@deniscuciuc/compose-analyzer 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.0.0] - 2026-06-14
+
+### Added
+
+- Docker Compose analyzer CLI with full, health, image, security, reliability, resource, and network commands
+- YAML parsing for Compose v2, v3, and versionless files
+- Image analysis for unpinned images and `:latest` tags
+- Security analysis for secrets in environment variables, privileged containers, and exposed database ports
+- Reliability analysis for healthchecks, `depends_on` conditions, and restart policies
+- Resource analysis for missing CPU and memory limits
+- Network analysis for default-network usage and random host port publishing
+- Health score (0–100), Markdown/JSON/HTML reports, and report diffing
+- Optional Docker daemon runtime enrichment with `--with-docker`
+- Interactive CLI flows for analysis, reports, and settings
+- Node built-in tests, GitHub Actions CI workflow, publish workflow, and OSS project metadata

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Denis Cuciuc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,164 @@
+# Docker Compose Analyzer
+
+[![Node.js 20+](https://img.shields.io/badge/node-20%2B-339933?logo=node.js)](https://nodejs.org/)
+[![npm version](https://img.shields.io/npm/v/@deniscuciuc/compose-analyzer?logo=npm&color=cb3837)](https://www.npmjs.com/package/@deniscuciuc/compose-analyzer)
+[![npm downloads](https://img.shields.io/npm/dm/@deniscuciuc/compose-analyzer)](https://www.npmjs.com/package/@deniscuciuc/compose-analyzer)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green)](LICENSE)
+[![TypeScript](https://img.shields.io/badge/types-TypeScript-3178C6?logo=typescript)](https://www.typescriptlang.org/)
+[![CI](https://github.com/deniscuciuc/compose-analyzer/actions/workflows/ci.yml/badge.svg)](https://github.com/deniscuciuc/compose-analyzer/actions/workflows/ci.yml)
+
+A CLI that analyzes Docker Compose files for image hygiene, security risk, reliability gaps, resource limits, and network exposure. It emits JSON to stdout with `-j`, or writes Markdown/JSON/HTML reports to `./reports`.
+
+## Quick start
+
+No installation required:
+
+```bash
+npx @deniscuciuc/compose-analyzer -f docker-compose.yml -c health
+npx @deniscuciuc/compose-analyzer -f docker-compose.yml -c full --html
+```
+
+Or install globally:
+
+```bash
+npm install -g @deniscuciuc/compose-analyzer
+compose-analyzer -f docker-compose.yml -c security
+```
+
+---
+
+## Features
+
+- Unpinned image and `:latest` detection
+- Plain-text secret detection in Compose environment variables
+- Privileged container and exposed database port checks
+- Missing healthcheck, weak `depends_on`, and restart policy analysis
+- Missing CPU / memory limit detection for both legacy and deploy-based formats
+- Default-network and random host-port publishing checks
+- Markdown, JSON, HTML, and diffable report output
+- Optional Docker runtime enrichment via `--with-docker`
+- Interactive CLI mode for browsing analysis and report flows
+
+## Requirements
+
+- Node.js >= 20
+- pnpm >= 10
+- Any Docker Compose YAML file (`docker-compose.yml`, `compose.yml`, etc.)
+- Optional: Docker socket access for `--with-docker`
+
+## Usage
+
+### Interactive mode
+
+```bash
+pnpm start -- --file docker-compose.yml
+```
+
+### npm scripts
+
+```bash
+pnpm analyze -- --file docker-compose.yml
+pnpm analyze:health -- --file docker-compose.yml
+pnpm analyze:security -- --file docker-compose.yml
+pnpm analyze:html -- --file docker-compose.yml
+pnpm test
+```
+
+### Direct CLI
+
+```bash
+node -r ts-node/register index.ts -f docker-compose.yml -j -c full
+node -r ts-node/register index.ts -f docker-compose.yml -c images
+node -r ts-node/register index.ts -f docker-compose.yml --with-docker -c full --html
+```
+
+## Commands
+
+| Command | Description |
+| --- | --- |
+| `full` | Complete analysis and report generation (default) |
+| `health` | Health score and issue summary |
+| `images` | Image pinning and tag analysis |
+| `security` | Secrets in env, privileged containers, and exposed DB ports |
+| `reliability` | Healthchecks, `depends_on`, and restart policy analysis |
+| `resources` | CPU and memory limit analysis |
+| `networks` | Default network usage and risky port publishing |
+
+## CLI options
+
+| Option | Short | Description | Default |
+| --- | --- | --- | --- |
+| `--file` | `-f` | Path to Compose file | `docker-compose.yml` |
+| `--with-docker` |  | Enrich the report with Docker daemon runtime status | `false` |
+| `--compare` |  | Previous JSON report to diff against | — |
+| `--html` |  | Also generate HTML for `full` | `false` |
+| `--command` | `-c` | Command to run | `full` |
+| `--json` | `-j` | Print JSON to stdout | `false` |
+| `--output` | `-o` | Reports directory | `./reports` |
+| `--interactive` | `-i` | Interactive menu | `false` |
+| `--config` |  | Path to a config file (non-connection settings only) | auto-search |
+
+> This tool intentionally has **no** watch mode and **no** connection/profile handling. It analyzes static files only.
+
+## Configuration
+
+Copy `analyzerrc.example.json` to `.analyzerrc.json` if you want a default reports directory:
+
+```bash
+cp analyzerrc.example.json .analyzerrc.json
+```
+
+Example:
+
+```json
+{
+  "output": "./reports"
+}
+```
+
+## Output formats
+
+- **JSON** to stdout with `-j`
+- **Markdown** report on `full`
+- **HTML** report on `full --html`
+- **Diff** summary with `--compare previous-report.json`
+
+## Health score
+
+Health starts at `100` and deductions are applied per issue severity:
+
+- `critical`: -15
+- `high`: -8
+- `medium`: -4
+- `low`: -1
+
+Interpretation:
+
+| Score | Status |
+| --- | --- |
+| `90–100` | Excellent |
+| `70–89` | Good |
+| `50–69` | Warning |
+| `0–49` | Critical |
+
+## Architecture
+
+```text
+index.ts
+src/cli/{options,runner}.ts
+src/config/loader.ts
+src/collectors/{compose-collector,docker-collector}.ts
+src/analyzers/*.ts
+src/reporters/{report-generator,html-reporter,diff-reporter}.ts
+src/interactive/{index,menus,display}.ts
+src/utils/{format,print}.ts
+```
+
+## Development
+
+```bash
+pnpm install
+pnpm lint
+pnpm build
+pnpm test
+```

