Documentation Index
Initiatives
Name | Description |
---|---|
NIST Application Container Security Initiative | This initiative enforces container security controls as outlined in NIST SP 800-190. It ensures that containerized applications follow security best practices, including vulnerability scanning, trusted image sources, registry security, and proper configuration to minimize risk. The initiative enables policy-driven enforcement of security controls throughout the software development lifecycle (SDLC), providing real-time feedback to developers and enforcement in CI/CD pipelines. |
NIST Supply Chain Integrity Initiative | This initiative enforces key supply chain requirements from NIST SP 800-53. It mandates that container builds include: (1) a Software Bill of Materials (SBOM) to ensure component inventory and traceability, addressing requirements from SR-4 and CM-8; (2) provenance data to support architectural traceability, as outlined in SA-8. Both the SBOM and the provenance artifacts must be cryptographically signed to meet integrity requirements specified in SA-12. |
SLSA L1 Framework | Evaluate SLSA Level 1 |
SLSA L2 Framework | Evaluate SLSA Level 2 |
SSDF Client Initiative | Evaluate PS rules from the SSDF initiative |
Secure Software Pipeline Blueprint | Blueprint for secure pipelines - Gitlab |
Rules
SBOM
Evidence Type: SBOM
Rule Name | Description |
---|---|
Apply Scribe Template Policy | Verify XX using the Scribe API template rule. |
Scribe Published Policy | Verify image Scribe Publish flag is set for container image. |
NTIA SBOM Compliance Check | Validates that SBOM metadata meets basic NTIA requirements for author and supplier. |
Enforce SBOM Freshness | Verify the SBOM is not older than the specified duration. |
Require SBOM Existence | Verify the SBOM exists as evidence. |
Require SBOM Signature | Verify the SBOM is signed. |
Image SBOM
Evidence Type: Image SBOM
Rule Name | Description |
---|---|
Verify File Integrity | Verify the checksum of each file in one SBOM matches the checksum in a second SBOM. |
Verify Image Labels | Verify specified labels key-value pairs exist in the image. |
Forbid Large Images | Verify the image size is below the specified threshold. |
Disallow Container Shell Entrypoint | Verify the container image does not use a shell as its entrypoint. |
Fresh Base Image | Verifies that each base image is not older than the specified threshold (max_days) from its creation date. |
Banned Ports | Ensures that the container image does not expose ports that are disallowed by organizational policy. The rule examines properties in the SBOM metadata and checks each value (expected in the format "port/protocol") against a provided banned ports list. It fails if any banned port is exposed or if no banned ports list is provided. |
Disallow Specific Users in SBOM | Verify specific users are not allowed in an SBOM. |
Restrict Build Scripts | Verify no build-script commands appear on the block list. |
Registry Connection HTTPS | Checks that the container's registry scheme is HTTPS. |
Require Image Labels | Verify the image has the specified labels. |
Require Healthcheck | Checks that the container image includes at least one healthcheck property. |
Allowed Base Image | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: valint my_image --base-image Dockerfile . |
Fresh Image | Verify the image is not older than the specified threshold. |
Allowed Main Image Source | Ensures the main container image referenced in the SBOM is from an approved source. |
Require Signed Container Image | Enforces that container images (target_type=container) are cryptographically signed. |
Verify No Critical or High Vulnerabilities | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
Enforce SBOM Dependencies | Verify the artifact includes all required dependencies. |
Enforce SBOM License Completeness | Verify all dependencies in the artifact have a license. |
Restrict Disallowed SBOM Licenses | Verify the number of disallowed licenses in SBOM dependencies remains below the specified threshold. |
Enforce Allowed SBOM Components | Verify the artifact contains only allowed components. |
Require Specified SBOM Licenses | Verify the artifact includes all specified licenses. |
Restrict Disallowed Dependencies | Verify the number of disallowed dependencies remains below the specified threshold. |
Git SBOM
Evidence Type: Git SBOM
Rule Name | Description |
---|---|
Restrict Coding Permissions | Verify only allowed users committed to the repository. |
Required Git Evidence Exists | Verify required Git evidence exists. |
Git Artifact Signed | Verify the Git artifact is signed. |
Disallow Commits to Main Branch | Verify commits made directly to the main branch are disallowed. |
