├── .github └── workflows │ └── commit.yml ├── .gitignore ├── .tool-versions ├── .vscode └── launch.json ├── 3M-control-list ├── 3M-CNCF-Software-Supply-Chain-Best-Practices-Control-List.csv └── LICENSE.md ├── LICENSE ├── Pipfile ├── Pipfile.lock ├── controls └── controls_catalog.csv └── csv_to_oscal.py /.github/workflows/commit.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Commit" 3 | 4 | on: 5 | push: 6 | branches: 7 | - main 8 | pull_request: 9 | branches: 10 | - main 11 | 12 | env: 13 | python_version: "3.12" 14 | 15 | defaults: 16 | run: 17 | shell: 'bash --noprofile --norc -Eeuo pipefail {0}' 18 | 19 | jobs: 20 | generate-oscal: 21 | name: Generate OSCAL 22 | runs-on: ubuntu-22.04 23 | steps: 24 | - name: Checkout the repository 25 | uses: actions/checkout@v3 26 | - name: Lint 27 | run: | 28 | tr -d $'\r' < controls/controls_catalog.csv > controls/controls_catalog.tmp 29 | mv controls/controls_catalog.tmp controls/controls_catalog.csv 30 | if [ -n "$(git status --porcelain)" ]; then echo 'Please remove carriage returns from controls/controls_catalog.csv'; exit 1; fi 31 | - name: Setup python 32 | uses: actions/setup-python@v4 33 | with: 34 | python-version: ${{ env.python_version }} 35 | - uses: actions/cache@v3 36 | with: 37 | path: ~/.local/share/virtualenvs 38 | key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }} 39 | - name: Install the dependencies 40 | run: | 41 | python -m pip install --upgrade pipenv 42 | pipenv install --deploy --ignore-pipfile --dev 43 | - name: Generate the OSCAL artifacts 44 | run: pipenv run ./csv_to_oscal.py 45 | - name: Upload the generated OSCAL 46 | uses: actions/upload-artifact@v3 47 | with: 48 | name: OSCAL 49 | path: controls/controls_catalog.json 50 | if-no-files-found: error 51 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | controls/controls_catalog.json 2 | -------------------------------------------------------------------------------- /.tool-versions: -------------------------------------------------------------------------------- 1 | python 3.10.1 2 | -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "name": "Python: Current File", 9 | "type": "python", 10 | "request": "launch", 11 | "program": "${file}", 12 | "console": "integratedTerminal" 13 | } 14 | ] 15 | } -------------------------------------------------------------------------------- /3M-control-list/3M-CNCF-Software-Supply-Chain-Best-Practices-Control-List.csv: -------------------------------------------------------------------------------- 1 | Number,Control Objective,Category,Control,Assurance Level,Implementation Guidance,Evidence Recommendations to Validate Implementation,Control Owner, Status,Notes 2 | SSSC-SC-1.1.1,Securing the Source Code,Verification,Require Signed Commits,Moderate,Sign source code commits and tags to ensure integrity and non-repudiation of code using GPG or s/mime keys,,,, 3 | SSSC-SC-1.2.1,Securing the Source Code,Verification,Enforce full attestation and verification for protected branches,High,Establish attribution of changes to source code via out-of-band mechanism,,,, 4 | SSSC-SC-2.1.1,Securing the Source Code,Automation,Prevent Committing secrets to the repository,Moderate,"Use a credential scanning tool to detect secret leaks including credentials, keys, or tokens",,,, 5 | SSSC-SC-2.2.1,Securing the Source Code,Automation,Define owership for code repository,Low,Define ownership of code repository project inventory methods,,,, 6 | SSSC-SC-2.2.2,Securing the Source Code,Automation,Define owership for code repository,High,"Create and enforce code standards including templates (also .gitignore, .gitattributes) and denylist files to help mitigate injection risks and provide higher assurance",,,, 7 | SSSC-SC-2.3.3,Securing the Source Code,Automation,Automate software security scanning and testing,High,"The metadata from security tooling such as SAST tooling should be recorded and linked to a hash of the build artefact to provide chain of custody and provenance. Both the coverage and results of these tests should be published as part of the repository information to help downstream consumers of software better assess the stability, reliability, 8 | and/or suitability of a product or library.",,,, 9 | SSSC-SC-3.1.1,Securing the Source Code,Controlled Environments,Establish and adhere to contribution policies,Moderate,"Define configuration options or configuration rules to enforce security, hygiene and operational policies.",,,, 10 | SSSC-SC-3.2.1,Securing the Source Code,Controlled Environments,Define roles aligned to functional responsibilities,Moderate,Define roles and associated access controls based upon the different personas interacting with the source code repositories.,,,, 11 | SSSC-SC-3.3.1,Securing the Source Code,Controlled Environments,Enforce an independent four-eyes principle,Moderate,"Ensure that at least two individuals, of which one should have write access to the branch, that are independent of the request must review and approve commit requests.",,,, 12 | SSSC-SC-3.4.1,Securing the Source Code,Controlled Environments,Use branch protection rules,Moderate,"Enable configuration and restriction of source code operations on individual branches to enforce the usage of pull requests with specified precondition and approval rules for protected repositories, ensuring that a human code review process is followed or an automated status checking of a branch occurs.",,,, 13 | SSSC-SC-3.5.1,Securing the Source Code,Controlled Environments,Validate runtime security of version control system (VCS),Moderate,Ensure that configuration and authentication anomalies are forwarded to organizational Security Information and Event Management (SIEM) systems for evaluation and alerting.,,,,Added 14 | SSSC-SC-3.5.2,Securing the Source Code,Controlled Environments,Validate runtime security of version control system (VCS),Moderate,Perform quarterly tests to ensure that the event detection and alerting system is functioning properly. Review results to improve detection capabilities.,,,,Added 15 | SSSC-SC-4.1.1,Securing the Source Code,Secure Authentication,Enforce MFA for accessing source code repositories,Moderate,Enforce Multi-factor authentication (MFA) at the source code repository level for software projects.,,,, 16 | SSSC-SC-4.2.1,Securing the Source Code,Secure Authentication,Use SSH keys to provide developers access to source code repositories,Moderate,Use SSH keys to provide developers access to source code repositories,,,, 17 | SSSC-SC-4.3.1,Securing the Source Code,Secure Authentication,Have a key rotation policy,Moderate,Implement a key rotation policy to ensure that compromised keys will cease to be usable after a certain period of time.,,,, 18 | SSSC-SM-1.1.1,Securing Materials,Verification,Verify third party artefacts and open source libraries,Moderate,Any software ingested must be scanned using Software Composition Analysis (SCA) tools to detect whether any vulnerable open-source software is used in the final product.,,,, 19 | SSSC-SM-1.2.1,Securing Materials,Verification,Validate against checksums ,Moderate,All third party artefacts and any other dependencies should validate their checksums against a known good source and validate any cryptographic signatures. ,,,, 20 | SSSC-SM-1.3.1,Securing Materials,Verification,Verify third party artefacts and open source libraries,High,3rd party artefacts should be pen tested to ensure that the software is resistant to standard attacks and no basic security errors or loopholes exist,,,, 21 | SSSC-SM-1.4.1,Securing Materials,Verification,Require SBOM from third party supplier,High,Vendors should be required to provide Software Bills of Materials (SBOMs) containing the explicit details of the software and versions used within the supplied product.,,,, 22 | SSSC-SM-1.5.1,Securing Materials,Verification,Track dependencies between open source components,Moderate,"A register should be maintained of a project’s open source components, dependencies and vulnerabilities to help trace any deployed artefacts with new vulnerabilities.",,,, 23 | SSSC-SM-1.5.2,Securing Materials,Verification,Track dependencies between open source components,Moderate,"Generate and maintain a supply chain inventory to help identify the software vendors, suppliers, and sources used in an organization with the associated software and versions",,,, 24 | SSSC-SM-1.6.1,Securing Materials,Verification,Build libraries based upon source code,High,Build binaries directly from the source code. This provides a clear link between the library source code and the compiled binary,,,, 25 | SSSC-SM-1.7.1,Securing Materials,Verification,Define and prioritize trusted package managers and repositories,High,Minimize ingesting from public repositories,,,, 26 | SSSC-SM-1.8.1,Securing Materials,Verification,Generate an immutable SBOM of the code,Moderate,"Provide a clear list of the contents within the final software 27 | package. Consumers of the software will then be able to analyse the SBOM, aligning it with vulnerability data to directly identify vulnerabilities based upon the exact package contents",,,, 28 | SSSC-SA-1.9.1,Securing Materials,Verification,Track Bill of Materials (SBOM) information in a secure location,Moderate,Use a secure metadata tracking service to store SBOM generation information for incident and problem management purposes.,,,, 29 | SSSC-SM-2.1.1,Securing Materials,Automation,Scan software for vulnerabilities,Moderate,Scan and evaluate software dependencies using software composition analysis to ensure the vulnerabilities they bring are within the risk limits of the product’s assurance level,,,, 30 | SSSC-SM-2.2.1,Securing Materials,Automation,Scan software for license implications,Moderate,Scan software for license implications and ensure that it meets the company standard for open-source software. ,,,, 31 | SSSC-SM-2.2.2,Securing Materials,Automation,Scan software for license implications,Moderate,Licensing metadata should be recorded during the build process and distributed with the artefact SBOM,,,, 32 | SSSC-SM-2.3.1,Securing Materials,Automation,Run software composition analysis on ingested software,Moderate,Ensure validation of the security of the open source modules before the build process,,,, 33 | SSSC-SM-2.4.1,Securing Materials,Automation,Monitor for ingestion anomalies and other materials management security events,Moderate,Ensure that ingestion anomalies and other materials management security events are forwarded to organizational Security Information and Event Management (SIEM) systems for evaluation and alerting.,,,,Added 34 | SSSC-SM-2.4.2,Securing Materials,Automation,Monitor for ingestion anomalies and other materials management security events,Moderate,Perform quarterly tests to ensure that the event detection and alerting system is functioning properly. Review results to improve detection capabilities.,,,,Added 35 | SSSC-BP-1.1.1,Securing Build Pipelines,Verification,Cryptographically guarantee policy adherence,High,"Project and organizational release policy should be maintained as a policy template. Metadata produced during the build process must be analyzed to ensure that the products, materials, and processes used during the build pipeline fall within controls set in the policy template.",,,, 36 | SSSC-BP-1.2.1,Securing Build Pipelines,Verification,Validate environments and dependencies before usage,Moderate,"Checksums and any signatures should be validated both in the downloading or ingestion process, and again by the build worker. This should include validating package manager signatures, checking out specific Git commit hashes, and verifying SHA sums of input sources 37 | and binaries.",,,, 38 | SSSC-BP-1.3.1,Securing Build Pipelines,Verification,Validate runtime security of build workers,Moderate,"Enable out-of-band verification of runtime environment security, as defined by execution of policies using tools such as seccomp, AppArmor, and SELinux, to provide defense in depth against attacks on build infrastructure.",,,, 39 | SSSC-BP-1.3.2,Securing Build Pipelines,Verification,Validate runtime security of build workers,Moderate,"Restrict high privilege kernel capabilities such as debugger, device, and network attachments ",,,, 40 | SSSC-BP-1.3.3,Securing Build Pipelines,Verification,Validate runtime security of build workers,Moderate,Build worker security events should be forwarded to organizational Security Information and Event Management (SIEM) systems for remediation.,,,,Added 41 | SSSC-BP-1.3.4,Securing Build Pipelines,Verification,Validate runtime security of build workers,Moderate,Perform quarterly tests to ensure that the event detection and alerting system is functioning properly. Review results to improve detection capabilities.,,,,Added 42 | SSSC-BP-1.4.1,Securing Build Pipelines,Verification,Validate Build artefacts through verifiably reproducible builds,High,"A deterministic build produces equivalent outputs when given the same inputs and enables us to detect unintended changes (whether malicious, such as malware and backdoors, or accidental). Verifiably reproducible builds improve on this by enabling us to cryptographically attest that the given inputs produce the same output",,,, 43 | SSSC-BP-1.5.1,Securing Build Pipelines,Verification,Lock and Verify External Requirements From The Build Process,Moderate,Third party packages that are part of your build process should be maintained in a designated artifact respository.,,,, 44 | SSSC-BP-1.6.1,Securing Build Pipelines,Verification,Find and Eliminate Sources Of Non-Determinism,High,"Create reproducable builds by evaluating timestamps, locale differences, and embedded version information are just a few of the things to remove sources of determinism in the build process",,,, 45 | SSSC-BP-1.7.1,Securing Build Pipelines,Verification,Record The Build Environment,High,"In order to reproduce a build environment, the versions of all tools and required configurations should be recorded. This includes compilers, system libraries, build paths, and operating systems.",,,, 46 | SSSC-BP-1.8.1,Securing Build Pipelines,Verification,Automate Creation Of The Build Environment,High,Use automation to allow other developers or verifiers who wish to build your software need to be able to recreate the build environment with minimum effort. ,,,, 47 | SSSC-BP-1.9.1,Securing Build Pipelines,Verification,Distribute Builds Across Different Infrastructure,High,"Distribute the builds to multiple instances. Each instance independently and deterministically builds the same component. A hash of each resulting build can then be verified to ensure that the results are the same, and any divergence should be examined",,,, 48 | SSSC-BP-1.10.1,Securing Build Pipelines,Verification,Sign Every Step in the Build Process,Moderate,"Build step inputs, outputs, and process traces should be collected and evaluated as part of the software release and distribution process. ",,,, 49 | SSSC-BP-1.10.2,Securing Build Pipelines,Verification,Sign Every Step in the Build Process,Moderate,The final artefact bundle should include these collective signatures and itself be signed to give integrity to the completed artefact and all its associated metadata,,,, 50 | SSSC-BP-1.11.1,Securing Build Pipelines,Verification,Validate the Signatures Generated at Each Step,Moderate,"The integrity of images, deployment configuration, and application packages included in artefacts should all be validated using the signatures generated by each step in its build process",,,, 51 | SSSC-BP-1.11.2,Securing Build Pipelines,Verification,Validate the Signatures Generated at Each Step,Moderate,"Software metadata, such as SBOMs, should have validated signatures to ensure objects in an artefact’s manifest or dependency metadata store have not been tampered with between build and runtime",,,, 52 | SSSC-BP-1.12.1,Securing Build Pipelines,Verification,Track build event information in a secure location,Moderate,Use a secure metadata tracking service to store build artefact event information for incident and problem management purposes.,,,, 53 | SSSC-BP-2.1.1,Securing Build Pipelines,Automation,Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code,Moderate,"All steps from code checkout, to checksum and signature 54 | validation, to building and compilation, to publishing, and eventually to deployment should be automated",,,, 55 | SSSC-BP-2.2.1,Securing Build Pipelines,Automation,Standardize pipelines across projects,High,Template CI/CD pipelines and verify that pipelines meet organizational standards,,,, 56 | SSSC-BP-2.3.1,Securing Build Pipelines,Automation,Standardize pipelines across projects,High,"Verification of pipelines should occur before release or 57 | distribution. The CNCF project in-toto provides a layout specification enabling out-of-band verification of CI/CD pipelines",,,, 58 | SSSC-BP-2.4.1,Securing Build Pipelines,Automation,Provision a secured orchestration platform to host software factory,Moderate,The provisioning process should be described as IaC and happen through an automated and audited process,,,, 59 | SSSC-BP-2.5.1,Securing Build Pipelines,Automation,Build Workers Should be Single Use,Moderate,"Build Workers, the containers which perform the Build Steps, should be single use. This lowers the blast radius and limits the attack surface by keeping the lifespan of a build worker to a single build operation.",,,, 60 | SSSC-BP-2.6.1,Securing Build Pipelines,Automation,Validate images and updates,Moderate,"Consider the Notary project, based on TUF, to enable the creation and interaction of trusted collections. ",,,, 61 | SSSC-BP-2.7.1,Securing Build Pipelines,Automation,Create a secure repository for artefact metadata,Moderate,"Create a secure repository to provide authentication, integrity and auditability guarantees for the supply chain. Consider using in-toto or similar frameworks",,,, 62 | SSSC-BP-2.8.1,Securing Build Pipelines,Automation,Automate software security scanning and testing,Moderate,"Security specific scans should be performed, including Static application security testing (SAST)",,,,Moved 63 | SSSC-BP-2.8.2,Securing Build Pipelines,Automation,Automate software security scanning and testing,Moderate,"Security specific scans should be performed, including Interactive (IAST) or Dynamic (DAST) application security testing",,,,Moved 64 | SSSC-BP-3.1.1,Securing Build Pipelines,Controlled Environments,Ensure Software Factory has minimal network connectivity,High,"The software factory should have no network connectivity other than to connect to the trusted sources of hardened source code, the dependency repository and code signing infrastructure.",,,, 65 | SSSC-BP-3.1.2,Securing Build Pipelines,Controlled Environments,Ensure Software Factory has minimal network connectivity,High,The build workers will require a secure shared storage capability to pass data between each worker. This storage must be encrypted and secured.,,,, 66 | SSSC-BP-3.2.1,Securing Build Pipelines,Controlled Environments,Segregate the Duties of Each Build Worker,High,"When planning what the build worker will be responsible for, consider segregation of duties within the domain of a particular build. It is generally better to have specific build workers handle specific parts of a build.",,,, 67 | SSSC-BP-3.3.1,Securing Build Pipelines,Controlled Environments,Pass in Build Worker Environment and Commands,High,The Build Worker’s commands or actions should be passed in explicitly at worker provisioning and it should not have capability to pull in its own environment.,,,, 68 | SSSC-BP-3.4.1,Securing Build Pipelines,Controlled Environments,Write Output to a Separate Secured Storage Repo,High,The output artefact should be written to a separate shared storage from the inputs. A process separate from the Build Worker should then upload that artefact to an appropriate repository.,,,, 69 | SSSC-BP-4.1.1,Securing Build Pipelines,Secure Authentication/Access,Only allow pipeline modifications through “pipeline as code”,Moderate,The pipeline configuration should be deployed through the pipeline as code and should be immutable. It should not be possible for an administrator to modify an instantiated pipeline,,,, 70 | SSSC-BP-4.2.1,Securing Build Pipelines,Secure Authentication/Access,Define user roles,Moderate,Organizations must define user roles in a software factory which should be used to define permission boundaries.,,,, 71 | SSSC-BP-4.3.1,Securing Build Pipelines,Secure Authentication/Access,Follow established