Detailed Container Registry Features (finos#595)

services/devtools/containerReg/controls.yaml → services/devtools/container-registry/controls.yaml

@@ -8,29 +8,29 @@ common_controls:
   - CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter
 
 controls:
-  - id: CCC.ContReg.C01 # Implement Vulnerability Scanning for Artifacts
+  - id: CCC.CntrReg.C01 # Implement Vulnerability Scanning for Artifacts
     title: Implement Vulnerability Scanning for Artifacts
     objective: |
       Ensure that container images and artifacts stored in the container registry are scanned for
       vulnerabilities to identify and remediate security issues before deployment.
     control_family: Risk Management
     threats:
-      - CCC.ContReg.TH01 # Vulnerabilities in Artifacts are Exploited
+      - CCC.CntrReg.TH01 # Vulnerabilities in Artifacts are Exploited
     nist_csf: ID.RA-1 # Asset vulnerabilities are identified and documented
     control_mappings:
       NIST_800_53:
         - RA-5 # Vulnerability Monitoring and Scanning
         - SI-5 # Security Alerts, Advisories, and Directives
     test_requirements:
-      - id: CCC.ContReg.C01.TR01
+      - id: CCC.CntrReg.C01.TR01
         text: |
           Attempt to push an artifact with known vulnerabilities to the registry
           and observe if it is flagged or rejected by the vulnerability scanning process.
         tlp_levels:
           - tlp_red
           - tlp_amber
 
-  - id: CCC.ContReg.C02 # Implement Cleanup Policies for Artifacts
+  - id: CCC.CntrReg.C02 # Implement Cleanup Policies for Artifacts
     title: Implement Cleanup Policies for Artifacts
     objective: |
       Ensure that unused or outdated artifacts are cleaned up according to defined policies to
@@ -43,7 +43,7 @@ controls:
       NIST_800_53:
         - SI-12 # Information Handling and Retention
     test_requirements:
-      - id: CCC.ContReg.C02.TR01
+      - id: CCC.CntrReg.C02.TR01
         text: |
           Confirm that artifacts older than the specified retention period are automatically deleted from the registry.
         tlp_levels:

services/devtools/container-registry/features.yaml

@@ -0,0 +1,117 @@
+common_features:
+  - CCC.F01 # Encryption in Transit Enabled by Default
+  - CCC.F02 # Encryption at Rest Enabled by Default
+  - CCC.F03 # Access/Activity Logs
+  - CCC.F04 # Transaction Rate Limits
+  - CCC.F05 # Signed URLs
+  - CCC.F06 # Identity-Based Access Control
+  - CCC.F07 # Event Notifications
+  - CCC.F09 # Monitoring
+  - CCC.F13 # Infrastructure as Code
+  - CCC.F14 # API Access
+  - CCC.F18 # Versioning
+  - CCC.F21 # Replication
+  - CCC.F22 # Location Lock-In
+
+features:
+  - id: CCC.CntrReg.F01
+    title: Image Storage
+    description: |
+      Ability to upload and securely store container images and image metadata.
+
+  - id: CCC.CntrReg.F02
+    title: Private Repositories
+    description: |
+      Support for creating container image repositories that are restricted and
+      only accessible by authorized users or services.
+
+  - id: CCC.CntrReg.F03
+    title: Public Repositories
+    description: |
+      Support for creating container image repositories that are open to the public.
+      These repositories are used mainly for sharing container images.
+
+  - id: CCC.CntrReg.F04
+    title: Lifecycle Policies
+    description: |
+      Supports defining of policies for automatic expiry of
+      unused or outdated images to manage storage effectively.
+
+  - id: CCC.CntrReg.F05
+    title: Image Scanning
+    description: |
+      Provides vulnerability scanning for container images (built-in
+      or through integration to scanning services) to detect security
+      issues and generate reports for known CVEs (Common Vulnerabilities
+      and Exposures).
+
+  - id: CCC.CntrReg.F06
+    title: Integration with CI/CD Tooling
+    description: |
+      Seamlessly integrates with CI/CD pipelines to automate pushing and pulling of
+      container images.
+
+  - id: CCC.CntrReg.F07
+    title: Caching of Images
+    description: |
+      Provides caching for faster access to frequently used images.
+
+  - id: CCC.CntrReg.F08
+    title: Multi-platform Support
+    description: |
+      Ability to store images built for different CPU architectures such as
+      x86_64 (AMD/Intel), ARM64, and others within the same container image
+      repository.
+
+  - id: CCC.CntrReg.F09
+    title: Immutable Tags
+    description: |
+      Prevent tags from being overwritten or deleted once they have been
+      assigned to an image. This ensures that once a container image is tagged
+      with a specific version or identifier, that tag remains associated with
+      the same image throughout its lifetime.
+
+  - id: CCC.CntrReg.F10
+    title: List Repositories
+    description: |
+      Ability to list all public and private repositories in the container
+      image registry.
+
+  - id: CCC.CntrReg.F11
+    title: Edit Repository
+    description: |
+      Ability to edit a public or private container image repository properties
+      after being created.
+
+  - id: CCC.CntrReg.F12
+    title: Delete Repository
+    description: |
+      Ability to delete a public or private container image repository after
+      being created.
+
+  - id: CCC.CntrReg.F13
+    title: List Images
+    description: |
+      Ability to list container images in a public or private container image
+      repository.
+
+  - id: CCC.CntrReg.F14
+    title: Delete Image
+    description: |
+      Ability to delete a container image after being created.
+
+  - id: CCC.CntrReg.F15
+    title: List Lifecycle Policies
+    description: |
+      Ability to list lifecycle policies for container images in a public or private
+      container repository.
+
+  - id: CCC.CntrReg.F16
+    title: Edit Lifecycle Policy
+    description: |
+      Ability to edit a lifecycle policy after being created.
+
+  - id: CCC.CntrReg.F17
+    title: Delete Lifecycle Policy
+    description: |
+      Ability to delete a lifecycle policy after being created.

services/devtools/container-registry/metadata.yaml

@@ -0,0 +1,19 @@
+title: CCC Container Registry
+id: CCC.CntrReg
+description: |
+  This documents the minimal set of features that should be present
+  for a container registry service to be considered for use in financial
+  services ecosystems.
+release_details:
+  - version: "2025.06"
+    assurance_level: None
+    threat_model_url: None
+    threat_model_author: None
+    red_team: None
+    red_team_exercise_url: None
+    release_manager:
+      name: Damien Burks
+      github_id: damienjburks
+      company: Citi
+      summary: None
+    change_log: []

services/devtools/service-categories.yaml

@@ -0,0 +1,23 @@
+title: CCC Dev Tools
+id: CCC.DevTools
+description: |
+  Dev Tools in the context of cloud computing refer to a suite of tools
+  and services provided by cloud service providers to help developers
+  build, test, deploy, and maintain applications efficiently. These tools
+  are designed to support the DevOps lifecycle by enabling collaboration,
+  automation, and scalability for development workflows in the cloud.
+service_categories:
+  - id: CCC.CntrReg
+    title: Container Registry
+    description: |
+      Container Registry is a repository for storing, managing and distributing
+      container images. It acts as a hub in the container ecosystem, enabling
+      developers to push, pull, version, and share container images efficiently
+      and securely.
+    examples:
+      - AWS:
+          - AWS Elastic Container Registry (ECR)
+      - Azure:
+          - Azure Container Registry (ACR)
+      - Google Cloud:
+          - Google Container Registry (GCR)