package/analyzerrc.example.json

@@ -0,0 +1,3 @@
+{
+  "output": "./reports"
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const package_json_1 = __importDefault(require("./package.json"));
+const options_1 = require("./src/cli/options");
+const runner_1 = require("./src/cli/runner");
+const loader_1 = require("./src/config/loader");
+const constants_1 = require("./src/constants");
+const interactive_1 = require("./src/interactive");
+async function main() {
+    const options = (0, options_1.parseOptions)();
+    if (options.version) {
+        console.log(package_json_1.default.version);
+        return;
+    }
+    const config = (0, loader_1.loadConfig)(options.config);
+    const runtimeOptions = {
+        ...options,
+        outputDir: options.outputDir ?? config.output ?? constants_1.DEFAULTS.output,
+    };
+    if (runtimeOptions.interactive) {
+        const cli = new interactive_1.InteractiveCLI(runtimeOptions);
+        await cli.start();
+        return;
+    }
+    await (0, runner_1.executeCommand)(runtimeOptions);
+}
+main().catch((error) => {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error("Error during analysis:", message);
+    process.exit(1);
+});

package/dist/package.json

@@ -0,0 +1,81 @@
+{
+    "name": "@deniscuciuc/compose-analyzer",
+    "version": "1.0.0",
+    "description": "CLI tool that analyzes Docker Compose files for image hygiene, security, reliability, resource limits, and network exposure.",
+    "keywords": [
+        "docker",
+        "docker-compose",
+        "compose",
+        "analyzer",
+        "security",
+        "devops",
+        "cli",
+        "containers"
+    ],
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/deniscuciuc/compose-analyzer.git"
+    },
+    "bugs": {
+        "url": "https://github.com/deniscuciuc/compose-analyzer/issues"
+    },
+    "license": "MIT",
+    "author": "Denis Cuciuc <denis@deniscuciuc.dev>",
+    "homepage": "https://github.com/deniscuciuc/compose-analyzer#readme",
+    "private": false,
+    "publishConfig": {
+        "access": "public"
+    },
+    "bin": {
+        "compose-analyzer": "./dist/index.js"
+    },
+    "main": "./dist/index.js",
+    "types": "./dist/index.d.ts",
+    "files": [
+        "dist/",
+        "README.md",
+        "LICENSE",
+        "CHANGELOG.md",
+        "analyzerrc.example.json"
+    ],
+    "scripts": {
+        "start": "node -r ts-node/register index.ts start",
+        "analyze": "node -r ts-node/register index.ts",
+        "analyze:help": "node -r ts-node/register index.ts --help",
+        "analyze:health": "node -r ts-node/register index.ts -j -c health",
+        "analyze:images": "node -r ts-node/register index.ts -j -c images",
+        "analyze:security": "node -r ts-node/register index.ts -j -c security",
+        "analyze:reliability": "node -r ts-node/register index.ts -j -c reliability",
+        "analyze:resources": "node -r ts-node/register index.ts -j -c resources",
+        "analyze:networks": "node -r ts-node/register index.ts -j -c networks",
+        "analyze:html": "node -r ts-node/register index.ts --html -c full",
+        "build": "tsc",
+        "postbuild": "node scripts/add-shebang.js",
+        "lint": "biome check .",
+        "lint:fix": "biome check --write .",
+        "test": "node -r ts-node/register --test test/*.test.ts",
+        "prepublishOnly": "pnpm lint && pnpm build && pnpm test",
+        "release:patch": "npm version patch && git push && git push --tags",
+        "release:minor": "npm version minor && git push && git push --tags",
+        "release:major": "npm version major && git push && git push --tags"
+    },
+    "dependencies": {
+        "@inquirer/prompts": "^8.1.0",
+        "js-yaml": "^4.1.0"
+    },
