ACTA

Container Security
Built for Compliance

ACTA is a self-hosted container security platform that maps every finding to DISA controls, CCI identifiers, and NIST frameworks — giving compliance teams exactly what they need for Authority to Operate.

Scan container images, Dockerfiles, and Kubernetes manifests in a single pass
Every finding mapped to DISA, NIST 800-53, and FedRAMP controls out of the box
ATO artifact generation: POA&M, STIG checklists, and evidence packages — not just vulnerability lists
ENGINES: GRYPE // TRIVY
SITUATION REPORT

General-purpose scanners weren't built for regulated environments

Tools like Trivy, Grype, and Snyk find vulnerabilities — but they stop there. Compliance teams still have to manually map findings to DISA controls, build POA&M spreadsheets, generate STIG checklists, and assemble ATO evidence packages. That manual translation layer is where timelines slip, audits stall, and risk gets lost in spreadsheets.

ACTA closes that gap. It scans the same artifacts, then carries every finding through to the compliance deliverables your ISSM actually needs.

MOST CONTAINER SECURITY TOOLS FOCUS ON: FINDING VULNERABILITIES.
WE FOCUS ON: GETTING YOU TO AUTHORIZATION.
Scan results without ATO artifacts are just noise. ACTA closes the loop.
CAPABILITY BRIEF

What ACTA Does

Six integrated modules. One scan pipeline. Every artifact your ISSM needs.

CAP-01 // MULTI-ENGINE VULN SCAN

Multi-Engine Vulnerability Scanning

Powered by Grype and Trivy with automatic cross-engine deduplication. Select one or both engines per scan. Every finding is enriched with EPSS exploit probability scores and CISA Known Exploited Vulnerability (KEV) flags, then ranked by a composite risk score that weighs CVSS, EPSS, and KEV status together — so your team triages what matters first.

GRYPE // TRIVY // EPSS // KEV // CVSS
CAP-02 // DOCKERFILE COMPLIANCE

Dockerfile Compliance

Automated checks against the DISA Container Image Creation Guide: non-root user enforcement, no SSH daemons, HEALTHCHECK required, COPY over ADD, no privileged ports, no embedded secrets, and approved base image validation. Each check maps directly to a DISA control and CCI identifier.

DISA CIC // CCI // STIG
CAP-03 // K8S MANIFEST ANALYSIS

Kubernetes Manifest Analysis

Validates deployment manifests for resource limits, security contexts, liveness and readiness probes, read-only root filesystems, and host namespace isolation. Findings map to DISA Container Deployment Environment controls.

DISA CDE // CCI // KUBERNETES
CAP-04 // SBOM & LICENSING

SBOM Generation and Licensing

Syft-powered CycloneDX SBOMs with license extraction for every package. Deny/allow lists for SPDX license expressions support FAR/DFARS-aware procurement decisions. Vendor SBOMs can be imported, vulnerability-matched, and evaluated for completeness.

CYCLONEDX // SPDX // FAR/DFARS // SYFT
CAP-05 // ATO ARTIFACTS

ATO Artifact Generation

Produces eMASS-importable POA&M CSVs, STIG CKL XML checklists, and NIST 800-53 control assessment JSON — directly from scan results. No manual mapping, no copy-paste.

eMASS // POA&M // STIG CKL // NIST 800-53
CAP-06 // CONTINUOUS ATO

Continuous ATO (cATO)

Baseline management, drift detection, evidence packaging, and CI/CD posture gates. Set an approved baseline, monitor for degradation, and generate evidence packages for ISSM review on demand.

cATO // CI/CD // BASELINE // DRIFT DETECTION
PHASE 01 // SCAN

Multi-Engine Vulnerability Scan

Grype and Trivy run in parallel against your container image. Findings are deduplicated, enriched with EPSS and KEV data, and ranked by composite risk score.
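To make the CAP-01 and Phase 01 description concrete, here is an added Go example, not ACTA's code, of cross-engine deduplication followed by composite ranking. The findings, EPSS values and KEV flags are constructed and the CVE IDs are placeholders; the 50/30/20 weighting is an assumption for illustration, since ACTA's actual weights are not given on this page. The point it demonstrates is that a KEV-listed 7.8 with a high EPSS outranks an unexploited 9.8.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one engine's report of a vulnerability in a package.
type Finding struct {
	Engine   string
	CVE      string
	Package  string
	Version  string
	Severity string
	CVSS     float64
}

// Enrichment is the EPSS probability and CISA KEV flag looked up for a CVE.
type Enrichment struct {
	EPSS float64
	KEV  bool
}

// Ranked is a deduplicated finding with its enrichment and composite risk score.
type Ranked struct {
	Finding
	Engines []string // every engine that reported it
	EPSS    float64
	KEV     bool
	Risk    float64
}

// compositeRisk is an assumed weighting for this example, not ACTA's published formula:
// normalised CVSS carries 50%, EPSS 30%, and a KEV listing adds a flat 20%, so an
// actively exploited 7.8 outranks an unexploited 9.8.
func compositeRisk(cvss, epss float64, kev bool) float64 {
	risk := 0.5*(cvss/10.0) + 0.3*epss
	if kev {
		risk += 0.2
	}
	return risk
}

// Dedup merges findings from several engines on (CVE, package, version), keeps the
// highest CVSS any engine reported, enriches each with EPSS/KEV, and ranks by risk.
func Dedup(findings []Finding, enrich map[string]Enrichment) []Ranked {
	merged := map[string]*Ranked{}
	for _, f := range findings {
		f.CVE = strings.ToUpper(f.CVE) // engines differ in case; normalise before keying
		key := f.CVE + "|" + f.Package + "|" + f.Version
		r, seen := merged[key]
		if !seen {
			r = &Ranked{Finding: f}
			merged[key] = r
		} else if f.CVSS > r.CVSS {
			r.CVSS, r.Severity = f.CVSS, f.Severity
		}
		r.Engines = append(r.Engines, f.Engine)
	}
	out := make([]Ranked, 0, len(merged))
	for _, r := range merged {
		e := enrich[r.CVE]
		r.EPSS, r.KEV = e.EPSS, e.KEV
		r.Risk = compositeRisk(r.CVSS, r.EPSS, r.KEV)
		out = append(out, *r)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Risk != out[j].Risk {
			return out[i].Risk > out[j].Risk
		}
		return out[i].CVE < out[j].CVE // deterministic order for ties
	})
	return out
}

// SampleRanked runs Dedup over constructed findings. The CVE IDs are placeholders, not real CVEs.
func SampleRanked() []Ranked {
	findings := []Finding{
		{"grype", "CVE-0000-0001", "openssl", "3.0.1", "High", 7.5},
		{"trivy", "cve-0000-0001", "openssl", "3.0.1", "High", 7.8}, // same bug, different case and score
		{"trivy", "CVE-0000-0002", "curl", "8.1.0", "Critical", 9.8},
		{"grype", "CVE-0000-0003", "zlib", "1.2.11", "Medium", 5.3},
	}
	enrich := map[string]Enrichment{ // constructed EPSS/KEV values
		"CVE-0000-0001": {EPSS: 0.92, KEV: true},
		"CVE-0000-0002": {EPSS: 0.02, KEV: false},
		"CVE-0000-0003": {EPSS: 0.001, KEV: false},
	}
	return Dedup(findings, enrich)
}

func main() {
	fmt.Printf("%-14s %-8s %-5s %-5s %-5s %-5s %s\n", "CVE", "PACKAGE", "CVSS", "EPSS", "KEV", "RISK", "ENGINES")
	for _, r := range SampleRanked() {
		fmt.Printf("%-14s %-8s %-5.1f %-5.3f %-5t %-5.2f %s\n",
			r.CVE, r.Package, r.CVSS, r.EPSS, r.KEV, r.Risk, strings.Join(r.Engines, ","))
	}
}
```

Keying on (CVE, package, version) rather than CVE alone matters: the same CVE in two different packages is two remediation items, while the same package reported by two engines is one. Whatever weighting you choose, keep the KEV term large enough that a known-exploited issue can never be buried under a higher CVSS with no exploitation evidence.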

PHASE 02 // COMPLY

Automated Compliance Mapping

Dockerfile and Kubernetes manifests are validated against DISA STIG controls. Every finding maps to a CCI identifier. SBOM license analysis flags FAR/DFARS compliance risks.

PHASE 03 // AUTHORIZE

ATO Artifact Generation & Baseline Lock

POA&M CSVs, STIG CKL checklists, and NIST 800-53 assessment JSON are generated from scan data. Set your baseline. Monitor drift. Package evidence for your ISSM.

POLICY ENGINE

Composable Policy Engine

YAML-based, auditable, and designed for real-world compliance workflows. Policies define rules with configurable thresholds, actions, and per-environment overrides — so the same policy can FAIL in production and WARN in development.

Built-in Compliance Packs

Pre-built policy packs aligned to major frameworks. Combine multiple packs per scan.

Pack                    | Description
DISA CIC                | Container Image Creation requirements (8 rules)
DISA CDE                | Container Deployment Environment requirements (6 rules)
Vulnerability Gates     | Severity threshold enforcement (5 rules)
Iron Bank Pipeline      | Iron Bank container hardening (7 rules)
Procurement Validation  | OMB M-22-18 procurement compliance (5 rules)
NIST 800-53             | Control family mapping (7 rules)
NIST 800-190            | Container-specific security (7 rules)
FedRAMP High            | FedRAMP High baseline thresholds (4 rules)

Environment Overrides

Rules behave differently per deployment target. A critical vulnerability can block production deploys while only warning in development — same policy file, no duplication.

Waivers with Accountability

Temporarily exempt specific CVEs with tracked, expiring waivers tied to ticket numbers. Blast radius analysis shows what a waiver covers. Expiration alerts prevent waivers from going stale. Simulate revoking a waiver before you do it.

Policy Management Tools

Diff two policies before deploying changes. Validate syntax and semantics. Dry-run against historical scans. Generate human-readable explanations of what a policy enforces.

# policy/prod.yaml
api_version: v1
kind: Policy
metadata:
  name: production-gate
spec:
  # Enforce DISA Container Image Creation requirements
  require_packs:
    - disa-cic-v2
    - vulnerability-gates

  # Environment overrides
  overrides:
    - threshold: CRITICAL
      action: BLOCK_DEPLOYMENT   # Fails CI/CD

    - threshold: HIGH
      has_fix: true
      action: BLOCK_DEPLOYMENT   # Block only if fixable

    - package: "curl"
      # Legacy dependency exception
      waiver_id: "JIRA-9412"
      expires: "2025-06-01"
      action: WARN
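The policy semantics described in this section (strictest matching rule wins, per-environment actions, ticketed waivers that expire, an exit code that gates the pipeline) as an added Go example. This is not ACTA's policy engine or schema: the struct layout, rule names and CVE IDs are constructed for illustration, and only the JIRA-9412 ticket and the 2025-06-01 expiry are taken from prod.yaml above.

```go
package main

import (
	"fmt"
	"time"
)

// Action is ordered Allow < Warn < Block so the strictest matching rule wins.
type Action int

const (
	Allow Action = iota
	Warn
	Block
)

func (a Action) String() string { return [...]string{"ALLOW", "WARN", "BLOCK_DEPLOYMENT"}[a] }

// Rule fires on findings at or above Threshold (optionally only fixable ones); Overrides maps
// an environment to its action, so one rule can block in prod and only warn in dev.
type Rule struct {
	Name, Threshold string
	FixableOnly     bool
	Default         Action
	Overrides       map[string]Action
}

// Waiver exempts one CVE in one package until Expires and is tied to a ticket for accountability.
type Waiver struct {
	ID, Ticket, CVE, Package string
	Expires                  time.Time
}

type Finding struct {
	CVE, Package, Severity string
	HasFix                 bool
}

// Verdict records the rule that fired, the final action, and the waiver applied, if any.
type Verdict struct {
	Finding      Finding
	Rule, Waiver string
	Action       Action
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Evaluate applies the strictest matching rule to each finding for env, then downgrades a blocked
// finding with an unexpired waiver to Warn so it stays visible in the report instead of vanishing.
func Evaluate(rules []Rule, waivers []Waiver, findings []Finding, env string, now time.Time) []Verdict {
	out := make([]Verdict, 0, len(findings))
	for _, f := range findings {
		v := Verdict{Finding: f, Action: Allow}
		for _, r := range rules {
			if severityRank[f.Severity] < severityRank[r.Threshold] || (r.FixableOnly && !f.HasFix) {
				continue
			}
			a := r.Default
			if o, ok := r.Overrides[env]; ok {
				a = o
			}
			if a > v.Action {
				v.Action, v.Rule = a, r.Name
			}
		}
		if v.Action == Block {
			for _, w := range waivers {
				// An expired waiver simply stops matching, which turns a stale exception back into a block.
				if w.CVE == f.CVE && w.Package == f.Package && now.Before(w.Expires) {
					v.Action, v.Waiver = Warn, w.ID+" ("+w.Ticket+")"
					break
				}
			}
		}
		out = append(out, v)
	}
	return out
}

// ExitCode is the CI gate: 1 if anything still blocks, otherwise 0.
func ExitCode(vs []Verdict) int {
	for _, v := range vs {
		if v.Action == Block {
			return 1
		}
	}
	return 0
}

// Constructed sample mirroring prod.yaml in spirit. CVE IDs are placeholders, not real CVEs.
var sampleRules = []Rule{
	{Name: "critical", Threshold: "CRITICAL", Default: Block, Overrides: map[string]Action{"dev": Warn}},
	{Name: "high-fixable", Threshold: "HIGH", FixableOnly: true, Default: Block, Overrides: map[string]Action{"dev": Warn}},
}
var sampleWaivers = []Waiver{{ID: "W-1", Ticket: "JIRA-9412", CVE: "CVE-0000-0002", Package: "curl", Expires: time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)}}
var sampleFindings = []Finding{{"CVE-0000-0002", "curl", "CRITICAL", false}, {"CVE-0000-0001", "openssl", "HIGH", true}, {"CVE-0000-0003", "zlib", "HIGH", false}}

func main() {
	vs := Evaluate(sampleRules, sampleWaivers, sampleFindings, "prod", time.Date(2025, 3, 15, 0, 0, 0, 0, time.UTC))
	for _, v := range vs {
		fmt.Printf("%-14s %-8s %-16s %s %s\n", v.Finding.CVE, v.Finding.Package, v.Action, v.Rule, v.Waiver)
	}
	fmt.Println("exit code:", ExitCode(vs))
}
```

Two design points carry over to any real engine: evaluation takes the clock as a parameter, so the same policy can be dry-run against historical scans at the time they happened, and a waiver downgrades to WARN rather than dropping the finding, so the waived CVE still appears in the POA&M with its ticket attached.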

CONTROL MAPPING

Direct DISA Control Mapping

Every check maps to a specific control from the DISA Container Image Creation and Deployment Guide (V2 R0.6), with CCI identifiers for traceability.

Check                  | DISA Control | CCI        | What It Enforces
SSH disabled           | CM-7a        | CCI-000381 | No SSH daemon in container
Non-root user          | AC-6(10)     | CCI-002235 | Must not run as root
COPY over ADD          | CM-7a        | CCI-000381 | Use COPY instead of ADD
Non-privileged ports   | CM-7(1)(b)   | CCI-001762 | Ports 1024 and above only
HEALTHCHECK required   | SC-5         | CCI-002385 | Process health monitoring
No embedded secrets    | CM-6b        | CCI-000366 | No credentials in image layers
Approved base image    | SC-8(2)      | CCI-003782 | DoD-approved registry only
Resource limits        | SC-5(1)      | CCI-002386 | CPU and memory limits set
Read-only root FS      | CM-5(1)      | CCI-001813 | Immutable root filesystem
Liveness probe         | SC-5         | CCI-002385 | Kubernetes liveness check
Readiness probe        | SC-5         | CCI-002385 | Kubernetes readiness check
No host namespaces     | SC-4         | CCI-001090 | No hostPID or hostNetwork
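A worked example, added here and not ACTA's implementation, of the seven Dockerfile checks from CAP-02, each finding tagged with the DISA control and CCI from the table above. Both Dockerfiles are constructed, registry.example.mil is a placeholder for an approved registry, and the Kubernetes rows of the table are out of scope for this block.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one failed check, tagged with the DISA control and CCI from the table above.
type Finding struct{ Check, DISA, CCI, Detail string }
// approvedRegistry is an assumed value for this example; real deployments configure the DoD-approved registries.
const approvedRegistry = "registry.example.mil/"
var secretName = regexp.MustCompile(`(?i)(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)`)
var sshInstall = regexp.MustCompile(`(?i)\b(openssh-server|sshd)\b`)

// instructions joins backslash-continued lines, drops comments and blanks, and returns (UPPERCASE instruction, args).
func instructions(dockerfile string) [][2]string {
	var out [][2]string
	var buf strings.Builder
	for _, raw := range strings.Split(dockerfile, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasSuffix(line, `\`) {
			buf.WriteString(strings.TrimSuffix(line, `\`) + " ")
			continue
		}
		buf.WriteString(line)
		name, args, _ := strings.Cut(buf.String(), " ")
		out = append(out, [2]string{strings.ToUpper(name), strings.TrimSpace(args)})
		buf.Reset()
	}
	return out
}

// CheckDockerfile runs the seven image checks from the mapping table and returns every failure.
func CheckDockerfile(dockerfile string) []Finding {
	var fs []Finding
	lastUser, healthcheck := "", false
	for _, in := range instructions(dockerfile) {
		name, args := in[0], in[1]
		switch name {
		case "FROM":
			img, _, _ := strings.Cut(args, " ") // "image AS stage" -> "image"; --platform flags not handled here
			if img != "scratch" && !strings.HasPrefix(img, approvedRegistry) {
				fs = append(fs, Finding{"Approved base image", "SC-8(2)", "CCI-003782", img})
			}
		case "ADD":
			fs = append(fs, Finding{"COPY over ADD", "CM-7a", "CCI-000381", args})
		case "RUN":
			if sshInstall.MatchString(args) {
				fs = append(fs, Finding{"SSH disabled", "CM-7a", "CCI-000381", args})
			}
		case "EXPOSE":
			for _, p := range strings.Fields(args) {
				port, _, _ := strings.Cut(p, "/") // "80/tcp" -> "80"
				if n, err := strconv.Atoi(port); err == nil && n < 1024 {
					fs = append(fs, Finding{"Non-privileged ports", "CM-7(1)(b)", "CCI-001762", p})
				}
			}
		case "ENV", "ARG": // "KEY=value" or "KEY value" (first pair only): secret-looking name with a literal value
			key, val, _ := strings.Cut(strings.Replace(args, "=", " ", 1), " ")
			if secretName.MatchString(key) && strings.TrimSpace(val) != "" {
				fs = append(fs, Finding{"No embedded secrets", "CM-6b", "CCI-000366", key})
			}
		case "USER":
			lastUser, _, _ = strings.Cut(args, ":") // "user:group" -> "user"
		case "HEALTHCHECK":
			healthcheck = true
		}
	}
	if lastUser == "" || lastUser == "root" || lastUser == "0" {
		fs = append(fs, Finding{"Non-root user", "AC-6(10)", "CCI-002235", "final USER is " + lastUser})
	}
	if !healthcheck {
		fs = append(fs, Finding{"HEALTHCHECK required", "SC-5", "CCI-002385", "no HEALTHCHECK instruction"})
	}
	return fs
}

// badDockerfile is a constructed image that fails every check; goodDockerfile is the same service hardened.
const badDockerfile = `FROM python:3.12-slim
ADD app.tar.gz /opt/app
RUN apt-get update && \
    apt-get install -y openssh-server
ENV DB_PASSWORD=hunter2
EXPOSE 80 8443
USER root`

const goodDockerfile = `FROM registry.example.mil/python:3.12-slim
COPY app/ /opt/app/
EXPOSE 8443
HEALTHCHECK CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8443/healthz')"]
USER 10001`

func main() {
	for _, f := range CheckDockerfile(badDockerfile) {
		fmt.Printf("%-22s %-11s %-10s %s\n", f.Check, f.DISA, f.CCI, f.Detail)
	}
	fmt.Printf("hardened Dockerfile: %d findings\n", len(CheckDockerfile(goodDockerfile)))
}
```

The two whole-file checks (USER and HEALTHCHECK) are decided only after the last instruction, because a Dockerfile that switches to root for package installation and back to an unprivileged user at the end is compliant. The secret check is a name heuristic plus a literal value; a build ARG declared without a default is not flagged here, though its value still lands in image history if it is passed at build time.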
OUTPUT FORMATS

Reports That Go Where You Need Them

ACTA produces outputs in formats that integrate directly into your existing toolchain — from CI/CD dashboards to compliance management systems.

Format                  | Type      | Use
Human-readable summary  | CLI       | Quick review and terminal output
GitLab SAST JSON        | JSON      | GitLab Security Dashboard integration
SARIF                   | JSON      | GitHub Code Scanning and VS Code
CycloneDX 1.5 VDR       | XML/JSON  | Vulnerability disclosure reporting
SPDX 2.3                | JSON/TAG  | Software supply chain compliance
CSV                     | CSV       | Spreadsheet analysis and stakeholder sharing
OpenVEX                 | JSON      | Vulnerability exploitability exchange
POA&M CSV               | CSV       | eMASS import for Plan of Action & Milestones
STIG CKL XML            | XML       | STIG Viewer checklist import

1 PIPELINE STAGE
3 SCAN TYPES
MACHINE-READABLE ARTIFACTS

Native CI/CD Integration

Native support for GitLab CI and GitHub Actions with exit codes that gate your pipeline. Scans produce machine-readable reports as build artifacts. A single pipeline stage covers image scanning, Dockerfile compliance, and manifest validation.

OPERATIONS

Built for How Teams Actually Work

Scan History & Baselines

Every scan is persisted to a local SQLite database. Browse past scans, show full details, compare any two scans side-by-side, and track how your security posture changes over time. Baseline resolution is automatic — when you specify a branch, ACTA finds the most recent scan for comparison.

$ acta history list
ID      DATE                  TARGET           ENGINE  FINDINGS  STATUS
0xA7F3  2025-03-15T08:42:00Z  nginx:latest     Trivy   0 CRIT    COMPLIANT
0xA7F2  2025-03-14T10:15:33Z  api-server:v2    Grype   2 CRIT    FAILED
0xA7F1  2025-03-14T09:00:12Z  postgres:15-alp  Trivy   0 CRIT    COMPLIANT

> Showing 3 of 142 records.

Embedded Dashboard

An embedded dark-themed dashboard for visual scan browsing, vulnerability trends over time, and scan-to-scan comparison. Everything is compiled into the single binary — no npm, no database server, no external dependencies. Works fully offline.

Dash // Posture Overview

Air-Gapped Support

Offline vulnerability database and feed caches for disconnected environments. Download EPSS, KEV, and NVD feeds when connected, then scan without network access.

FEEDS: CACHED // OFFLINE MODE: ACTIVE

Procurement Validation

Evaluate vendor-supplied SBOMs against OMB M-22-18 requirements. Import external SBOMs, run vulnerability matching, assess completeness, and produce APPROVE, CONDITIONAL, or REJECT recommendations.

$ acta vendor evaluate ./vendor-sbom.json
[+] Parsing CycloneDX 1.5 document...
[+] Analyzing dependencies (142 components)...
[!] Missing NTIA minimum elements: Author missing for 3 components.
[+] Vulnerability correlation (offline database)...

RECOMMENDATION: CONDITIONAL
Reason: 2 HIGH vulnerabilities found (non-KEV). Remediation required within 30 days.

Threat Intelligence Feeds

Advisory source tracking, remediation SLA enforcement, FIPS readiness checking, and Iron Bank pipeline compliance validation — all driven by regularly updated feed data.

ARCHITECTURE

Single Binary, Full Platform

ACTA ships as a single binary with no runtime dependencies beyond the scanner engines it calls: Syft for SBOM generation, Grype, and Trivy when that engine is selected. The command structure is organized around workflows, not implementation details.

  • Scanning

    Image, Dockerfile, directory, and manifest scanning with combined passes and engine selection.

  • Policy

    Validate, diff, test, and explain policies. List available compliance packs. Re-evaluate findings against updated policies without re-scanning.

  • History

    Browse, inspect, compare, and manage scan records in the local database.

  • cATO

    Set baselines, check posture, generate evidence packages, and gate CI/CD pipelines on continuous compliance status.

  • Procurement

    Validate vendor SBOMs against federal procurement requirements.

  • Waivers

    Impact analysis, expiration tracking, audit reports, and revocation simulation.

  • SBOM

    Sign, verify, and import SBOMs with HMAC-SHA256 integrity checking.

  • Feeds

    Update and check status of offline vulnerability and enrichment data.

  • Infrastructure

    REST API server, registry monitoring daemon, and Kubernetes admission controller for runtime enforcement.
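The HMAC-SHA256 integrity check named under SBOM above, as an added Go example rather than ACTA's code. The SBOM document and key are constructed; in practice the key comes from a secret store, and the tag is kept alongside the stored bytes.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Sign returns the hex-encoded HMAC-SHA256 tag over the exact SBOM bytes under key.
func Sign(key, sbom []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(sbom)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the tag and compares it in constant time. Changed bytes, a different key,
// or a malformed tag all yield false; hmac.Equal avoids a timing side channel on the compare.
func Verify(key, sbom []byte, tagHex string) bool {
	want, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(sbom)
	return hmac.Equal(mac.Sum(nil), want)
}

// sbom is a constructed minimal CycloneDX document used as the signed payload in this example.
var sbom = []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","components":[{"name":"zlib","version":"1.2.11"}]}`)

// Outcome collects the four cases a verifier has to get right.
type Outcome struct{ Genuine, Tampered, WrongKey, Reserialised bool }

// Demo signs the sample SBOM and checks it genuine, tampered, under the wrong key, and after a
// JSON round trip that reorders keys: only the first should verify.
func Demo(key []byte) Outcome {
	tag := Sign(key, sbom)
	var o Outcome
	o.Genuine = Verify(key, sbom, tag)

	// Bump one version digit: still valid JSON, still a plausible SBOM, but not the signed bytes.
	altered := bytes.Replace(sbom, []byte(`"1.2.11"`), []byte(`"1.2.12"`), 1)
	o.Tampered = Verify(key, altered, tag)

	o.WrongKey = Verify([]byte("not-the-key"), sbom, tag)

	// Round-tripping through a JSON library sorts keys and drops whitespace, so the tag no longer
	// matches. Verify the stored bytes, never a re-serialised copy.
	var doc map[string]any
	_ = json.Unmarshal(sbom, &doc)
	reserialised, _ := json.Marshal(doc)
	o.Reserialised = Verify(key, reserialised, tag)
	return o
}

func main() {
	key := []byte("example-shared-key") // constructed; a real key comes from a secret store
	fmt.Printf("%+v\n", Demo(key))
}
```

One caveat worth stating plainly: an HMAC is symmetric, so anyone who can verify it can also forge it. It proves that an SBOM in the local archive has not changed since ACTA wrote it, which is the integrity case the page describes; it cannot establish provenance of an SBOM a vendor hands you, because the vendor would have to share your key. For that, an asymmetric signature or attestation over the SBOM is the right tool.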

DEPLOYMENT

Get Running in Minutes

LINUX (AMD64) / MACOS (APPLE SILICON)
$ curl -LO https://github.com/acta/acta/releases/latest/download/acta-linux-amd64
$ chmod +x acta-linux-amd64
$ ./acta-linux-amd64 scan image nginx:latest

DOCKER
$ docker run -v /var/run/docker.sock:/var/run/docker.sock \
    acta/acta scan image nginx:latest

Note: mounting the Docker socket gives the ACTA container full control of the host's Docker daemon, which is root-equivalent on that host. Run it this way only on a build host you already trust with Docker access.

BUILD FROM SOURCE (GO 1.24+)
$ git clone https://github.com/acta/acta.git
$ cd acta && go build -o acta .
$ ./acta scan image nginx:latest
OPEN SOURCE

Open Source, Apache 2.0

ACTA is open source under the Apache 2.0 license. Contributions are welcome — whether that's new policy packs, scanner engine integrations, output format support, or documentation improvements.

Stop translating scan results into compliance artifacts by hand.

Get started with ACTA and generate ATO artifacts from your first scan.

OPEN SOURCE//APACHE 2.0//SELF-HOSTED//AIR-GAP READY