C0: docs — explanation article on compliance mute categories

Captures the CC vs NA vs RA distinction surfaced during the 2026-05-03
weekly compliance review (CVE-2026-31789), and the image-scan mutelist
gap that blocks acting on it. Links the new article from the
review-compensating-controls how-to so it isn't orphaned.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Erich Blume 2026-05-04 18:19:53 -07:00
commit 074887cd57
3 changed files with 102 additions and 0 deletions


@ -38,6 +38,8 @@ A compensating control is a security measure that mitigates the risk a finding w
Controls are documented in `compensating-controls.yaml` and referenced from security tool configurations (Prowler mutelist files, Kingfisher config, etc.) using the format `CC: <control-id>`.
A compensating control is only one of three structurally distinct ways to suppress a finding — see [[compliance-mute-categories]] for when to reach for a CC versus a not-applicable (`NA:`) or risk-accepted (`RA:`) tag instead.
## Review Process
For each control up for review:
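Review bot: the added sentence introduces `NA:` and `RA:` tags right after the line that spells out the `CC: <control-id>` format, but gives no format for the two new tags, so a reader of this how-to still cannot write one without following the link; either state in the same sentence that the tag syntax for `NA:` and `RA:` is defined in the linked article, or quote it here in the same shape as the `CC:` line. Also confirm that the `[[compliance-mute-categories]]` wikilink target matches the filename of the new explanation article added in this commit, since the commit message's stated purpose is that the article not be orphaned and a slug mismatch would silently defeat that.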