+    "optionalDependencies": {
+        "dockerode": "^4.0.9"
+    },
+    "devDependencies": {
+        "@biomejs/biome": "2.3.11",
+        "@types/dockerode": "^3.3.38",
+        "@types/js-yaml": "^4.0.9",
+        "@types/node": "^22.15.0",
+        "ts-node": "^10.9.2",
+        "typescript": "^5.9.3"
+    },
+    "engines": {
+        "node": ">=20",
+        "pnpm": ">=10"
+    }
+}

package/dist/src/analyzers/image-analyzer.d.ts

@@ -0,0 +1,8 @@
+import type { ComposeService, ImageAnalysis } from "../types";
+export declare class ImageAnalyzer {
+    analyze(services: Array<{
+        name: string;
+        service: ComposeService;
+    }>): ImageAnalysis;
+}
+//# sourceMappingURL=image-analyzer.d.ts.map

package/dist/src/analyzers/image-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"image-analyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/image-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAgB,cAAc,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE5E,qBAAa,aAAa;IACzB,OAAO,CACN,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,cAAc,CAAA;KAAE,CAAC,GACxD,aAAa;CA6DhB"}

package/dist/src/analyzers/image-analyzer.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ImageAnalyzer = void 0;
+const compose_collector_1 = require("../collectors/compose-collector");
+class ImageAnalyzer {
+    analyze(services) {
+        const unpinnedImages = [];
+        const latestTagImages = [];
+        const issues = [];
+        for (const { name, service } of services) {
+            if (!service.image) {
+                if (service.build) {
+                    continue;
+                }
+                issues.push({
+                    service: name,
+                    severity: "high",
+                    category: "image",
+                    title: "No image or build context",
+                    detail: `Service "${name}" has neither an image nor a build context.`,
+                    fix: "Add an image reference or a build.context definition.",
+                });
+                continue;
+            }
+            if (compose_collector_1.ComposeCollector.hasDigest(service.image)) {
+                continue;
+            }
+            const tag = compose_collector_1.ComposeCollector.imageTag(service.image);
+            const base = compose_collector_1.ComposeCollector.baseImageName(service.image);
+            if (!tag) {
+                unpinnedImages.push({
+                    service: name,
+                    image: service.image,
+                    recommendation: `Pin ${service.image} to a stable version such as ${base}:<version>.`,
+                });
+                issues.push({
+                    service: name,
+                    severity: "medium",
+                    category: "image",
+                    title: "Image not version-pinned",
+                    detail: `${service.image} has no explicit tag or digest, which hurts reproducibility.`,
+                    fix: `Change to image: ${service.image}:<version> or pin by digest.`,
+                });
+                continue;
+            }
+            if (tag === "latest") {
+                latestTagImages.push({ service: name, image: service.image });
+                issues.push({
+                    service: name,
+                    severity: "medium",
+                    category: "image",
+                    title: "Image uses :latest tag",
+                    detail: `${service.image} can change between deploys without notice.`,
+                    fix: `Pin to a specific version tag such as ${base}:<version>.`,
+                });
+            }
+        }
+        return { unpinnedImages, latestTagImages, issues };
+    }
+}
+exports.ImageAnalyzer = ImageAnalyzer;

