From 5cb8a265c0f8e5eb35fc59c2bc02a3b83024a853 Mon Sep 17 00:00:00 2001 From: Dolpme <60126646+Dolpme@users.noreply.github.com> Date: Mon, 8 Jun 2026 08:06:04 +0800 Subject: [PATCH] Add container image provenance evidence gates --- skills/cloud/container-security/SKILL.md | 56 +++++++++++++++- .../container-security/cis-benchmarks.md | 64 +++++++++++++++++++ 2 files changed, 117 insertions(+), 3 deletions(-) diff --git a/skills/cloud/container-security/SKILL.md b/skills/cloud/container-security/SKILL.md index eb43ecf0..a0020232 100644 --- a/skills/cloud/container-security/SKILL.md +++ b/skills/cloud/container-security/SKILL.md @@ -58,10 +58,13 @@ NIST SP 800-190 identifies five risk categories: image risks, registry risks, or - Access to Dockerfiles and container build configurations - Kubernetes manifests (YAML), Helm charts, or Kustomize overlays +- Rendered production manifests or release artifacts that show the image reference + actually deployed - RBAC configuration files (Roles, ClusterRoles, RoleBindings) - NetworkPolicy definitions - Pod Security Standard configurations or OPA/Gatekeeper policies -- Container registry configurations (if available) +- Container registry configurations, signature verification output, SBOMs, and + admission policy configuration (if available) --- 
@@ -107,7 +110,43 @@ Classify findings by type: Dockerfiles, Kubernetes manifests, Helm charts, Kusto --- -### Step 2 through Step 6: CIS Benchmark and NIST SP 800-190 Evaluation +### Step 2: Verify Image Provenance and Admission Evidence Chain + +For production workloads, verify that the deployed image is the same artifact +that was built, scanned, signed, attested, and admitted by policy. Do not rely +only on Dockerfile templates, Helm defaults, image tags, or CI claims. + +**Evidence chain to require:** + +- [ ] Rendered manifest or live workload records the production image reference. +- [ ] Image reference resolves to an immutable digest, or tag exceptions include + owner, justification, expiry, and the resolved digest at deployment time. +- [ ] Build provenance links the digest to a source commit, CI run, builder, and + artifact registry location. +- [ ] Signature or attestation verification is performed against the deployed + digest and trusted signer identity, not only a mutable tag. +- [ ] SBOM or vulnerability scan evidence is tied to the same deployed digest. +- [ ] Admission policy is in enforce mode for production namespaces, or the + exception has compensating controls and expiry. +- [ ] Helm, Kustomize, and environment-specific values do not override a pinned + or verified image reference with a mutable tag. 
+ +**Finding IDs:** + +``` +CONT-PROV-01: Deployed image uses a mutable tag without resolved digest evidence or exception lifecycle +CONT-PROV-02: Signature or attestation evidence does not match the deployed digest +CONT-PROV-03: SBOM or vulnerability scan evidence cannot be linked to the deployed digest +CONT-PROV-04: Admission policy is audit-only or not scoped to production namespaces +CONT-PROV-05: Signer identity, issuer, or certificate SAN is not constrained to trusted build workflows +CONT-PROV-06: Helm, Kustomize, or environment values override a pinned image with a mutable tag +CONT-PROV-07: Production image exception lacks owner, justification, expiry, or compensating controls +CONT-PROV-08: Registry lifecycle or retention policy can remove evidence needed to verify deployed images +``` + +--- + +### Step 3 through Step 7: CIS Benchmark and NIST SP 800-190 Evaluation Evaluate all container and Kubernetes configurations against CIS Docker Benchmark v1.6.0, CIS Kubernetes Benchmark v1.9.0, and NIST SP 800-190 countermeasures. This covers Dockerfile security, Pod Security Standards, RBAC, Network Policies, Secrets Management, Control Plane configuration, and Container Runtime Hardening. @@ -115,7 +154,7 @@ For detailed CIS benchmark checklist items, NIST SP 800-190 countermeasure table --- -### Step 7: Compile Assessment Report +### Step 8: Compile Assessment Report Produce the final report using the structure defined in the Output Format section. @@ -157,6 +196,7 @@ Produce the final report using the structure defined in the Output Format sectio | Domain | Framework | Critical | High | Medium | Low | Pass | |--------|-----------|----------|------|--------|-----|------| | Dockerfile Security | CIS Docker 4.x | X | X | X | X | X | +| Image Provenance | NIST 800-190 | X | X | X | X | X | | Pod Security | CIS K8s 5.2.x | X | X | X | X | X | | RBAC | CIS K8s 5.1.x | X | X | X | X | X | | Network Policies | CIS K8s 5.3.x | X | X | X | X | X | 
@@ -178,6 +218,12 @@ Produce the final report using the structure defined in the Output Format sectio - **Evidence:** - **Remediation:** +### Image Provenance Evidence Matrix + +| Workload | Namespace | Rendered Image | Resolved Digest | Build/CI Evidence | Signature/Attestation | SBOM/Scan Digest | Admission Mode | Exception | +|----------|-----------|----------------|-----------------|-------------------|-----------------------|------------------|----------------|-----------| +| deploy/api | production | registry.example.com/app/api@sha256:... | sha256:... | commit + CI run | cosign pass, trusted identity | sha256:... | enforce | none | + ### Pod Security Standards Compliance Matrix | Workload | Namespace | PSS Level | Violations | @@ -193,6 +239,7 @@ Produce the final report using the structure defined in the Output Format sectio ### Summary - Dockerfiles reviewed: +- Production image references reviewed: - Kubernetes workloads reviewed: - Overall Pod Security Standard level: - Critical findings: @@ -257,6 +304,7 @@ Produce the final report using the structure defined in the Output Format sectio 5. **`readOnlyRootFilesystem` breaks many applications.** When recommending this control, also recommend adding writable `emptyDir` volume mounts for directories the application needs to write to (e.g., `/tmp`, `/var/cache`). 6. **Network policies are additive, not subtractive.** A default-deny policy must be explicitly created. Without it, all pod-to-pod traffic is allowed regardless of other NetworkPolicy resources. 7. **Distroless images have no shell.** While this is excellent for security, note that debugging requires ephemeral containers (`kubectl debug`). Flag this as a consideration, not a problem. +8. **`imagePullPolicy: Always` is not provenance.** It changes pull behavior but does not prove the image was built from the reviewed commit, signed by a trusted identity, scanned, or admitted in enforce mode. --- 
@@ -284,9 +332,11 @@ Produce the final report using the structure defined in the Output Format sectio - Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - Kubernetes Pod Security Admission: https://kubernetes.io/docs/concepts/security/pod-security-admission/ - Kubernetes Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +- Kubernetes Dynamic Admission Control: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/ - Kubernetes RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - Docker Security Best Practices: https://docs.docker.com/develop/security-best-practices/ - Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ +- Sigstore Cosign Verification: https://docs.sigstore.dev/cosign/verifying/verify/ - NSA/CISA Kubernetes Hardening Guide: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF --- diff --git a/skills/cloud/container-security/cis-benchmarks.md b/skills/cloud/container-security/cis-benchmarks.md index 3b547ca4..3b35eeaf 100644 --- a/skills/cloud/container-security/cis-benchmarks.md +++ b/skills/cloud/container-security/cis-benchmarks.md 
@@ -596,6 +596,70 @@ Evaluate container runtime configurations against NIST SP 800-190 countermeasure | **CM-4:** Use immutable tags or digests | `image: nginx@sha256:...` preferred over `image: nginx:1.25` | | **CM-5:** Remove unnecessary packages | No curl, wget, netcat, or shells in production images | +#### Image Provenance and Admission Evidence Chain + +Reviewers must tie image security evidence to the artifact that is actually +deployed. A signed tag, a scanned build output, or a Helm template default is +not sufficient unless it matches the rendered production image digest. + +**Evidence to collect:** + +| Evidence | Required proof | +|----------|----------------| +| Rendered workload image | `kubectl get`, rendered Helm output, Kustomize build output, or release manifest showing the production image reference | +| Resolved digest | Registry digest or workload status proving the exact `sha256` digest deployed | +| Build provenance | Source commit, CI run, builder identity, and registry artifact for the digest | +| Signature or attestation | Cosign/Notary/admission result for the deployed digest and trusted signer identity | +| SBOM or scan | SBOM, vulnerability scan, or attestation whose subject digest equals the deployed digest | +| Admission enforcement | Kyverno, Gatekeeper, admission webhook, or registry policy in enforce mode for production | +| Exception lifecycle | Owner, justification, expiry, compensating controls, and resolved digest for any tag or policy exception | + +**Failure patterns:** + +```yaml +# FAIL: Signed tag evidence does not prove the deployed digest. +review_evidence: + signed_image: registry.example.com/app/api:1.4.2 + signed_digest: sha256:aaa... +runtime: + resolved_digest: sha256:bbb... +``` + +```yaml +# FAIL: Production policy only audits unsigned images. 
+kind: ClusterPolicy +metadata: + name: verify-image-signature +spec: + validationFailureAction: Audit +``` + +```yaml +# FAIL: Environment values replace a pinned image with a mutable tag. +image: + repository: registry.example.com/app/api + tag: latest +``` + +```text +# FAIL: SBOM subject does not match workload digest. +Workload digest: sha256:bbb... +SBOM subject: sha256:aaa... +``` + +**Finding IDs:** + +| ID | Finding | +|----|---------| +| CONT-PROV-01 | Deployed image uses a mutable tag without resolved digest evidence or exception lifecycle | +| CONT-PROV-02 | Signature or attestation evidence does not match the deployed digest | +| CONT-PROV-03 | SBOM or vulnerability scan evidence cannot be linked to the deployed digest | +| CONT-PROV-04 | Admission policy is audit-only or not scoped to production namespaces | +| CONT-PROV-05 | Signer identity, issuer, or certificate SAN is not constrained to trusted build workflows | +| CONT-PROV-06 | Helm, Kustomize, or environment values override a pinned image with a mutable tag | +| CONT-PROV-07 | Production image exception lacks owner, justification, expiry, or compensating controls | +| CONT-PROV-08 | Registry lifecycle or retention policy can remove evidence needed to verify deployed images | + ### NIST 800-190: Orchestrator Countermeasures | Countermeasure | What to Check |
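Review bot: in the first SKILL.md hunk (`@@ -58,10 +58,13 @@`) the new input "signature verification output" is not enough on its own to assess CONT-PROV-05: a verification result says pass or fail but does not show which signer identity, issuer, or certificate SAN the verifier was constrained to. Add the verification policy or the exact verification parameters (the identity/issuer constraints) to the required inputs alongside the output, so the reviewer can tell whether a wildcard identity was accepted.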
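Review bot: the "Evidence chain to require" checklist in the SKILL.md hunk `@@ -107,7 +110,43 @@` has no item that backs CONT-PROV-05 (signer identity/issuer/SAN constraint) or CONT-PROV-08 (registry retention removing evidence), so a reviewer who works through the checklist has no prompt to raise either finding. Suggest adding two items, e.g. `- [ ] Verification policy constrains signer identity, issuer, and certificate SAN to the trusted build workflow, not a wildcard.` and `- [ ] Registry lifecycle or retention rules keep signatures, attestations, and SBOMs for as long as the digest can still be deployed.` Separately, the `CONT-PROV-01` through `CONT-PROV-08` block is repeated verbatim as a table in the cis-benchmarks.md hunk; keep one copy as the source of truth and have the other reference it so the two lists cannot drift.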
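Review bot: the heading renumbering in SKILL.md (`Step 2 through Step 6` to `Step 3 through Step 7`, `Step 7` to `Step 8` in hunk `@@ -115,7 +154,7 @@`) only updates the headings shown in the diff; any prose in SKILL.md or cis-benchmarks.md that cites the old step numbers would now point at the wrong step. Please grep both files for `Step 2`, `Step 6`, and `Step 7` before merge and update any cross-references.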
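Review bot: in the domain summary table hunk (`@@ -157,6 +196,7 @@`) the new `Image Provenance` row cites `NIST 800-190` with no section, while every other row cites a benchmark section (`CIS Docker 4.x`, `CIS K8s 5.2.x`, `CIS K8s 5.1.x`). The cis-benchmarks.md hunk already maps digest pinning to `CM-4`, so cite the specific countermeasure(s), e.g. `NIST 800-190 CM-4`, so findings in this row are traceable to the checklist the same way the CIS rows are.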
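Review bot: in the Image Provenance Evidence Matrix hunk (`@@ -178,6 +218,12 @@`) the `Signature/Attestation` cell of the sample row records only `cosign pass, trusted identity`, which is the verdict rather than the evidence; CONT-PROV-05 asks whether the signer identity, issuer, and SAN were actually constrained, and that cannot be judged from a pass/fail cell. Record the verified identity and issuer values (or the policy constraining them) in that column, or add a `Signer Identity/Issuer` column. Likewise `Admission Mode` should capture more than `enforce`/`audit`: a validating webhook in enforce mode with `failurePolicy: Ignore` still fails open when the webhook is unavailable, so the webhook failure policy belongs in the matrix as well.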
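Review bot: in the cis-benchmarks.md hunk (`@@ -596,6 +596,70 @@`) the `Admission enforcement` row treats "enforce mode for production" as sufficient proof, but two gaps remain: a webhook with `failurePolicy: Ignore` admits everything while the webhook is down, and an enforcing Kyverno `ClusterPolicy` whose match scope does not cover the production namespaces is exactly the CONT-PROV-04 scoping case in another form. Require the webhook `failurePolicy` and the policy's namespace/match scope as part of the proof. In the `Resolved digest` row, name the workload-status field that carries the digest (`status.containerStatuses[].imageID`) so reviewers collect the same value consistently. On the snippets: the Kyverno FAIL example begins at `kind: ClusterPolicy` with no `apiVersion:` line and no `rules:`, so it does not read as a signature-verification policy; add `apiVersion: kyverno.io/v1` and a minimal `verifyImages` rule, or a comment stating the rule body is elided. A matching PASS block beside the first FAIL block (with `signed_digest` equal to `resolved_digest`) would also show reviewers what acceptable evidence looks like.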