github.com/gemaraproj/gemara@v1.3.0

docs/tutorials/controls/control-catalog.yaml raw

  1# Container Management Tool Security Control Catalog
  2# Conforms to Gemara #ControlCatalog (schema tag v1.2.0; see controlcatalog.cue).
  3# See control-catalog-guide.md for the full tutorial and this scenario.
  4
  5title: Container Management Tool Security Control Catalog
  6
  7metadata:
  8  id: SEC.SLAM.CM
  9  type: ControlCatalog
 10  gemara-version: "1.2.0"
 11  description: |
 12    Control catalog for container management tool security; mitigates threats
 13    from the SEC.SLAM.CM threat catalog.
 14  version: 1.0.0
 15  author:
 16    id: example
 17    name: Example
 18    type: Human
 19  mapping-references:
 20    - id: SEC.SLAM.CM
 21      title: Container Management Tool Security Threat Catalog
 22      version: "1.0.0"
 23      url: https://example.org/catalogs/SEC.SLAM.CM-threats.yaml
 24      description: |
 25        Threat catalog for the same scope; provides threat IDs referenced from each
 26        control's threats.
 27    - id: CCC
 28      title: Common Cloud Controls Core
 29      version: v2025.10
 30      url: https://github.com/finos/common-cloud-controls/releases
 31      description: |
 32        Foundational repository of reusable security controls, capabilities,
 33        and threat models maintained by FINOS.
 34  applicability-groups:
 35    - id: production
 36      title: Production
 37      description: |
 38        Production container workloads and clusters; controls apply to
 39        live environments where security posture is enforced.
 40    - id: all_deployments
 41      title: All Deployments
 42      description: |
 43        Requirements that apply whenever container images are built, pulled, or run—
 44        regardless of environment (dev, staging, production) or pipeline stage.
 45    - id: untrusted_networks
 46      title: Untrusted Networks
 47      description: |
 48        Applies when registry or image traffic traverses untrusted networks.
 49    - id: ci_cd
 50      title: CI/CD
 51      description: |
 52        Applies in continuous integration and deployment pipelines.
 53
 54groups:
 55  - id: SEC.SLAM.CM.FAM01
 56    title: Image Integrity and Supply Chain
 57    description: |
 58      Controls that ensure container images are authentic, unmodified,
 59      and from trusted sources throughout retrieval and use.
 60
 61imports:
 62  - reference-id: CCC
 63    entries:
 64      - reference-id: CCC.Core.CTL42
 65        remarks: Image signing and verification
 66
 67controls:
 68  - id: SEC.SLAM.CM.CTL01
 69    title: Use Immutable Image References by Digest
 70    objective: |
 71      Require signature validation so that only legitimate, trusted images are
 72      accepted; then pin each image to an immutable digest (e.g., sha256)
 73      after the check so that what is used matches what was verified and
 74      TOCTOU (time-of-check to time-of-use) attacks are prevented.
 75    group: SEC.SLAM.CM.FAM01
 76    assessment-requirements:
 77      - id: SEC.SLAM.CM.CTL01.AR01
 78        text: |
 79          The system MUST verify image signature before pull or run, then pin
 80          the image to a digest (e.g., sha256:...) after the check and use that
 81          digest for all subsequent use.
 82        applicability: ["all_deployments"]
 83      - id: SEC.SLAM.CM.CTL01.AR02
 84        text: |
 85          Configuration and policies MUST disallow or override use of tag-only
 86          references for production or sensitive workloads where supported.
 87        applicability: ["production"]
 88    threats:
 89      - reference-id: SEC.SLAM.CM
 90        entries:
 91          - reference-id: SEC.SLAM.CM.THR01
 92          - reference-id: SEC.SLAM.CM.THR03
 93          - reference-id: SEC.SLAM.CM.THR04
 94      - reference-id: CCC
 95        entries:
 96          - reference-id: CCC.Core.TH14
 97  - id: SEC.SLAM.CM.CTL02
 98    title: Require TLS/SSL with Certificate Pinning
 99    objective: |
100      Mitigate MITM Container Image Interception by protecting registry
101      traffic and verifying artifact integrity: use TLS/SSL with certificate
102      pinning for all registry communication, use VPNs on untrusted networks
103      to reduce interception risk, and verify artifact signatures or hashes so
104      that tampered or redirected content is detected even if the channel is
105      compromised.
106    group: SEC.SLAM.CM.FAM01
107    state: Active
108    assessment-requirements:
109      - id: SEC.SLAM.CM.CTL02.AR01
110        text: |
111          The system MUST use TLS/SSL for all registry communication and MUST
112          pin to the expected server certificate or public key (or certificate
113          chain) for the registry.
114        applicability: ["all_deployments"]
115        state: Active
116      - id: SEC.SLAM.CM.CTL02.AR02
117        text: |
118          On untrusted networks, the system or deployment pipeline MUST use a
119          VPN or other trusted path for registry traffic, or MUST restrict
120          image pulls to environments where the network is trusted.
121        applicability: ["untrusted_networks", "ci_cd"]
122        state: Active
123      - id: SEC.SLAM.CM.CTL02.AR03
124        text: |
125          The system MUST verify artifact signatures or hashes (e.g. signature
126          verification, digest check) before use so that tampered or redirected
127          artifacts are rejected.
128        applicability: ["all_deployments"]
129        state: Active
130    threats:
131      - reference-id: SEC.SLAM.CM
132        entries:
133          - reference-id: SEC.SLAM.CM.THR02
134      - reference-id: CCC
135        entries:
136          - reference-id: CCC.Core.TH02