Introduce compensating-controls.yaml to track named controls that justify suppressed security findings. Each control has a description, verification notes, and last-reviewed date. Update all Prowler mutelist descriptions to reference controls via "CC: <id>" prefix instead of restating findings.

Nine controls cover: single-user-cluster, tailscale-network-isolation, local-registry, sso-gated-admin-tools, operator-managed-pods, ephemeral-privileged-jobs, trusted-ci-only, init-container-isolation, observability-stack-audit.

Add mise task (review-compensating-controls) that surfaces the most stale control with all codebase references, and how-to doc ([[review-compensating-controls]]) explaining the review process.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add compensating controls framework: tracking file, review mise task, and how-to doc. Map all Prowler mutelist entries to named controls with CC: prefixes.