package/dist/src/analyzers/network-analyzer.d.ts

@@ -0,0 +1,8 @@
+import type { ComposeService, NetworkAnalysis } from "../types";
+export declare class NetworkAnalyzer {
+    analyze(services: Array<{
+        name: string;
+        service: ComposeService;
+    }>, fileNetworks: Record<string, unknown> | undefined): NetworkAnalysis;
+}
+//# sourceMappingURL=network-analyzer.d.ts.map

package/dist/src/analyzers/network-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-analyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/network-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAgB,cAAc,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE9E,qBAAa,eAAe;IAC3B,OAAO,CACN,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,cAAc,CAAA;KAAE,CAAC,EAC1D,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,GAC/C,eAAe;CAkDlB"}

package/dist/src/analyzers/network-analyzer.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkAnalyzer = void 0;
+const compose_collector_1 = require("../collectors/compose-collector");
+class NetworkAnalyzer {
+    analyze(services, fileNetworks) {
+        const servicesOnDefaultNetwork = [];
+        const exposedInternalPorts = [];
+        const issues = [];
+        const hasTopLevelNetworks = Boolean(fileNetworks && Object.keys(fileNetworks).length > 0);
+        for (const { name, service } of services) {
+            const hasExplicitNetwork = Array.isArray(service.networks)
+                ? service.networks.length > 0
+                : Boolean(service.networks && Object.keys(service.networks).length > 0);
+            if (!hasExplicitNetwork && hasTopLevelNetworks) {
+                servicesOnDefaultNetwork.push({ service: name });
+                issues.push({
+                    service: name,
+                    severity: "low",
+                    category: "network",
+                    title: "Service uses default network",
+                    detail: `Service "${name}" is not attached to an explicit top-level network.`,
+                    fix: "Assign the service to a named network so network intent is explicit.",
+                });
+            }
+            for (const port of compose_collector_1.ComposeCollector.normalizePorts(service)) {
+                if (!port.randomHostBinding) {
+                    continue;
+                }
+                exposedInternalPorts.push({
+                    service: name,
+                    port: port.raw,
+                    note: "Published without an explicit host port or host IP binding.",
+                });
+                issues.push({
+                    service: name,
+                    severity: "low",
+                    category: "network",
+                    title: "Published port uses random host binding",
+                    detail: `Service "${name}" publishes ${port.raw}, which lets Docker choose a host port on all interfaces.`,
+                    fix: "Prefer explicit mappings such as 127.0.0.1:8080:80, or remove the published port for internal-only services.",
+                });
+            }
+        }
+        return { servicesOnDefaultNetwork, exposedInternalPorts, issues };
+    }
+}
+exports.NetworkAnalyzer = NetworkAnalyzer;

package/dist/src/analyzers/reliability-analyzer.d.ts

@@ -0,0 +1,8 @@
+import type { ComposeService, ReliabilityAnalysis } from "../types";
+export declare class ReliabilityAnalyzer {
+    analyze(services: Array<{
+        name: string;
+        service: ComposeService;
+    }>): ReliabilityAnalysis;
+}
+//# sourceMappingURL=reliability-analyzer.d.ts.map

package/dist/src/analyzers/reliability-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reliability-analyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/reliability-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAEX,cAAc,EACd,mBAAmB,EACnB,MAAM,UAAU,CAAC;AAElB,qBAAa,mBAAmB;IAC/B,OAAO,CACN,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,cAAc,CAAA;KAAE,CAAC,GACxD,mBAAmB;CAyFtB"}