practices for establishing a root of trust from an offline source,High,Root of trust for a software factory must follow standardized methods for establishing root of trust from an offline source.,,,, 72 | SSSC-BP-4.4.1,Securing Build Pipelines,Secure Authentication/Access,Use short-lived Workload Certificates,High,Workloads should be issued short lived credentials with automated rotation.,,,, 73 | SSSC-BP-4.5.1,Securing Build Pipelines,Secure Authentication,Use short-lived/ephemeral credentials for machine/service access,Moderate,"Use randomly generated short lived tokens (Oauth 2.0, OpenID Connect) for the access management of machines and services such as CI/CD pipeline agents",,,, 74 | SSSC-SD-1.1.1,Securing Deployments,Verification,"Ensure clients can perform Verification of Artefacts and 75 | associated metadata",Moderate,Clients receiving software artefacts from the distribution mechanism must be able to verify the integrity of the downloaded files,,,, 76 | SSSC-SD-1.1.2,Securing Deployments,Verification,"Ensure clients can perform Verification of Artefacts and 77 | associated metadata",Moderate,Ensure the view a client has of the repository is consistent and up to date so the client sees the latest version of all the files it has access to.,,,, 78 | SSSC-SD-1.1.3,Securing Deployments,Verification,"Ensure clients can perform Verification of Artefacts and 79 | associated metadata",Moderate,"If an SBOM is created, its signatures must be verified, and the associated keys must be validated as belonging to an 80 | authorized party",,,, 81 | SSSC-SD-1.2.1,Securing Deployments,Verification,Ensure clients can verify the “freshness” of files,Moderate,Clients must be in a position to recognize when they are being provided files that are out of date,,,, 82 | SSSC-SD-1.3.1,Securing Deployments,Verification,Track deployment event information in a secure location,Moderate,Use a secure metadata tracking service to store deployment event information for incident and problem management purposes.,,,, 83 | SSSC-SD-2.1.1,Securing Deployments,Automation,Implement a capability to securely deliver software artifacts such as TUF or equivalent,High,"TUF is a specification for securely delivering software artefacts by combining trust, compromise resilience, integrity, and freshness. It is a graduated CNCF project and has been deployed in various contexts",,,, 84 | SSSC-SD-3.1.1,Securing Deployments,Controlled Environments,Limit which artefacts any given party is authorized to certify,High,"Trust must expire at predefined intervals, unless 85 | renewed",,,, 86 | SSSC-SD-3.1.2,Securing Deployments,Controlled Environments,Limit which artefacts any given party is authorized to certify,High,The system must make it clear which artefacts or metadata a given party is trusted to certify using selective trust delegations,,,, 87 | SSSC-SD-3.2.1,Securing Deployments,Controlled Environments,Build in a system for rotating and revoking private keys,High,"The ability to rotate and revoke private keys must be built into the distribution mechanism. This distribution mechanism must allow users to ensure that they are using a currently trusted set of keys, and not keys that have previously been revoked",,,, 88 | SSSC-SD-3.2.2,Securing Deployments,Controlled Environments,Use a container registry that supports OCI image-spec images,High,An internal image registry should be deployed and configured to support artefact distribution with OCI spec security properties ,,,, 89 | SSSC-SD-4.1.1,Securing Deployments,Encryption,Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities,High,"Encrypt artefacts so they are accessible only by authorized parties, such as the clusters, vulnerability scanners, etc. 90 | 91 | OCI image encryption is implemented via the ocicrypt library, supported by CNCF projects containerd and cri-o runtimes, as well as build tools such as buildah and skopeo.",,,, 92 | SSSC-SD-4.1.2,Securing Deployments,Encryption,Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities,High,It is recommended organizations use key management and distribution systems with identity and attestation mechanisms (e.g. SPIFFE/SPIRE) to accomplish this.,,,, -------------------------------------------------------------------------------- /3M-control-list/LICENSE.md: -------------------------------------------------------------------------------- 1 | This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Pipfile: -------------------------------------------------------------------------------- 1 | [[source]] 2 | url = "https://pypi.org/simple" 3 | verify_ssl = true 4 | name = "pypi" 5 | 6 | [packages] 7 | compliance-trestle = "*" 8 | 9 | [dev-packages] 10 | 11 | [requires] 12 | python_version = "3.12" 13 | -------------------------------------------------------------------------------- /Pipfile.lock: -------------------------------------------------------------------------------- 1 | { 2 | "_meta": { 3 | "hash": { 4 | "sha256": "3d7ffe196b782675ff026d0106e98367984ebaf7cdb25373e08bff39c721ff71" 5 | }, 6 | "pipfile-spec": 6, 7 | "requires": { 8 | "python_version": "3.12" 9 | }, 10 | "sources": [ 11 | { 12 | "name": "pypi", 13 | "url": "https://pypi.org/simple", 14 | "verify_ssl": true 15 | } 16 | ] 17 | }, 18 | "default": { 19 | "anyio": { 20 | "hashes": [ 21 | "sha256:cfdb2b588b9fc25ede96d8db56ed50848b0b649dca3dd1df0b11f683bb9e0b5f", 22 | "sha256:f7ed51751b2c2add651e5747c891b47e26d2a21be5d32d9311dfe9692f3e5d7a" 23 | ], 24 | "markers": "python_version >= '3.8'", 25 | "version": "==4.0.0" 26 | }, 27 | "argcomplete": { 28 | "hashes": [ 29 | "sha256:d5d1e5efd41435260b8f85673b74ea2e883affcbec9f4230c582689e8e78251b", 30 | "sha256:d97c036d12a752d1079f190bc1521c545b941fda89ad85d15afa909b4d1b9a99" 31 | ], 32 | "markers": "python_version >= '3.6'", 33 | "version": "==3.1.2" 34 | }, 35 | "attrs": { 36 | "hashes": [ 37 | "sha256:1f28b4522cdc2fb4256ac1a020c78acf9cba2c6b461ccd2c126f3aa8e8335d04", 38 | "sha256:6279836d581513a26f1bf235f9acd333bc9115683f14f7e8fae46c98fc50e015" 39 | ], 40 | "markers": "python_version >= '3.7'", 41 | "version": "==23.1.0" 42 | }, 43 | "bcrypt": { 44 | "hashes": [ 45 | "sha256:089098effa1bc35dc055366740a067a2fc76987e8ec75349eb9484061c54f535", 46 | "sha256:08d2947c490093a11416df18043c27abe3921558d2c03e2076ccb28a116cb6d0", 47 | "sha256:0eaa47d4661c326bfc9d08d16debbc4edf78778e6aaba29c1bc7ce67214d4410", 48 | "sha256:27d375903ac8261cfe4047f6709d16f7d18d39b1ec92aaf72af989552a650ebd", 49 | "sha256:2b3ac11cf45161628f1f3733263e63194f22664bf4d0c0f3ab34099c02134665", 50 | "sha256:2caffdae059e06ac23fce178d31b4a702f2a3264c20bfb5ff541b338194d8fab", 51 | "sha256:3100851841186c25f127731b9fa11909ab7b1df6fc4b9f8353f4f1fd952fbf71", 52 | "sha256:5ad4d32a28b80c5fa6671ccfb43676e8c1cc232887759d1cd7b6f56ea4355215", 53 | "sha256:67a97e1c405b24f19d08890e7ae0c4f7ce1e56a712a016746c8b2d7732d65d4b", 54 | "sha256:705b2cea8a9ed3d55b4491887ceadb0106acf7c6387699fca771af56b1cdeeda", 55 | "sha256:8a68f4341daf7522fe8d73874de8906f3a339048ba406be6ddc1b3ccb16fc0d9", 56 | "sha256:a522427293d77e1c29e303fc282e2d71864579527a04ddcfda6d4f8396c6c36a", 57 | "sha256:ae88eca3024bb34bb3430f964beab71226e761f51b912de5133470b649d82344", 58 | "sha256:b1023030aec778185a6c16cf70f359cbb6e0c289fd564a7cfa29e727a1c38f8f", 59 | "sha256:b3b85202d95dd568efcb35b53936c5e3b3600c7cdcc6115ba461df3a8e89f38d", 60 | "sha256:b57adba8a1444faf784394de3436233728a1ecaeb6e07e8c22c8848f179b893c", 61 | "sha256:bf4fa8b2ca74381bb5442c089350f09a3f17797829d958fad058d6e44d9eb83c", 62 | "sha256:ca3204d00d3cb2dfed07f2d74a25f12fc12f73e606fcaa6975d1f7ae69cacbb2", 63 | "sha256:cbb03eec97496166b704ed663a53680ab57c5084b2fc98ef23291987b525cb7d", 64 | "sha256:e9a51bbfe7e9802b5f3508687758b564069ba937748ad7b9e890086290d2f79e", 65 | "sha256:fbdaec13c5105f0c4e5c52614d04f0bca5f5af007910daa8b6b12095edaa67b3" 66 | ], 67 | "markers": "python_version >= '3.6'", 68 | "version": "==4.0.1" 69 | }, 70 | "black": { 71 | "hashes": [ 72 | "sha256:031e8c69f3d3b09e1aa471a926a1eeb0b9071f80b17689a655f7885ac9325a6f", 73 | "sha256:13a2e4a93bb8ca74a749b6974925c27219bb3df4d42fc45e948a5d9feb5122b7", 74 | "sha256:13ef033794029b85dfea8032c9d3b92b42b526f1ff4bf13b2182ce4e917f5100", 75 | "sha256:14f04c990259576acd093871e7e9b14918eb28f1866f91968ff5524293f9c573", 76 | "sha256:24b6b3ff5c6d9ea08a8888f6977eae858e1f340d7260cf56d70a49823236b62d", 77 | "sha256:403397c033adbc45c2bd41747da1f7fc7eaa44efbee256b53842470d4ac5a70f", 78 | "sha256:50254ebfa56aa46a9fdd5d651f9637485068a1adf42270148cd101cdf56e0ad9", 79 | "sha256:538efb451cd50f43aba394e9ec7ad55a37598faae3348d723b59ea8e91616300", 80 | "sha256:638619a559280de0c2aa4d76f504891c9860bb8fa214267358f0a20f27c12948", 81 | "sha256:6a3b50e4b93f43b34a9d3ef00d9b6728b4a722c997c99ab09102fd5efdb88325", 82 | "sha256:6ccd59584cc834b6d127628713e4b6b968e5f79572da66284532525a042549f9", 83 | "sha256:75a2dc41b183d4872d3a500d2b9c9016e67ed95738a3624f4751a0cb4818fe71", 84 | "sha256:7d30ec46de88091e4316b17ae58bbbfc12b2de05e069030f6b747dfc649ad186", 85 | "sha256:8431445bf62d2a914b541da7ab3e2b4f3bc052d2ccbf157ebad18ea126efb91f", 86 | "sha256:8fc1ddcf83f996247505db6b715294eba56ea9372e107fd54963c7553f2b6dfe", 87 | "sha256:a732b82747235e0542c03bf352c126052c0fbc458d8a239a94701175b17d4855", 88 | "sha256:adc3e4442eef57f99b5590b245a328aad19c99552e0bdc7f0b04db6656debd80", 89 | "sha256:c46767e8df1b7beefb0899c4a95fb43058fa8500b6db144f4ff3ca38eb2f6393", 90 | "sha256:c619f063c2d68f19b2d7270f4cf3192cb81c9ec5bc5ba02df91471d0b88c4c5c", 91 | "sha256:cf3a4d00e4cdb6734b64bf23cd4341421e8953615cba6b3670453737a72ec204", 92 | "sha256:cf99f3de8b3273a8317681d8194ea222f10e0133a24a7548c73ce44ea1679377", 93 | "sha256:d6bc09188020c9ac2555a498949401ab35bb6bf76d4e0f8ee251694664df6301" 94 | ], 95 | "markers": "python_version >= '3.8'", 96 | "version": "==23.9.1" 97 | }, 98 | "certifi": { 99 | "hashes": [ 100 | "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082", 101 | "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9" 102 | ], 103 | "markers": "python_version >= '3.6'", 104 | "version": "==2023.7.22" 105 | }, 106 | "cffi": { 107 | "hashes": [ 108 | "sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc", 109 | "sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a", 110 | "sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417", 111 | "sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab", 112 | "sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520", 113 | "sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36", 114 | "sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743", 115 | "sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8", 116 | "sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed", 117 | "sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684", 118 | "sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56", 119 | "sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324", 120 | "sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d", 121 | "sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235", 122 | "sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e", 123 | "sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088", 124 | "sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000", 125 | "sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7", 126 | "sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e", 127 | "sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673", 128 | "sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c", 129 | "sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe", 130 | "sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2", 131 | "sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098", 132 | "sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8", 133 | "sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a", 134 | "sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0", 135 | "sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b", 136 | "sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896", 137 | "sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e", 138 | "sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9", 139 | "sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2", 140 | "sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b", 141 | "sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6", 142 | "sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404", 143 | "sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f", 144 | "sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0", 145 | "sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4", 146 | "sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc", 147 | "sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936", 148 | "sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba", 149 | "sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872", 150 | "sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb", 151 | "sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614", 152 | "sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1", 153 | "sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d", 154 | "sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969", 155 | "sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b", 156 | "sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4", 157 | "sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627", 158 | "sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956", 159 | "sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357" 160 | ], 161 | "markers": "python_version >= '3.8'", 162 | "version": "==1.16.0" 163 | }, 164 | "chardet": { 165 | "hashes": [ 166 | "sha256:1b3b6ff479a8c414bc3fa2c0852995695c4a026dcd6d0633b2dd092ca39c1cf7", 167 | "sha256:e1cf59446890a00105fe7b7912492ea04b6e6f06d4b742b2c788469e34c82970" 168 | ], 169 | "markers": "python_version >= '3.7'", 170 | "version": "==5.2.0" 171 | }, 172 | "charset-normalizer": { 173 | "hashes": [ 174 | "sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843", 175 | "sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786", 176 | "sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e", 177 | "sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8", 178 | "sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4", 179 | "sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa", 180 | "sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d", 181 | "sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82", 182 | "sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7", 183 | "sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895", 184 | "sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d", 185 | "sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a", 186 | "sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382", 187 | "sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678", 188 | "sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b", 189 | "sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e", 190 | "sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741", 191 | "sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4", 192 | "sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596", 193 | "sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9", 194 | "sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69", 195 | "sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c", 196 | "sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77", 197 | "sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13", 198 | "sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459", 199 | "sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e", 200 | "sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7", 201 | "sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908", 202 | "sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a", 203 | "sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f", 204 | "sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8", 205 | "sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482", 206 | "sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d", 207 | "sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d", 208 | "sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545", 209 | "sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34", 210 | "sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86", 211 | "sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6", 212 | "sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe", 213 | "sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e", 214 | "sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc", 215 | "sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7", 216 | "sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd", 217 | "sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c", 218 | "sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557", 219 | "sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a", 220 | "sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89", 221 | "sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078", 222 | "sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e", 223 | "sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4", 224 | "sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403", 225 | "sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0", 226 | "sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89", 227 | "sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115", 228 | "sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9", 229 | "sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05", 230 | "sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a", 231 | "sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec", 232 | "sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56", 233 | "sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38", 234 | "sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479", 235 | "sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c", 236 | "sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e", 237 | "sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd", 238 | "sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186", 239 | "sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455", 240 | "sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c", 241 | "sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65", 242 | "sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78", 243 | "sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287", 244 | "sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df", 245 | "sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43", 246 | "sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1", 247 | "sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7", 248 | "sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989", 249 | "sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a", 250 | "sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63", 251 | "sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884", 252 | "sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649", 253 | "sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810", 254 | "sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828", 255 | "sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4", 256 | "sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2", 257 | "sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd", 258 | "sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5", 259 | "sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe", 260 | "sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293", 261 | "sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e", 262 | "sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e", 263 | "sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8" 264 | ], 265 | "markers": "python_full_version >= '3.7.0'", 266 | "version": "==3.3.0" 267 | }, 268 | "click": { 269 | "hashes": [ 270 | "sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28", 271 | "sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de" 272 | ], 273 | "markers": "python_version >= '3.7'", 274 | "version": "==8.1.7" 275 | }, 276 | "cmarkgfm": { 277 | "hashes": [ 278 | "sha256:02f14c7e77fcddf044df14cc227d7703027ee720bac719616ac505af29812b73", 279 | "sha256:0c5d762351f14479b07bfda6773905caa0fa7f132f6478c35e467d0be21e9f2e", 280 | "sha256:13c34b6dc5b77100201c543cd205366ef7ecc612efce4247e2b7a0bb258b271e", 281 | "sha256:3157b37d1a897ee57ae57be8eafac3659e31fdce33fbbc85f76df34ee2804d5a", 282 | "sha256:371c4a2d88508800f6cc872082970afdb414f2d3b86ac7769419f27da0d43acc", 283 | "sha256:3a31b239dfe4945fcb6a53fcb7dac64cb857ecfb1f710d891ff96955c64509f6", 284 | "sha256:3a5138d76e93378a72fb7a704cbf09764ebb43cfcf121e6d7ffdc40fb7917d4a", 285 | "sha256:3c7053c8650bf1f79c607dc88ff56652d07f52aac4b60aa1bf07529c9b4473a7", 286 | "sha256:4121f6047c4d4a28ded3cf02c087869549e9f0c3712e5a2af180972f9d1348a5", 287 | "sha256:427ca60eb2f56c6293ac0e91b728acf608297c9030dccd3c928e938b3bf3ee77", 288 | "sha256:51134e3775ac7c47ca2430a53b02c6ff03463143af8dfaeb1575c03e039ee485", 289 | "sha256:57e4f57aa9264a3244a28665d3c5ec81b1ace454b01a1c09ff0d67a2cd12ca5a", 290 | "sha256:605bd69fa4b247be9bb4e7d75bda4df37428a153e3a67aca50d7cd9dc1ee8225", 291 | "sha256:6377e46d854cc32e03933a44a0b6e6750cf89b4314e1c84958a7a547c3952c23", 292 | "sha256:6a48a67ff8425b4dee33196f6cd9bdba7b902c0b7e369150f6704989f9c40476", 293 | "sha256:6bb05e1b4adc8027c41ddbd11761482c652f1aa2ae4419469e3883ec8b0bdf67", 294 | "sha256:706daefce3f9bd1cd955b6bb06beac31c050b65f4bec8025dade3b0f05dbeed2", 295 | "sha256:713bd4e64651e7bbd897bbaee6057c16b72c6ac3cf59b2b38892d635d52755eb", 296 | "sha256:7262bb2b875d1c47dfa0e074fe349eb1ba1901e323fcf9e3fc4dbf97f0b92d97", 297 | "sha256:737e4525c63ae3bca731e5c57056c02078e31e579ec655b72bd28eae525d6b53", 298 | "sha256:7641061c0bc4caf754f119c326131ad41c25beb1e95e2479e8aab60dbd8f9f79", 299 | "sha256:786e8a06f7eec6eb3f3789353a586c8b065570d2db9811fdcdaced736a36ce53", 300 | "sha256:791c7f8aed353d540aed52c6724df408eb73208d7c9dd98aae6506d5783cb95f", 301 | "sha256:7a974b3b90805f656054d6873cd876ee5c7949e7860d131b7ec0b29a3de3a3f3", 302 | "sha256:82cfc1bc7099fa819993c41d3c6778bff29e5547dbf1de1dbb113ef4d2bc0df9", 303 | "sha256:872f3c9d99aedf55ad6950a4158873a107f6338040bc381b21849ccf165e9d90", 304 | "sha256:89cc51c26a10ebdaada4ed2630f6f375cf059d3aca5d77aff493a2010f6ed60a", 305 | "sha256:8b58277117a439fd27aee2bcc8869be334fb7e8781e27066ec31ec0a596a6a01", 306 | "sha256:8be0c52d0caf1852a5374c7c9a279801c1a8dd9e2040939e75262d02b003835b", 307 | "sha256:8eebdc5ca2cd565998195d1e6189d5979a00a5db9c579d05953478cb085ef435", 308 | "sha256:8f901c002172a3be8bb91a422da23dfae0301afe062addf41c976385f96bc1ef", 309 | "sha256:94ba213739648006232aa917f8c4c42c520812601d85502fa7a5dad0f0d1590e", 310 | "sha256:989432956e34591387f0aaab98caabd699f2f5d4c708d1a0d882334a8b760cc5", 311 | "sha256:a386b01a266a42e8e9052c74ad42dc1ff50b209d8958a3656e0435fa018a0223", 312 | "sha256:ae6796d4e8ea746dc8e29173f95ffb9b12f940ff5b9186d10203445526cf8d4d", 313 | "sha256:b04da61652984c89868b31aface2d75e3d26081273d3764e18b5661eea98916e", 314 | "sha256:b594063a3421561e0559cc5a68419cdcb020512fc40c3eb37e4629bae2a954b6", 315 | "sha256:c17e19db003f86662d08ce382912767f7221637703a64cfdb85b8c1447cc4b36", 316 | "sha256:c58c904c22b946d436637e8e1987db5886af8041c57e0028c419f98075344f1f", 317 | "sha256:c61f3f2cd2b9c44cb2579e165a18f824a6c99682aff10ac2779a7a74a3167e89", 318 | "sha256:ccbfb5e427ca815d80962e6705834ebadeb55058ac745e0339fb570bb78a6114", 319 | "sha256:ce717bd3e26a95b749fbbf68da42cc5cb9200779a4943bbdd38fa73711366081", 320 | "sha256:d4422e0dd3a11eeebbe86c6c08ac1c28783efed4b7b948a9878724e677eda107", 321 | "sha256:e550ca0826eab1ab87d9eed58da89cc113f13f369fdd61c799705007422dbfce", 322 | "sha256:e66f15d4c645c87819f7170990a00e0fa9e0e8255097f8bd5eb3037d78264efb", 323 | "sha256:e7b5b6cd8befa8c1cf2a55f750a4dcf84de05c80a7110d933ea6724fbc6d2cf8", 324 | "sha256:ec2bf8d5799c4b5bbfbae30a4a1dfcb06512f2e17e9ee60ba7e1d390318582fc", 325 | "sha256:f0da78ef960f57aec8a6854821a99fa7a520dad77631b19becb68b2ebf8dbc2d", 326 | "sha256:f56aa4940aa4ee98fd6f3e0a648b8ae1e6a27f5007d64d406aeadc51451dc13b", 327 | "sha256:fa28b1a335adb5bad04b4a50382cbcfcc6c8d68413ba35e2cd3f657a1dc76347" 328 | ], 329 | "version": "==0.6.0" 330 | }, 331 | "compliance-trestle": { 332 | "hashes": [ 333 | "sha256:636911761233d2d3aa737850b2a9dc9d4c3b40dabf3ebe87ab8e52ee37178596", 334 | "sha256:d5aa245242864c714ec8a59ee7c4ed227611f0418e425e8f9f0a5597c36737c1" 335 | ], 336 | "index": "pypi", 337 | "version": "==2.3.1" 338 | }, 339 | "cryptography": { 340 | "hashes": [ 341 | "sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67", 342 | "sha256:047c4603aeb4bbd8db2756e38f5b8bd7e94318c047cfe4efeb5d715e08b49311", 343 | "sha256:0d9409894f495d465fe6fda92cb70e8323e9648af912d5b9141d616df40a87b8", 344 | "sha256:23a25c09dfd0d9f28da2352503b23e086f8e78096b9fd585d1d14eca01613e13", 345 | "sha256:2ed09183922d66c4ec5fdaa59b4d14e105c084dd0febd27452de8f6f74704143", 346 | "sha256:35c00f637cd0b9d5b6c6bd11b6c3359194a8eba9c46d4e875a3660e3b400005f", 347 | "sha256:37480760ae08065437e6573d14be973112c9e6dcaf5f11d00147ee74f37a3829", 348 | "sha256:3b224890962a2d7b57cf5eeb16ccaafba6083f7b811829f00476309bce2fe0fd", 349 | "sha256:5a0f09cefded00e648a127048119f77bc2b2ec61e736660b5789e638f43cc397", 350 | "sha256:5b72205a360f3b6176485a333256b9bcd48700fc755fef51c8e7e67c4b63e3ac", 351 | "sha256:7e53db173370dea832190870e975a1e09c86a879b613948f09eb49324218c14d", 352 | "sha256:7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a", 353 | "sha256:80907d3faa55dc5434a16579952ac6da800935cd98d14dbd62f6f042c7f5e839", 354 | "sha256:86defa8d248c3fa029da68ce61fe735432b047e32179883bdb1e79ed9bb8195e", 355 | "sha256:8ac4f9ead4bbd0bc8ab2d318f97d85147167a488be0e08814a37eb2f439d5cf6", 356 | "sha256:93530900d14c37a46ce3d6c9e6fd35dbe5f5601bf6b3a5c325c7bffc030344d9", 357 | "sha256:9eeb77214afae972a00dee47382d2591abe77bdae166bda672fb1e24702a3860", 358 | "sha256:b5f4dfe950ff0479f1f00eda09c18798d4f49b98f4e2006d644b3301682ebdca", 359 | "sha256:c3391bd8e6de35f6f1140e50aaeb3e2b3d6a9012536ca23ab0d9c35ec18c8a91", 360 | "sha256:c880eba5175f4307129784eca96f4e70b88e57aa3f680aeba3bab0e980b0f37d", 361 | "sha256:cecfefa17042941f94ab54f769c8ce0fe14beff2694e9ac684176a2535bf9714", 362 | "sha256:e40211b4923ba5a6dc9769eab704bdb3fbb58d56c5b336d30996c24fcf12aadb", 363 | "sha256:efc8ad4e6fc4f1752ebfb58aefece8b4e3c4cae940b0994d43649bdfce8d0d4f" 364 | ], 365 | "markers": "python_version >= '3.7'", 366 | "version": "==41.0.4" 367 | }, 368 | "datamodel-code-generator": { 369 | "extras": [ 370 | "http" 371 | ], 372 | "hashes": [ 373 | "sha256:48c8ce0b38b575bcc573237bb3faab696b072aa131b3f008c848d2c3b24a4417", 374 | "sha256:ac1fbc4fa778c2a43f740740fd352ca4300f705044e112a0023af8d04f0b61af" 375 | ], 376 | "markers": "python_version >= '3.7' and python_version < '4.0'", 377 | "version": "==0.22.1" 378 | }, 379 | "defusedxml": { 380 | "hashes": [ 381 | "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69", 382 | "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61" 383 | ], 384 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", 385 | "version": "==0.7.1" 386 | }, 387 | "dnspython": { 388 | "hashes": [ 389 | "sha256:57c6fbaaeaaf39c891292012060beb141791735dbb4004798328fc2c467402d8", 390 | "sha256:8dcfae8c7460a2f84b4072e26f1c9f4101ca20c071649cb7c34e8b6a93d58984" 391 | ], 392 | "markers": "python_version >= '3.8' and python_version < '4.0'", 393 | "version": "==2.4.2" 394 | }, 395 | "email-validator": { 396 | "hashes": [ 397 | "sha256:1ff6e86044200c56ae23595695c54e9614f4a9551e0e393614f764860b3d7900", 398 | "sha256:2466ba57cda361fb7309fd3d5a225723c788ca4bbad32a0ebd5373b99730285c" 399 | ], 400 | "version": "==2.0.0.post2" 401 | }, 402 | "et-xmlfile": { 403 | "hashes": [ 404 | "sha256:8eb9e2bc2f8c97e37a2dc85a09ecdcdec9d8a396530a6d5a33b30b9a92da0c5c", 405 | "sha256:a2ba85d1d6a74ef63837eed693bcb89c3f752169b0e3e7ae5b16ca5e1b3deada" 406 | ], 407 | "markers": "python_version >= '3.6'", 408 | "version": "==1.1.0" 409 | }, 410 | "furl": { 411 | "hashes": [ 412 | "sha256:5a6188fe2666c484a12159c18be97a1977a71d632ef5bb867ef15f54af39cc4e", 413 | "sha256:9ab425062c4217f9802508e45feb4a83e54324273ac4b202f1850363309666c0" 414 | ], 415 | "version": "==2.1.3" 416 | }, 417 | "genson": { 418 | "hashes": [ 419 | "sha256:8caf69aa10af7aee0e1a1351d1d06801f4696e005f06cedef438635384346a16" 420 | ], 421 | "version": "==1.2.2" 422 | }, 423 | "h11": { 424 | "hashes": [ 425 | "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d", 426 | "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761" 427 | ], 428 | "markers": "python_version >= '3.7'", 429 | "version": "==0.14.0" 430 | }, 431 | "httpcore": { 432 | "hashes": [ 433 | "sha256:13b5e5cd1dca1a6636a6aaea212b19f4f85cd88c366a2b82304181b769aab3c9", 434 | "sha256:adc5398ee0a476567bf87467063ee63584a8bce86078bf748e48754f60202ced" 435 | ], 436 | "markers": "python_version >= '3.8'", 437 | "version": "==0.18.0" 438 | }, 439 | "httpx": { 440 | "hashes": [ 441 | "sha256:181ea7f8ba3a82578be86ef4171554dd45fec26a02556a744db029a0a27b7100", 442 | "sha256:47ecda285389cb32bb2691cc6e069e3ab0205956f681c5b2ad2325719751d875" 443 | ], 444 | "version": "==0.25.0" 445 | }, 446 | "idna": { 447 | "hashes": [ 448 | "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", 449 | "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" 450 | ], 451 | "markers": "python_version >= '3.5'", 452 | "version": "==3.4" 453 | }, 454 | "ilcli": { 455 | "hashes": [ 456 | "sha256:8a56b053836f8b0e1bbbdda884288d18dc966bd8e90fdf9b340914dba625cd7f", 457 | "sha256:dfb7d2da49c63ef92c5a589eb5f765d073d7ea83275c3dd2aea8ae5cbe4c5be2" 458 | ], 459 | "version": "==0.3.2" 460 | }, 461 | "inflect": { 462 | "hashes": [ 463 | "sha256:aadc7ed73928f5e014129794bbac03058cca35d0a973a5fc4eb45c7fa26005f9", 464 | "sha256:b45d91a4a28a4e617ff1821117439b06eaa86e2a4573154af0149e9be6687238" 465 | ], 466 | "markers": "python_version >= '3.7'", 467 | "version": "==5.6.2" 468 | }, 469 | "isort": { 470 | "hashes": [ 471 | "sha256:8bef7dde241278824a6d83f44a544709b065191b95b6e50894bdc722fcba0504", 472 | "sha256:f84c2818376e66cf843d497486ea8fed8700b340f308f076c6fb1229dff318b6" 473 | ], 474 | "markers": "python_full_version >= '3.8.0'", 475 | "version": "==5.12.0" 476 | }, 477 | "jinja2": { 478 | "hashes": [ 479 | "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852", 480 | "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61" 481 | ], 482 | "markers": "python_version >= '3.7'", 483 | "version": "==3.1.2" 484 | }, 485 | "jsonschema": { 486 | "hashes": [ 487 | "sha256:0f864437ab8b6076ba6707453ef8f98a6a0d512a80e93f8abdb676f737ecb60d", 488 | "sha256:a870ad254da1a8ca84b6a2905cac29d265f805acc57af304784962a2aa6508f6" 489 | ], 490 | "markers": "python_version >= '3.7'", 491 | "version": "==4.17.3" 492 | }, 493 | "jsonschema-spec": { 494 | "hashes": [ 495 | "sha256:90215863b56e212086641956b20127ccbf6d8a3a38343dad01d6a74d19482f76", 496 | "sha256:f2206d18c89d1824c1f775ba14ed039743b41a9167bd2c5bdb774b66b3ca0bbf" 497 | ], 498 | "markers": "python_full_version >= '3.7.0' and python_full_version < '4.0.0'", 499 | "version": "==0.1.6" 500 | }, 501 | "lazy-object-proxy": { 502 | "hashes": [ 503 | "sha256:09763491ce220c0299688940f8dc2c5d05fd1f45af1e42e636b2e8b2303e4382", 504 | "sha256:0a891e4e41b54fd5b8313b96399f8b0e173bbbfc03c7631f01efbe29bb0bcf82", 505 | "sha256:189bbd5d41ae7a498397287c408617fe5c48633e7755287b21d741f7db2706a9", 506 | "sha256:18b78ec83edbbeb69efdc0e9c1cb41a3b1b1ed11ddd8ded602464c3fc6020494", 507 | "sha256:1aa3de4088c89a1b69f8ec0dcc169aa725b0ff017899ac568fe44ddc1396df46", 508 | "sha256:212774e4dfa851e74d393a2370871e174d7ff0ebc980907723bb67d25c8a7c30", 509 | "sha256:2d0daa332786cf3bb49e10dc6a17a52f6a8f9601b4cf5c295a4f85854d61de63", 510 | "sha256:5f83ac4d83ef0ab017683d715ed356e30dd48a93746309c8f3517e1287523ef4", 511 | "sha256:659fb5809fa4629b8a1ac5106f669cfc7bef26fbb389dda53b3e010d1ac4ebae", 512 | "sha256:660c94ea760b3ce47d1855a30984c78327500493d396eac4dfd8bd82041b22be", 513 | "sha256:66a3de4a3ec06cd8af3f61b8e1ec67614fbb7c995d02fa224813cb7afefee701", 514 | "sha256:721532711daa7db0d8b779b0bb0318fa87af1c10d7fe5e52ef30f8eff254d0cd", 515 | "sha256:7322c3d6f1766d4ef1e51a465f47955f1e8123caee67dd641e67d539a534d006", 516 | "sha256:79a31b086e7e68b24b99b23d57723ef7e2c6d81ed21007b6281ebcd1688acb0a", 517 | "sha256:81fc4d08b062b535d95c9ea70dbe8a335c45c04029878e62d744bdced5141586", 518 | "sha256:8fa02eaab317b1e9e03f69aab1f91e120e7899b392c4fc19807a8278a07a97e8", 519 | "sha256:9090d8e53235aa280fc9239a86ae3ea8ac58eff66a705fa6aa2ec4968b95c821", 520 | "sha256:946d27deaff6cf8452ed0dba83ba38839a87f4f7a9732e8f9fd4107b21e6ff07", 521 | "sha256:9990d8e71b9f6488e91ad25f322898c136b008d87bf852ff65391b004da5e17b", 522 | "sha256:9cd077f3d04a58e83d04b20e334f678c2b0ff9879b9375ed107d5d07ff160171", 523 | "sha256:9e7551208b2aded9c1447453ee366f1c4070602b3d932ace044715d89666899b", 524 | "sha256:9f5fa4a61ce2438267163891961cfd5e32ec97a2c444e5b842d574251ade27d2", 525 | "sha256:b40387277b0ed2d0602b8293b94d7257e17d1479e257b4de114ea11a8cb7f2d7", 526 | "sha256:bfb38f9ffb53b942f2b5954e0f610f1e721ccebe9cce9025a38c8ccf4a5183a4", 527 | "sha256:cbf9b082426036e19c6924a9ce90c740a9861e2bdc27a4834fd0a910742ac1e8", 528 | "sha256:d9e25ef10a39e8afe59a5c348a4dbf29b4868ab76269f81ce1674494e2565a6e", 529 | "sha256:db1c1722726f47e10e0b5fdbf15ac3b8adb58c091d12b3ab713965795036985f", 530 | "sha256:e7c21c95cae3c05c14aafffe2865bbd5e377cfc1348c4f7751d9dc9a48ca4bda", 531 | "sha256:e8c6cfb338b133fbdbc5cfaa10fe3c6aeea827db80c978dbd13bc9dd8526b7d4", 532 | "sha256:ea806fd4c37bf7e7ad82537b0757999264d5f70c45468447bb2b91afdbe73a6e", 533 | "sha256:edd20c5a55acb67c7ed471fa2b5fb66cb17f61430b7a6b9c3b4a1e40293b1671", 534 | "sha256:f0117049dd1d5635bbff65444496c90e0baa48ea405125c088e93d9cf4525b11", 535 | "sha256:f0705c376533ed2a9e5e97aacdbfe04cecd71e0aa84c7c0595d02ef93b6e4455", 536 | "sha256:f12ad7126ae0c98d601a7ee504c1122bcef553d1d5e0c3bfa77b16b3968d2734", 537 | "sha256:f2457189d8257dd41ae9b434ba33298aec198e30adf2dcdaaa3a28b9994f6adb", 538 | "sha256:f699ac1c768270c9e384e4cbd268d6e67aebcfae6cd623b4d7c3bfde5a35db59" 539 | ], 540 | "markers": "python_version >= '3.7'", 541 | "version": "==1.9.0" 542 | }, 543 | "markupsafe": { 544 | "hashes": [ 545 | "sha256:05fb21170423db021895e1ea1e1f3ab3adb85d1c2333cbc2310f2a26bc77272e", 546 | "sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e", 547 | "sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431", 548 | "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686", 549 | "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c", 550 | "sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559", 551 | "sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc", 552 | "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb", 553 | "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939", 554 | "sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c", 555 | "sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0", 556 | "sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4", 557 | "sha256:338ae27d6b8745585f87218a3f23f1512dbf52c26c28e322dbe54bcede54ccb9", 558 | "sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575", 559 | "sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba", 560 | "sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d", 561 | "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd", 562 | "sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3", 563 | "sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00", 564 | "sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155", 565 | "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac", 566 | "sha256:65c1a9bcdadc6c28eecee2c119465aebff8f7a584dd719facdd9e825ec61ab52", 567 | "sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f", 568 | "sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8", 569 | "sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b", 570 | "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007", 571 | "sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24", 572 | "sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea", 573 | "sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198", 574 | "sha256:8758846a7e80910096950b67071243da3e5a20ed2546e6392603c096778d48e0", 575 | "sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee", 576 | "sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be", 577 | "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2", 578 | "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1", 579 | "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707", 580 | "sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6", 581 | "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c", 582 | "sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58", 583 | "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823", 584 | "sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779", 585 | "sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636", 586 | "sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c", 587 | "sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad", 588 | "sha256:b076b6226fb84157e3f7c971a47ff3a679d837cf338547532ab866c57930dbee", 589 | "sha256:b7ff0f54cb4ff66dd38bebd335a38e2c22c41a8ee45aa608efc890ac3e3931bc", 590 | "sha256:bfce63a9e7834b12b87c64d6b155fdd9b3b96191b6bd334bf37db7ff1fe457f2", 591 | "sha256:c011a4149cfbcf9f03994ec2edffcb8b1dc2d2aede7ca243746df97a5d41ce48", 592 | "sha256:c9c804664ebe8f83a211cace637506669e7890fec1b4195b505c214e50dd4eb7", 593 | "sha256:ca379055a47383d02a5400cb0d110cef0a776fc644cda797db0c5696cfd7e18e", 594 | "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b", 595 | "sha256:cd0f502fe016460680cd20aaa5a76d241d6f35a1c3350c474bac1273803893fa", 596 | "sha256:ceb01949af7121f9fc39f7d27f91be8546f3fb112c608bc4029aef0bab86a2a5", 597 | "sha256:d080e0a5eb2529460b30190fcfcc4199bd7f827663f858a226a81bc27beaa97e", 598 | "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb", 599 | "sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9", 600 | "sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57", 601 | "sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc", 602 | "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc", 603 | "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2", 604 | "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11" 605 | ], 606 | "markers": "python_version >= '3.7'", 607 | "version": "==2.1.3" 608 | }, 609 | "mypy-extensions": { 610 | "hashes": [ 611 | "sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d", 612 | "sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782" 613 | ], 614 | "markers": "python_version >= '3.5'", 615 | "version": "==1.0.0" 616 | }, 617 | "openapi-schema-validator": { 618 | "hashes": [ 619 | "sha256:79f37f38ef9fd5206b924ed7a6f382cea7b649b3b56383c47f1906082b7b9015", 620 | "sha256:c573e2be2c783abae56c5a1486ab716ca96e09d1c3eab56020d1dc680aa57bf8" 621 | ], 622 | "markers": "python_full_version >= '3.7.0' and python_full_version < '4.0.0'", 623 | "version": "==0.4.4" 624 | }, 625 | "openapi-spec-validator": { 626 | "hashes": [ 627 | "sha256:6c2d42180045a80fd6314de848b94310bdb0fa4949f4b099578b69f79d9fa5ac", 628 | "sha256:8712d2879db7692974ef89c47a3ebfc79436442921ec3a826ac0ce80cde8c549" 629 | ], 630 | "markers": "python_full_version >= '3.7.0' and python_full_version < '4.0.0'", 631 | "version": "==0.5.7" 632 | }, 633 | "openpyxl": { 634 | "hashes": [ 635 | "sha256:a6f5977418eff3b2d5500d54d9db50c8277a368436f4e4f8ddb1be3422870184", 636 | "sha256:f91456ead12ab3c6c2e9491cf33ba6d08357d802192379bb482f1033ade496f5" 637 | ], 638 | "markers": "python_version >= '3.6'", 639 | "version": "==3.1.2" 640 | }, 641 | "orderedmultidict": { 642 | "hashes": [ 643 | "sha256:04070bbb5e87291cc9bfa51df413677faf2141c73c61d2a5f7b26bea3cd882ad", 644 | "sha256:43c839a17ee3cdd62234c47deca1a8508a3f2ca1d0678a3bf791c87cf84adbf3" 645 | ], 646 | "version": "==1.0.1" 647 | }, 648 | "orjson": { 649 | "hashes": [ 650 | "sha256:02e693843c2959befdd82d1ebae8b05ed12d1cb821605d5f9fe9f98ca5c9fd2b", 651 | "sha256:06f0c024a75e8ba5d9101facb4fb5a028cdabe3cdfe081534f2a9de0d5062af2", 652 | "sha256:0a1a4d9e64597e550428ba091e51a4bcddc7a335c8f9297effbfa67078972b5c", 653 | "sha256:0d2cd6ef4726ef1b8c63e30d8287225a383dbd1de3424d287b37c1906d8d2855", 654 | "sha256:0f89dc338a12f4357f5bf1b098d3dea6072fb0b643fd35fec556f4941b31ae27", 655 | "sha256:12b83e0d8ba4ca88b894c3e00efc59fe6d53d9ffb5dbbb79d437a466fc1a513d", 656 | "sha256:1ef06431f021453a47a9abb7f7853f04f031d31fbdfe1cc83e3c6aadde502cce", 657 | "sha256:1f352117eccac268a59fedac884b0518347f5e2b55b9f650c2463dd1e732eb61", 658 | "sha256:24301f2d99d670ded4fb5e2f87643bc7428a54ba49176e38deb2887e42fe82fb", 659 | "sha256:31d676bc236f6e919d100fb85d0a99812cff1ebffaa58106eaaec9399693e227", 660 | "sha256:335406231f9247f985df045f0c0c8f6b6d5d6b3ff17b41a57c1e8ef1a31b4d04", 661 | "sha256:397a185e5dd7f8ebe88a063fe13e34d61d394ebb8c70a443cee7661b9c89bda7", 662 | "sha256:4a308aeac326c2bafbca9abbae1e1fcf682b06e78a54dad0347b760525838d85", 663 | "sha256:50232572dd300c49f134838c8e7e0917f29a91f97dbd608d23f2895248464b7f", 664 | "sha256:512e5a41af008e76451f5a344941d61f48dddcf7d7ddd3073deb555de64596a6", 665 | "sha256:5424ecbafe57b2de30d3b5736c5d5835064d522185516a372eea069b92786ba6", 666 | "sha256:543b36df56db195739c70d645ecd43e49b44d5ead5f8f645d2782af118249b37", 667 | "sha256:678ffb5c0a6b1518b149cc328c610615d70d9297e351e12c01d0beed5d65360f", 668 | "sha256:6fcf06c69ccc78e32d9f28aa382ab2ab08bf54b696dbe00ee566808fdf05da7d", 669 | "sha256:75b805549cbbcb963e9c9068f1a05abd0ea4c34edc81f8d8ef2edb7e139e5b0f", 670 | "sha256:8038ba245d0c0a6337cfb6747ea0c51fe18b0cf1a4bc943d530fd66799fae33d", 671 | "sha256:879d2d1f6085c9c0831cec6716c63aaa89e41d8e036cabb19a315498c173fcc6", 672 | "sha256:8cba20c9815c2a003b8ca4429b0ad4aa87cb6649af41365821249f0fd397148e", 673 | "sha256:8e7877256b5092f1e4e48fc0f1004728dc6901e7a4ffaa4acb0a9578610aa4ce", 674 | "sha256:906cac73b7818c20cf0f6a7dde5a6f009c52aecc318416c7af5ea37f15ca7e66", 675 | "sha256:920814e02e3dd7af12f0262bbc18b9fe353f75a0d0c237f6a67d270da1a1bb44", 676 | "sha256:957a45fb201c61b78bcf655a16afbe8a36c2c27f18a998bd6b5d8a35e358d4ad", 677 | "sha256:9a4402e7df1b5c9a4c71c7892e1c8f43f642371d13c73242bda5964be6231f95", 678 | "sha256:9d9b5440a5d215d9e1cfd4aee35fd4101a8b8ceb8329f549c16e3894ed9f18b5", 679 | "sha256:a3bf6ca6bce22eb89dd0650ef49c77341440def966abcb7a2d01de8453df083a", 680 | "sha256:a71b0cc21f2c324747bc77c35161e0438e3b5e72db6d3b515310457aba743f7f", 681 | "sha256:ab7bae2b8bf17620ed381e4101aeeb64b3ba2a45fc74c7617c633a923cb0f169", 682 | "sha256:ae72621f216d1d990468291b1ec153e1b46e0ed188a86d54e0941f3dabd09ee8", 683 | "sha256:b20becf50d4aec7114dc902b58d85c6431b3a59b04caa977e6ce67b6fee0e159", 684 | "sha256:b28c1a65cd13fff5958ab8b350f0921121691464a7a1752936b06ed25c0c7b6e", 685 | "sha256:b97a67c47840467ccf116136450c50b6ed4e16a8919c81a4b4faef71e0a2b3f4", 686 | "sha256:bd55ea5cce3addc03f8fb0705be0cfed63b048acc4f20914ce5e1375b15a293b", 687 | "sha256:c4eb31a8e8a5e1d9af5aa9e247c2a52ad5cf7e968aaa9aaefdff98cfcc7f2e37", 688 | "sha256:c63eca397127ebf46b59c9c1fb77b30dd7a8fc808ac385e7a58a7e64bae6e106", 689 | "sha256:c959550e0705dc9f59de8fca1a316da0d9b115991806b217c82931ac81d75f74", 690 | "sha256:cffb77cf0cd3cbf20eb603f932e0dde51b45134bdd2d439c9f57924581bb395b", 691 | "sha256:d1c01cf4b8e00c7e98a0a7cf606a30a26c32adf2560be2d7d5d6766d6f474b31", 692 | "sha256:d3f56e41bc79d30fdf077073072f2377d2ebf0b946b01f2009ab58b08907bc28", 693 | "sha256:e159b97f5676dcdac0d0f75ec856ef5851707f61d262851eb41a30e8fadad7c9", 694 | "sha256:e98ca450cb4fb176dd572ce28c6623de6923752c70556be4ef79764505320acb", 695 | "sha256:eb50d869b3c97c7c5187eda3759e8eb15deb1271d694bc5d6ba7040db9e29036", 696 | "sha256:ece2d8ed4c34903e7f1b64fb1e448a00e919a4cdb104fc713ad34b055b665fca", 697 | "sha256:f28090060a31f4d11221f9ba48b2273b0d04b702f4dcaa197c38c64ce639cc51", 698 | "sha256:f692e7aabad92fa0fff5b13a846fb586b02109475652207ec96733a085019d80", 699 | "sha256:f708ca623287186e5876256cb30599308bce9b2757f90d917b7186de54ce6547" 700 | ], 701 | "markers": "python_version >= '3.8'", 702 | "version": "==3.9.9" 703 | }, 704 | "packaging": { 705 | "hashes": [ 706 | "sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5", 707 | "sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7" 708 | ], 709 | "markers": "python_version >= '3.7'", 710 | "version": "==23.2" 711 | }, 712 | "paramiko": { 713 | "hashes": [ 714 | "sha256:6a3777a961ac86dbef375c5f5b8d50014a1a96d0fd7f054a43bc880134b0ff77", 715 | "sha256:b7bc5340a43de4287bbe22fe6de728aa2c22468b2a849615498dd944c2f275eb" 716 | ], 717 | "markers": "python_version >= '3.6'", 718 | "version": "==3.3.1" 719 | }, 720 | "pathable": { 721 | "hashes": [ 722 | "sha256:5c869d315be50776cc8a993f3af43e0c60dc01506b399643f919034ebf4cdcab", 723 | "sha256:cdd7b1f9d7d5c8b8d3315dbf5a86b2596053ae845f056f57d97c0eefff84da14" 724 | ], 725 | "markers": "python_full_version >= '3.7.0' and python_full_version < '4.0.0'", 726 | "version": "==0.4.3" 727 | }, 728 | "pathspec": { 729 | "hashes": [ 730 | "sha256:1d6ed233af05e679efb96b1851550ea95bbb64b7c490b0f5aa52996c11e92a20", 731 | "sha256:e0d8d0ac2f12da61956eb2306b69f9469b42f4deb0f3cb6ed47b9cce9996ced3" 732 | ], 733 | "markers": "python_version >= '3.7'", 734 | "version": "==0.11.2" 735 | }, 736 | "platformdirs": { 737 | "hashes": [ 738 | "sha256:cf8ee52a3afdb965072dcc652433e0c7e3e40cf5ea1477cd4b3b1d2eb75495b3", 739 | "sha256:e9d171d00af68be50e9202731309c4e658fd8bc76f55c11c7dd760d023bda68e" 740 | ], 741 | "markers": "python_version >= '3.7'", 742 | "version": "==3.11.0" 743 | }, 744 | "prance": { 745 | "hashes": [ 746 | "sha256:6a4276fa07ed9f22feda4331097d7503c4adc3097e46ffae97425f2c1026bd9f", 747 | "sha256:d8c15f8ac34019751cc4945f866d8d964d7888016d10de3592e339567177cabe" 748 | ], 749 | "markers": "python_version >= '3.8'", 750 | "version": "==23.6.21.0" 751 | }, 752 | "pycparser": { 753 | "hashes": [ 754 | "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9", 755 | "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206" 756 | ], 757 | "version": "==2.21" 758 | }, 759 | "pydantic": { 760 | "extras": [ 761 | "email" 762 | ], 763 | "hashes": [ 764 | "sha256:1740068fd8e2ef6eb27a20e5651df000978edce6da6803c2bef0bc74540f9548", 765 | "sha256:210ce042e8f6f7c01168b2d84d4c9eb2b009fe7bf572c2266e235edf14bacd80", 766 | "sha256:32c8b48dcd3b2ac4e78b0ba4af3a2c2eb6048cb75202f0ea7b34feb740efc340", 767 | "sha256:3ecea2b9d80e5333303eeb77e180b90e95eea8f765d08c3d278cd56b00345d01", 768 | "sha256:4b03e42ec20286f052490423682016fd80fda830d8e4119f8ab13ec7464c0132", 769 | "sha256:4c5370a7edaac06daee3af1c8b1192e305bc102abcbf2a92374b5bc793818599", 770 | "sha256:56e3ff861c3b9c6857579de282ce8baabf443f42ffba355bf070770ed63e11e1", 771 | "sha256:5a1f9f747851338933942db7af7b6ee8268568ef2ed86c4185c6ef4402e80ba8", 772 | "sha256:5e08865bc6464df8c7d61439ef4439829e3ab62ab1669cddea8dd00cd74b9ffe", 773 | "sha256:61d9dce220447fb74f45e73d7ff3b530e25db30192ad8d425166d43c5deb6df0", 774 | "sha256:654db58ae399fe6434e55325a2c3e959836bd17a6f6a0b6ca8107ea0571d2e17", 775 | "sha256:678bcf5591b63cc917100dc50ab6caebe597ac67e8c9ccb75e698f66038ea953", 776 | "sha256:6cf25c1a65c27923a17b3da28a0bdb99f62ee04230c931d83e888012851f4e7f", 777 | "sha256:75ac15385a3534d887a99c713aa3da88a30fbd6204a5cd0dc4dab3d770b9bd2f", 778 | "sha256:75b297827b59bc229cac1a23a2f7a4ac0031068e5be0ce385be1462e7e17a35d", 779 | "sha256:7d6f6e7305244bddb4414ba7094ce910560c907bdfa3501e9db1a7fd7eaea127", 780 | "sha256:84bafe2e60b5e78bc64a2941b4c071a4b7404c5c907f5f5a99b0139781e69ed8", 781 | "sha256:854223752ba81e3abf663d685f105c64150873cc6f5d0c01d3e3220bcff7d36f", 782 | "sha256:8ae5dd6b721459bfa30805f4c25880e0dd78fc5b5879f9f7a692196ddcb5a580", 783 | "sha256:8ef467901d7a41fa0ca6db9ae3ec0021e3f657ce2c208e98cd511f3161c762c6", 784 | "sha256:968ac42970f57b8344ee08837b62f6ee6f53c33f603547a55571c954a4225691", 785 | "sha256:97cce3ae7341f7620a0ba5ef6cf043975cd9d2b81f3aa5f4ea37928269bc1b87", 786 | "sha256:9849f031cf8a2f0a928fe885e5a04b08006d6d41876b8bbd2fc68a18f9f2e3fd", 787 | "sha256:9f00790179497767aae6bcdc36355792c79e7bbb20b145ff449700eb076c5f96", 788 | "sha256:b87326822e71bd5f313e7d3bfdc77ac3247035ac10b0c0618bd99dcf95b1e687", 789 | "sha256:b97c1fac8c49be29486df85968682b0afa77e1b809aff74b83081cc115e52f33", 790 | "sha256:bc0898c12f8e9c97f6cd44c0ed70d55749eaf783716896960b4ecce2edfd2d69", 791 | "sha256:c553f6a156deb868ba38a23cf0df886c63492e9257f60a79c0fd8e7173537653", 792 | "sha256:c636925f38b8db208e09d344c7aa4f29a86bb9947495dd6b6d376ad10334fb78", 793 | "sha256:c958d053453a1c4b1c2062b05cd42d9d5c8eb67537b8d5a7e3c3032943ecd261", 794 | "sha256:d3a3c792a58e1622667a2837512099eac62490cdfd63bd407993aaf200a4cf1f", 795 | "sha256:e31647d85a2013d926ce60b84f9dd5300d44535a9941fe825dc349ae1f760df9", 796 | "sha256:e70ca129d2053fb8b728ee7d1af8e553a928d7e301a311094b8a0501adc8763d", 797 | "sha256:efff03cc7a4f29d9009d1c96ceb1e7a70a65cfe86e89d34e4a5f2ab1e5693737", 798 | "sha256:f59ef915cac80275245824e9d771ee939133be38215555e9dc90c6cb148aaeb5", 799 | "sha256:f8e81fc5fb17dae698f52bdd1c4f18b6ca674d7068242b2aff075f588301bbb0" 800 | ], 801 | "markers": "python_version >= '3.7'", 802 | "version": "==1.10.13" 803 | }, 804 | "pynacl": { 805 | "hashes": [ 806 | "sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858", 807 | "sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d", 808 | "sha256:20f42270d27e1b6a29f54032090b972d97f0a1b0948cc52392041ef7831fee93", 809 | "sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1", 810 | "sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92", 811 | "sha256:61f642bf2378713e2c2e1de73444a3778e5f0a38be6fee0fe532fe30060282ff", 812 | "sha256:8ac7448f09ab85811607bdd21ec2464495ac8b7c66d146bf545b0f08fb9220ba", 813 | "sha256:a36d4a9dda1f19ce6e03c9a784a2921a4b726b02e1c736600ca9c22029474394", 814 | "sha256:a422368fc821589c228f4c49438a368831cb5bbc0eab5ebe1d7fac9dded6567b", 815 | "sha256:e46dae94e34b085175f8abb3b0aaa7da40767865ac82c928eeb9e57e1ea8a543" 816 | ], 817 | "markers": "python_version >= '3.6'", 818 | "version": "==1.5.0" 819 | }, 820 | "pyrsistent": { 821 | "hashes": [ 822 | "sha256:016ad1afadf318eb7911baa24b049909f7f3bb2c5b1ed7b6a8f21db21ea3faa8", 823 | "sha256:1a2994773706bbb4995c31a97bc94f1418314923bd1048c6d964837040376440", 824 | "sha256:20460ac0ea439a3e79caa1dbd560344b64ed75e85d8703943e0b66c2a6150e4a", 825 | "sha256:3311cb4237a341aa52ab8448c27e3a9931e2ee09561ad150ba94e4cfd3fc888c", 826 | "sha256:3a8cb235fa6d3fd7aae6a4f1429bbb1fec1577d978098da1252f0489937786f3", 827 | "sha256:3ab2204234c0ecd8b9368dbd6a53e83c3d4f3cab10ecaf6d0e772f456c442393", 828 | "sha256:42ac0b2f44607eb92ae88609eda931a4f0dfa03038c44c772e07f43e738bcac9", 829 | "sha256:49c32f216c17148695ca0e02a5c521e28a4ee6c5089f97e34fe24163113722da", 830 | "sha256:4b774f9288dda8d425adb6544e5903f1fb6c273ab3128a355c6b972b7df39dcf", 831 | "sha256:4c18264cb84b5e68e7085a43723f9e4c1fd1d935ab240ce02c0324a8e01ccb64", 832 | "sha256:5a474fb80f5e0d6c9394d8db0fc19e90fa540b82ee52dba7d246a7791712f74a", 833 | "sha256:64220c429e42a7150f4bfd280f6f4bb2850f95956bde93c6fda1b70507af6ef3", 834 | "sha256:878433581fc23e906d947a6814336eee031a00e6defba224234169ae3d3d6a98", 835 | "sha256:99abb85579e2165bd8522f0c0138864da97847875ecbd45f3e7e2af569bfc6f2", 836 | "sha256:a2471f3f8693101975b1ff85ffd19bb7ca7dd7c38f8a81701f67d6b4f97b87d8", 837 | "sha256:aeda827381f5e5d65cced3024126529ddc4289d944f75e090572c77ceb19adbf", 838 | "sha256:b735e538f74ec31378f5a1e3886a26d2ca6351106b4dfde376a26fc32a044edc", 839 | "sha256:c147257a92374fde8498491f53ffa8f4822cd70c0d85037e09028e478cababb7", 840 | "sha256:c4db1bd596fefd66b296a3d5d943c94f4fac5bcd13e99bffe2ba6a759d959a28", 841 | "sha256:c74bed51f9b41c48366a286395c67f4e894374306b197e62810e0fdaf2364da2", 842 | "sha256:c9bb60a40a0ab9aba40a59f68214eed5a29c6274c83b2cc206a359c4a89fa41b", 843 | "sha256:cc5d149f31706762c1f8bda2e8c4f8fead6e80312e3692619a75301d3dbb819a", 844 | "sha256:ccf0d6bd208f8111179f0c26fdf84ed7c3891982f2edaeae7422575f47e66b64", 845 | "sha256:e42296a09e83028b3476f7073fcb69ffebac0e66dbbfd1bd847d61f74db30f19", 846 | "sha256:e8f2b814a3dc6225964fa03d8582c6e0b6650d68a232df41e3cc1b66a5d2f8d1", 847 | "sha256:f0774bf48631f3a20471dd7c5989657b639fd2d285b861237ea9e82c36a415a9", 848 | "sha256:f0e7c4b2f77593871e918be000b96c8107da48444d57005b6a6bc61fb4331b2c" 849 | ], 850 | "markers": "python_version >= '3.7'", 851 | "version": "==0.19.3" 852 | }, 853 | "pysnooper": { 854 | "hashes": [ 855 | "sha256:810669e162a250a066d8662e573adbc5af770e937c5b5578f28bb7355d1c859b", 856 | "sha256:aa859aa9a746cffc1f35e4ee469d49c3cc5185b5fc0c571feb3af3c94d2eb625" 857 | ], 858 | "version": "==1.2.0" 859 | }, 860 | "python-dotenv": { 861 | "hashes": [ 862 | "sha256:a8df96034aae6d2d50a4ebe8216326c61c3eb64836776504fcca410e5937a3ba", 863 | "sha256:f5971a9226b701070a4bf2c38c89e5a3f0d64de8debda981d1db98583009122a" 864 | ], 865 | "markers": "python_version >= '3.8'", 866 | "version": "==1.0.0" 867 | }, 868 | "python-frontmatter": { 869 | "hashes": [ 870 | "sha256:766ae75f1b301ffc5fe3494339147e0fd80bc3deff3d7590a93991978b579b08", 871 | "sha256:e98152e977225ddafea6f01f40b4b0f1de175766322004c826ca99842d19a7cd" 872 | ], 873 | "version": "==1.0.0" 874 | }, 875 | "pyyaml": { 876 | "hashes": [ 877 | "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5", 878 | "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc", 879 | "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df", 880 | "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741", 881 | "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206", 882 | "sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27", 883 | "sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595", 884 | "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62", 885 | "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98", 886 | "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696", 887 | "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290", 888 | "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9", 889 | "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d", 890 | "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6", 891 | "sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867", 892 | "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47", 893 | "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486", 894 | "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6", 895 | "sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3", 896 | "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007", 897 | "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938", 898 | "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0", 899 | "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c", 900 | "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735", 901 | "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d", 902 | "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28", 903 | "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4", 904 | "sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba", 905 | "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8", 906 | "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5", 907 | "sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd", 908 | "sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3", 909 | "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0", 910 | "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515", 911 | "sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c", 912 | "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c", 913 | "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924", 914 | "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34", 915 | "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43", 916 | "sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859", 917 | "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673", 918 | "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54", 919 | "sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a", 920 | "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b", 921 | "sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab", 922 | "sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa", 923 | "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c", 924 | "sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585", 925 | "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d", 926 | "sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f" 927 | ], 928 | "markers": "python_version >= '3.6'", 929 | "version": "==6.0.1" 930 | }, 931 | "requests": { 932 | "hashes": [ 933 | "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f", 934 | "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1" 935 | ], 936 | "markers": "python_version >= '3.7'", 937 | "version": "==2.31.0" 938 | }, 939 | "rfc3339-validator": { 940 | "hashes": [ 941 | "sha256:138a2abdf93304ad60530167e51d2dfb9549521a836871b88d7f4695d0022f6b", 942 | "sha256:24f6ec1eda14ef823da9e36ec7113124b39c04d50a4d3d3a3c2859577e7791fa" 943 | ], 944 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", 945 | "version": "==0.1.4" 946 | }, 947 | "ruamel.yaml": { 948 | "hashes": [ 949 | "sha256:801046a9caacb1b43acc118969b49b96b65e8847f29029563b29ac61d02db61b", 950 | "sha256:b105e3e6fc15b41fdb201ba1b95162ae566a4ef792b9f884c46b4ccc5513a87a" 951 | ], 952 | "markers": "python_version >= '3'", 953 | "version": "==0.17.35" 954 | }, 955 | "ruamel.yaml.clib": { 956 | "hashes": [ 957 | "sha256:03d1162b6d1df1caa3a4bd27aa51ce17c9afc2046c31b0ad60a0a96ec22f8001", 958 | "sha256:07238db9cbdf8fc1e9de2489a4f68474e70dffcb32232db7c08fa61ca0c7c462", 959 | "sha256:1b617618914cb00bf5c34d4357c37aa15183fa229b24767259657746c9077615", 960 | "sha256:25ac8c08322002b06fa1d49d1646181f0b2c72f5cbc15a85e80b4c30a544bb15", 961 | "sha256:25c515e350e5b739842fc3228d662413ef28f295791af5e5110b543cf0b57d9b", 962 | "sha256:3f215c5daf6a9d7bbed4a0a4f760f3113b10e82ff4c5c44bec20a68c8014f675", 963 | "sha256:3fcc54cb0c8b811ff66082de1680b4b14cf8a81dce0d4fbf665c2265a81e07a1", 964 | "sha256:53a300ed9cea38cf5a2a9b069058137c2ca1ce658a874b79baceb8f892f915a7", 965 | "sha256:56f4252222c067b4ce51ae12cbac231bce32aee1d33fbfc9d17e5b8d6966c312", 966 | "sha256:665f58bfd29b167039f714c6998178d27ccd83984084c286110ef26b230f259f", 967 | "sha256:700e4ebb569e59e16a976857c8798aee258dceac7c7d6b50cab63e080058df91", 968 | "sha256:7048c338b6c86627afb27faecf418768acb6331fc24cfa56c93e8c9780f815fa", 969 | "sha256:75e1ed13e1f9de23c5607fe6bd1aeaae21e523b32d83bb33918245361e9cc51b", 970 | "sha256:7f67a1ee819dc4562d444bbafb135832b0b909f81cc90f7aa00260968c9ca1b3", 971 | "sha256:84b554931e932c46f94ab306913ad7e11bba988104c5cff26d90d03f68258cd5", 972 | "sha256:955eae71ac26c1ab35924203fda6220f84dce57d6d7884f189743e2abe3a9fbe", 973 | "sha256:9eb5dee2772b0f704ca2e45b1713e4e5198c18f515b52743576d196348f374d3", 974 | "sha256:a5aa27bad2bb83670b71683aae140a1f52b0857a2deff56ad3f6c13a017a26ed", 975 | "sha256:a6a9ffd280b71ad062eae53ac1659ad86a17f59a0fdc7699fd9be40525153337", 976 | "sha256:b16420e621d26fdfa949a8b4b47ade8810c56002f5389970db4ddda51dbff248", 977 | "sha256:b42169467c42b692c19cf539c38d4602069d8c1505e97b86387fcf7afb766e1d", 978 | "sha256:b5edda50e5e9e15e54a6a8a0070302b00c518a9d32accc2346ad6c984aacd279", 979 | "sha256:bba64af9fa9cebe325a62fa398760f5c7206b215201b0ec825005f1b18b9bccf", 980 | "sha256:beb2e0404003de9a4cab9753a8805a8fe9320ee6673136ed7f04255fe60bb512", 981 | "sha256:bef08cd86169d9eafb3ccb0a39edb11d8e25f3dae2b28f5c52fd997521133069", 982 | "sha256:c2a72e9109ea74e511e29032f3b670835f8a59bbdc9ce692c5b4ed91ccf1eedb", 983 | "sha256:c58ecd827313af6864893e7af0a3bb85fd529f862b6adbefe14643947cfe2942", 984 | "sha256:c69212f63169ec1cfc9bb44723bf2917cbbd8f6191a00ef3410f5a7fe300722d", 985 | "sha256:cabddb8d8ead485e255fe80429f833172b4cadf99274db39abc080e068cbcc31", 986 | "sha256:d176b57452ab5b7028ac47e7b3cf644bcfdc8cacfecf7e71759f7f51a59e5c92", 987 | "sha256:d92f81886165cb14d7b067ef37e142256f1c6a90a65cd156b063a43da1708cfd", 988 | "sha256:da09ad1c359a728e112d60116f626cc9f29730ff3e0e7db72b9a2dbc2e4beed5", 989 | "sha256:ebc06178e8821efc9692ea7544aa5644217358490145629914d8020042c24aa1", 990 | "sha256:edaef1c1200c4b4cb914583150dcaa3bc30e592e907c01117c08b13a07255ec2", 991 | "sha256:f481f16baec5290e45aebdc2a5168ebc6d35189ae6fea7a58787613a25f6e875", 992 | "sha256:fff3573c2db359f091e1589c3d7c5fc2f86f5bdb6f24252c2d8e539d4e45f412" 993 | ], 994 | "markers": "platform_python_implementation == 'CPython' and python_version < '3.13'", 995 | "version": "==0.2.8" 996 | }, 997 | "six": { 998 | "hashes": [ 999 | "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", 1000 | "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" 1001 | ], 1002 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", 1003 | "version": "==1.16.0" 1004 | }, 1005 | "sniffio": { 1006 | "hashes": [ 1007 | "sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101", 1008 | "sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384" 1009 | ], 1010 | "markers": "python_version >= '3.7'", 1011 | "version": "==1.3.0" 1012 | }, 1013 | "toml": { 1014 | "hashes": [ 1015 | "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", 1016 | "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f" 1017 | ], 1018 | "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'", 1019 | "version": "==0.10.2" 1020 | }, 1021 | "typing-extensions": { 1022 | "hashes": [ 1023 | "sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0", 1024 | "sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef" 1025 | ], 1026 | "markers": "python_version >= '3.8'", 1027 | "version": "==4.8.0" 1028 | }, 1029 | "urllib3": { 1030 | "hashes": [ 1031 | "sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2", 1032 | "sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564" 1033 | ], 1034 | "markers": "python_version >= '3.7'", 1035 | "version": "==2.0.6" 1036 | } 1037 | }, 1038 | "develop": {} 1039 | } 1040 | -------------------------------------------------------------------------------- /controls/controls_catalog.csv: -------------------------------------------------------------------------------- 1 | ID,Originating Document,Section,Control Title,Control Implementation,NIST SP800-53r5 references,Assurance Level,Risk Categories 2 | 1,CNSWP v1.0,Access,"Secrets are injected at runtime, such as environment variables or as a file",,IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators,N/A,N/A 3 | 2,CNSWP v1.0,Access,Applications and workloads are explicitly authorized to communicate with each other using mutual authentication,,IA-9 Service Identification and Authentication,N/A,N/A 4 | 3,CNSWP v1.0,Access,Keys are rotated frequently,,SC-12 Cryptographic Key Establishment and Management,N/A,N/A 5 | 4,CNSWP v1.0,Access,Key lifespan is short,,SC-12(3) Cryptographic Key Establishment and Management | Asymetric Key,N/A,N/A 6 | 5,CNSWP v1.0,Access,Credentials and keys protecting sensitive workloads (health/finance/etc) are customer managed (e.g. generated and managed independent of a cloud service provider),KMS and HMS are common technologies to achieve this. FIPS 140-2 compliance is strongly suggested. Cloud KMS tends to be FIPS 140-2 Level 2 or greater.,IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials,N/A,N/A 7 | 6,CNSWP v1.0,Access,Authentication and authorization are determined independently,,IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices,N/A,N/A 8 | 7,CNSWP v1.0,Access,Authentication and authorization are enforced independently,,IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices,N/A,N/A 9 | 8,CNSWP v1.0,Access,Access control and file permissions are updated in real-time,where possible as caching may permit unauthorized access,SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis,N/A,N/A 10 | 9,CNSWP v1.0,Access,Authorization for workloads is granted based on attributes and roles/permissions previously assigned,,AC-3(13) Access Enforcement | Attribute-Based Access Control,N/A,N/A 11 | 10,CNSWP v1.0,Access,ABAC and RBAC are used,,"AC-3(13) Access Enforcement | Attribute-Based Access Control 12 | AC-3(7) Access Enforcement | Role-Based Access Control",N/A,N/A 13 | 11,CNSWP v1.0,Access,"End user identity is capable of being accepted, consumed, and forwarded on for contextual or dynamic authorization",This can be achieved through the use of identity documents and tokens.,SC-7(19) Boundary Protection | Block Communication from Non-Organizationally Configured Hosts,N/A,N/A 14 | 12,CNSWP v1.0,Access,All cluster and workloads operators are authenticated,,IA-7 Cryptographic Module Authentication,N/A,N/A 15 | 13,CNSWP v1.0,Access,"cluster and worklods operate actions are evaluated against access control policies governing context, purpose, and output",,IA-7 Cryptographic Module Authentication,N/A,N/A 16 | 14,CNSWP v1.0,Access,Identity federation uses multi-factor authentication for human users,,IA-2(1)(2) Identification and Authentication (organizational Users) | Multi-Factor Authenticaiton to Priviledged & Non Priveledged Accounts,N/A,N/A 17 | 15,CNSWP v1.0,Access,HSMs are used to physically protect cryptographic secrets with an encryption key residing in the HSM,"If this is not possible, software-based credential managers should be used.","AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information 18 | SC-3(1) Security Function Isolation | Hardware Separation",N/A,N/A 19 | 16,CNSWP v1.0,Access,Secrets should have a short expiration period or time to live,Leverage tool-specific capabilities of secret manager,SI-12 Information Management and Retention,N/A,N/A 20 | 17,CNSWP v1.0,Access,Time to live and expiration period on secrets is verfied to prevent reuse,Leverage tool-specific capabilities of secret manager,AC-16(3) Security and Privacy Attributes | Maintenance of Attribute Associations by System,N/A,N/A 21 | 18,CNSWP v1.0,Access,Secrets management systems are highly available,,SC-12(1) Cryptographic Key Establishment and Management | Availability,N/A,N/A 22 | 19,CNSWP v1.0,Access,Long-lived secrets adhere to periodic rotation and revocation,"Long-lived secrets are not recommended, but some capabilities require them",SI-12 Information Management and Retention,N/A,N/A 23 | 20,CNSWP v1.0,Access,Secrets are distributed through secured communication channels protected commensurate with the level of access or data they are protecting,,AC-16 Security and Privacy Atributes,N/A,N/A 24 | 21,CNSWP v1.0,Access,"Secrets injected are runtime are masqued or dropped from logs, audit, or system dumps","Even short lived secrets may be resused if caught in time by an interested attacker. Logs, audit, and systems dumps (i.e. in-memory shared volumes instead of environment variables) are all areas where runtime injected secrets show up",AU-9(3) Protection of Audit Information | Cryptographic Protection,N/A,N/A 25 | 22,CNSWP v1.0,Compute,Bootstrapping is employed to verify correct physical and logical location of compute,Secure Boot with TPM 2.0 or similar control,"SI-7(9) Software, Firmware, and Information Integrity | Verify Boot Process",N/A,N/A 26 | 23,CNSWP v1.0,Compute,Disparate data sensitive workloads are not run on the same host OS kernel,"There are at least three implementing controls possible: workloads may be separated by running in a separate cluster, on a separate node, or by implementing pods in independent VMs. It is also possible to emulate the kernel via an application kernel (e.g. gvisor)",SC-7 Boundary Protection,N/A,N/A 27 | 24,CNSWP v1.0,Compute,Monitor and detect any changes to the initial configurations made in runtime,Preventative controls should be the primary control. Detective controls monitoring filesystem changes should be used to verify primary controls are operating properly.,CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency CM-3(7) Configuration Change Control | Review System Changes,N/A,N/A 28 | 25,CNSWP v1.0,Compute,API auditing is enabled with a filter for a specific set of API Groups or verbs,"API audits of the application, kubernetes API server, and kernel should be implemented.",AU-2 Event Logging,N/A,N/A 29 | 26,CNSWP v1.0,Compute,Container specific operating systems are in use,a read-only OS with other services disabled. This provides isolation and resource confinement that enables developers to run isolated applications on a shared host kernel,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 30 | 27,CNSWP v1.0,Compute,The hardware root of trust is based in a Trusted Platform Module (TPM) or virtual TPM (vTPM),"Ensure HW root of trust extends to the host OS kernel, modules, system images, container runtimes, and all software on the system.","SI-7 Software, Firmware, and Information Integrity",N/A,N/A 31 | 28,CNSWP v1.0,Compute,Minimize administrative access to the control plane,Enure both users and pods have the minimum necessary access,AC-6 Least Privilege,N/A,N/A 32 | 29,CNSWP v1.0,Compute,Object level and resource requests and limits are controlled through cgroups,"helps prevent exhaustion of node and cluster level resources by one misbehaving workload due to an intentional (e.g., fork bomb attack or cryptocurrency mining) or unintentional (e.g., reading a large file in memory without input validation, horizontal autoscaling to exhaust compute resources) issue","SI-7(16) Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision 33 | SI-7(17) Software, Firmware, and Information Integrity | Runtime Application Self-protection",N/A,N/A 34 | 30,CNSWP v1.0,Compute,Systems processing alerts are periodically tuned for false positives,"to avoid alert flooding, fatigue, and false negatives after security incidents that were not detected by the system",SI-4(13) System Monitoring | Analyze Traffic and Event Patterns,N/A,N/A 35 | 31,CNSWP v1.0,Compute,All orchestrator control plane components are configured to communicate via mutual authentication and certificate validation with a periodically rotated certificate,"In unfederated clusters, the CA should be used exclusively for the current cluster.",AC-3 Access Enforcement,N/A,N/A 36 | 32,CNSWP v1.0,Compute,"Only sanctioned capabilities and system calls (e.g. seccomp filters), are allowed to execute or be invoked in a container by the host operating system",Additional tooling should be installed that go beyond k8s capabilities to limit system calls. E.g. Falco.,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 37 | 33,CNSWP v1.0,Compute,"Changes to critical mount points and files are prevented, monitored, and alerted",,CM-5 Access Restrictions for Change,N/A,N/A 38 | 34,CNSWP v1.0,Compute,"Runtime configuration control prevents changes to binaries, certificates, and remote access configurations",,CM-5 Access Restrictions for Change,N/A,N/A 39 | 35,CNSWP v1.0,Compute,Runtime configuration prevents ingress and egress network access for containers to only what is required to operate,,SC-7 Boundary Protection,N/A,N/A 40 | 36,CNSWP v1.0,Compute,Policies are defined that restrict communications to only occur between sanctioned microservice pairs,,SC-7 Boundary Protection,N/A,N/A 41 | 37,CNSWP v1.0,Compute,"Use a policy agent to control and enforce authorized, signed container images",,CM-5 Access Restrictions for Change,N/A,N/A 42 | 38,CNSWP v1.0,Compute,Use a policy agent to control provenance assurance for operational workloads,,CM-5 Access Restrictions for Change,N/A,N/A 43 | 39,CNSWP v1.0,Compute,"Use a service mesh that eliminates implicit trust through data-in-motion protection (i.e. confidentiality, integrity, authentication, authorization)",,SC-7 Boundary Protection,N/A,N/A 44 | 40,CNSWP v1.0,Compute,"Use components that detect, track, aggregate and report system calls and network traffic from a container",should be leveraged to look for unexpected or malicious behavior,SI-4 System Monitoring,N/A,N/A 45 | 41,CNSWP v1.0,Compute,Workloads should be dynamically scanned to detect malicious or insidious behavior for which no known occurrence yet exists,"Events such as an extended sleep command that executes data exfiltration from etcd after the workload has been running for X amount of days are not expected in the majority of environments and therefore are not included in security tests. The aspect that workloads can have time or event delayed trojan horses is only detectable by comparing to baseline expected behavior, often discovered during thorough activity and scan monitoring",SI-3 Malicious Code Protection,N/A,N/A 46 | 42,CNSWP v1.0,Compute,Environments are continuously scanned to detect new vulnerabilities in workloads,"Vulnerabilities are constantly being discovered, just because it wasnt vulnerable at deploy, doesn't mean it won't be vulnerable in two weeks",RA-5 Vulnerability Monitoring and Scanning,N/A,N/A 47 | 43,CNSWP v1.0,Compute,"Actionable audit events are generated that correlate/contextualize data from logs into ""information"" that can drive decision trees/incident response",,AU-3 Content of Audit Records,N/A,N/A 48 | 44,CNSWP v1.0,Compute,Segregation of duties and the principle of least privilege is enforced,,AC-6 Least Privilege,N/A,N/A 49 | 45,CNSWP v1.0,Compute,Non-compliant violations are detected based on a pre-configured set of rules defined by the organization's policies,,"SI-7 Software, Firmware, and Information Integrity",N/A,N/A 50 | 46,CNSWP v1.0,Compute,Native secret stores encrypt with keys from an external Key Management Store (KMS),,SC-12(3) Systems & Communication Protection,N/A,N/A 51 | 47,CNSWP v1.0,Compute,Native secret stores are not configured for base64 encoding or stored in clear-text in the key-value store by default,Encoding is not encryption,SC-12(3) Systems & Communication Protection,N/A,N/A 52 | 48,CNSWP v1.0,Compute,Network traffic to malicious domains is detected and denied,,SI-4 System Monitoring,N/A,N/A 53 | 49,CNSWP v1.0,Compute,"Use encrypted containers for sensitive sources, methods, and data",,SC-28 Protection of Information at Rest,N/A,N/A 54 | 50,CNSWP v1.0,Compute,"Use SBOMs to identify current deployments of vulnerable libraries, dependencies, and packages",,CM-8 System Component Inventory,N/A,N/A 55 | 51,CNSWP v1.0,Compute,Processes must execute only functions explicitly defined in an allow list,,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 56 | 52,CNSWP v1.0,Compute,Functions are not be allowed to make changes to critical file system mount points,,CM-5 Access Restrictions for Change,N/A,N/A 57 | 53,CNSWP v1.0,Compute,Function access is only permitted to sanctioned services,Either through networking restrictions or least privilege in permission models,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 58 | 54,CNSWP v1.0,Compute,Egress network connection is monitored to detect and prevent access to C&C (command and control) and other malicious network domains,,SI-4 System Monitoring,N/A,N/A 59 | 55,CNSWP v1.0,Compute,Ingress network inspection is employed detect and remove malicious payloads and commands,"For instance, SQL injection attacks can be detected using inspection.",SI-4 System Monitoring,N/A,N/A 60 | 56,CNSWP v1.0,Compute,Serverless functions are run in tenant-based resource or performance isolation for similar data classifications,This may impact the performance due to limitations in the address space available to the isolation environment and should be considered for only the most sensitive workloads.,SC-7(21) Boundary Protection | Isolation of System Components,N/A,N/A 61 | 57,CNSWP v1.0,Deploy,Trust confirmation verifies the image has a valid signature from an authorized source,,"SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED 62 | SR-4 (4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",N/A,N/A 63 | 58,CNSWP v1.0,Deploy,Image runtime policies are enforced prior to deployment,,"SI-7 (17) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION",N/A,N/A 64 | 59,CNSWP v1.0,Deploy,Image integrity and signature are verified prior to deployment,,"SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED 65 | SR-4 (4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",N/A,N/A 66 | 60,CNSWP v1.0,Deploy,"Applications provide logs regarding authentication, authorization, actions, and failures",,CM-3 CONFIGURATION CHANGE CONTROL,N/A,N/A 67 | 61,CNSWP v1.0,Deploy,Forensics capabilities are integrated into an incident response plan and procedures,,INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS,N/A,N/A 68 | 62,CNSWP v1.0,Deploy,"AI, ML, or statistical modeling are used for behavioural and heuristic environment analysis to detect unwanted activities",,SI-3 SYSTEM AND INFORMATION INTEGRITY,N/A,N/A 69 | 63,CNSWP v1.0,Develop,Establish a dedicated Production environment,"Ensure that production workloads are in a separate, dedicated environment from non-production workloads. In the context of containers, this can mean separate clusters. In the case of VMs, separate networks.",SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT,N/A,N/A 70 | 64,CNSWP v1.0,Develop,Leverage Dynamic deployments,"Blue/Green, Alpha/Beta, Canary, red-black deployments",SA-8(31) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE SYSTEM MODIFICATION,N/A,N/A 71 | 65,CNSWP v1.0,Develop,Integrate vulnerability and configuration scanning in both the IDE and at the CI system during pull request,,SA-11(1) DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS,N/A,N/A 72 | 66,CNSWP v1.0,Develop,"Establish dedicated development, testing, and production environment",,"SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS",N/A,N/A 73 | 67,CNSWP v1.0,Develop,Build tests for business-critical code,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 74 | 68,CNSWP v1.0,Develop,Build tests for business-critical infrastructure,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 75 | 69,CNSWP v1.0,Develop,Test suite able to be ran locally,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 76 | 70,CNSWP v1.0,Develop,Test suites should be available to run in a shared environment,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 77 | 71,CNSWP v1.0,Develop,Implement at least one other non-author reviewer/approver prior to merging,,SA-11(4) DEVELOPER TESTING AND EVALUATION | MANUAL CODE REVIEWS,N/A,N/A 78 | 72,CNSWP v1.0,Develop,Code should be clean and well commented,,,N/A,N/A 79 | 73,CNSWP v1.0,Develop,Full infrastructure tests are used,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 80 | 74,CNSWP v1.0,Develop,Regression tests are used,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 81 | 75,CNSWP v1.0,Develop,Test suites are updated against new and emerging threats and developed into security regressions tests,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 82 | 76,CNSWP v1.0,Develop,Establish a dedicated Testing environment,,SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT,N/A,N/A 83 | 77,CNSWP v1.0,Develop,Continuous integration server is isolated and hardened,,SC-39 PROCESS ISOLATION,N/A,N/A 84 | 78,CNSWP v1.0,Develop,Use threat model results to determine ROI for test development,,SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES,N/A,N/A 85 | 79,CNSWP v1.0,Distribute,"Should software artifacts become untrusted due to compromise or other incident, teams should revoke signing keys to ensure repudiation",,,N/A,N/A 86 | 80,CNSWP v1.0,Distribute,Artifacts ready for deployment are managed in a staging or pre-prod registry,,,N/A,N/A 87 | 81,CNSWP v1.0,Distribute,container images are hardened following best practices,"Images contain least permissions to remain functional, do not allow for shell, do not include unnecessary libraries and dependencies, do not bind mount files in from the host, etc.",,N/A,N/A 88 | 82,CNSWP v1.0,Distribute,Static application security testing (SAST) is performed,Static analysis is performed by dedicated SAST tools as well as linters,,N/A,N/A 89 | 83,CNSWP v1.0,Distribute,Test suites follow the test pyramid,,,N/A,N/A 90 | 84,CNSWP v1.0,Distribute,Artifacts undergoing active development are held in a private registery,,,N/A,N/A 91 | 85,CNSWP v1.0,Distribute,Scan application manifests in CI pipeline,,RA-5 VULNERABILITY MONITORING AND SCANNING,N/A,N/A 92 | 86,CNSWP v1.0,Distribute,CI server's for sensitive workloads are isolated from other workloads,,SC-39 PROCESS ISOLATION,N/A,N/A 93 | 87,CNSWP v1.0,Distribute,Builds requiring elevated privileges must run on dedicated servers,,SC-39 PROCESS ISOLATION,N/A,N/A 94 | 88,CNSWP v1.0,Distribute,Build policies are enforced on the CI pipeline,,SA-1 POLICY AND PROCEDURES,N/A,N/A 95 | 89,CNSWP v1.0,Distribute,Sign pipeline metadata,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 96 | 90,CNSWP v1.0,Distribute,Build stages are verified prior to the next stage executing,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 97 | 91,CNSWP v1.0,Distribute,Images are scanned within the CI pipeline,,"RA-5 VULNERABILITY MONITORING AND SCANNING 98 | SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",N/A,N/A 99 | 92,CNSWP v1.0,Distribute,Vulnerability scans are coupled with pipeline compliance rules,Prevent insecure images and artifacts from being deployed,SA-1 POLICY AND PROCEDURES,N/A,N/A 100 | 93,CNSWP v1.0,Distribute,Dynamic application security testing (DAST) is performed,,SA-11 (8) & (9) INTERACTIVE APPLICATION SECURITY TESTING,N/A,N/A 101 | 94,CNSWP v1.0,Distribute,Application instrumentation is employed,,SI-4 SYSTEM MONITORING,N/A,N/A 102 | 95,CNSWP v1.0,Distribute,Automated test results map back to requirements,"Requirements include feature, function, security, and complaince",,N/A,N/A 103 | 96,CNSWP v1.0,Distribute,Infrastructure security tests must be employed,"firewall rules open to the world, overprivileged Identity & Access Management (IAM) policies, unauthenticated endpoints, etc",,N/A,N/A 104 | 97,CNSWP v1.0,Distribute,Tests to verify the security health are executed at time of build and at time of deploy,to evaluate any changes or regressions that may have occurred throughout the lifecycle.,SI-4 SYSTEM MONITORING,N/A,N/A 105 | 98,CNSWP v1.0,Distribute,IaC is subject to the same pipeline policy controls as application code,,,N/A,N/A 106 | 99,CNSWP v1.0,Distribute,Security testing is automated,,"SA-11 DEVELOPER TESTING AND EVALUATION 107 | CA-8 