Fintech & regulatory

Compliance

How the current policy set maps to common compliance frameworks. Coverage is advisory: it is measured against the controls mapped in opserapol, not the full framework, and is not an audit artifact.

PCI DSS4.0100%

Payment Card Industry Data Security Standard

14 of 14 mapped controls covered
SOC 22017 TSC100%

AICPA Trust Services Criteria (Security)

6 of 6 mapped controls covered
CIS Kubernetes Benchmarkv1.8100%

Section 5 — policies enforceable at admission

16 of 16 mapped controls covered
NIST SP 800-53rev. 5100%

Security and privacy controls

13 of 13 mapped controls covered
ISO/IEC 270012022100%

Annex A controls

7 of 7 mapped controls covered
DORAEU 2022/2554100%

Digital Operational Resilience Act (EU financial entities)

5 of 5 mapped controls covered
ISO/IEC 27001 2022iso-27001
7/7 (100%)
ControlTitleMapped policies
A.8.2Privileged access rights
A.8.7Protection against malware
A.8.8Management of technical vulnerabilities
A.8.9Configuration management
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
A.8.16Monitoring activities
A.8.20Networks security
A.8.25Secure development life cycle