 1# Minimal Secure Software Development Guidance
 2# Conforms to Gemara Layer 1 #GuidanceCatalog (layer-1.cue).
 3# See guidance-guide.md for the full guide.
 4
 5title: Secure Software Development Guidance
 6metadata:
 7  id: ORG.SSD.001
 8  type: GuidanceCatalog
 9  gemara-version: "0.20.0"
10  description: Internal secure development and supply chain security guidelines (dependencies, images, and development practices) aligned to industry standards
11  version: 1.0.0
12  author:
13    id: example
14    name: Example
15    type: Human
16  mapping-references:
17    - id: OWASP
18      title: OWASP Top 10
19      version: "2021"
20      url: https://owasp.org/Top10
21      description: OWASP Top 10 Web Application Security Risks
22  applicability-groups:
23    - id: containerized_workloads
24      title: Containerized Workloads
25      description: Guidelines that apply to container-based deployments and images.
26    - id: ci_cd
27      title: CI/CD
28      description: Guidelines that apply in continuous integration and deployment pipelines.
29    - id: github_repositories
30      title: GitHub Repositories
31      description: Guidelines that apply to projects using GitHub for source and collaboration.
32type: Best Practice
33front-matter: Example best-practices text for tutorials developed by Gemara maintainers.
34groups:
35  - id: ORG.SSD.FAM01
36    title: Secure Dependencies and Supply Chain
37    description: Guidelines for selecting, updating, and verifying dependencies and images.
38
39guidelines:
40  - id: ORG.SSD.GL01
41    title: Prefer Immutable Image References
42    objective: |
43      Use digest-based or immutable references for container images to prevent
44      tampering and ensure repeatable deployments.
45    group: ORG.SSD.FAM01
46    state: Active
47    recommendations:
48      - Prefer pull-by-digest over tags for production.
49      - Pin base image digests in Dockerfiles or equivalent.
50    applicability: ["containerized_workloads", "ci_cd"]
51    see-also:
52      - ORG.SSD.GL02
53      - ORG.SSD.GL03
54  - id: ORG.SSD.GL02
55    title: Prefer GitHub Branch Protection Rules
56    objective: |
57      Use branch protection so only approved changes reach the main branch and
58      malicious code cannot be merged without review.
59    group: ORG.SSD.FAM01
60    state: Active
61    recommendations:
62      - Prefer pull requests submitted from fork branch.
63      - Required maintainer/non-author review and approval for merge.
64      - Prefer GitHub Actions Quality checks in CI on pull request.
65    applicability: ["containerized_workloads", "ci_cd", "github_repositories"]
66    see-also:
67      - ORG.SSD.GL01
68  - id: ORG.SSD.GL03
69    title: Prefer VPN on Untrusted Networks
70    objective: |
71      Use a VPN on untrusted networks to protect traffic from interception and
72      DNS spoofing.
73    group: ORG.SSD.FAM01
74    state: Active
75    recommendations:
76      - Use a VPN for registry and build traffic on untrusted networks.
77    applicability: ["containerized_workloads", "ci_cd"]
78    see-also:
79      - ORG.SSD.GL02