PENETRATION TESTING",N/A,N/A 108 | 100,CNSWP v1.0,Distribute,Registries require mutually authenticated TLS for all registry connections,,IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION,N/A,N/A 109 | 101,CNSWP v1.0,Distribute,Image and metadata are signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 110 | 102,CNSWP v1.0,Distribute,Workload-related configuration is signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 111 | 103,CNSWP v1.0,Distribute,Workload-related package is signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 112 | 104,CNSWP v1.0,Distribute,Validate integrity of images,,SI-7 SYSTEM & INFORMATION INTEGRITY,N/A,N/A 113 | 105,CNSWP v1.0,Distribute,Scan images for vulnerabilities and malware,,"RA-5 VULNERABILITY MONITORING AND SCANNING 114 | SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",N/A,N/A 115 | 106,CNSWP v1.0,Distribute,Enable image signing key revokation in the event of compromise,,SI-7 SYSTEM & INFORMATION INTEGRITY,N/A,N/A 116 | 107,CNSWP v1.0,Distribute,Security updates are prioritized,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A 117 | 108,CNSWP v1.0,Distribute,"HSMs or credential managers should be used for protecting credentials. If this is not possible, software-based credential managers should be used.",,SC-12(3) SYSTEMS & COMMUNICATION PROTECTION,N/A,N/A 118 | 109,CNSWP v1.0,Distribute,Container image scanning findings are acted upon,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A 119 | 110,CNSWP v1.0,Distribute,Organizational compliance rules are enforced,,PL-1 POLICY AND PROCEDURES,N/A,N/A 120 | 111,CNSWP v1.0,Distribute,Incremental hardening of the infrastructure is employed,,,N/A,N/A 121 | 112,CNSWP v1.0,Distribute,pulls from public registries are controlled and only from authorized engineers or internal registries,,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,N/A,N/A 122 | 113,CNSWP v1.0,Distribute,Image encryption is coupled with key management attestation and/or authorization and credential distribution,This restricts the image to only be deployed to authorized platforms. Container image authorization is useful for compliance use cases such as geo-fencing or export control and digital rights media management,"SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS 123 | SC-12(3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS",N/A,N/A 124 | 114,CNSWP v1.0,Distribute,At-risk applications are prioritized for remediation by the exploit maturity and vulnerable path presence in addition to the CVSS score,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A 125 | 115,CNSWP v1.0,Security Assurance,Network policies enforce east-west network communication within the container deployment is limited to only that which is authorized for access,,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,N/A,N/A 126 | 116,CNSWP v1.0,Security Assurance,Incident reponse considers cloud native workloads,"workloads which may not always conform with some underlying assumptions about node isolation (new pod instances could run on a different server), networking (e.g. IP addresses are assigned dynamically) and immutability (e.g. runtime changes to container are not persisted across restarts)","IR-4 INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES 127 | IR-4(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM 128 | CA-7 CONTINUOUS MONITORING",N/A,N/A 129 | 117,CNSWP v1.0,Security Assurance,Incident response accounts for appropriate evidence handling and collection of coud native workloads,,"IR-5(1) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS",N/A,N/A 130 | 118,CNSWP v1.0,Security Assurance,Rootless builds are employed,,,N/A,N/A 131 | 119,CNSWP v1.0,Security Assurance,cgroups and system groups are used to isolate workloads and deployments,,,N/A,N/A 132 | 120,CNSWP v1.0,Security Assurance,MAC implementations are employed,"SELinux, AppArmor",AC-3(3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL,N/A,N/A 133 | 121,CNSWP v1.0,Security Assurance,Threat model code and infrastructure,,SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES,N/A,N/A 134 | 122,CNSWP v1.0,Security Assurance,Entities are able to independently authenticate other identities,Public Key Infrastructure,IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION,N/A,N/A 135 | 123,CNSWP v1.0,Security Assurance,Each entity can create proof of who the identity is,,IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION,N/A,N/A 136 | 124,CNSWP v1.0,Security Assurance,"Orchestrator is running on an a trusted OS, BIOS, etc",,CM-14 SIGNED COMPONENTS,N/A,N/A 137 | 125,CNSWP v1.0,Security Assurance,Orchestrator verifies the claims of a container,,SI-6 SECURITY AND PRIVACY FUNCTION VERIFICATION,N/A,N/A 138 | 126,CNSWP v1.0,Security Assurance,Orchestrator network policies are used in conjunction with a service mesh,,,N/A,N/A 139 | 127,CNSWP v1.0,Storage,Storage control plane management interface requires mutual authentication and TLS for connections,,SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY,N/A,N/A 140 | 128,CNSWP v1.0,Storage,"Data availability is achieved through parity or mirroring, erasure coding or replicas",,SI-13 PREDICTABLE FAILURE PREVENTION,N/A,N/A 141 | 129,CNSWP v1.0,Storage,"Hashing and checksums are added to blocks, objects or files","primarily designed to detect and recover from corrupted data, but can also add a layer of protection against the tampering of data.","CM-7 LEAST FUNCTIONALITY 142 | SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 143 | 130,CNSWP v1.0,Storage,Data backup storage and data source storage should have same security controls,,"SA-9 EXTERNAL SYSTEM SERVICES 144 | SC-30 CONCEALMENT AND MISDIRECTION",N/A,N/A 145 | 131,CNSWP v1.0,Storage,Secure erasure adhering to OPAL standards is employed for returned or non-functional devices,," 146 | CP-9 SYSTEM BACKUP 147 | MP-6 MEDIA SANITIZATION",N/A,N/A 148 | 132,CNSWP v1.0,Storage,"Encryption at rest considers data path, size, and frequency of access when determing additional security protections and cryptographic algorithms to employ","The encryption may be implemented in the storage client or storage server and granularity of the encryption will vary by system (e.g. per volume, per group or global keys)",SC-28 PROTECTION OF INFORMATION AT REST,N/A,N/A 149 | 133,CNSWP v1.0,Storage,Caching is considered for determining encryption requirements in archictures,,,N/A,N/A 150 | 134,CNSWP v1.0,Storage,Namespaces have defined trust boundaries to cordon access to volumes,,,N/A,N/A 151 | 135,CNSWP v1.0,Storage,Security policies are used to prevent containers from accessing volume mounts on worker nodes,,"SC-7 BOUNDARY PROTECTION 152 | SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES 153 | CM-6 CONFIGURATION SETTINGS",N/A,N/A 154 | 136,CNSWP v1.0,Storage,Security policies are used enforce authorized worker node access to volumes,,"SC-7 BOUNDARY PROTECTION 155 | SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES 156 | CM-6 CONFIGURATION SETTINGS",N/A,N/A 157 | 137,CNSWP v1.0,Storage,Volume UID and GID are inaccessible to containers,,"AC-4 INFORMATION FLOW ENFORCEMENT 158 | AC-16 SECURITY AND PRIVACY ATTRIBUTES 159 | SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 160 | 138,CNSWP v1.0,Storage,Artifact registry supports OCI artifacts,,,N/A,N/A 161 | 139,CNSWP v1.0,Storage,Artifact registry supports signed artifacts,,CM-14 SIGNED COMPONENTS,N/A,N/A 162 | 140,CNSWP v1.0,Storage,Artifact registry verifies artifacts against organizational policies,,"AU-10 NON-REPUDIATION 163 | CM-6 CONFIGURATION SETTINGS",N/A,N/A 164 | 141,SSCP v1.0,Securing Artefacts,Every step in the build process should be signed/attested for process integrity,The signing of artefacts should be performed at each stage of its life cycle. The final artefact bundle should include these collective signatures and itself be signed to give integrity to the completed artefact and all its associated metadata.,"SI-1 POLICY AND PROCEDURES 165 | SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High 166 | 142,SSCP v1.0,Securing Artefacts,Every step in the build process should verify the previously generated signatures,"The integrity and provenance of images, deployment configuration, and application packages included in artefacts should all be validated using the signatures generated by each step in its build process to ensure compliance","SI-1 POLICY AND PROCEDURES 167 | SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High 168 | 143,SSCP v1.0,Securing Artefacts,Use a framework to manage signing of artefacts.,Consider TUF/notary to sign OCI images. Notary makes use of a “root-of-trust” model to delegate trust from a single root to the individual teams or developers who sign artefacts. It uses additional metadata to allow clients to verify the freshness of content in a repository and protect against common attacks on update systems48. Clients can make use of public keys to verify the contents of the repository. ,IA-5 AUTHENTICATOR MANAGEMENT,Moderate to High,Moderate to High 169 | 144,SSCP v1.0,Securing Artefacts,Use a store to manage attestations,Consider storing in-toto attestations in OCI registries alongside the image. Generated in-toto metadata needs to be stored and tracked for which a database or a dedicated store such as Grafeas can be used.,"AC-4(6) INFORMATION FLOW ENFORCEMENT | METADATA",Moderate to High,Moderate to High 170 | 145,SSCP v1.0,Securing Artefacts,Limit which artefacts any given party is authorized to certify,"Trust should not be granted universally or indefinitely. Artefacts or metadata that a given party is trusted to certify should be restricted using selective trust delegations. Trust must expire at predefined intervals, unless renewed as weel as a party must only be trusted to perform the tasks assigned to it to ensure compartmentatlization",AC-6 LEAST PRIVILEGE,High,High 171 | 146,SSCP v1.0,Securing Artefacts,Rotation and revokation of private keys should be supported,"The system must be prepared for when, not if, its private keys are compromised. The ability to rotate and revoke private keys must be built into the distribution mechanism. Additionally, multiple keys must be used for different tasks or roles, and a threshold of keys must be required for important roles. Finally, minimal trust must be placed in high-risk keys like those that are stored online or used in automated roles.",SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT,High,High 172 | 147,SSCP v1.0,Securing Artefacts,Use a container registry that supports OCI image-spec images,An internal image registry should be deployed and configured to support internal artefact distribution with the security properties described in this section.,,High,High 173 | 148,SSCP v1.0,Securing Artefacts,Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities,"Ensure contents of the artefact remain confidential in transit and at rest, until it is consumed. These artefacts can be encrypted so that they are accessible by authorized parties, such as the clusters, vulnerability scanners, etc. t is recommended organizations use key management and distribution systems with identity and attestation mechanisms (e.g. SPIFFE/SPIRE)","SC-28(1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION 174 | SC-13 CRYPTOGRAPHIC PROTECTION 175 | SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY 176 | IA-5 AUTHENTICATOR MANAGEMENT 177 | SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT",High,High 178 | 149,SSCP v1.0,Securing Build Pipelines,Cryptographically guarantee policy adherence,The presence and output of each build step should be attested during the build. The CNCF maintains the in-toto project that can be used to secure a chain of pipeline stages end-to-end with cryptographic guarantees. Build metadata should be evaluated against the policy template by using tools such as Open Policy Agent. ,"CM-3(6) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT",High,High 179 | 150,SSCP v1.0,Securing Build Pipelines,Validate environments and dependencies before usage,"The build environment’s sources and dependencies must come from a secure, trusted source of truth. Checksums and any signatures should be validated both in the downloading or ingestion process, and again by the build worker. This should include validating package manager signatures, checking out specific Git commit hashes, and verifying SHA sums of input sources and binaries. After completing this validation, the downloading process should sign all binaries or libraries it is adding to the secure source","CM-3(2) CONFIGURATION CHANGE CONTROL | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES",Moderate to High,Moderate to High 180 | 151,SSCP v1.0,Securing Build Pipelines,Validate runtime security of build workers,"Out-of-band verification of runtime environment security, as defined by execution of policies using tools such as seccomp, AppArmor, and SELinux, provides defense in depth against attacks on build infrastructure. High privilege kernel capabilities such as debugger, device, and network attachments should be restricted and monitored.","CM-3(4) CONFIGURATION CHANGE CONTROL | SECURITY AND PRIVACY REPRESENTATIVES",Moderate to High,Moderate to High 181 | 152,SSCP v1.0,Securing Build Pipelines,Validate build artefacts through verifiably reproducible builds,"A verifiably reproducible build is a build process where, given a source code commit hash and a set of build instructions, an end user should be able to reproduce the built artefact bit for bit.","CM-3(4) CONFIGURATION CHANGE CONTROL | SECURITY AND PRIVACY REPRESENTATIVES 182 | CM-3(5) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE",High,High 183 | 153,SSCP v1.0,Securing Build Pipelines,Lock and Verify External Requirements from the build process,,"CM-3(2) CONFIGURATION CHANGE CONTROL | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES",Moderate to High,Moderate to High 184 | 154,SSCP v1.0,Securing Build Pipelines,Find and Eliminate Sources of Non-Determinism,Reproducible-builds.org documents and offers solutions for many of these things. Diffoscope41 can be used to dig in and find the cause of differences when tracking down sources of non-determinism.,,Moderate to High,Moderate to High 185 | 155,SSCP v1.0,Securing Build Pipelines,Record the Build Environment,Ensure best practices outlined in cloud native security paper are followed to deploy a secure orchestration layer,"CM-3(1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENTATION, NOTIFICATION, AND PROHIBITION OF CHANGES",High,High 186 | 156,SSCP v1.0,Securing Build Pipelines,Automate Creation of the Build Environment,,"CM-3(3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION",High,High 187 | 157,SSCP v1.0,Securing Build Pipelines,Distribute Builds across different infrastructure,,"CM-3(3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION",High,High 188 | 158,SSCP v1.0,Securing Build Pipelines,Build and related CI/CD steps should be automated through a pipeline delivered as code,,"SA-3 SYSTEM DEVELOPMENT LIFE CYCLE 189 | SA-11 DEVELOPER TESTING AND EVALUATION",Moderate to High,Moderate to High 190 | 159,SSCP v1.0,Securing Build Pipelines,Standardize pipelines across projects,,,Moderate to High,Moderate to High 191 | 160,SSCP v1.0,Securing Build Pipelines,Provision a secured orchestration platform to host software factory,,,Moderate to High,Moderate to High 192 | 161,SSCP v1.0,Securing Build Pipelines,Build workers should be single use,,AC-2 ACCOUNT MANAGEMENT,High,Moderate 193 | 162,SSCP v1.0,Securing Build Pipelines,Ensure software factory has minimal network connectivity,"The software factory should have no network connectivity other than to connect to the trusted sources of hardened source code, the dependency repository and code signing infrastructure.","SC-7(3) BOUNDARY PROTECTION | ACCESS POINTS",High,High 194 | 163,SSCP v1.0,Securing Build Pipelines,Segregate the duties of each build worker,,AC-5 SEPARATION OF DUTIES,High,High 195 | 164,SSCP v1.0,Securing Build Pipelines,Pass in build worker environment and commands,"Inorder to limit hostile tooling and persistent impants from attackers, a Build Worker should start with a clean and isolated environmment. It should not be able to pull its own environment. Ensure environment variables and commands are explicitly passed to avoid any complicated and opaque build process",CM-2(2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENC,High,High 196 | 165,SSCP v1.0,Securing Build Pipelines,Write output to separate secured storage repo,The output artefact should be written to a separate shared storage from the inputs. A process separate from the Build Worker should then upload that artefact to an appropriate repository.,AU-9(2) PROTECTION OF AUDIT INFORMATION | STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS,High,High 197 | 166,SSCP v1.0,Securing Build Pipelines,Only allow pipeline modification through “pipeline as code”,The pipeline configuration (pipeline as code) should be immutable and any modification shouldn't be possible. This prevents attackers from interacting and modifying the configuration. This model then requires appropriate authentication and authorization to be in place for the software and configuration of the pipeline,,Moderate to High,Moderate to High 198 | 167,SSCP v1.0,Securing Build Pipelines,Define user roles,,AC-2 ACCOUNT MANAGEMENT,Moderate to High,Moderate to High 199 | 168,SSCP v1.0,Securing Build Pipelines,Follow established practices for establishing a root of trust from an offline source,,"SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES 200 | IA-5(2) AUTHENTICATOR MANAGEMENT | PUBLIC KEY-BASED AUTHENTICATION 201 | SA-8(10) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HIERARCHICAL TRUST 202 | SR-4(4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",High,High 203 | 169,SSCP v1.0,Securing Build Pipelines,Use short-lived workload certificates,,"SC-23(5) SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES 204 | SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES",High,High 205 | 170,SSCP v1.0,Securing Deployments,Ensure clients can perform verification of artefacts and associated metadata,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High 206 | 171,SSCP v1.0,Securing Deployments,Ensure clients can verify the “freshness” of files,Ensure clients can access latest versions and can veriify if the provided files are out of date,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High 207 | 172,SSCP v1.0,Securing Deployments,Use an automated approach for managing software updates,"Consider using The Update Framework (TUF) to enforce the updating of software. TUF is a specification for delivering software updates in a secure, reliable and trusted way",,High,High 208 | 173,SSCP v1.0,Securing Materials,Verify third party artefacts and open source libraries,"All third party artefacts, open source libraries and any other dependencies should be verified as part of the continuous integration pipeline by validating their checksums against a known good source and validating any cryptographic signatures. Any software ingested must be scanned using Software Composition Analysis (SCA) and pentesting tools to detect whether any vulnerable open-source software is used in the final product.",SA-11 DEVELOPER TESTING AND EVALUATION,Moderate to High,Moderate to High 209 | 174,SSCP v1.0,Securing Materials,Require SBOM from third party suppliers,"Where possible, vendors should be required to provide Software Bills of Materials (SBOMs) containing the explicit details of the software and versions used within the supplied product as it provides a clear and direct link to the dependencies.",CM-8 INFORMATION SYSTEM COMPONENT INVENTORY ,High,High 210 | 175,SSCP v1.0,Securing Materials,Track dependencies between open source components,"A register should be maintained of a project’s open source components, dependencies and vulnerabilities to help trace any deployed artefacts with new vulnerabilities. One of the most popular open source inventory implementations is OWASP Dependency-Track.",CM-10 SOFTWARE USAGE RESTRICTIONS,Moderate to High,Moderate to High 211 | 176,SSCP v1.0,Securing Materials,Build libraries based upon source code,,,High,High 212 | 177,SSCP v1.0,Securing Materials,Define and prioritize trusted package managers and repositories,"Organizations should host their own package managers and artefact repositories, and restrict build machines to pull from only