Add compensating controls framework and date-based report dirs #320

Merged
eblume merged 2 commits from compensating-controls into main 2026-03-30 17:44:12 -07:00
Owner

Summary

  • Add compensating-controls.yaml tracking 9 named controls that justify suppressed security findings
  • Update all Prowler mutelist descriptions with CC: <id> references to named controls
  • Add mise run review-compensating-controls task — surfaces stalest control with all codebase references
  • Add review-compensating-controls how-to doc
  • Organize Prowler and Kingfisher reports into YYYY-MM-DD subdirectories

Compensating controls

| ID | Mitigates |
|----|-----------|
| `single-user-cluster` | Image cache abuse, RBAC breadth, system pod privileges |
| `tailscale-network-isolation` | Profiling endpoints, weak TLS, debug ports |
| `local-registry` | AlwaysPullImages gap |
| `sso-gated-admin-tools` | ArgoCD wildcard RBAC |
| `operator-managed-pods` | Tailscale proxy pod security settings |
| `ephemeral-privileged-jobs` | Prowler hostPID exposure |
| `trusted-ci-only` | Forgejo runner DinD |
| `init-container-isolation` | Grafana root init container |
| `observability-stack-audit` | Missing apiserver audit logging |

Test plan

  • mise run review-compensating-controls shows table and references
  • kubectl kustomize argocd/manifests/prowler/ renders correctly
  • Sync prowler and kingfisher, verify next scan writes to dated subdirectory
  • Grep for CC: in mutelist files — every muted finding should have at least one

🤖 Generated with Claude Code

Introduce compensating-controls.yaml to track named controls that
justify suppressed security findings. Each control has a description,
verification notes, and last-reviewed date.

Update all Prowler mutelist descriptions to reference controls via
"CC: <id>" prefix instead of restating findings. Nine controls cover:
single-user-cluster, tailscale-network-isolation, local-registry,
sso-gated-admin-tools, operator-managed-pods, ephemeral-privileged-jobs,
trusted-ci-only, init-container-isolation, observability-stack-audit.

Add mise task (review-compensating-controls) that surfaces the most
stale control with all codebase references, and how-to doc
([[review-compensating-controls]]) explaining the review process.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

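The linkage the commit message describes (a mutelist description carries a `CC: <id>` prefix, the id resolves to an entry in `compensating-controls.yaml` with a `last-reviewed` date, and a review task surfaces the stalest control with its references) can be checked mechanically. The script below is an added example, not code from the blumeops repo or its `mise` task: it goes a step beyond the "grep for `CC:`" test-plan item by also rejecting references to control ids that do not exist and flagging controls nothing cites. The control schema (`description`, `verification`, `last_reviewed`), the mutelist entries and the check ids are all constructed stand-ins; in a real run the dicts would come from `yaml.safe_load` of the repo's files.

```python
"""Validate CC: references in Prowler mutelist descriptions and surface
the stalest compensating control for review.

Added example; the YAML schema and all data below are assumptions
constructed to illustrate the PR's mechanism, not the repo's own files.
"""
import re
from datetime import date

# Constructed stand-in for compensating-controls.yaml (schema assumed).
CONTROLS = {
    "single-user-cluster": {
        "description": "One human operates the cluster; no tenant separation needed.",
        "verification": "kubectl get clusterrolebindings lists one human subject.",
        "last_reviewed": "2026-03-30",
    },
    "tailscale-network-isolation": {
        "description": "Debug and profiling ports are reachable only over the tailnet.",
        "verification": "Port scan from a non-tailnet host finds nothing open.",
        "last_reviewed": "2025-11-02",
    },
    "local-registry": {
        "description": "Images come from an in-cluster registry; AlwaysPullImages is redundant.",
        "verification": "Every Pod image ref points at the local registry host.",
        "last_reviewed": "2026-01-15",
    },
    "sso-gated-admin-tools": {
        "description": "Admin UIs sit behind SSO.",
        "verification": "Unauthenticated request to ArgoCD redirects to the IdP.",
        "last_reviewed": "2026-02-20",
    },
}

# Constructed mutelist entries: (file, check id, Description field). The
# check ids mimic Prowler's naming but are placeholders for this example.
MUTELIST = [
    ("mutelist-k8s.yaml", "apiserver_always_pull_images_plugin", "CC: local-registry"),
    ("mutelist-k8s.yaml", "apiserver_profiling", "CC: tailscale-network-isolation"),
    ("mutelist-k8s.yaml", "rbac_minimize_wildcard_use_roles", "CC: single-user-cluster"),
    ("mutelist-iac.yaml", "some_check_with_typo", "CC: single-user-clutser"),  # misspelt id
    ("mutelist-iac.yaml", "some_unjustified_check", "Known noisy, ignore"),    # no CC at all
]

# Same pattern a reviewer would grep for, anchored on the "CC:" prefix.
CC_RE = re.compile(r"\bCC:\s*([a-z0-9-]+)")


def validate_mutelist(mutelist, controls):
    """Problems: entries with no CC: tag, or a tag naming an unknown control."""
    problems = []
    for path, check, desc in mutelist:
        ids = CC_RE.findall(desc)
        if not ids:
            problems.append(f"{path}:{check}: no CC: reference")
        for cid in ids:
            if cid not in controls:
                problems.append(f"{path}:{check}: unknown control {cid!r}")
    return problems


def references(control_id, mutelist):
    """Every mutelist entry that cites the given control."""
    return [(p, c) for p, c, d in mutelist if control_id in CC_RE.findall(d)]


def unreferenced_controls(controls, mutelist):
    """Controls no muted finding cites: candidates for removal from the file."""
    cited = {cid for _, _, d in mutelist for cid in CC_RE.findall(d)}
    return sorted(cid for cid in controls if cid not in cited)


def stalest_control(controls, today):
    """Control with the oldest last_reviewed date and its age in days."""
    cid, ctl = min(controls.items(),
                   key=lambda kv: date.fromisoformat(kv[1]["last_reviewed"]))
    age = (today - date.fromisoformat(ctl["last_reviewed"])).days
    return cid, age


def review_report(controls, mutelist, today):
    """What a review task would print: stalest control, who cites it, problems."""
    cid, age = stalest_control(controls, today)
    return {
        "stalest": cid,
        "age_days": age,
        "references": references(cid, mutelist),
        "problems": validate_mutelist(mutelist, controls),
        "unreferenced": unreferenced_controls(controls, mutelist),
    }


if __name__ == "__main__":
    rpt = review_report(CONTROLS, MUTELIST, date(2026, 3, 30))
    print(f"stalest: {rpt['stalest']} ({rpt['age_days']} days since review)")
    for path, check in rpt["references"]:
        print(f"  cited by {path}:{check}")
    for line in rpt["problems"]:
        print(f"PROBLEM {line}")
    for cid in rpt["unreferenced"]:
        print(f"UNREFERENCED {cid}")
```

A non-empty `problems` list is the condition a CI step would fail on; the `unreferenced` list is advisory, since a control may justify something outside the mutelists (a manual exception, for instance) and the page's own list of nine controls does not say every one is cited.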
Change Prowler (k8s, iac, image) and Kingfisher CronJobs to write
reports under YYYY-MM-DD subdirectories instead of a flat directory.
Prevents clutter as weekly scans accumulate.

Before: /reports/prowler/prowler-output-In-Cluster-20260329030006.html
After:  /reports/prowler/2026-03-29/prowler-output-In-Cluster-20260329030006.html

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit 4059b3d27b into main 2026-03-30 17:44:12 -07:00
Reference
eblume/blumeops!320