Add compensating controls framework and date-based report dirs #320

Merged

eblume merged 2 commits from compensating-controls into main

2026-03-30 17:44:12 -07:00

Author	SHA1	Message	Date
Erich Blume	f6ed751dc2	Organize scan reports into date-based subdirectories Change Prowler (k8s, iac, image) and Kingfisher CronJobs to write reports under YYYY-MM-DD subdirectories instead of a flat directory. Prevents clutter as weekly scans accumulate. Before: /reports/prowler/prowler-output-In-Cluster-20260329030006.html After: /reports/prowler/2026-03-29/prowler-output-In-Cluster-20260329030006.html Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 17:39:17 -07:00
Erich Blume	4b85e8ca73	Add compensating controls framework with review tooling Introduce compensating-controls.yaml to track named controls that justify suppressed security findings. Each control has a description, verification notes, and last-reviewed date. Update all Prowler mutelist descriptions to reference controls via "CC: <id>" prefix instead of restating findings. Nine controls cover: single-user-cluster, tailscale-network-isolation, local-registry, sso-gated-admin-tools, operator-managed-pods, ephemeral-privileged-jobs, trusted-ci-only, init-container-isolation, observability-stack-audit. Add mise task (review-compensating-controls) that surfaces the most stale control with all codebase references, and how-to doc ([[review-compensating-controls]]) explaining the review process. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 17:35:48 -07:00

Author

SHA1

Message

Date

Erich Blume

f6ed751dc2

Organize scan reports into date-based subdirectories

Change Prowler (k8s, iac, image) and Kingfisher CronJobs to write
reports under YYYY-MM-DD subdirectories instead of a flat directory.
Prevents clutter as weekly scans accumulate.

Before: /reports/prowler/prowler-output-In-Cluster-20260329030006.html
After:  /reports/prowler/2026-03-29/prowler-output-In-Cluster-20260329030006.html

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-30 17:39:17 -07:00

Erich Blume

4b85e8ca73

Add compensating controls framework with review tooling

Introduce compensating-controls.yaml to track named controls that
justify suppressed security findings. Each control has a description,
verification notes, and last-reviewed date.

Update all Prowler mutelist descriptions to reference controls via
"CC: <id>" prefix instead of restating findings. Nine controls cover:
single-user-cluster, tailscale-network-isolation, local-registry,
sso-gated-admin-tools, operator-managed-pods, ephemeral-privileged-jobs,
trusted-ci-only, init-container-isolation, observability-stack-audit.

Add mise task (review-compensating-controls) that surfaces the most
stale control with all codebase references, and how-to doc
([[review-compensating-controls]]) explaining the review process.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-30 17:35:48 -07:00