Disallow Unsigned Commits | Verify all commits are signed. |
SARIF Evidence
Evidence Type: SARIF Evidence
Rule Name | Description |
---|---|
Verify Attack Vector Exists in SARIF | Verify required evidence validates attack vectors in the SARIF report. |
Verify IaC Misconfiguration Threshold in SARIF | Verify the number of infrastructure-as-code (IaC) errors in the SARIF report remains below the specified threshold. |
Verify Required Evidence in SARIF | Verify all required evidence exists as defined by the SARIF policy. |
Verify Artifact Signature in SARIF | Verify the artifact referenced in the SARIF report is signed to confirm its integrity. |
Verify Rule Compliance in SARIF | Verify the SARIF report complies with defined generic rules for compliance, security, and vulnerability profiles. |
Verify Tool Evidence in SARIF | Verify required tools were used to generate the SARIF report. |
Verify Semgrep Rule in SARIF | Verify the Semgrep SARIF report complies with predefined rules to ensure compliance and detect issues. |
Verify Trivy SARIF Report Compliance | Verify the Trivy SARIF report complies with predefined rules to ensure compliance and detect issues. |
Verify IaC Misconfiguration Threshold in Trivy SARIF | Verify the number of infrastructure-as-code (IaC) errors in the Trivy SARIF report remains below the specified threshold. |
Trivy Blocklist CVE Check | Verify a CVE block list against a SARIF report. |
Trivy Vulnerability Findings Check | Verifies that vulnerability findings in the SARIF evidence from Trivy do not exceed the defined severity threshold. |
Verify Attack Vector Threshold in Trivy SARIF | Verify no attack vector in the Trivy SARIF report exceeds the specified threshold. |
SARIF Update Needed | Verify no security packages require updates. |
K8s Jailbreak | Verify the number of misconfigurations matching the prohibited IDs list in the Kubernetes scan is below the specified threshold. |
Generic Statement
Evidence Type: Generic Statement
Rule Name | Description |
---|---|
Required Trivy Evidence Exists | Verify required Trivy evidence exists. |
Required Generic Evidence Exists | Verify required evidence exists. |
Generic Artifact Signed | Verify required evidence is signed. |
Github Organization Discovery Evidence
Evidence Type: Github Organization Discovery Evidence
Rule Name | Description |
---|---|
Verify members_can_create_repositories setting | Verify only allowed users can create repositories in the GitHub organization. |
Verify secret_scanning_push_protection Setting | Verify secret scanning push protection is configured in the GitHub repository. |
Verify secret_scanning_validity_checks_enabled Setting | Verify validity checks for secrets are configured for the GitHub repository. |
Verify dependabot_security_updates_enabled_for_new_repositories setting | Verify Dependabot security updates for new repositories are configured in the GitHub organization. |
Verify secret_scanning Setting in security_and_analysis | Verify secret scanning is configured in the GitHub repository. |
Limit Admin Number in GitHub Organization | Verify the maximum number of GitHub organization admins is restricted. |
Verify advanced_security_enabled_for_new_repositories setting | Verify Advanced Security is enabled for new repositories in the GitHub organization. |
Verify dependency_graph_enabled_for_new_repositories setting | Verify dependency graph is enabled for new repositories in the GitHub organization. |
Verify GitHub Organization Requires Signoff on Web Commits | Verify contributors sign commits through the GitHub web interface. |
Verify Two-Factor Authentication (2FA) Requirement Enabled | Verify Two-factor Authentication is required in the GitHub organization. |
Verify GitHub Organization Secrets Are Not Too Old | Verify secrets in the GitHub organization are not older than the specified threshold. |
Allowed GitHub Organization Admins | Verify only users in the Allowed List have admin privileges in the GitHub organization. |
Verify secret_scanning_enabled_for_new_repositories setting | Verify secret scanning is configured for new repositories in the GitHub organization. |
Allowed GitHub Organization Users | Verify only users in the Allowed List have user access to the GitHub organization. |
Verify secret_scanning_push_protection_custom_link_enabled Setting | Verify secret scanning push protection custom link is enabled in the GitHub organization. |
Verify dependabot_security_updates setting in security_and_analysis | Verify Dependabot security updates are configured in the GitHub organization. |
Verify that members can create private repositories setting is configured | Verify only allowed users can create private repositories in the GitHub organization. |
Verify Repo Visibility Setting | Verify only repositories in the Allowed List are public in the GitHub organization. |
