1# Container Management Tool Security Control Catalog
2# Conforms to Gemara #ControlCatalog (schema tag v1.2.0; see controlcatalog.cue).
3# See control-catalog-guide.md for the full tutorial and this scenario.
4
5title: Container Management Tool Security Control Catalog
6
7metadata:
8 id: SEC.SLAM.CM
9 type: ControlCatalog
10 gemara-version: "1.2.0"
11 description: |
12 Control catalog for container management tool security; mitigates threats
13 from the SEC.SLAM.CM threat catalog.
14 version: 1.0.0
15 author:
16 id: example
17 name: Example
18 type: Human
19 mapping-references:
20 - id: SEC.SLAM.CM
21 title: Container Management Tool Security Threat Catalog
22 version: "1.0.0"
23 url: https://example.org/catalogs/SEC.SLAM.CM-threats.yaml
24 description: |
25 Threat catalog for the same scope; provides threat IDs referenced from each
26 control's threats.
27 - id: CCC
28 title: Common Cloud Controls Core
29 version: v2025.10
30 url: https://github.com/finos/common-cloud-controls/releases
31 description: |
32 Foundational repository of reusable security controls, capabilities,
33 and threat models maintained by FINOS.
34 applicability-groups:
35 - id: production
36 title: Production
37 description: |
38 Production container workloads and clusters; controls apply to
39 live environments where security posture is enforced.
40 - id: all_deployments
41 title: All Deployments
42 description: |
43 Requirements that apply whenever container images are built, pulled, or run—
44 regardless of environment (dev, staging, production) or pipeline stage.
45 - id: untrusted_networks
46 title: Untrusted Networks
47 description: |
48 Applies when registry or image traffic traverses untrusted networks.
49 - id: ci_cd
50 title: CI/CD
51 description: |
52 Applies in continuous integration and deployment pipelines.
53
54groups:
55 - id: SEC.SLAM.CM.FAM01
56 title: Image Integrity and Supply Chain
57 description: |
58 Controls that ensure container images are authentic, unmodified,
59 and from trusted sources throughout retrieval and use.
60
61imports:
62 - reference-id: CCC
63 entries:
64 - reference-id: CCC.Core.CTL42
65 remarks: Image signing and verification
66
67controls:
68 - id: SEC.SLAM.CM.CTL01
69 title: Use Immutable Image References by Digest
70 objective: |
71 Require signature validation so that only legitimate, trusted images are
72 accepted; then pin each image to an immutable digest (e.g., sha256)
73 after the check so that what is used matches what was verified and
74 TOCTOU (time-of-check to time-of-use) attacks are prevented.
75 group: SEC.SLAM.CM.FAM01
76 assessment-requirements:
77 - id: SEC.SLAM.CM.CTL01.AR01
78 text: |
79 The system MUST verify image signature before pull or run, then pin
80 the image to a digest (e.g., sha256:...) after the check and use that
81 digest for all subsequent use.
82 applicability: ["all_deployments"]
83 - id: SEC.SLAM.CM.CTL01.AR02
84 text: |
85 Configuration and policies MUST disallow or override use of tag-only
86 references for production or sensitive workloads where supported.
87 applicability: ["production"]
88 threats:
89 - reference-id: SEC.SLAM.CM
90 entries:
91 - reference-id: SEC.SLAM.CM.THR01
92 - reference-id: SEC.SLAM.CM.THR03
93 - reference-id: SEC.SLAM.CM.THR04
94 - reference-id: CCC
95 entries:
96 - reference-id: CCC.Core.TH14
97 - id: SEC.SLAM.CM.CTL02
98 title: Require TLS/SSL with Certificate Pinning
99 objective: |
100 Mitigate MITM Container Image Interception by protecting registry
101 traffic and verifying artifact integrity: use TLS/SSL with certificate
102 pinning for all registry communication, use VPNs on untrusted networks
103 to reduce interception risk, and verify artifact signatures or hashes so
104 that tampered or redirected content is detected even if the channel is
105 compromised.
106 group: SEC.SLAM.CM.FAM01
107 state: Active
108 assessment-requirements:
109 - id: SEC.SLAM.CM.CTL02.AR01
110 text: |
111 The system MUST use TLS/SSL for all registry communication and MUST
112 pin to the expected server certificate or public key (or certificate
113 chain) for the registry.
114 applicability: ["all_deployments"]
115 state: Active
116 - id: SEC.SLAM.CM.CTL02.AR02
117 text: |
118 On untrusted networks, the system or deployment pipeline MUST use a
119 VPN or other trusted path for registry traffic, or MUST restrict
120 image pulls to environments where the network is trusted.
121 applicability: ["untrusted_networks", "ci_cd"]
122 state: Active
123 - id: SEC.SLAM.CM.CTL02.AR03
124 text: |
125 The system MUST verify artifact signatures or hashes (e.g. signature
126 verification, digest check) before use so that tampered or redirected
127 artifacts are rejected.
128 applicability: ["all_deployments"]
129 state: Active
130 threats:
131 - reference-id: SEC.SLAM.CM
132 entries:
133 - reference-id: SEC.SLAM.CM.THR02
134 - reference-id: CCC
135 entries:
136 - reference-id: CCC.Core.TH02