gh-agentsecops-secopsagentkit/skills/appsec/sca-blackduck/assets/policy_templates/security_policy.json

{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "Black Duck Security Policy",
"description": "Default security policy for Black Duck SCA scanning",
"version": "1.0.0",
"vulnerability_thresholds": {
"description": "Maximum allowed vulnerability count per severity level, and the action taken when the count is exceeded",
"critical": {
"max_count": 0,
"action": "fail",
"description": "No critical vulnerabilities allowed"
},
"high": {
"max_count": 0,
"action": "fail",
"description": "No high severity vulnerabilities allowed"
},
"medium": {
"max_count": 10,
"action": "warn",
"description": "Up to 10 medium severity vulnerabilities allowed with warning"
},
"low": {
"max_count": 50,
"action": "info",
"description": "Up to 50 low severity vulnerabilities allowed"
}
},
"cvss_thresholds": {
"description": "Policy based on CVSS score and exploitability",
"max_cvss_score": 7.0,
"fail_on_exploitable": true,
"require_exploit_available": false
},
"license_policy": {
"description": "License compliance rules",
"blocklist": [
{
"license": "GPL-2.0",
"reason": "Strong copyleft - incompatible with proprietary (closed-source) distribution",
"action": "fail"
},
{
"license": "GPL-3.0",
"reason": "Strong copyleft - incompatible with proprietary (closed-source) distribution",
"action": "fail"
},
{
"license": "AGPL-3.0",
"reason": "Network copyleft - source disclosure obligations trigger on SaaS/network usage",
"action": "fail"
}
],
"warning_list": [
{
"license": "LGPL-2.1",
"reason": "Weak copyleft - verify dynamic linking",
"action": "warn"
},
{
"license": "LGPL-3.0",
"reason": "Weak copyleft - verify dynamic linking",
"action": "warn"
},
{
"license": "MPL-2.0",
"reason": "File-level copyleft - verify MPL-covered files are kept separate from proprietary code",
"action": "warn"
}
],
"approved_list": [
"MIT",
"Apache-2.0",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"0BSD",
"CC0-1.0",
"Unlicense"
],
"require_approval_for_new_licenses": true,
"fail_on_unknown_license": true
},
"component_policy": {
"description": "Component usage and quality rules",
"blocklist": [
{
"name": "event-stream",
"version": "3.3.6",
"reason": "Known malicious version with cryptocurrency stealer",
"action": "fail"
}
],
"quality_requirements": {
"min_github_stars": 10,
"min_contributors": 2,
"max_age_days": 1095,
"require_active_maintenance": true,
"max_days_since_update": 730,
"fail_on_deprecated": true,
"fail_on_unmaintained": false
}
},
"operational_risk": {
"description": "Supply chain and operational risk policies",
"fail_on_unmaintained": false,
"max_days_inactive": 730,
"require_repository_url": true,
"warn_on_single_maintainer": true,
"fail_on_no_repository": false
},
"sbom_requirements": {
"description": "Software Bill of Materials requirements",
"require_sbom_generation": true,
"sbom_format": "CycloneDX",
"sbom_version": "1.4",
"include_transitive_dependencies": true,
"include_license_info": true
},
"compliance_requirements": {
"description": "Regulatory compliance mappings",
"frameworks": [
"SOC2",
"PCI-DSS",
"GDPR",
"HIPAA"
],
"require_vulnerability_tracking": true,
"require_remediation_timeline": true,
"max_remediation_days": {
"critical": 7,
"high": 30,
"medium": 90,
"low": 180
}
},
"exclusions": {
"description": "Global exclusions and exceptions",
"paths": [
"test/**",
"tests/**",
"**/test/**",
"**/__tests__/**",
"**/*.test.js",
"**/*.spec.js",
"node_modules/**/.bin/**"
],
"dev_dependencies": {
"exclude_from_production_scan": true,
"apply_relaxed_policy": true
}
},
"notification_settings": {
"description": "Alert and notification configuration",
"notify_on_new_vulnerabilities": true,
"notify_on_policy_violation": true,
"notify_on_license_violation": true,
"notification_channels": [
"email",
"slack",
"jira"
]
},
"remediation_guidance": {
"description": "Remediation policy and guidance",
"auto_create_tickets": true,
"ticket_system": "jira",
"assign_to_component_owner": true,
"require_risk_acceptance_approval": true,
"max_risk_acceptance_duration_days": 90
}
}