311 lines
10 KiB
JSON
311 lines
10 KiB
JSON
{
|
|
"schema_version": "package_supply_chain_owner_policy_gate_v1",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"mode": "repo_snapshot_policy_gate_no_install_no_network_no_cve_scan",
|
|
"generated_at": "2026-06-15T07:05:00+08:00",
|
|
"baseline_ref": "docs/security/package-supply-chain-baseline.snapshot.json",
|
|
"baseline_git_commit": "1ab85f51",
|
|
"summary": {
|
|
"baseline_gap_count": 5,
|
|
"owner_policy_request_count": 6,
|
|
"c0_policy_request_count": 2,
|
|
"write_capable_policy_request_count": 6,
|
|
"required_owner_field_count": 8,
|
|
"reviewer_check_count": 12,
|
|
"blocked_action_count": 20,
|
|
"owner_policy_request_sent_count": 0,
|
|
"owner_response_received_count": 0,
|
|
"owner_response_accepted_count": 0,
|
|
"owner_response_rejected_count": 0,
|
|
"runtime_gate_count": 0,
|
|
"action_button_count": 0
|
|
},
|
|
"baseline_gaps": [
|
|
"python_lockfile_absent",
|
|
"docker_base_images_not_all_digest_pinned",
|
|
"docker_copy_from_images_not_all_digest_pinned",
|
|
"compose_images_not_all_digest_pinned",
|
|
"requirements_unpinned_entries_present"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"reviewer_checks": [
|
|
"owner_role_or_team_present",
|
|
"decision_present",
|
|
"decision_reason_present",
|
|
"affected_scope_present",
|
|
"redacted_evidence_refs_present",
|
|
"followup_owner_present",
|
|
"rollback_owner_present",
|
|
"package_manager_policy_consistent",
|
|
"python_lock_policy_consistent",
|
|
"image_digest_policy_consistent",
|
|
"cve_license_sbom_window_metadata_only",
|
|
"no_runtime_or_secret_request_embedded"
|
|
],
|
|
"blocked_actions": [
|
|
"install_package",
|
|
"upgrade_package",
|
|
"downgrade_package",
|
|
"rewrite_lockfile",
|
|
"pin_requirements_without_owner_policy",
|
|
"run_npm_audit",
|
|
"run_pip_audit",
|
|
"run_external_cve_lookup",
|
|
"run_external_license_lookup",
|
|
"generate_sbom",
|
|
"docker_pull",
|
|
"docker_build",
|
|
"docker_push",
|
|
"change_image_tag",
|
|
"pin_image_digest_without_owner_policy",
|
|
"registry_login",
|
|
"change_workflow",
|
|
"change_secret",
|
|
"production_deploy",
|
|
"open_runtime_gate"
|
|
],
|
|
"owner_policy_requests": [
|
|
{
|
|
"request_id": "supply_chain_owner_policy:package_manager_lockfile_owner",
|
|
"label": "Node / pnpm package manager 與 lockfile owner policy",
|
|
"control_tier": "C1",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"baseline_gap_refs": [
|
|
"package_manager_policy_required"
|
|
],
|
|
"evidence_refs": [
|
|
"package.json",
|
|
"pnpm-lock.yaml",
|
|
"docs/security/package-supply-chain-baseline.snapshot.json"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"blocked_until": [
|
|
"owner confirms pnpm lockfile owner",
|
|
"owner defines lockfile update window",
|
|
"rollback owner is assigned"
|
|
],
|
|
"request_sent": false,
|
|
"owner_response_received": false,
|
|
"owner_response_accepted": false,
|
|
"runtime_gate_open": false
|
|
},
|
|
{
|
|
"request_id": "supply_chain_owner_policy:python_lockfile_policy",
|
|
"label": "Python lockfile policy",
|
|
"control_tier": "C1",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"baseline_gap_refs": [
|
|
"python_lockfile_absent"
|
|
],
|
|
"evidence_refs": [
|
|
"apps/api/pyproject.toml",
|
|
"packages/lewooogo-brain/pyproject.toml",
|
|
"packages/lewooogo-data/pyproject.toml",
|
|
"scripts/aider_watch_client/pyproject.toml",
|
|
"docs/security/package-supply-chain-baseline.snapshot.json"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"blocked_until": [
|
|
"owner selects poetry.lock / uv.lock / Pipfile.lock policy",
|
|
"compatibility owner confirms scope",
|
|
"rollback owner is assigned"
|
|
],
|
|
"request_sent": false,
|
|
"owner_response_received": false,
|
|
"owner_response_accepted": false,
|
|
"runtime_gate_open": false
|
|
},
|
|
{
|
|
"request_id": "supply_chain_owner_policy:requirements_pin_policy",
|
|
"label": "requirements pinning policy",
|
|
"control_tier": "C1",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"baseline_gap_refs": [
|
|
"requirements_unpinned_entries_present"
|
|
],
|
|
"evidence_refs": [
|
|
"apps/api/requirements.txt",
|
|
"apps/sensor/requirements.txt",
|
|
"docs/security/package-supply-chain-baseline.snapshot.json"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"blocked_until": [
