
test/test-data/good-risk-catalog.yaml

# Test fixture: a schema-valid ("good") Gemara RiskCatalog used by the test
# suite. It exercises the metadata header, risk groups with appetite and
# severity ceilings, RACI-style ownership, and cross-catalog threat references.
metadata:
  id: EXAMPLE-RISK-CATALOG
  type: RiskCatalog
  # Schema version this document claims to conform to. The containing module
  # is tagged later than this, so the loader presumably still accepts 0.20.0
  # documents — TODO confirm against the loader's version-compatibility rules.
  gemara-version: "0.20.0"
  # Keep version strings quoted: an unquoted 1.0 would be parsed as a float.
  version: "1.0.0"
  description: Example Risk Catalog for cloud-native container environments
  author:
    id: risk-management-team
    name: Risk Management Team
    type: Human
  # External catalogs this document points into. Every threats[].reference-id
  # below must name one of these ids; the entry ids (THREAT-001, THREAT-002)
  # are opaque here and are not resolved by this file — TODO confirm whether
  # the validator cross-checks them against the referenced catalog.
  mapping-references:
    - id: EXAMPLE-THREAT-CATALOG
      title: Example Threat Catalog
      version: "1.0.0"
      description: Container security threat catalog

title: Cloud-Native Container Risk Catalog

# Risk groups: each carries a stated appetite; only CAT-SECURITY also declares
# a max-severity ceiling. CAT-OPERATIONAL has no risks assigned in this file.
groups:
  - id: CAT-OPERATIONAL
    title: Operational Risk
    description: Risks arising from failures in internal processes, systems, or external events that affect service availability and reliability
    appetite: Moderate
  - id: CAT-SECURITY
    title: Security Risk
    description: Risks arising from unauthorized access, data breaches, or exploitation of system vulnerabilities
    appetite: Low
    # NOTE(review): RISK-002 below sits in this group with severity Critical,
    # which exceeds this ceiling. If max-severity is meant as a hard cap, a
    # "good" fixture should not contain that pairing; if it is only advisory,
    # this case is a useful test of the policy check — confirm intent.
    max-severity: High
  - id: CAT-COMPLIANCE
    title: Compliance Risk
    description: Risks arising from failure to comply with applicable laws, regulations, or industry standards
    appetite: Minimal

risks:
  - id: RISK-001
    title: Container Image Supply Chain Compromise
    description: Third-party or base container images may contain known vulnerabilities or malicious code, leading to exploitation at runtime.
    group: CAT-SECURITY
    severity: High
    # Ownership uses RACI roles (responsible / accountable / consulted).
    # Contact addresses use the reserved example.org domain; keep fixtures
    # free of real personal contact details.
    owner:
      responsible:
        - name: Platform Engineering Lead
          affiliation: Platform Team
          email: platform-lead@example.org
      accountable:
        - name: Chief Information Security Officer
          affiliation: Security
          email: ciso@example.org
    impact: Unauthorized code execution in production workloads, potential data exfiltration, and lateral movement across the cluster.
    # reference-id at the outer level names a mapping-references entry; the
    # nested reference-id names an entry inside that external catalog.
    threats:
      - reference-id: EXAMPLE-THREAT-CATALOG
        entries:
          - reference-id: THREAT-001

  - id: RISK-002
    title: Container Escape Leading to Host Compromise
    description: Misconfigured or unpatched container runtimes may allow an attacker to escape container isolation and access the host.
    group: CAT-SECURITY
    # Critical is above CAT-SECURITY's max-severity of High — see the note on
    # that group.
    severity: Critical
    owner:
      responsible:
        - name: Platform Engineering Lead
          affiliation: Platform Team
          email: platform-lead@example.org
      accountable:
        - name: Chief Information Security Officer
          affiliation: Security
          email: ciso@example.org
      # Consulted party without an email: presumably exercises email being
      # optional in the owner schema — confirm.
      consulted:
        - name: Infrastructure Architect
          affiliation: Architecture
    impact: Full compromise of the underlying node, access to secrets, and disruption of co-located workloads.
    threats:
      - reference-id: EXAMPLE-THREAT-CATALOG
        entries:
          - reference-id: THREAT-002

  # Minimal risk: no owner and no threats. Presumably exercises those fields
  # being optional; in a production catalog an unowned risk has no accountable
  # party, so this shape should stay confined to test data — confirm intent.
  - id: RISK-003
    title: Regulatory Non-Compliance from Unaudited Deployments
    description: Deploying workloads without automated compliance gates may result in violations of regulatory requirements.
    group: CAT-COMPLIANCE
    severity: Medium
    impact: Regulatory fines, audit findings, and reputational damage.
80    description: Deploying workloads without automated compliance gates may result in violations of regulatory requirements.
81    group: CAT-COMPLIANCE
82    severity: Medium
83    impact: Regulatory fines, audit findings, and reputational damage.