NIST Application Container Security Initiative
Type: Initiative
ID: SP-800-190
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/sp-800-190.yaml
Help: https://csrc.nist.gov/publications/detail/sp/800-190/final
This initiative enforces container security controls as outlined in NIST SP 800-190. It ensures that containerized applications follow security best practices, including vulnerability scanning, trusted image sources, registry security, and proper configuration to minimize risk. The initiative enables policy-driven enforcement of security controls throughout the software development lifecycle (SDLC), providing real-time feedback to developers and enforcement in CI/CD pipelines.
Required Evidence
This initiative requires the following evidence types:
Evidence Defaults
| Field | Value |
|---|---|
| signed | False |
Rule Parameters
To configure this initiative for your organization needs, the following parameters should be specified:
- [4.1] 4.1 IMAGE COUNTERMEASURES
- 4.1.1 Severity-Based Vulnerabilities
severity_threshold:integer- The maximum severity level allowed for vulnerabilities.
Default:5.5.superset:object- The superset of CVEs to check for, including the following format [cve: [max: int, severity: int], has_kev: bool, has_fix: bool]].
Default:{'cve': {'max': 0, 'severity': 0}}.
- 4.1.1 High-Profile Vulnerabilities
rule_ids:array- List of CVE identifiers to check for in the Trivy SARIF report.
Default:['CVE-2014-0160', 'CVE-2021-44228', 'CVE-2023-38545', 'CVE-2023-44487', 'CVE-2024-3094', 'CVE-2024-47176', 'CVE-2024-47076', 'CVE-2024-47175', 'CVE-2024-47177', 'CVE-2019-1549'].superset:object- The superset of CVEs to check for, including the following format [cve: [max: int, severity: int], has_kev: bool, has_fix: bool]].
Default:{'cve': {'max': 0, 'severity': 6, 'has_kev': True, 'vulnerabilities': ['CVE-2014-0160', 'CVE-2021-44228', 'CVE-2023-38545', 'CVE-2023-44487', 'CVE-2024-3094', 'CVE-2024-47176', 'CVE-2024-47076', 'CVE-2024-47175', 'CVE-2024-47177', 'CVE-2019-1549']}}.
- 4.1.2 Banned Open Port 22
banned_ports:array- A list of banned ports and protocols. Each entry should be a dictionary with 'port' and 'protocol' keys.
Default:[{'port': '22', 'protocol': 'tcp'}].
- 4.1.2 Approved Source Base Images
approved_sources:array- A list of approved base image registry URL prefixes.
- 4.1.2 Up-to-Date Base Images
max_days:integer- The maximum allowed age of the base image in days.
Default:100.
- 4.1.3 Verify Required Image Labels
labels:array- A list of required labels.
Default:['org.opencontainers.image.created', 'org.opencontainers.image.revision', 'org.opencontainers.image.source', 'org.opencontainers.image.version', 'org.opencontainers.image.licenses'].
- 4.1.5 Approved Source Base Images
approved_sources:array- A list of approved base image registry URL prefixes.
- 4.1.5 Approved Source Images
approved_sources:array- A list of approved Image source patterns.
- 4.1.5 Fresh Images
max_days:integer- The maximum allowed age of the image in days.
Default:30.
- 4.1.1 Severity-Based Vulnerabilities
- [4.2] 4.2 REGISTRY COUNTERMEASURES
- 4.2.2 Up-to-Date Base Images
max_days:integer- The maximum allowed age of the base image in days.
Default:100.
- 4.2.2 Up-to-Date Derived Images
max_days:integer- The maximum allowed age of the image in days.
Default:30.
- 4.2.2 Up-to-Date Base Images
Controls Overview
| Control Name | Control Description | Mitigation |
|---|---|---|
| [4.1] IMAGE COUNTERMEASURES | Implements security controls to reduce risks associated with container images, such as vulnerabilities, misconfigurations, and unauthorized images. The policies enforce CVE scanning, mandatory security settings, and allow only trusted sources. | Ensures that all container images meet organizational security policies before deployment. Helps reduce the attack surface by blocking images with vulnerabilities, misconfigurations, or unauthorized sources. |
| [4.2] REGISTRY COUNTERMEASURES | Implements controls to secure container image registries by enforcing HTTPS connections, verifying image freshness, and preventing stale images from being used. | Reduces risks associated with registry security, stale images, and unauthorized image pulls. Ensures that images are kept up-to-date and only retrieved from secure sources. |
Detailed Controls
[4.1] 4.1 IMAGE COUNTERMEASURES
Implements security controls to reduce risks associated with container images, such as vulnerabilities, misconfigurations, and unauthorized images. The policies enforce CVE scanning, mandatory security settings, and allow only trusted sources.
Mitigation
Ensures that all container images meet organizational security policies before deployment. Helps reduce the attack surface by blocking images with vulnerabilities, misconfigurations, or unauthorized sources.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| 4.1.1-trivy-verify-vulnerability-findings | 4.1.1 Severity-Based Vulnerabilities | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. |
| 4.1.1-trivy-blocklist-cve | 4.1.1 High-Profile Vulnerabilities | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. |
| 4.1.1-scribe-api-verify-vulnerability-findings | 4.1.1 Severity-Based Vulnerabilities | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. |
| 4.1.1-scribe-api-blocklist-cve | 4.1.1 High-Profile Vulnerabilities | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. |
| 4.1.2-image-disallowed-users | 4.1.2 Default Non-Root User | Ensures that containers do not run as the root user. |
| 4.1.2-image-banned-ports | 4.1.2 Banned Open Port 22 | Blocks images that expose SSH (port 22), which should not be used in containerized applications. |
| 4.1.2-image-allowed-base | 4.1.2 Approved Source Base Images | Ensures that base images originate from approved and trusted sources. |
| 4.1.2-image-fresh-base | 4.1.2 Up-to-Date Base Images | Ensures that base images are not older than a specified time limit. |
| 4.1.3-image-require-healthcheck | 4.1.3 Set HEALTHCHECK Instruction | Ensures that container images include a HEALTHCHECK instruction to monitor their runtime health. |
| 4.1.3-image-verify-labels | 4.1.3 Verify Required Image Labels | Enforces the presence of essential OpenContainers labels, such as creation time, version, and source repository. |
| 4.1.5-image-allowed-base | 4.1.5 Approved Source Base Images | Ensures that base images originate from approved and trusted sources. |
| 4.1.5-image-allowed-source | 4.1.5 Approved Source Images | Ensures that application images are built from approved sources. |
| 4.1.5-image-signed | 4.1.5 Signed Images | Ensures that images are cryptographically signed before execution. |
| 4.1.5-image-fresh | 4.1.5 Fresh Images | Ensures that images are not older than a specified time limit. |
[4.2] 4.2 REGISTRY COUNTERMEASURES
Implements controls to secure container image registries by enforcing HTTPS connections, verifying image freshness, and preventing stale images from being used.
Mitigation
Reduces risks associated with registry security, stale images, and unauthorized image pulls. Ensures that images are kept up-to-date and only retrieved from secure sources.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| 4.2.1-registry-enforce-https | 4.2.1 Registry Connection Enforcement | Ensures that images are only pulled from registries using HTTPS. |
| 4.2.2-registry-fresh-base | 4.2.2 Up-to-Date Base Images | Ensures that base images are not older than a specified time limit. |
| 4.2.2-registry-fresh-image | 4.2.2 Up-to-Date Derived Images | Ensures that derived images are refreshed regularly and not outdated. |