

 1# Organization Risk Catalog for Cloud and Container Workloads (Layer 3)
 2# Conforms to Gemara #RiskCatalog (riskcatalog.cue).
 3# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0
 4# Risks drawn from Threat Assessment Guide: CCC (CCC.Core.TH14) and SEC.SLAM.CM (SEC.SLAM.CM.THR01).
 5title: "Organization Risk Catalog for Cloud and Container Workloads"
 6metadata:
 7  id: "org-risk-catalog-001"
 8  type: RiskCatalog
 9  gemara-version: "1.2.0"
10  description: "Risks relevant to cloud and container management; threats linked to CCC Core and SEC.SLAM.CM threat catalog."
11  version: "1.0.0"
12  author:
13    id: security-team
14    name: "Security Team"
15    type: Human
16  mapping-references:
17    - id: CCC
18      title: Common Cloud Controls Core
19      version: v2025.10
20      url: https://github.com/finos/common-cloud-controls/releases
21      description: |
22        Foundational repository of reusable security controls, capabilities,
23        and threat models maintained by FINOS.
24    - id: "SEC.SLAM.CM"
25      title: "Container Management Tool Security Threat Catalog"
26      version: "1.0.0"
27      description: "Threat catalog from the Threat Assessment Guide (SEC.SLAM.CM)."
28
29groups:
30  - id: "infrastructure"
31    title: "Infrastructure and Operations"
32    description: "Risks related to cloud infrastructure, container platforms, and operational security."
33    appetite: "Low"
34    max-severity: "High"
35  - id: "data"
36    title: "Data and Privacy"
37    description: "Risks related to data exposure, residency, and compliance."
38    appetite: "Minimal"
39    max-severity: "Low"
40
41risks:
42  - id: "R01"
43    title: "Older or Compromised Container Images in Use"
44    description: "Mutable image tags or lack of verification can lead to pulling stale or compromised images, increasing supply chain and runtime risk."
45    group: "infrastructure"
46    severity: "High"
47    rank: 2
48    impact: "Supply chain compromise, unauthorized code execution, or data exfiltration."
49    owner:
50      responsible:
51        - name: "Platform Engineering"
52          affiliation: "Engineering"
53      accountable:
54        - name: "CISO"
55          affiliation: "Security"
56    threats:
57      - reference-id: CCC
58        entries:
59          - reference-id: CCC.Core.TH14
60            remarks: "Older Resource Versions are Used"
61  - id: "R02"
62    title: "Container Image Tampering or Poisoning"
63    description: "Images may be tampered with in transit or at rest, or built from poisoned dependencies or build pipelines."
64    group: "infrastructure"
65    severity: "High"
66    rank: 1
67    threats:
68      - reference-id: CCC
69        entries:
70          - reference-id: CCC.Core.TH14
71            remarks: "Older Resource Versions are Used"
72      - reference-id: "SEC.SLAM.CM"
73        entries:
74          - reference-id: "SEC.SLAM.CM.THR01"
75            remarks: "Container Image Tampering or Poisoning"