NIST Application Container Security Initiative
Type: Initiative
ID: SP-800-190
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/sp-800-190.yaml
Help: https://csrc.nist.gov/publications/detail/sp/800-190/final
This initiative enforces container security controls as outlined in NIST SP 800-190. It ensures that containerized applications follow security best practices, including vulnerability scanning, trusted image sources, registry security, and proper configuration to minimize risk. The initiative enables policy-driven enforcement of security controls throughout the software development lifecycle (SDLC), providing real-time feedback to developers and enforcement in CI/CD pipelines.
Controls Overview
Control Name | Control Description | Mitigation |
---|---|---|
[4.1] IMAGE COUNTERMEASURES | Implements security controls to reduce risks associated with container images, such as vulnerabilities, misconfigurations, and unauthorized images. The policies enforce CVE scanning, mandatory security settings, and allow only trusted sources. | Ensures that all container images meet organizational security policies before deployment. Helps reduce the attack surface by blocking images with vulnerabilities, misconfigurations, or unauthorized sources. |
[4.2] REGISTRY COUNTERMEASURES | Implements controls to secure container image registries by enforcing HTTPS connections, verifying image freshness, and preventing stale images from being used. | Reduces risks associated with registry security, stale images, and unauthorized image pulls. Ensures that images are kept up-to-date and only retrieved from secure sources. |
Evidence Defaults
Field | Value |
---|---|
signed | False |
Detailed Controls
[4.1] IMAGE COUNTERMEASURES
Implements security controls to reduce risks associated with container images, such as vulnerabilities, misconfigurations, and unauthorized images. The policies enforce CVE scanning, mandatory security settings, and allow only trusted sources.
Mitigation
Ensures that all container images meet organizational security policies before deployment. Helps reduce the attack surface by blocking images with vulnerabilities, misconfigurations, or unauthorized sources.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
trivy-verify-vulnerability-findings | 4.1.1 Severity-Based Vulnerabilities (Trivy) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. |
trivy-blocklist-cve | 4.1.1 High-Profile Vulnerabilities (Trivy) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. |
sbom-disallowed-users | 4.1.2 Default Non-Root User | Ensures that containers do not run as the root user. |
images-banned-ports | 4.1.2 Banned Open Port 22 | Blocks images that expose SSH (port 22), which should not be used in containerized applications. |
images-require-healthcheck | 4.1.3 Set HEALTHCHECK Instruction | Ensures that container images include a HEALTHCHECK instruction to monitor their runtime health. |
image-labels | 4.1.3 Verify Required Image Labels | Enforces the presence of essential OpenContainers labels, such as creation time, version, and source repository. |
images-allowed-base-image | 4.1.5 Approved Source Base Images | Ensures that base images originate from approved and trusted sources. |
images-allowed-image-source | 4.1.5 Approved Source Images | Ensures that application images are built from approved sources. |
images-require-signed-image | 4.1.5 Signed Images | Ensures that images are cryptographically signed before execution. |
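Most of the 4.1.2, 4.1.3 and 4.1.5 rules above can be evaluated statically against the Dockerfile that produces the image, which is where a developer gets the earliest feedback. The Python below is an added example written for this page, not the initiative's own rule implementation (its rule IDs show it works from Trivy output and the image SBOM rather than the Dockerfile). The approved registry prefixes, required label names and banned port list are constructed policy values, and `sbom-disallowed-users` is approximated by the final build stage's `USER` instruction. It handles the details a naive grep misses: line continuations, multi-stage builds where only the last `FROM` ships, stage names that are not images, Docker short names, quoted `LABEL` values, and `HEALTHCHECK NONE`.

```python
import shlex

# Constructed policy values (assumption): a real deployment would load these from the
# initiative's configuration rather than hard-code them.
ALLOWED_BASE_PREFIXES = ("registry.example.com/approved/", "docker.io/library/")
REQUIRED_LABELS = {"org.opencontainers.image.created", "org.opencontainers.image.version",
                   "org.opencontainers.image.source"}
BANNED_PORTS = {22}

def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations, skipping comments."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return instructions

def qualify(image):
    """Expand Docker short names (nginx, myorg/app) to full references before comparing."""
    first = image.split("/")[0]
    if "/" not in image:
        return "docker.io/library/" + image
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + image
    return image

def label_keys(arg):
    tokens = shlex.split(arg)
    if tokens and "=" not in tokens[0]:
        return {tokens[0]}                       # legacy "LABEL key value" form
    return {t.split("=", 1)[0] for t in tokens if "=" in t}

def exposed_ports(arg):
    ports = set()
    for token in arg.split():
        lo, _, hi = token.split("/")[0].partition("-")   # drop /tcp, expand 8000-8010 ranges
        if lo.isdigit():
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check_dockerfile(text):
    """Dockerfile-level checks behind rules 4.1.2, 4.1.3 and 4.1.5; returns (rule_id, message) pairs."""
    instructions = parse_dockerfile(text)
    from_indexes = [i for i, (ins, _) in enumerate(instructions) if ins == "FROM"]
    if not from_indexes:
        return [("images-allowed-base-image", "no FROM instruction")]
    findings, stage_names = [], set()
    # 4.1.5: every FROM naming a real image (not an earlier stage or scratch) must be approved
    for i in from_indexes:
        tokens = [t for t in instructions[i][1].split() if not t.startswith("--")]  # drop --platform
        image = tokens[0]
        if len(tokens) >= 3 and tokens[1].upper() == "AS":
            stage_names.add(tokens[2].lower())
        if image.lower() in stage_names or image == "scratch":
            continue
        if not qualify(image).startswith(ALLOWED_BASE_PREFIXES):
            findings.append(("images-allowed-base-image", f"{image} is not an approved base image"))
    stage = instructions[from_indexes[-1]:]      # only the last stage becomes the shipped image
    # 4.1.2: the last USER of the final stage sets the runtime user; no USER means root
    users = [arg for ins, arg in stage if ins == "USER"]
    if (users[-1].split(":")[0] if users else "root") in ("root", "0"):
        findings.append(("sbom-disallowed-users", "container runs as root"))
    for ins, arg in stage:                        # 4.1.2: banned ports
        if ins == "EXPOSE":
            for port in sorted(exposed_ports(arg) & BANNED_PORTS):
                findings.append(("images-banned-ports", f"port {port} exposed"))
    # 4.1.3: HEALTHCHECK NONE disables any inherited check, so it counts as missing
    if not any(ins == "HEALTHCHECK" and arg.upper() != "NONE" for ins, arg in stage):
        findings.append(("images-require-healthcheck", "no HEALTHCHECK instruction"))
    # 4.1.3: required OCI labels (assumption: set in this Dockerfile; inherited labels are not seen)
    present = set().union(*(label_keys(arg) for ins, arg in stage if ins == "LABEL"))
    for key in sorted(REQUIRED_LABELS - present):
        findings.append(("image-labels", f"missing label {key}"))
    return findings

# Constructed sample Dockerfiles: one that violates several rules and one that passes.
BAD_DOCKERFILE = """
FROM untrusted.example.net/team/python:3.12
COPY . /app
EXPOSE 22 8080/tcp
CMD ["python", "/app/main.py"]
"""
GOOD_DOCKERFILE = """
FROM registry.example.com/approved/python:3.12 AS build
RUN pip install --no-cache-dir -r /src/requirements.txt
FROM registry.example.com/approved/python:3.12
LABEL org.opencontainers.image.created="2024-01-01T00:00:00Z" \\
      org.opencontainers.image.version="1.0.0" \\
      org.opencontainers.image.source="https://git.example.com/app"
COPY --from=build /app /app
EXPOSE 8080
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/healthz || exit 1
USER 10001:10001
CMD ["python", "/app/main.py"]
"""
```

`check_dockerfile(BAD_DOCKERFILE)` reports seven findings (unapproved base, root user, port 22, no HEALTHCHECK, three missing labels) and `check_dockerfile(GOOD_DOCKERFILE)` returns an empty list. Evaluating only the final stage matters: a builder stage that runs as root or lacks a HEALTHCHECK is not a finding, because it never ships.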
[4.2] REGISTRY COUNTERMEASURES
Implements controls to secure container image registries by enforcing HTTPS connections, verifying image freshness, and preventing stale images from being used.
Mitigation
Reduces risks associated with registry security, stale images, and unauthorized image pulls. Ensures that images are kept up-to-date and only retrieved from secure sources.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
images-registry-https-check | 4.2.1 Registry Connection Enforcement | Ensures that images are only pulled from registries using HTTPS. |
images-fresh-base-image | 4.2.2 Up-to-Date Base Images | Ensures that base images are not older than a specified time limit. |
fresh-image | 4.2.2 Up-to-Date Derived Images | Ensures that derived images are refreshed regularly and not outdated. |
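The 4.2 rules pair a transport check with an age check. The Python below is an added example, not the initiative's own code: it derives the registry host from an image reference using Docker's short-name rule (no registry means `docker.io`), treats any host matching a daemon `insecure-registries` entry as failing 4.2.1 because such a registry may be contacted over plain HTTP, and reads the `created` timestamp from an OCI image config to evaluate both 4.2.2 freshness rules. The daemon configuration, the two image configs, the fixed clock and the age limits are constructed sample values; the CIDR matching and the separate derived-image limit are assumptions about how an organisation would configure this.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed daemon configuration and policy (assumption): in practice the registry list comes
# from the daemon's configuration and the age limits from the initiative's configuration.
DAEMON_CONFIG = {"insecure-registries": ["10.0.0.5:5000", "10.1.0.0/16"]}
MAX_BASE_IMAGE_AGE = timedelta(days=90)     # 4.2.2 base images
MAX_DERIVED_IMAGE_AGE = timedelta(days=30)  # 4.2.2 derived images are expected to be rebuilt more often

def registry_host(reference):
    """Registry a reference is pulled from, applying Docker's short-name rule (default docker.io)."""
    first = reference.split("/")[0]
    if "/" in reference and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def _matches(host, entry):
    if "/" in entry:                                   # CIDR entry such as 10.1.0.0/16
        try:
            return ipaddress.ip_address(host.rsplit(":", 1)[0]) in ipaddress.ip_network(entry, strict=False)
        except ValueError:                             # host is a name, not an address
            return False
    return host == entry

def pulled_over_https(reference, daemon_config=DAEMON_CONFIG):
    """4.2.1: a registry listed in insecure-registries may be contacted over plain HTTP."""
    host = registry_host(reference)
    return not any(_matches(host, e) for e in daemon_config.get("insecure-registries", []))

def parse_rfc3339(ts):
    """OCI image configs carry Go RFC3339Nano timestamps; datetime accepts at most 6 fractional digits."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts.replace("Z", "+00:00"))
    return datetime.fromisoformat(ts)

def image_age(config_json, now):
    """Age derived from the 'created' field of an OCI image config blob."""
    return now - parse_rfc3339(json.loads(config_json)["created"])

def evaluate_registry_controls(reference, config_json, now=None, derived=False):
    """Return the IDs of the 4.2 rules the image fails; an empty list means compliant."""
    now = now or datetime.now(timezone.utc)
    failed = []
    if not pulled_over_https(reference):
        failed.append("images-registry-https-check")
    limit = MAX_DERIVED_IMAGE_AGE if derived else MAX_BASE_IMAGE_AGE
    if image_age(config_json, now) > limit:
        failed.append("fresh-image" if derived else "images-fresh-base-image")
    return failed

# Constructed image configs in the shape of an OCI image config blob.
STALE_CONFIG = json.dumps({"created": "2023-01-15T10:20:30.123456789Z", "architecture": "amd64", "os": "linux"})
FRESH_CONFIG = json.dumps({"created": "2023-11-20T08:00:00Z", "architecture": "amd64", "os": "linux"})
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible
```

With the constructed values, `evaluate_registry_controls("10.0.0.5:5000/app:1", STALE_CONFIG, NOW)` fails both rules, while the same stale config pulled from `registry.example.com` fails only the freshness rule. The nanosecond trimming in `parse_rfc3339` is the edge case worth keeping: `created` values written by Go tooling carry nine fractional digits, which `datetime.fromisoformat` rejects.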