|
|
"owner defines pinning approach",
|
|
"compatibility test owner is assigned",
|
|
"rollback owner is assigned"
|
|
],
|
|
"request_sent": false,
|
|
"owner_response_received": false,
|
|
"owner_response_accepted": false,
|
|
"runtime_gate_open": false
|
|
},
|
|
{
|
|
"request_id": "supply_chain_owner_policy:dockerfile_digest_pin_policy",
|
|
"label": "Dockerfile base image / COPY --from digest policy",
|
|
"control_tier": "C0",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"baseline_gap_refs": [
|
|
"docker_base_images_not_all_digest_pinned",
|
|
"docker_copy_from_images_not_all_digest_pinned"
|
|
],
|
|
"evidence_refs": [
|
|
"apps/api/Dockerfile",
|
|
"apps/web/Dockerfile",
|
|
"docs/security/package-supply-chain-baseline.snapshot.json"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"blocked_until": [
|
|
"registry owner confirms digest source",
|
|
"image compatibility owner confirms scope",
|
|
"rollback owner is assigned"
|
|
],
|
|
"request_sent": false,
|
|
"owner_response_received": false,
|
|
"owner_response_accepted": false,
|
|
"runtime_gate_open": false
|
|
},
|
|
{
|
|
"request_id": "supply_chain_owner_policy:compose_image_digest_pin_policy",
|
|
"label": "docker-compose image digest policy",
|
|
"control_tier": "C0",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"baseline_gap_refs": [
|
|
"compose_images_not_all_digest_pinned"
|
|
],
|
|
"evidence_refs": [
|
|
"apps/api/docker-compose.test.yml",
|
|
"docker-compose.yml",
|
|
"infra/langfuse/docker-compose.yml",
|
|
"k8s/monitoring/docker-compose-110.yml",
|
|
"ops/monitoring/docker-compose.exporters.yaml",
|
|
"ops/sentry-self-hosted/docker-compose.yml",
|
|
"docs/security/package-supply-chain-baseline.snapshot.json"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"blocked_until": [
|
|
"registry owner confirms digest source",
|
|
"compose service owner confirms blast radius",
|
|
"rollback owner is assigned"
|
|
],
|
|
"request_sent": false,
|
|
"owner_response_received": false,
|
|
"owner_response_accepted": false,
|
|
"runtime_gate_open": false
|
|
},
|
|
{
|
|
"request_id": "supply_chain_owner_policy:cve_license_sbom_window",
|
|
"label": "CVE / license / SBOM 驗證窗口 policy",
|
|
"control_tier": "C1",
|
|
"status": "draft_waiting_owner_policy_response",
|
|
"baseline_gap_refs": [
|
|
"cve_license_sbom_not_run"
|
|
],
|
|
"evidence_refs": [
|
|
"docs/security/PACKAGE-SUPPLY-CHAIN-BASELINE.md",
|
|
"docs/security/package-supply-chain-baseline.snapshot.json"
|
|
],
|
|
"required_owner_fields": [
|
|
"package_manager_policy",
|
|
"lockfile_owner",
|
|
"python_lock_policy",
|
|
"docker_base_image_policy",
|
|
"compose_image_policy",
|
|
"registry_owner",
|
|
"cve_scan_window",
|
|
"rollback_owner"
|
|
],
|
|
"blocked_until": [
|
|
"owner selects allowed tools",
|
|
"network / cost / runtime boundary is confirmed",
|
|
"rollback owner is assigned"
|
|
],
|
|
"request_sent": false,
|
|
"owner_response_received": false,
|
|
"owner_response_accepted": false,
|
|
"runtime_gate_open": false
|
|
}
|
|
],
|
|
"execution_boundaries": {
|
|
"package_installation_allowed": false,
|
|
"package_upgrade_allowed": false,
|
|
"lockfile_write_allowed": false,
|
|
"requirements_pin_change_allowed": false,
|
|
"external_cve_lookup_allowed": false,
|
|
"external_license_lookup_allowed": false,
|
|
"sbom_generation_allowed": false,
|
|
"docker_pull_allowed": false,
|
|
"docker_build_allowed": false,
|
|
"docker_push_allowed": false,
|
|
"image_tag_change_allowed": false,
|
|
"image_digest_pin_change_allowed": false,
|
|
"registry_login_allowed": false,
|
|
"workflow_modification_authorized": false,
|
|
"production_deploy_authorized": false,
|
|
"runtime_execution_authorized": false,
|
|
"action_buttons_allowed": false,
|
|
"secret_value_collection_allowed": false,
|
|
"runtime_gate_count": 0,
|
|
"not_authorization": true
|
|
},
|
|
"operator_interpretation": [
|
|
"此 owner policy gate 只把 package / Docker baseline 缺口轉成 owner metadata 收件草案。",
|
|
"通過此 gate 不代表可 install、upgrade、pin requirements、寫 lockfile、pull / build / push image、跑 CVE / license / SBOM 或登入 registry。",
|
|
"C0 Docker / compose digest policy 仍需 registry owner、rollback owner 與相容性證據,不得自動改 tag 或 digest。",
|
|
"owner policy request sent、received、accepted、runtime gate 與 action button 全部維持 0 / false。"
|
|
]
|
|
}
|