Verify secret_scanning_validity_checks Setting in security_and_analysis | Verify validity checks for secrets are configured for the GitHub organization. |
Verify secret_scanning_push_protection_enabled_for_new_repositories Setting | Verify secret scanning push protection is enabled for new repositories in the GitHub organization. |
Verify dependabot_alerts_enabled_for_new_repositories setting | Verify Dependabot alerts for new repositories are enabled in the GitHub organization. |
Github Repository Discovery Evidence
Evidence Type: Github Repository Discovery Evidence
Rule Name | Description |
---|---|
Verify secret scanning | Verify both secret_scanning_validity_checks and security_and_analysis are set in the GitHub organization and all its repositories. |
Verify Dependabot security updates setting | Verify Dependabot security updates are configured in the GitHub repository. |
Verify Repository Is Private | Verify the GitHub repository is private. |
Verify Repository Requires Commit Signoff | Verify contributors sign off on commits to the GitHub repository through the GitHub web interface. |
Verify Default Branch Protection | Verify the default branch protection is configured in the GitHub repository. |
Verify No Old Secrets Exist in Repository | Verify secrets in the GitHub repository are not older than the specified threshold. |
Verify No Organization Secrets Exist in Repository | Verify no organization secrets exist in the GitHub repository. |
Verify Branch Verification Setting | Verify branch verification in the GitHub repository matches the value defined in the configuration file. |
Verify Branch Protection Setting | Verify branch protection is configured in the GitHub repository. |
Verify All Commits Are Signed in Repository | Verify all commits are signed in a repository attestation. |
Verify secret_scanning setting | Verify secret_scanning is configured in the GitHub repository. |
Verify No Cache Usage Exists in Repository | Verify the GitHub repository has no cache usage. |
Verify All Commits Are Signed in Repository | Verify all commits in the GitHub repository are signed. |
Verify Only Ephemeral Runners Exist in Repository | Verify self-hosted runners are disallowed in the GitHub repository. |
Allowed Public Repositories | Verify only GitHub repositories in the Allowed List are public. |
Verify Push Protection Setting | Verify secret_scanning_push_protection is configured in the GitHub repository. |
Gitlab Organization Discovery Evidence
Evidence Type: Gitlab Organization Discovery Evidence
Rule Name | Description |
---|---|
Limit Admins in GitLab Organization | Verify the maximum number of admins for the GitLab project is restricted. |
Ensure Active Projects in GitLab Organization | Verify no GitLab organization projects are inactive. |
Restrict Public Visibility in GitLab Organization | Verify only allowed projects in the GitLab organization have public visibility. |
Allowed Admins in GitLab Organization | Verify only users in the Allowed List have admin privileges in the GitLab organization. |
Forbid Long-Lived Tokens in GitLab Organization | Verify no GitLab organization tokens have an excessively long lifespan. |
Forbid Unused Tokens in GitLab Organization | Verify there are no unused GitLab organization tokens. |
Allowed Users in GitLab Organization | Verify only users in the Allowed List have access to the GitLab organization. |
Restrict Token Scopes in GitLab | Verify all tokens in the GitLab organization are restricted to allowed scopes to prevent excessive permissions. |
Block Users in GitLab Organization | Verify no users in the GitLab organization are on the block list. |
Prevent Token Expiration in GitLab Organization | Verify no GitLab organization tokens are about to expire. |
Forbid Token Scopes in GitLab Organization | Verify no GitLab organization tokens have disallowed scopes. |
Gitlab Project Discovery Evidence
Evidence Type: Gitlab Project Discovery Evidence
Rule Name | Description |
---|---|
Merge approval policy check for GitLab project | Verify the project's merge approval policy complies with requirements. |
Set Push Rules for GitLab Project | Verify push rules are set for the GitLab project. |
Disable Committers' Approval for Merge Requests in GitLab | Verify merge_requests_disable_committers_approval is set for the GitLab project. |
Restrict Commit Authors in GitLab Project | Verify only GitLab project users in the Allowed List have commit author permissions. |
Require Minimal Approvers in GitLab Project | Verify the required number of approvers for the GitLab project is met. |
Enforce Medium Severity Limit | Verify the number of medium-severity alerts for the GitLab project does not exceed the maximum allowed. |
