
+package low_vulnerabilities_dismissal_test
+
+import data.low_vulnerabilities_dismissal
+
+test_over_three_months_violation if {
+	now := time.parse_rfc3339_ns("2025-06-20T09:00:00Z")
+	count(low_vulnerabilities_dismissal.violation) == 1 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-03-19T09:00:00Z",
+		"security_vulnerability": {"severity": "low"},
+	}]}
+		with time.now_ns as now
+}
+
+test_one_month_ok if {
+	now := time.parse_rfc3339_ns("2025-06-20T09:00:00Z")
+
+	count(low_vulnerabilities_dismissal.violation) == 0 with input as {"alerts": [{
+		"state": "open",
+		"created_at": "2025-05-20T09:00:00Z",
+		"security_vulnerability": {"severity": "low"},
+	}]}
+		with time.now_ns as now
+}
diff --git a/policies/medium_vulnerabilities.rego b/policies/medium_vulnerabilities.rego
diff --git a/policies/medium_vulnerabilities_count/medium_vulnerabilities_count.rego b/policies/medium_vulnerabilities_count/medium_vulnerabilities_count.rego
@@ -0,0 +1,18 @@
+package medium_vulnerabilities_count
+
+import future.keywords.in
+
+violation[{}] if {
+	# Build a set of alerts that are open and with a medium severity.
+	open_alerts := [alert |
+		some alert in input.alerts
+		alert.state == "open"
+		alert.security_vulnerability.severity == "medium"
+	]
+
+	count(open_alerts) >= 5
+}
+
+title := "Limit amount of medium vulnerabilities"
+description := `Medium severity vulnerabilities should be kept within 
+ 				reasonable limits to avoid a wide footprint of risk`
diff --git a/policies/medium_vulnerabilities_count/medium_vulnerabilities_count_test.rego b/policies/medium_vulnerabilities_count/medium_vulnerabilities_count_test.rego
@@ -0,0 +1,35 @@
+package medium_vulnerabilities_count_test
+
+import data.medium_vulnerabilities_count
+
+test_too_many_medium_vulnerabilities_fail if {
+	count(medium_vulnerabilities_count.violation) == 1 with input as {"alerts": [
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "medium"},
+		},
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "medium"},
+		},
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "medium"},
+		},
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "medium"},
+		},
+		{
+			"state": "open",
+			"security_vulnerability": {"severity": "medium"},
+		}, 
+	]}
+}
+
+test_few_medium_vulnerabilities_pass if {
+	count(medium_vulnerabilities_count.violation) == 0 with input as [{
+		"state": "open",
+		"security_vulnerability": {"severity": "medium"},
+	}]
+}
diff --git a/policies/medium_vulnerabilities_dismissal/medium_vulnerabilities_dismissal.rego b/policies/medium_vulnerabilities_dismissal/medium_vulnerabilities_dismissal.rego
@@ -0,0 +1,20 @@
+package medium_vulnerabilities_dismissal
+
+import data.utils.time_ext
+
+violation[{}] if {
+	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
+	one_month_ago := working_day_now_ns - (28 * time_ext.one_day_ns)
+
+	# Check there exists a medium alert that has been open for more than a month
+	some alert in input.alerts
+	alert.state == "open"
+	alert.security_vulnerability.severity == "medium"
+	time.parse_rfc3339_ns(alert.created_at) < one_month_ago
+}
+
+title := "Limit amount of 'medium' vulnerabilities that have not been dismissed within one month"
+description := `
+'Medium' severity vulnerabilities should be dismissed within one month (20 working days)
+ to avoid a wide footprint of risk
+`