those sources.",,High,High 213 | 178,SSCP v1.0,Securing Materials,Generate an immutable SBOM of the code,There are currently two well known SBOM specifications: SPDX34 and CycloneDX,,Moderate to High,Moderate to High 214 | 179,SSCP v1.0,Securing Materials,Scan software for vulnerabilities,,"RA-5 VULNERABILITY MONITORING AND SCANNING 215 | SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",Moderate to High,Moderate to High 216 | 180,SSCP v1.0,Securing Materials,Scan software for license implications,Licensing obligations must also be factored into the ingestion process. The Linux Foundation maintains the Open Compliance Program36 which hosts several tools to ensure released software meets legal and regulatory compliance requirements.,CM-10 SOFTWARE USAGE RESTRICTIONS,Moderate to High,Moderate to High 217 | 181,SSCP v1.0,Securing Materials,Run software composition analysis on ingested software,"The SCA tool will attempt to use heuristics to identify the direct and transitive dependencies, and can also serve as verification of SBOM content. This data will then be matched against data from a number of data feeds containing vulnerability data to highlight any vulnerabilities in the dependent packages.",SA-11 (1) (8) & (9) DEVELOPER TESTING AND EVALUATION,Moderate to High,Moderate to High 218 | 182,SSCP v1.0,Securing the Source Code,Commits and tags are signed,GPG keys or S/MIME certificates are used to sign the source code,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High 219 | 183,SSCP v1.0,Securing the Source Code,Enforce full attestation and verification for protected branches,Branch protection is enabled on the mainline and release branches with force push disabled,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,High,High 220 | 184,SSCP v1.0,Securing the Source Code,Secrets are not committed to the source code repository unless encrypted,"Implement tooling to detect secrets or to prevent certain files from being pushed which may contain plaintext sensitive materials, such as via a .gitignore and/or .gitattributes file, client-side hook (pre-commit), server-side hook (pre-receive or update), and/or as a step in the CI process","SC-12(3) SYSTEMS & COMMUNICATION PROTECTION 221 | SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS",Moderate to High,Moderate to High 222 | 185,SSCP v1.0,Securing the Source Code,The individuals or teams with write access to a repository are defined,Implement codeowners (or equivalent),"PL-1 POLICY AND PROCEDURES 223 | AC-3 ACCESS ENFORCEMENT",High,High 224 | 186,SSCP v1.0,Securing the Source Code,Automate software security scanning and testing,"Security specific scans should be performed, including Static Application Security Tests (SAST) and Dynamic Application Security Tests (DAST). Both the coverage and results of these tests should be published as part of the repository information to help downstream consumers of software better assess the stability, reliability, and/or suitability of a product or library. ","RA-5 VULNERABILITY MONITORING AND SCANNING 225 | SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",Moderate to High,Moderate to High 226 | 187,SSCP v1.0,Securing the Source Code,Establish and adhere to contribution policies,"Define configuration options or configuration rules witthin SCM platforms allow repository administrators to enforce security, hygiene and operational policies.",PL-1 POLICY AND PROCEDURES,Moderate to High,Moderate to High 227 | 188,SSCP v1.0,Securing the Source Code,Define roles aligned to functional responsibilities,"Define roles by using principle of least privileges to provide access based on function such as Developer, Maintainer, Owner, Reviewer, Approver, and Guest",PL-1 POLICY AND PROCEDURES,Moderate to High,Moderate to High 228 | 189,SSCP v1.0,Securing the Source Code,Enforce an independent four-eyes principle,The author(s) of a request may not also be the approver of the request. At least two reviewers with equal or greater expertise should review & approve the request.,SA-11 DEVELOPER TESTING AND EVALUATION,Moderate to High,Moderate to High 229 | 190,SSCP v1.0,Securing the Source Code,Use branch protection rules,"SCM platforms allow the configuration and restriction of source code operations on individual branches. Protection rules can be used to enforce the usage of pull requests with specified precondition and approval rules, ensuring that a human code review process is followed or an automated status checking of a branch occurs. Additionally, protected branches can be used to disallow dangerous use of force pushes26, preventing the overwrite of commit histories and potential obfuscation of code changes.",SA-8 SECURITY ENGINEERING PRINCIPLES,Moderate to High,Moderate to High 230 | 191,SSCP v1.0,Securing the Source Code,Enforce MFA for accessing source code repositories,,IA-2(1) Identification and Authentication (organizational Users) | Multi-Factor Authenticaiton to Priviledged Accounts,Moderate to High,Moderate to High 231 | 192,SSCP v1.0,Securing the Source Code,Use SSH keys to provide developers access to source code repositories,,AC-1 REMOTE ACCESS,Moderate to High,Moderate to High 232 | 193,SSCP v1.0,Securing the Source Code,Have a key rotation policy,"It is recommended to implement a key rotation policy to ensure that compromised keys will cease to be usable after a certain period of time. When a private key is known to have been compromised, it should be revoked and replaced immediately to shut off access for any unauthorized user. Organizations may also consider using short lived certificates or keys, which reduces the reliance on certificate revocation systems.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High 233 | 194,SSCP v1.0,Securing the Source Code,Use short-lived/ephemeral credentials for machine/service access,"Short-life credential issuance encourages the use of fine grained permissions and automation in provisioning access tokens. For CI/CD pipeline agents, short-lived access tokens should be considered instead of password-based credentials. The use of very short-lived tokens like OAuth 2.0, OpenID Connect, etc., will help to implement more secure access and increase the security assurance.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High 234 | 195,CNSWP v2.0,Access,"Secrets are injected at runtime, such as environment variables or as a file",,IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators,N/A,N/A 235 | 196,CNSWP v2.0,Access,Applications and workloads are explicitly authorized to communicate with each other using mutual authentication,,IA-9 Service Identification and Authentication,N/A,N/A 236 | 197,CNSWP v2.0,Access,Keys are rotated frequently,,SC-12 Cryptographic Key Establishment and Management,N/A,N/A 237 | 198,CNSWP v2.0,Access,Key lifespan is short,,SC-12(3) Cryptographic Key Establishment and Management | Asymetric Key,N/A,N/A 238 | 199,CNSWP v2.0,Access,Credentials and keys protecting sensitive workloads (health/finance/etc) are customer managed (e.g. generated and managed independent of a cloud service provider),KMS and HMS are common technologies to achieve this. FIPS 140-2 compliance is strongly suggested. Cloud KMS tends to be FIPS 140-2 Level 2 or greater.,IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials,N/A,N/A 239 | 200,CNSWP v2.0,Access,Authentication and authorization are determined independently,,IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices,N/A,N/A 240 | 201,CNSWP v2.0,Access,Authentication and authorization are enforced independently,,IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices,N/A,N/A 241 | 202,CNSWP v2.0,Access,Access control and file permissions are updated in real-time,where possible as caching may permit unauthorized access,SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis,N/A,N/A 242 | 203,CNSWP v2.0,Access,Authorization for workloads is granted based on attributes and roles/permissions previously assigned,,AC-3(13) Access Enforcement | Attribute-Based Access Control,N/A,N/A 243 | 204,CNSWP v2.0,Access,ABAC and RBAC are used,,"AC-3(13) Access Enforcement | Attribute-Based Access Control 244 | AC-3(7) Access Enforcement | Role-Based Access Control",N/A,N/A 245 | 205,CNSWP v2.0,Access,"End user identity is capable of being accepted, consumed, and forwarded on for contextual or dynamic authorization",This can be achieved through the use of identity documents and tokens.,SC-7(19) Boundary Protection | Block Communication from Non-Organizationally Configured Hosts,N/A,N/A 246 | 206,CNSWP v2.0,Access,All cluster and workloads operators are authenticated,,IA-7 Cryptographic Module Authentication,N/A,N/A 247 | 207,CNSWP v2.0,Access,"cluster and worklods operate actions are evaluated against access control policies governing context, purpose, and output",,IA-7 Cryptographic Module Authentication,N/A,N/A 248 | 208,CNSWP v2.0,Access,Identity federation uses multi-factor authentication for human users,,IA-2(1)(2) Identification and Authentication (organizational Users) | Multi-Factor Authenticaiton to Priviledged & Non Priveledged Accounts,N/A,N/A 249 | 209,CNSWP v2.0,Access,HSMs are used to physically protect cryptographic secrets with an encryption key residing in the HSM,"If this is not possible, software-based credential managers should be used.","AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information 250 | SC-3(1) Security Function Isolation | Hardware Separation",N/A,N/A 251 | 210,CNSWP v2.0,Access,Secrets should have a short expiration period or time to live,Leverage tool-specific capabilities of secret manager,SI-12 Information Management and Retention,N/A,N/A 252 | 211,CNSWP v2.0,Access,Time to live and expiration period on secrets is verfied to prevent reuse,Leverage tool-specific capabilities of secret manager,AC-16(3) Security and Privacy Attributes | Maintenance of Attribute Associations by System,N/A,N/A 253 | 212,CNSWP v2.0,Access,Secrets management systems are highly available,,SC-12(1) Cryptographic Key Establishment and Management | Availability,N/A,N/A 254 | 213,CNSWP v2.0,Access,Long-lived secrets adhere to periodic rotation and revocation,"Long-lived secrets are not recommended, but some capabilities require them",SI-12 Information Management and Retention,N/A,N/A 255 | 214,CNSWP v2.0,Access,Secrets are distributed through secured communication channels protected commensurate with the level of access or data they are protecting,,AC-16 Security and Privacy Atributes,N/A,N/A 256 | 215,CNSWP v2.0,Access,"Secrets injected are runtime are masqued or dropped from logs, audit, or system dumps","Even short lived secrets may be resused if caught in time by an interested attacker. Logs, audit, and systems dumps (i.e. in-memory shared volumes instead of environment variables) are all areas where runtime injected secrets show up",AU-9(3) Protection of Audit Information | Cryptographic Protection,N/A,N/A 257 | 216,CNSWP v2.0,Compute,Bootstrapping is employed to verify correct physical and logical location of compute,Secure Boot with TPM 2.0 or similar control,"SI-7(9) Software, Firmware, and Information Integrity | Verify Boot Process",N/A,N/A 258 | 217,CNSWP v2.0,Compute,Disparate data sensitive workloads are not run on the same host OS kernel,"There are at least three implementing controls possible: workloads may be separated by running in a separate cluster, on a separate node, or by implementing pods in independent VMs. It is also possible to emulate the kernel via an application kernel (e.g. gvisor)",SC-7 Boundary Protection,N/A,N/A 259 | 218,CNSWP v2.0,Compute,Monitor and detect any changes to the initial configurations made in runtime,Preventative controls should be the primary control. Detective controls monitoring filesystem changes should be used to verify primary controls are operating properly.,CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency CM-3(7) Configuration Change Control | Review System Changes,N/A,N/A 260 | 219,CNSWP v2.0,Compute,API auditing is enabled with a filter for a specific set of API Groups or verbs,"API audits of the application, kubernetes API server, and kernel should be implemented.",AU-2 Event Logging,N/A,N/A 261 | 220,CNSWP v2.0,Compute,Container specific operating systems are in use,a read-only OS with other services disabled. This provides isolation and resource confinement that enables developers to run isolated applications on a shared host kernel,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 262 | 221,CNSWP v2.0,Compute,The hardware root of trust is based in a Trusted Platform Module (TPM) or virtual TPM (vTPM),"Ensure HW root of trust extends to the host OS kernel, modules, system images, container runtimes, and all software on the system.","SI-7 Software, Firmware, and Information Integrity",N/A,N/A 263 | 222,CNSWP v2.0,Compute,Minimize administrative access to the control plane,Enure both users and pods have the minimum necessary access,AC-6 Least Privilege,N/A,N/A 264 | 223,CNSWP v2.0,Compute,Object level and resource requests and limits are controlled through cgroups,"helps prevent exhaustion of node and cluster level resources by one misbehaving workload due to an intentional (e.g., fork bomb attack or cryptocurrency mining) or unintentional (e.g., reading a large file in memory without input validation, horizontal autoscaling to exhaust compute resources) issue","SI-7(16) Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision 265 | SI-7(17) Software, Firmware, and Information Integrity | Runtime Application Self-protection",N/A,N/A 266 | 224,CNSWP v2.0,Compute,Systems processing alerts are periodically tuned for false positives,"to avoid alert flooding, fatigue, and false negatives after security incidents that were not detected by the system",SI-4(13) System Monitoring | Analyze Traffic and Event Patterns,N/A,N/A 267 | 225,CNSWP v2.0,Compute,All orchestrator control plane components are configured to communicate via mutual authentication and certificate validation with a periodically rotated certificate,"In unfederated clusters, the CA should be used exclusively for the current cluster.",AC-3 Access Enforcement,N/A,N/A 268 | 226,CNSWP v2.0,Compute,"Only sanctioned capabilities and system calls (e.g. seccomp filters), are allowed to execute or be invoked in a container by the host operating system",Additional tooling should be installed that go beyond k8s capabilities to limit system calls. E.g. Falco.,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 269 | 227,CNSWP v2.0,Compute,"Changes to critical mount points and files are prevented, monitored, and alerted",,CM-5 Access Restrictions for Change,N/A,N/A 270 | 228,CNSWP v2.0,Compute,"Runtime configuration control prevents changes to binaries, certificates, and remote access configurations",,CM-5 Access Restrictions for Change,N/A,N/A 271 | 229,CNSWP v2.0,Compute,Runtime configuration prevents ingress and egress network access for containers to only what is required to operate,,SC-7 Boundary Protection,N/A,N/A 272 | 230,CNSWP v2.0,Compute,Policies are defined that restrict communications to only occur between sanctioned microservice pairs,,SC-7 Boundary Protection,N/A,N/A 273 | 231,CNSWP v2.0,Compute,"Use a policy agent to control and enforce authorized, signed container images",,CM-5 Access Restrictions for Change,N/A,N/A 274 | 232,CNSWP v2.0,Compute,Use a policy agent to control provenance assurance for operational workloads,,CM-5 Access Restrictions for Change,N/A,N/A 275 | 233,CNSWP v2.0,Compute,"Use a service mesh that eliminates implicit trust through data-in-motion protection (i.e. confidentiality, integrity, authentication, authorization)",,SC-7 Boundary Protection,N/A,N/A 276 | 234,CNSWP v2.0,Compute,"Use components that detect, track, aggregate and report system calls and network traffic from a container",should be leveraged to look for unexpected or malicious behavior,SI-4 System Monitoring,N/A,N/A 277 | 235,CNSWP v2.0,Compute,Workloads should be dynamically scanned to detect malicious or insidious behavior for which no known occurrence yet exists,"Events such as an extended sleep command that executes data exfiltration from etcd after the workload has been running for X amount of days are not expected in the majority of environments and therefore are not included in security tests. The aspect that workloads can have time or event delayed trojan horses is only detectable by comparing to baseline expected behavior, often discovered during thorough activity and scan monitoring",SI-3 Malicious Code Protection,N/A,N/A 278 | 236,CNSWP v2.0,Compute,Environments are continuously scanned to detect new vulnerabilities in workloads,"Vulnerabilities are constantly being discovered, just because it wasnt vulnerable at deploy, doesn't mean it won't be vulnerable in two weeks",RA-5 Vulnerability Monitoring and Scanning,N/A,N/A 279 | 237,CNSWP v2.0,Compute,"Actionable audit events are generated that correlate/contextualize data from logs into ""information"" that can drive decision trees/incident response",,AU-3 Content of Audit Records,N/A,N/A 280 | 238,CNSWP v2.0,Compute,Segregation of duties and the principle of least privilege is enforced,,AC-6 Least Privilege,N/A,N/A 281 | 239,CNSWP v2.0,Compute,Non-compliant violations are detected based on a pre-configured set of rules defined by the organization's policies,,"SI-7 Software, Firmware, and Information Integrity",N/A,N/A 282 | 240,CNSWP v2.0,Compute,Native secret stores encrypt with keys from an external Key Management Store (KMS),,SC-12(3) Systems & Communication Protection,N/A,N/A 283 | 241,CNSWP v2.0,Compute,Native secret stores are not configured for base64 encoding or stored in clear-text in the key-value store by default,Encoding is not encryption,SC-12(3) Systems & Communication Protection,N/A,N/A 284 | 242,CNSWP v2.0,Compute,Network traffic to malicious domains is detected and denied,,SI-4 System Monitoring,N/A,N/A 285 | 243,CNSWP v2.0,Compute,"Use encrypted containers for sensitive sources, methods, and data",,SC-28 Protection of Information at Rest,N/A,N/A 286 | 244,CNSWP v2.0,Compute,"Use SBOMs to identify current deployments of vulnerable libraries, dependencies, and packages",,CM-8 System Component Inventory,N/A,N/A 287 | 245,CNSWP v2.0,Compute,Processes must execute only functions explicitly defined in an allow list,,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 288 | 246,CNSWP v2.0,Compute,Functions are not be allowed to make changes to critical file system mount points,,CM-5 Access Restrictions for Change,N/A,N/A 289 | 247,CNSWP v2.0,Compute,Function access is only permitted to sanctioned services,Either through networking restrictions or least privilege in permission models,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A 290 | 248,CNSWP v2.0,Compute,Egress network connection is monitored to detect and prevent access to C&C (command and control) and other malicious network domains,,SI-4 System Monitoring,N/A,N/A 291 | 249,CNSWP v2.0,Compute,Ingress network inspection is employed detect and remove malicious payloads and commands,"For instance, SQL injection attacks can be detected using inspection.",SI-4 System Monitoring,N/A,N/A 292 | 250,CNSWP v2.0,Compute,Serverless functions are run in tenant-based resource or performance isolation for similar data classifications,This may impact the performance due to limitations in the address space available to the isolation environment and should be considered for only the most sensitive workloads.,SC-7(21) Boundary Protection | Isolation of System Components,N/A,N/A 293 | 251,CNSWP v2.0,Deploy,Trust confirmation verifies the image has a valid signature from an authorized source,,"SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED 294 | SR-4 (4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",N/A,N/A 295 | 252,CNSWP v2.0,Deploy,Image runtime policies are enforced prior to deployment,,"SI-7 (17) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION",N/A,N/A 296 | 253,CNSWP v2.0,Deploy,Image integrity and signature are verified prior to deployment,,"SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED 297 | SR-4 (4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",N/A,N/A 298 | 254,CNSWP v2.0,Deploy,"Applications provide logs regarding authentication, authorization, actions, and failures",,CM-3 CONFIGURATION CHANGE CONTROL,N/A,N/A 299 | 255,CNSWP v2.0,Deploy,Forensics capabilities are integrated into an incident response plan and procedures,,INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS,N/A,N/A 