CSPM Controls (Preview)

Overview

With the CSPM Controls library, you can see the logic behind the compliance results by drilling into the control details:

  • To ensure that this compliance product is fit for your organization’s needs
  • To know precisely what has been or will be evaluated
  • To review a specific control to see its logic and remediation

The features are under development.

Prerequisites

This feature requires the Actionable Compliance component, also currently in preview state.

If necessary, review:

How Controls are Structured

Sysdig controls are built on the Open Policy Agent (OPA) engine, using OPA’s policy language, Rego. The CSPM Controls library exposes the code used to create the controls and the inputs they evaluate, providing full visibility into their logic. You can download the code as a JSON file.

  1. Select Policies > Actionable Compliance | CSPM Controls.

  2. Select a specific control to open it in the right panel and work with it.

Filter the List

Use the unified filter bar on the left side to limit the control list by:

  • Name: Select Contains and enter free text; any word or part of a word in the control name matches
  • Severity: Choose the severity level(s) assigned to the control(s) from the drop-down list
  • Type: Choose an infrastructure type from the drop-down list

Add multiple parameters to create more specific filter expressions.

Review Control Logic and Remediation

  1. Select a specific control.

  2. Review basic attributes. At the top of the right panel you can see:

    • Control title

    • Severity

    • Type (e.g. Host)

    • Author (e.g. Sysdig for out-of-the-box controls)

    • Description

    • The policies to which the control is linked.

      Hover over the policy names to get full details, such as the exact requirement number for the particular compliance standard.

  3. Code: Use the provided code snippets.

    At this time, the code provides visibility into the precise objects that are evaluated and how the evaluation rules are structured. The display includes Inputs (where applicable) and the evaluation code written in Rego.

    • You can copy and/or download the input as a .json file and the

  4. Remediation Playbook: Follow the recommended steps in the Remediation Playbook to resolve failing controls.

    In some cases, you will need to supply the applicable input values yourself in the remediation code.
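To make the structure described above concrete (a control written in Rego that evaluates a JSON input and emits findings plus remediation hints, as shown in the Code and Remediation Playbook steps), here is an added example. It is not a Sysdig control and not taken from the CSPM Controls library; the package name, the input shape (a host's parsed sshd_config as a list of key/value entries) and the setting names are constructed assumptions for illustration only.

```rego
package cspm.example.sshd

import rego.v1

# Hypothetical input shape, not Sysdig's real schema. The evaluated object
# is a host's parsed sshd_config as a list of key/value entries, e.g.:
#
# {
#   "host": "node-01",
#   "sshd_config": [
#     {"key": "PermitRootLogin",        "value": "yes"},
#     {"key": "PasswordAuthentication", "value": "no"}
#   ]
# }

# Settings this control enforces and the value each must have.
required_settings := {
	"PermitRootLogin": "no",
	"PasswordAuthentication": "no",
	"PermitEmptyPasswords": "no",
}

# All values the host sets for a given key (sshd_config may repeat keys).
values_for(key) := [entry.value |
	some entry in input.sshd_config
	entry.key == key
]

# Finding: the setting is absent, so sshd silently falls back to its default.
findings contains finding if {
	some key, expected in required_settings
	count(values_for(key)) == 0
	finding := {"key": key, "expected": expected, "actual": null, "reason": "not set"}
}

# Finding: the setting is present but holds a non-compliant value.
findings contains finding if {
	some key, expected in required_settings
	some actual in values_for(key)
	actual != expected
	finding := {"key": key, "expected": expected, "actual": actual, "reason": "wrong value"}
}

# The control passes only when no finding was produced.
default pass := false

pass if count(findings) == 0

# One remediation hint per finding, in the shape a playbook could render.
remediation contains msg if {
	some f in findings
	msg := sprintf("set '%s %s' in /etc/ssh/sshd_config and reload sshd", [f.key, f.expected])
}
```

Saved as control.rego next to an input.json holding the document sketched in the comment, `opa eval -i input.json -d control.rego 'data.cspm.example.sshd'` evaluates it locally: `pass` is false, `findings` lists PermitRootLogin (wrong value) and PermitEmptyPasswords (not set), and `remediation` carries the matching two hints. Splitting "not set" from "wrong value" matters because a missing directive is judged against the daemon's default, which is the kind of detail the Inputs view lets you verify before trusting a result.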