Add compensating controls framework with review tooling

Introduce compensating-controls.yaml to track named controls that justify suppressed security findings. Each control has a description, verification notes, and last-reviewed date. Update all Prowler mutelist descriptions to reference controls via "CC: <id>" prefix instead of restating findings. Nine controls cover: single-user-cluster, tailscale-network-isolation, local-registry, sso-gated-admin-tools, operator-managed-pods, ephemeral-privileged-jobs, trusted-ci-only, init-container-isolation, observability-stack-audit. Add mise task (review-compensating-controls) that surfaces the most stale control with all codebase references, and how-to doc ([[review-compensating-controls]]) explaining the review process. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 17:35:48 -07:00 · 2026-03-30 17:35:48 -07:00 · 4b85e8ca73
commit 4b85e8ca73
parent a76e471d54
9 changed files with 487 additions and 44 deletions
--- a/docs/reference/operations/security.md
+++ b/docs/reference/operations/security.md
@ -46,6 +46,14 @@ Security posture and compliance scanning for BlumeOps infrastructure.

 All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation.

+## Compensating controls
+
+Suppressed findings reference named compensating controls tracked in `compensating-controls.yaml` (repo root). Each control has a review date and verification steps. See [[review-compensating-controls]] for the review process.
+
+```bash
+mise run review-compensating-controls
+```
+
 ## Known gaps

 - No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)