300 | 256,CNSWP v2.0,Deploy,"AI, ML, or statistical modeling are used for behavioural and heuristic environment analysis to detect unwanted activities",,SI-3 SYSTEM AND INFORMATION INTEGRITY,N/A,N/A 301 | 257,CNSWP v2.0,Develop,Establish a dedicated Production environment,"Ensure that production workloads are in a separate, dedicated environment from non-production workloads. In the context of containers, this can mean separate clusters. In the case of VMs, separate networks.",SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT,N/A,N/A 302 | 258,CNSWP v2.0,Develop,Leverage Dynamic deployments,"Blue/Green, Alpha/Beta, Canary, red-black deployments",SA-8(31) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE SYSTEM MODIFICATION,N/A,N/A 303 | 259,CNSWP v2.0,Develop,Integrate vulnerability and configuration scanning in both the IDE and at the CI system during pull request,,SA-11(1) DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS,N/A,N/A 304 | 260,CNSWP v2.0,Develop,"Establish dedicated development, testing, and production environment",,"SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS",N/A,N/A 305 | 261,CNSWP v2.0,Develop,Build tests for business-critical code,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 306 | 262,CNSWP v2.0,Develop,Build tests for business-critical infrastructure,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 307 | 263,CNSWP v2.0,Develop,Test suite able to be ran locally,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 308 | 264,CNSWP v2.0,Develop,Test suites should be available to run in a shared environment,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 309 | 265,CNSWP v2.0,Develop,Implement at least one other non-author reviewer/approver prior to merging,,SA-11(4) DEVELOPER TESTING AND EVALUATION | MANUAL CODE REVIEWS,N/A,N/A 310 | 266,CNSWP v2.0,Develop,Code should be clean and well commented,,,N/A,N/A 311 | 267,CNSWP v2.0,Develop,Full infrastructure tests are used,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 312 | 268,CNSWP v2.0,Develop,Regression tests are used,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 313 | 269,CNSWP v2.0,Develop,Test suites are updated against new and emerging threats and developed into security regressions tests,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A 314 | 270,CNSWP v2.0,Develop,Establish a dedicated Testing environment,,SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT,N/A,N/A 315 | 271,CNSWP v2.0,Develop,Continuous integration server is isolated and hardened,,SC-39 PROCESS ISOLATION,N/A,N/A 316 | 272,CNSWP v2.0,Develop,Use threat model results to determine ROI for test development,,SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES,N/A,N/A 317 | 273,CNSWP v2.0,Develop,Implement secure configuration as the default state of the system,"Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process",SA-8(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS,N/A,N/A 318 | 274,CNSWP v2.0,Distribute,"Should software artifacts become untrusted due to compromise or other incident, teams should revoke signing keys to ensure repudiation",,,N/A,N/A 319 | 275,CNSWP v2.0,Distribute,Artifacts ready for deployment are managed in a staging or pre-prod registry,,,N/A,N/A 320 | 276,CNSWP v2.0,Distribute,container images are hardened following best practices,"Images contain least permissions to remain functional, do not allow for shell, do not include unnecessary libraries and dependencies, do not bind mount files in from the host, etc.",,N/A,N/A 321 | 277,CNSWP v2.0,Distribute,Static application security testing (SAST) is performed,Static analysis is performed by dedicated SAST tools as well as linters,,N/A,N/A 322 | 278,CNSWP v2.0,Distribute,Test suites follow the test pyramid,,,N/A,N/A 323 | 279,CNSWP v2.0,Distribute,Artifacts undergoing active development are held in a private registery,,,N/A,N/A 324 | 280,CNSWP v2.0,Distribute,Scan application manifests in CI pipeline,,RA-5 VULNERABILITY MONITORING AND SCANNING,N/A,N/A 325 | 281,CNSWP v2.0,Distribute,CI server's for sensitive workloads are isolated from other workloads,,SC-39 PROCESS ISOLATION,N/A,N/A 326 | 282,CNSWP v2.0,Distribute,Builds requiring elevated privileges must run on dedicated servers,,SC-39 PROCESS ISOLATION,N/A,N/A 327 | 283,CNSWP v2.0,Distribute,Build policies are enforced on the CI pipeline,,SA-1 POLICY AND PROCEDURES,N/A,N/A 328 | 284,CNSWP v2.0,Distribute,Sign pipeline metadata,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 329 | 285,CNSWP v2.0,Distribute,Build stages are verified prior to the next stage executing,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 330 | 286,CNSWP v2.0,Distribute,Images are scanned within the CI pipeline,,"RA-5 VULNERABILITY MONITORING AND SCANNING 331 | SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",N/A,N/A 332 | 287,CNSWP v2.0,Distribute,Vulnerability scans are coupled with pipeline compliance rules,Prevent insecure images and artifacts from being deployed,SA-1 POLICY AND PROCEDURES,N/A,N/A 333 | 288,CNSWP v2.0,Distribute,Dynamic application security testing (DAST) is performed,,SA-11 (8) & (9) INTERACTIVE APPLICATION SECURITY TESTING,N/A,N/A 334 | 289,CNSWP v2.0,Distribute,Application instrumentation is employed,,SI-4 SYSTEM MONITORING,N/A,N/A 335 | 290,CNSWP v2.0,Distribute,Automated test results map back to requirements,"Requirements include feature, function, security, and complaince",,N/A,N/A 336 | 291,CNSWP v2.0,Distribute,Infrastructure security tests must be employed,"firewall rules open to the world, overprivileged Identity & Access Management (IAM) policies, unauthenticated endpoints, etc",,N/A,N/A 337 | 292,CNSWP v2.0,Distribute,Tests to verify the security health are executed at time of build and at time of deploy,to evaluate any changes or regressions that may have occurred throughout the lifecycle.,SI-4 SYSTEM MONITORING,N/A,N/A 338 | 293,CNSWP v2.0,Distribute,IaC is subject to the same pipeline policy controls as application code,,,N/A,N/A 339 | 294,CNSWP v2.0,Distribute,Security testing is automated,,"SA-11 DEVELOPER TESTING AND EVALUATION 340 | CA-8 PENETRATION TESTING",N/A,N/A 341 | 295,CNSWP v2.0,Distribute,Registries require mutually authenticated TLS for all registry connections,,IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION,N/A,N/A 342 | 296,CNSWP v2.0,Distribute,Image and metadata are signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 343 | 297,CNSWP v2.0,Distribute,Workload-related configuration is signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 344 | 298,CNSWP v2.0,Distribute,Workload-related package is signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 345 | 299,CNSWP v2.0,Distribute,Validate integrity of images,,SI-7 SYSTEM & INFORMATION INTEGRITY,N/A,N/A 346 | 300,CNSWP v2.0,Distribute,Scan images for vulnerabilities and malware,,"RA-5 VULNERABILITY MONITORING AND SCANNING 347 | SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",N/A,N/A 348 | 301,CNSWP v2.0,Distribute,Enable image signing key revokation in the event of compromise,,SI-7 SYSTEM & INFORMATION INTEGRITY,N/A,N/A 349 | 302,CNSWP v2.0,Distribute,Security updates are prioritized,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A 350 | 303,CNSWP v2.0,Distribute,"HSMs or credential managers should be used for protecting credentials. If this is not possible, software-based credential managers should be used.",,SC-12(3) SYSTEMS & COMMUNICATION PROTECTION,N/A,N/A 351 | 304,CNSWP v2.0,Distribute,Container image scanning findings are acted upon,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A 352 | 305,CNSWP v2.0,Distribute,Organizational compliance rules are enforced,,PL-1 POLICY AND PROCEDURES,N/A,N/A 353 | 306,CNSWP v2.0,Distribute,Incremental hardening of the infrastructure is employed,,,N/A,N/A 354 | 307,CNSWP v2.0,Distribute,pulls from public registries are controlled and only from authorized engineers or internal registries,,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,N/A,N/A 355 | 308,CNSWP v2.0,Distribute,Image encryption is coupled with key management attestation and/or authorization and credential distribution,This restricts the image to only be deployed to authorized platforms. Container image authorization is useful for compliance use cases such as geo-fencing or export control and digital rights media management,"SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS 356 | SC-12(3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS",N/A,N/A 357 | 309,CNSWP v2.0,Distribute,At-risk applications are prioritized for remediation by the exploit maturity and vulnerable path presence in addition to the CVSS score,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A 358 | 310,CNSWP v2.0,Security Assurance,Network policies enforce east-west network communication within the container deployment is limited to only that which is authorized for access,,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,N/A,N/A 359 | 311,CNSWP v2.0,Security Assurance,Incident reponse considers cloud native workloads,"workloads which may not always conform with some underlying assumptions about node isolation (new pod instances could run on a different server), networking (e.g. IP addresses are assigned dynamically) and immutability (e.g. runtime changes to container are not persisted across restarts)","IR-4 INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES 360 | IR-4(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM 361 | CA-7 CONTINUOUS MONITORING",N/A,N/A 362 | 312,CNSWP v2.0,Security Assurance,Incident response accounts for appropriate evidence handling and collection of coud native workloads,,"IR-5(1) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS",N/A,N/A 363 | 313,CNSWP v2.0,Security Assurance,Rootless builds are employed,,,N/A,N/A 364 | 314,CNSWP v2.0,Security Assurance,cgroups and system groups are used to isolate workloads and deployments,,,N/A,N/A 365 | 315,CNSWP v2.0,Security Assurance,MAC implementations are employed,"SELinux, AppArmor",AC-3(3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL,N/A,N/A 366 | 316,CNSWP v2.0,Security Assurance,Threat model code and infrastructure,"While various strategies are available, the MITRE ATT&CK matrix is an excellent starting point",SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES,N/A,N/A 367 | 317,CNSWP v2.0,Security Assurance,Entities are able to independently authenticate other identities,Public Key Infrastructure,IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION,N/A,N/A 368 | 318,CNSWP v2.0,Security Assurance,Each entity can create proof of who the identity is,,IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION,N/A,N/A 369 | 319,CNSWP v2.0,Security Assurance,"Orchestrator is running on an a trusted OS, BIOS, etc",,CM-14 SIGNED COMPONENTS,N/A,N/A 370 | 320,CNSWP v2.0,Security Assurance,Orchestrator verifies the claims of a container,,SI-6 SECURITY AND PRIVACY FUNCTION VERIFICATION,N/A,N/A 371 | 321,CNSWP v2.0,Security Assurance,Orchestrator network policies are used in conjunction with a service mesh,,,N/A,N/A 372 | 322,CNSWP v2.0,Security Assurance,Adhere to supply chain security best practices,The SSCP controls in this document provide the necessary controls for best practices,,N/A,N/A 373 | 323,CNSWP v2.0,Security Assurance,Restrict access to repository and branches,The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 374 | 324,CNSWP v2.0,Security Assurance,Never store unencrypted credentials or secrets in the Git repository and block sensitive data being pushed to Git,The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 375 | 325,CNSWP v2.0,Security Assurance,"Enforce strong identity with GPG Signed Commits, to give accountability and traceability",The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 376 | 326,CNSWP v2.0,Security Assurance,Require linear history and maintain a commit history by disallowing force pushes,The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 377 | 327,CNSWP v2.0,Security Assurance,Enforce branching policy. Especially protect the main branch and require code review before merging,The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 378 | 328,CNSWP v2.0,Security Assurance,"Monitor for vulnerabilities, and keep Git and GitOps tools up to date",The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 379 | 329,CNSWP v2.0,Security Assurance,"Rotate SSH keys and Personal Access Tokens, block unauthorized access to Git repositories",The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 380 | 330,CNSWP v2.0,Security Assurance,Utilize a dedicated non-user technical account for access where credentials are frequently rotated and short-lived,The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 381 | 331,CNSWP v2.0,Security Assurance,Limit users who can elevate permissions to remove security features to cover their tracks via deletion of audit trails and silencing of alerts,The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices,,N/A,N/A 382 | 332,CNSWP v2.0,Storage,Storage control plane management interface requires mutual authentication and TLS for connections,,SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY,N/A,N/A 383 | 333,CNSWP v2.0,Storage,"Data availability is achieved through parity or mirroring, erasure coding or replicas",,SI-13 PREDICTABLE FAILURE PREVENTION,N/A,N/A 384 | 334,CNSWP v2.0,Storage,"Hashing and checksums are added to blocks, objects or files","primarily designed to detect and recover from corrupted data, but can also add a layer of protection against the tampering of data.","CM-7 LEAST FUNCTIONALITY 385 | SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 386 | 335,CNSWP v2.0,Storage,Data backup storage and data source storage should have same security controls,,"SA-9 EXTERNAL SYSTEM SERVICES 387 | SC-30 CONCEALMENT AND MISDIRECTION",N/A,N/A 388 | 336,CNSWP v2.0,Storage,Secure erasure adhering to OPAL standards is employed for returned or non-functional devices,," 389 | CP-9 SYSTEM BACKUP 390 | MP-6 MEDIA SANITIZATION",N/A,N/A 391 | 337,CNSWP v2.0,Storage,"Encryption at rest considers data path, size, and frequency of access when determing additional security protections and cryptographic algorithms to employ","The encryption may be implemented in the storage client or storage server and granularity of the encryption will vary by system (e.g. per volume, per group or global keys)",SC-28 PROTECTION OF INFORMATION AT REST,N/A,N/A 392 | 338,CNSWP v2.0,Storage,Caching is considered for determining encryption requirements in archictures,,,N/A,N/A 393 | 339,CNSWP v2.0,Storage,Namespaces have defined trust boundaries to cordon access to volumes,,,N/A,N/A 394 | 340,CNSWP v2.0,Storage,Security policies are used to prevent containers from accessing volume mounts on worker nodes,,"SC-7 BOUNDARY PROTECTION 395 | SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES 396 | CM-6 CONFIGURATION SETTINGS",N/A,N/A 397 | 341,CNSWP v2.0,Storage,Security policies are used enforce authorized worker node access to volumes,,"SC-7 BOUNDARY PROTECTION 398 | SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES 399 | CM-6 CONFIGURATION SETTINGS",N/A,N/A 400 | 342,CNSWP v2.0,Storage,Volume UID and GID are inaccessible to containers,,"AC-4 INFORMATION FLOW ENFORCEMENT 401 | AC-16 SECURITY AND PRIVACY ATTRIBUTES 402 | SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A 403 | 343,CNSWP v2.0,Storage,Artifact registry supports OCI artifacts,,,N/A,N/A 404 | 344,CNSWP v2.0,Storage,Artifact registry supports signed artifacts,,CM-14 SIGNED COMPONENTS,N/A,N/A 405 | 345,CNSWP v2.0,Storage,Artifact registry verifies artifacts against organizational policies,,"AU-10 NON-REPUDIATION 406 | CM-6 CONFIGURATION SETTINGS",N/A,N/A -------------------------------------------------------------------------------- /csv_to_oscal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import csv 4 | import logging 5 | import sys 6 | from argparse import ArgumentParser 7 | from datetime import datetime, timezone 8 | from os import PathLike 9 | from pathlib import Path 10 | from typing import NamedTuple 11 | from uuid import uuid4 12 | 13 | from trestle.oscal.catalog import Catalog, Control 14 | from trestle.oscal.common import Metadata, Property 15 | from pydantic.error_wrappers import ValidationError 16 | 17 | class CloudNativeControlCsvRow(NamedTuple): 18 | origin_doc: str 19 | section: str 20 | title: str 21 | implementation: str 22 | nist_sp80053_refs: str 23 | assurance_level: str 24 | risk_categories: str 25 | 26 | 27 | def read_csv(file_path: PathLike, *args, **kwargs) -> list[list[str]]: 28 | try: 29 | with open(file_path, "r", newline="", encoding="UTF-8") as fd: 30 | csv_reader = csv.reader(fd, *args, **kwargs) 31 | return list(csv_reader) 32 | except FileNotFoundError: 33 | logging.error(f"File not found a path: {file_path}") 34 | sys.exit(1) 35 | except Exception as err: 36 | logging.exception(f"error reading csv: {err}") 37 | sys.exit(1) 38 | 39 | 40 | def transform_csv(csv_rows: list[list[str]]) -> list[CloudNativeControlCsvRow]: 41 | try: 42 | controls = [] 43 | header_cols = ( 44 | True if csv_rows and len(csv_rows) > 0 and len(csv_rows[0]) > 0 else False 45 | ) 46 | header_cols_count = len(csv_rows[0]) if header_cols else None 47 | 48 | for idx, r in enumerate(csv_rows): 49 | if header_cols and idx == 0: 50 | continue 51 | 52 | if not r or not len(r) == header_cols_count: 53 | logging.error(f"Row {idx} does not have correct column count") 54 | sys.exit(1) 55 | 56 | # Remove ID in column 0, we do not need it, keep the rest 57 | controls.append(CloudNativeControlCsvRow(*r[1:])) 58 | 59 | return controls 60 | except (ValueError, IndexError) as err: 61 | logging.error(f"Error in Transform CSV: {err}") 62 | sys.exit(1) 63 | except Exception as err: 64 | logging.exception(f"Unknown error in transforming CSV: {err}") 65 | sys.exit(1) 66 | 67 | 68 | def sanitize_value(value: str) -> str: 69 | value = value.removeprefix("\n").removesuffix(" ").replace("\n", ", ") 70 | return value 71 | 72 | 73 | def create_catalog(controls: list[CloudNativeControlCsvRow]) -> Catalog: 74 | oscal_controls = [] 75 | 76 | for idx, c in enumerate(controls): 77 | props = [] 78 | try: 79 | props.append(Property(name="section", value=c.section)) 80 | props.append(Property(name="assurance-level", value=c.assurance_level)) 81 | props.append(Property(name="risk-categories", value=c.risk_categories)) 82 | if c.implementation: 83 | value = sanitize_value(c.implementation) 84 | props.append(Property(name="description", value=value)) 85 | if c.nist_sp80053_refs: 86 | value = sanitize_value(c.nist_sp80053_refs) 87 | props.append(Property(name="refs", value=value)) 88 | except ValidationError as e: 89 | print(c) 90 | raise e 91 | oscal_control = Control(id=f"control-{idx+1}", 92 | title=c.title, 93 | class_=c.origin_doc.replace(' ', '-'), 94 | props=props) 95 | oscal_controls.append(oscal_control) 96 | 97 | timestamp = datetime.now() 98 | timestamp = timestamp.replace(tzinfo=timezone.utc) 99 | metadata = Metadata( 100 | title="Cloud Native Security Controls Catalog", 101 | last_modified=timestamp.isoformat(), 102 | version="0.0.1", 103 | oscal_version="1.0.4", 104 | ) 105 | 106 | return Catalog(uuid=str(uuid4()), metadata=metadata, controls=oscal_controls) 107 | 108 | 109 | def write_catalog(catalog: Catalog, output: PathLike) -> None: 110 | with open(output, "w") as fh: 111 | fh.write(catalog.json(exclude_unset=True, indent=4)) 112 | 113 | 114 | def get_args_config() -> dict: 115 | """Turn parse arguments into a config""" 116 | parser = ArgumentParser() 117 | 118 | parser.add_argument( 119 | "--input", 120 | type=Path, 121 | default=Path(__file__).absolute().parent / "controls/controls_catalog.csv", 122 | help="The input file", 123 | ) 124 | 125 | parser.add_argument( 126 | "--output", 127 | type=Path, 128 | default=Path(__file__).absolute().parent / "controls/controls_catalog.json", 129 | help="The output file", 130 | ) 131 | 132 | return vars(parser.parse_args()) 133 | 134 | 135 | def run(): 136 | try: 137 | args = get_args_config() 138 | 139 | input_file = args["input"] 140 | output_file = args["output"] 141 | 142 | csv_rows = read_csv(input_file) 143 | controls = transform_csv(csv_rows) 144 | catalog = create_catalog(controls) 145 | write_catalog(catalog, output_file) 146 | except Exception as err: 147 | raise err 148 | 149 | 150 | if __name__ == "__main__": 151 | run() 152 | --------------------------------------------------------------------------------