github.com/gemaraproj/gemara@v0.23.0

docs/tutorials/controls/control-catalog.yaml raw

# Container Management Tool Security Control Catalog
# Conforms to Gemara Layer 2 #ControlCatalog (layer-2.cue).
# See control-catalog-guide.md for the full tutorial and this scenario.

title: Container Management Tool Security Control Catalog

metadata:
  # NOTE(review): this id is identical to the id of the threat catalog listed
  # under mapping-references below; confirm that a reference-id of SEC.SLAM.CM
  # resolves to the threat catalog and not back to this control catalog.
  id: SEC.SLAM.CM
  description: |
    Control catalog for container management tool security; mitigates threats
    from the SEC.SLAM.CM threat catalog.
  version: 1.0.0  # plain scalar, read as a string; quoted as "1.0.0" below
  author:
    id: example
    name: Example
    type: Human
  # External catalogs that the reference-id values in this file point at.
  mapping-references:
    - id: SEC.SLAM.CM
      title: Container Management Tool Security Threat Catalog
      version: "1.0.0"
      # example.org is a reserved documentation domain, so this URL is
      # presumably a tutorial placeholder rather than a fetchable catalog.
      url: https://example.org/catalogs/SEC.SLAM.CM-threats.yaml
      description: |
        Threat catalog for the same scope; provides threat IDs for threat-mappings.
    - id: CCC
      title: Common Cloud Controls Core
      version: v2025.10
      # NOTE(review): this is the project's releases index, not the v2025.10
      # artifact itself, so the reference is not pinned to fixed content.
      # Confirm whether a release-specific URL or a checksum is expected.
      url: https://github.com/finos/common-cloud-controls/releases
      description: |
        Foundational repository of reusable security controls, capabilities,
        and threat models maintained by FINOS.
  applicability-groups:
    # These ids are the values listed under `applicability` in the
    # assessment requirements of the controls in this file.
    - id: production
      title: Production
      description: |
        Production container workloads and clusters; controls apply to
        live environments where security posture is enforced.
    - id: all_deployments
      title: All Deployments
      description: |
        Requirements that apply whenever container images are built, pulled, or run—
        regardless of environment (dev, staging, production) or pipeline stage.
    - id: untrusted_networks
      title: Untrusted Networks
      description: |
        Applies when registry or image traffic traverses untrusted networks.
    - id: ci_cd
      title: CI/CD
      description: |
        Applies in continuous integration and deployment pipelines.
 50
groups:
  # Control family; both controls in this file set `group` to this id.
  - id: SEC.SLAM.CM.FAM01
    title: Image Integrity and Supply Chain
    description: |
      Controls that ensure container images are authentic, unmodified,
      and from trusted sources throughout retrieval and use.
 57
imports:
  controls:
    # CCC is the id declared under metadata.mapping-references.
    - reference-id: CCC
      entries:
        # NOTE(review): confirm that CCC.Core.CTL42 exists in the referenced
        # CCC release (v2025.10) and that its scope matches the remark; an
        # imported control that does not resolve leaves a silent coverage gap.
        - reference-id: CCC.Core.CTL42
          remarks: Image signing and verification
 64
controls:
  # NOTE(review): unlike SEC.SLAM.CM.CTL02, this control sets no `state` on
  # the control or on its assessment requirements. Confirm whether the
  # Layer 2 schema requires it and align the two controls.
  - id: SEC.SLAM.CM.CTL01
    title: Use Immutable Image References by Digest
    # The objective combines two steps: signature verification, then digest
    # pinning. The TOCTOU protection holds only if the verified signature
    # covers the same digest that is later pulled or run; resolving the tag
    # again after the check lets the content change between check and use.
    objective: |
      Require signature validation so that only legitimate, trusted images are
      accepted; then pin each image to an immutable digest (e.g., sha256)
      after the check so that what is used matches what was verified and
      TOCTOU (time-of-check to time-of-use) attacks are prevented.
