blumeops/mise-tasks
Erich Blume 4059b3d27b Add compensating controls framework and date-based report dirs (#320)
## Summary

- Add `compensating-controls.yaml` tracking 9 named controls that justify suppressed security findings
- Update all Prowler mutelist descriptions with `CC: <id>` references to named controls
- Add `mise run review-compensating-controls` task — surfaces stalest control with all codebase references
- Add [[review-compensating-controls]] how-to doc
- Organize Prowler and Kingfisher reports into `YYYY-MM-DD` subdirectories

### Compensating controls

| ID | Mitigates |
|----|-----------|
| `single-user-cluster` | Image cache abuse, RBAC breadth, system pod privileges |
| `tailscale-network-isolation` | Profiling endpoints, weak TLS, debug ports |
| `local-registry` | AlwaysPullImages gap |
| `sso-gated-admin-tools` | ArgoCD wildcard RBAC |
| `operator-managed-pods` | Tailscale proxy pod security settings |
| `ephemeral-privileged-jobs` | Prowler hostPID exposure |
| `trusted-ci-only` | Forgejo runner DinD |
| `init-container-isolation` | Grafana root init container |
| `observability-stack-audit` | Missing apiserver audit logging |

## Test plan

- [ ] `mise run review-compensating-controls` shows table and references
- [ ] `kubectl kustomize argocd/manifests/prowler/` renders correctly
- [ ] Sync prowler and kingfisher, verify next scan writes to dated subdirectory
- [ ] Grep for `CC:` in mutelist files — every muted finding should have at least one

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #320
2026-03-30 17:44:11 -07:00
| Entry | Last commit | Date |
|-------|-------------|------|
| `ai-docs` | Add ai-sources task, update ai-docs to include all docs | 2026-03-15 18:37:50 -07:00 |
| `ai-sources` | Exclude docs from ai-sources, mention ai-sources in CLAUDE.md | 2026-03-15 18:40:35 -07:00 |
| `blumeops-tasks` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `branch-cleanup` | Add preserve/* branch protection and document Pyroscope blocker | 2026-03-26 15:32:25 -07:00 |
| `changelog-check` | Add pre-commit check for changelog fragment placement | 2026-03-03 10:49:01 -08:00 |
| `container-build-and-release` | Deploy Prowler CIS scanner (#310) | 2026-03-24 16:08:09 -07:00 |
| `container-list` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `container-version-check` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `dns-preview` | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| `dns-up` | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| `docs-check-frontmatter` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `docs-check-links` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `docs-mikado` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `docs-preview` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `docs-review` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `docs-review-stale` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `docs-review-tags` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `ensure-k3s-ringtail-kubectl-config` | Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209) | 2026-02-18 21:15:30 -08:00 |
| `ensure-minikube-indri-kubectl-config` | P5.1: Migrate minikube from podman to QEMU2 driver (#38) | 2026-01-21 16:03:37 -08:00 |
| `fly-deploy` | Add Fly.io public reverse proxy for docs.eblu.me (#120) | 2026-02-08 02:36:19 -08:00 |
| `fly-setup` | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| `fly-shutoff` | Add Fly.io public reverse proxy for docs.eblu.me (#120) | 2026-02-08 02:36:19 -08:00 |
| `frigate-export-model` | Fix dagger call hanging in mise tasks on interactive terminals (#256) | 2026-02-23 14:15:58 -08:00 |
| `mikado-branch-invariant-check` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `mirror-create` | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| `mirror-update-pats` | Fix mirror-update-pats corrupting all GitHub mirror URLs | 2026-03-03 11:46:41 -08:00 |
| `op-backup` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `pr-comments` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `provision-indri` | Set MISE_TASK_OUTPUT=interleave in provision-indri | 2026-01-14 14:15:11 -08:00 |
| `provision-ringtail` | Fix dagger call hanging in mise tasks on interactive terminals (#256) | 2026-02-23 14:15:58 -08:00 |
| `provision-sifaka` | Operations and observability for sifaka NAS (#135) | 2026-02-09 17:44:05 -08:00 |
| `prune-ringtail-generations` | Add ringtail post-deploy maintenance: kernel check, generation pruning, GC | 2026-03-27 07:55:45 -07:00 |
| `review-compensating-controls` | Add compensating controls framework and date-based report dirs (#320) | 2026-03-30 17:44:11 -07:00 |
| `runner-logs` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `service-review` | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| `services-check` | Update services-check: forgejo uses launchctl not brew | 2026-03-28 08:21:51 -07:00 |
| `spork-create` | spork-create: check for conflicting branch names before sporking | 2026-03-29 09:36:53 -07:00 |
| `tailnet-preview` | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| `tailnet-up` | Add plan and reference card for UniFi Express 7 Pulumi stack (#145) | 2026-02-10 15:36:13 -08:00 |
| `validate-workflows` | Fix dagger call hanging in mise tasks on interactive terminals (#256) | 2026-02-23 14:15:58 -08:00 |