|
| 1 | +// AI-BOM Cedar Policy — Example Rules |
| 2 | +// |
| 3 | +// This file defines fine-grained rules for the AI-BOM Cedar policy gate. |
| 4 | +// The gate evaluates discovered AI components against these rules and |
| 5 | +// fails the CI pipeline if any component violates a "forbid" rule. |
| 6 | +// |
| 7 | +// Syntax (simplified Cedar-like): |
| 8 | +// permit|forbid (principal, action, resource) when { conditions }; |
| 9 | +// |
| 10 | +// Supported condition fields: |
| 11 | +// resource.severity — "critical", "high", "medium", "low", "info" |
| 12 | +// resource.provider — e.g. "OpenAI", "Anthropic", "HuggingFace" |
| 13 | +// resource.component_type — "api_key", "model", "endpoint", "sdk", "framework" |
| 14 | +// resource.risk_score — integer 0-100 |
| 15 | +// resource.name — component name string |
| 16 | +// |
| 17 | +// Operators: ==, !=, >, >=, <, <= |
| 18 | + |
| 19 | +// ── Block critical and high-severity findings ────────────────────── |
| 20 | +forbid (principal, action, resource) |
| 21 | +when { resource.severity == "critical" }; |
| 22 | + |
| 23 | +forbid (principal, action, resource) |
| 24 | +when { resource.severity == "high" }; |
| 25 | + |
| 26 | +// ── Block exposed API keys (any severity) ────────────────────────── |
| 27 | +forbid (principal, action, resource) |
| 28 | +when { resource.component_type == "api_key" }; |
| 29 | + |
| 30 | +// ── Block components with risk score above 70 ────────────────────── |
| 31 | +forbid (principal, action, resource) |
| 32 | +when { resource.risk_score > 70 }; |
| 33 | + |
| 34 | +// ── Allow everything else ────────────────────────────────────────── |
| 35 | +permit (principal, action, resource); |
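Review bot: The gate is fail-open for findings that lack an attribute the forbid rules read: in Cedar a condition that references a missing attribute (a component with no `risk_score` or no `component_type`) makes that policy evaluate to an error and be ignored, so only the unconditional `permit` on line 35 remains and the component passes; whether the "simplified Cedar-like" evaluator named in the header behaves the same way is not visible here. The header should state the precedence and the missing-attribute behaviour so operators do not read the forbid list as exhaustive, e.g. `// Evaluation: any satisfied forbid overrides the final permit.` followed by `// A condition on a missing attribute <TODO: confirm evaluator — errors and is skipped, or evaluates false>.` The header also lists `resource.provider` and `resource.name` as supported fields but no rule uses them, so the comment on line 34 should say explicitly that unlisted providers and medium/low findings with `risk_score <= 70` are allowed by design.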