Introduce compensating-controls.yaml to track named controls that
justify suppressed security findings. Each control has a description,
verification notes, and last-reviewed date.
Update all Prowler mutelist descriptions to reference controls via
"CC: <id>" prefix instead of restating findings. Nine controls cover:
single-user-cluster, tailscale-network-isolation, local-registry,
sso-gated-admin-tools, operator-managed-pods, ephemeral-privileged-jobs,
trusted-ci-only, init-container-isolation, observability-stack-audit.
Add mise task (review-compensating-controls) that surfaces the most
stale control with all codebase references, and how-to doc
([[review-compensating-controls]]) explaining the review process.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Erich Blume
4b85e8ca73