Enforce Merge Access Level Policy for GitLab Project | Verify the GitLab project's merge access level complies with requirements. |
Set Author Email Regex in GitLab Project | Verify the author_email_regex for the GitLab project is set to the specified value. |
Check CWE Compliance | Verify that specified CWEs were not detected in the GitLab project. |
Enforce Critical Severity Limit | Verify the number of critical-severity alerts for the GitLab project does not exceed the maximum allowed. |
Verify Commit Message Format | Verify that commit messages in the GitLab project adhere to the specified format template. |
Enable Member Check for GitLab Project | Verify member_check is enabled for the GitLab project. |
Restrict Selective Code Owner Removals in GitLab | Verify selective_code_owner_removals is set for the GitLab project. |
Run Secrets Scanning in GitLab Project | Verify secrets scanning is performed for the GitLab project. |
Reset Approvals on Push in GitLab Project | Verify reset_approvals_on_push is set for the GitLab project. |
Reject Unsigned Commits in GitLab Project | Verify reject_unsigned_commits is enabled for the GitLab project. |
Enable Commit Committer Check in GitLab Project | Verify commit_committer_check is enabled for the GitLab project. |
Protect CI Secrets in GitLab Project | Verify secrets in the GitLab project are not shared. |
Validate All Commits in GitLab Project | Verify all commits in the GitLab project are validated. |
Disallow Banned Approvers | Verify approvers in the GitLab project are not on the banned list. |
Allowed Committer Emails in GitLab Project | Verify only users in the Allowed List use committer email addresses in the GitLab project. |
Set Push Access Level in GitLab Project | Verify the GitLab project's push access level policy complies with requirements. |
Disallow Force Push in GitLab Project | Verify force pushes in the GitLab project are disallowed to maintain repository integrity. |
Set Visibility Level in GitLab Project | Verify the GitLab project's visibility matches the required level. |
Restrict Approvers Per Merge Request | Verify the binary field disable_overriding_approvers_per_merge_request is set for the GitLab project. |
Allowed Commit Authors in GitLab Project | Verify only users in the Allowed List author commits in the GitLab project. |
Disable Author Approval for Merge Requests in GitLab | Verify the binary field merge_requests_author_approval is set for the GitLab project. |
Enable Secrets Prevention in GitLab Project | Verify prevent_secrets is enabled for the GitLab project. |
Ensure All Commits Are Signed in GitLab Project | Verify all commits in the GitLab project are signed. |
Check Description Substring | Verify a specific substring is not found in the description attribute of vulnerabilities for the GitLab project. |
Verify Project Activity | Verify the GitLab project is active for a specified duration. |
Allowed Committer Names in GitLab Project | Verify only users in the Allowed List commit by name in the GitLab project. |
Check Message Substring | Verify a specific substring is not found in the message attribute of vulnerabilities for the GitLab project. |
Run SAST Scanning in GitLab Project | Verify SAST scanning is performed for the GitLab project. |
Require Code Owner Approval in GitLab Project | Verify code owner approval is required for specific branches in the GitLab project. |
Ensure SAST Scanning Passes | Verify SAST scanning is successful for the GitLab project. |
Ensure Secrets Scanning Passes | Verify secrets scanning is successful for the GitLab project. |
Require Password for Approvals in GitLab Project | Verify the binary field require_password_to_approve is set for the GitLab project. |
K8s Namespace Discovery Evidence
Evidence Type: K8s Namespace Discovery Evidence
Rule Name | Description |
---|---|
Allowed Container Images | Verify only container images specified in the Allowed List run within the Kubernetes namespace. |
Verify Namespace Termination | Verify Kubernetes namespaces are properly terminated to prevent lingering resources and maintain cluster hygiene. |
Allowed Namespaces | Verify only namespaces specified in the Allowed List are allowed within the cluster. |
Verify Namespace Runtime Duration | Verify Kubernetes namespaces adhere to a specified runtime duration to enforce lifecycle limits. |
Allowed Namespace Registries | Verify container images in Kubernetes namespaces originate from registries in the Allowed List. |
Allowed Pods in Namespace | Verify only pods explicitly listed in the Allowed List run within a Kubernetes namespace. |
K8s Pod Discovery Evidence
Evidence Type: K8s Pod Discovery Evidence
Rule Name | Description |
---|---|
