Release · v2026.06-rc5

FINOS-CCC/CCC.Build.CN Control Catalog

Controls for Build technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.build.cn --tag v2026.06-rc5

Coordinate: oci.grc.store/finos-ccc/ccc.build.cn:v2026.06-rc5
Manifest digest: sha256:025facb3b2fbc7f552f0adba7a1b6ab69fda81f91f19df6807a7cf6749d17f72

Provenance

1 layer

Digest          Media type                                Size
4525739f6877…   application/vnd.gemara.artifact.v1+yaml   4.9 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.Build.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.build.cn",
            "tag": "v2026.06-rc5"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26771723499",
          "GITHUB_SHA": "a9503345caf59a144d8ab9b4bede212b393ca56a",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/devtools/build/controls.yaml",
            "uri": "file://artifacts/devtools/build/controls.yaml",
            "digest": {
              "sha256": "4525739f6877607e5ffe2d06d9681f649ef57ef14a4ede3472f21ad63dae17ee"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@a9503345caf59a144d8ab9b4bede212b393ca56a",
            "digest": {
              "gitCommit": "a9503345caf59a144d8ab9b4bede212b393ca56a"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26771723499",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26771723499-1",
          "startedOn": "2026-06-01T17:47:47.260102921Z",
          "finishedOn": "2026-06-01T17:47:47.367018278Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "4525739f6877607e5ffe2d06d9681f649ef57ef14a4ede3472f21ad63dae17ee"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.Build.CN",
      "role": "artifact"
    }
  ]
}

CCC Build Controls

Controls for Build technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.Build.CN
Version: v2026.06-rc5
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Orchestration

The Orchestration group covers entries related to coordinating and managing workloads across distributed systems. This includes container orchestration, job scheduling, CI/CD pipelines, build automation, and service mesh management.

  1. CCC.Build.CN01 Restrict Allowed Build Agents

    Objective

    Ensure that builds are executed only on authorized build agents to maintain control over the build environment and prevent unauthorized code execution.

    Assessment requirements
    1. Attempt to initiate a build using an unauthorized build agent and verify that the build is rejected.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.AC-4
    • NIST_800_53
      • AC-3
      • AC-6
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH01
  2. CCC.Build.CN02 Restrict Allowed External Services for Build Triggers

    Objective

    Ensure that builds can only be triggered by authorized external services or repositories to prevent unauthorized code execution or tampering.

    Assessment requirements
    1. Attempt to trigger a build from an unauthorized external service or repository and verify that the build does not start.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.AC-4
    • NIST_800_53
      • AC-3
      • AC-6
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH01

Networking

The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.

  1. CCC.Build.CN03 Deny External Network Access for Build Environments

    Objective

    Ensure that build environments do not have external network access to prevent unauthorized external access and data exfiltration.

    Assessment requirements
    1. Attempt to access the build environment from an external network and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.AC-5
    • NIST_800_53
      • SC-7
      • SC-5
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH02
      • CCC.Core.TH05