    group: SEC.SLAM.CM.FAM01
    assessment-requirements:
      - id: SEC.SLAM.CM.CTL01.AR01
        # Evidence to look for: the digest recorded at verification time is
        # the digest used by every later pull or run.
        text: |
          The system MUST verify image signature before pull or run, then pin
          the image to a digest (e.g., sha256:...) after the check and use that
          digest for all subsequent use.
        applicability: ["all_deployments"]
      - id: SEC.SLAM.CM.CTL01.AR02
        # NOTE(review): "where supported" makes the MUST conditional; an
        # assessor needs to know what is expected on platforms that cannot
        # block tag-only references.
        text: |
          Configuration and policies MUST disallow or override use of tag-only
          references for production or sensitive workloads where supported.
        applicability: ["production"]
    # NOTE(review): SEC.SLAM.CM.CTL02 uses the key `threat-mappings` for this
    # same structure; confirm which key the schema defines, since a key the
    # schema does not recognise may drop these threat links.
    threats:
      - reference-id: SEC.SLAM.CM
        entries:
          - reference-id: SEC.SLAM.CM.THR01
          - reference-id: SEC.SLAM.CM.THR03
          - reference-id: SEC.SLAM.CM.THR04
      - reference-id: CCC
        entries:
          - reference-id: CCC.Core.TH14
  - id: SEC.SLAM.CM.CTL02
    # NOTE(review): "TLS/SSL" — SSL 3.0 and TLS 1.0/1.1 are deprecated
    # (RFC 7568, RFC 8996), and nothing in this control names a minimum
    # protocol version.
    title: Require TLS/SSL with Certificate Pinning
    # Three layered measures: channel protection (TLS plus pinning), network
    # path (VPN), and artifact verification. Per the objective, only the
    # last still detects tampering when the channel itself is compromised.
    objective: |
      Mitigate MITM Container Image Interception by protecting registry
      traffic and verifying artifact integrity: use TLS/SSL with certificate
      pinning for all registry communication, use VPNs on untrusted networks
      to reduce interception risk, and verify artifact signatures or hashes so
      that tampered or redirected content is detected even if the channel is
      compromised.
    group: SEC.SLAM.CM.FAM01
    # NOTE(review): SEC.SLAM.CM.CTL01 carries no `state` field; confirm
    # whether the schema requires it.
    state: Active
    assessment-requirements:
      - id: SEC.SLAM.CM.CTL02.AR01
        # NOTE(review): the text allows pinning a certificate, a public key
        # or a chain. A pinned leaf certificate fails at routine renewal;
        # the rotation procedure and any backup pin belong in the evidence.
        text: |
          The system MUST use TLS/SSL for all registry communication and MUST
          pin to the expected server certificate or public key (or certificate
          chain) for the registry.
        applicability: ["all_deployments"]
        state: Active
      - id: SEC.SLAM.CM.CTL02.AR02
        # The text is conditioned on "untrusted networks" but applicability
        # also lists ci_cd; presumably it binds a pipeline only when the
        # pipeline's network is untrusted — confirm.
        text: |
          On untrusted networks, the system or deployment pipeline MUST use a
          VPN or other trusted path for registry traffic, or MUST restrict
          image pulls to environments where the network is trusted.
        applicability: ["untrusted_networks", "ci_cd"]
        state: Active
      - id: SEC.SLAM.CM.CTL02.AR03
        # Overlaps with SEC.SLAM.CM.CTL01.AR01 (signature verification).
        # A hash or digest check detects tampering only when the expected
        # value comes from a source independent of the channel being checked.
        text: |
          The system MUST verify artifact signatures or hashes (e.g. signature
          verification, digest check) before use so that tampered or redirected
          artifacts are rejected.
        applicability: ["all_deployments"]
        state: Active
    # NOTE(review): SEC.SLAM.CM.CTL01 uses the key `threats` for this same
    # structure; confirm which key the schema defines.
    threat-mappings:
      - reference-id: SEC.SLAM.CM
        entries:
          - reference-id: SEC.SLAM.CM.THR02
      - reference-id: CCC
        entries:
          - reference-id: CCC.Core.TH02