Verify Pod Runtime Duration | Verify Kubernetes pods adhere to a specified runtime duration to enforce lifecycle limits. |
Verify Pod Termination | Verify Kubernetes pods are properly terminated to prevent lingering resources and maintain cluster hygiene. |
Allowed Pods | Verify only pods explicitly listed in the Allowed List are allowed to run. |
Bitbucket Project Discovery Evidence
Evidence Type: Bitbucket Project Discovery Evidence
Rule Name | Description |
---|---|
Prevent Long-Lived Tokens | Verify Bitbucket API tokens expire before the maximum time to live. |
Allowed Project Admins | Verify only users specified in the Allowed List have admin privileges in the Bitbucket project. |
Allowed Project Users | Verify only users specified in the Allowed List have user access to the Bitbucket project. |
Prevent Credential Exposure | Verify access to the Bitbucket project is blocked if exposed credentials are detected. |
Bitbucket Repository Discovery Evidence
Evidence Type: Bitbucket Repository Discovery Evidence
Rule Name | Description |
---|---|
Allowed Repository Admins | Verify only users specified in the Allowed List have admin privileges in the Bitbucket repository. |
Verify Default Branch Protection Setting Is Configured | Verify the default branch protection is enabled in the Bitbucket repository. |
Allowed Repository Users | Verify only users specified in the Allowed List have user access to the Bitbucket repository. |
Bitbucket Workspace Discovery Evidence
Evidence Type: Bitbucket Workspace Discovery Evidence
Rule Name | Description |
---|---|
Allowed Workspace Admins | Verify only users specified in the Allowed List have admin privileges in the Bitbucket workspace. |
Allowed Workspace Users | Verify only users specified in the Allowed List have user access to the Bitbucket workspace. |
Discovery Evidence
Evidence Type: Discovery Evidence
Rule Name | Description |
---|---|
Verify GitLab Pipeline Labels | Verify the pipeline includes all required label keys and values. |
GitLab pipeline verify labels exist | Verify the pipeline has all required label keys and values. |
Verify Exposed Credentials | Verify there are no exposed credentials. |
Dockerhub Project Discovery Evidence
Evidence Type: Dockerhub Project Discovery Evidence
Rule Name | Description |
---|---|
Verify DockerHub Tokens are Active | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. |
Verify No Unused Dockerhub Tokens | Verify that there are no unused Dockerhub tokens. |
Jenkins Instance Discovery Evidence
Evidence Type: Jenkins Instance Discovery Evidence
Rule Name | Description |
---|---|
Disallow Unused Users | Verify there are no users with zero activity. |
Verify Inactive Users | Verify there are no inactive users. |
SLSA Provenance
Evidence Type: SLSA Provenance
Rule Name | Description |
---|---|
SLSA External Parameters Match in Provenance Document | Verify the specified external parameter values match those in the provenance document. |
Verify that provenance is authenticated | Verify the artifact is signed. |
SLSA Field Exists in Provenance Document | Verify the specified field exists in the provenance document. |
Verify Provenance Document Exists | Verify that the Provenance document evidence exists. |
Disallow dependencies in SLSA Provenance Document | Verify that dependencies in the block list do not appear in the SLSA Provenance document. |
Verify build time | Verify the artifact was created within the specified time window. |
Verify that artifact was created by the specified builder | Verify the artifact was created by the specified builder. |
Verify that artifact has no disallowed builder dependencies | Verify the artifact has no disallowed builder dependencies. |
SLSA Field Value Matches in Provenance Document | Verify the specified field value matches in the provenance document. |
Statement
Evidence Type: Statement
Rule Name | Description |
---|---|
Verify Selected Commits Are Signed API | Verify selected commits are signed in the GitHub organization. |
Branch protection enabled in GitHub repository | Verify GitHub branch protection rules are enabled. |
Disallow Unsigned Commits In Time Range | Verify commits in the specified time range are signed. |
Sign Selected Commits in GitLab | Verify the selected commits are signed in the GitLab organization. |
Set Push Rules in GitLab | Verify GitLab push rules are configured via the API. |
Sign Selected Commit Range in GitLab | Verify the selected range of commits is signed via the GitLab API. |
Verify No 3rd Party Findings via Scribe API | Verify via Scribe API that there are no findings reported by 3rd party tools in the target product. |
Verify No Critical or High Vulnerabilities in Product | Verify via Scribe API that there are no critical or high severity vulnerabilities in any deliverable component of the product. |