package/dist/src/analyzers/reliability-analyzer.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReliabilityAnalyzer = void 0;
+const constants_1 = require("../constants");
+class ReliabilityAnalyzer {
+    analyze(services) {
+        const missingHealthcheck = [];
+        const unsafeDepends = [];
+        const missingRestart = [];
+        const insecureRestartPolicy = [];
+        const issues = [];
+        const servicesWithHealthcheck = new Set(services
+            .filter(({ service }) => service.healthcheck && !service.healthcheck.disable)
+            .map(({ name }) => name));
+        for (const { name, service } of services) {
+            if (!service.healthcheck || service.healthcheck.disable) {
+                missingHealthcheck.push({ service: name });
+                issues.push({
+                    service: name,
+                    severity: "medium",
+                    category: "reliability",
+                    title: "No healthcheck defined",
+                    detail: `Service "${name}" does not define a usable healthcheck.`,
+                    fix: "Add healthcheck.test, interval, timeout, and retries so readiness can be verified.",
+                });
+            }
+            if (service.depends_on) {
+                const dependencies = Array.isArray(service.depends_on)
+                    ? service.depends_on.map((dependency) => ({
+                        dependency,
+                        condition: "service_started",
+                    }))
+                    : Object.entries(service.depends_on).map(([dependency, details]) => ({
+                        dependency,
+                        condition: details.condition ?? "service_started",
+                    }));
+                for (const { dependency, condition } of dependencies) {
+                    if (condition !== "service_healthy" &&
+                        servicesWithHealthcheck.has(dependency)) {
+                        unsafeDepends.push({ service: name, dependency, condition });
+                        issues.push({
+                            service: name,
+                            severity: "high",
+                            category: "reliability",
+                            title: `depends_on "${dependency}" uses ${condition}`,
+                            detail: `Service "${name}" may start before "${dependency}" is actually ready.`,
+                            fix: `Use depends_on.${dependency}.condition: service_healthy.`,
+                        });
+                    }
+                }
+            }
+            if (!service.restart) {
+                missingRestart.push({ service: name });
+                issues.push({
+                    service: name,
+                    severity: "low",
+                    category: "reliability",
+                    title: "No restart policy",
+                    detail: `Service "${name}" has no restart policy and will not recover automatically after a crash.`,
+                    fix: "Set restart: unless-stopped or restart: on-failure.",
+                });
+            }
+            else if (constants_1.WEAK_RESTART_POLICIES.has(service.restart)) {
+                insecureRestartPolicy.push({ service: name, policy: service.restart });
+                issues.push({
+                    service: name,
+                    severity: "low",
+                    category: "reliability",
+                    title: `Weak restart policy: ${service.restart}`,
+                    detail: `Service "${name}" uses restart: ${service.restart}, which provides poor crash recovery.`,
+                    fix: "Use restart: unless-stopped or restart: on-failure.",
+                });
+            }
+        }
+        return {
+            missingHealthcheck,
+            unsafeDepends,
+            missingRestart,
+            insecureRestartPolicy,
+            issues,
+        };
+    }
+}
+exports.ReliabilityAnalyzer = ReliabilityAnalyzer;

package/dist/src/analyzers/resource-analyzer.d.ts

@@ -0,0 +1,8 @@
+import type { ComposeService, ResourceAnalysis } from "../types";
+export declare class ResourceAnalyzer {
+    analyze(services: Array<{
+        name: string;
+        service: ComposeService;
+    }>): ResourceAnalysis;
+}
+//# sourceMappingURL=resource-analyzer.d.ts.map

package/dist/src/analyzers/resource-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-analyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/resource-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAgB,cAAc,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAE/E,qBAAa,gBAAgB;IAC5B,OAAO,CACN,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,cAAc,CAAA;KAAE,CAAC,GACxD,gBAAgB;CAmCnB"}

package/dist/src/analyzers/resource-analyzer.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ResourceAnalyzer = void 0;
+class ResourceAnalyzer {
+    analyze(services) {
+        const missingLimits = [];
+        const issues = [];
+        for (const { name, service } of services) {
+            const cpuLimit = service.deploy?.resources?.limits?.cpus ?? service.cpus;
+            const memoryLimit = service.deploy?.resources?.limits?.memory ?? service.mem_limit;
+            const missing = [];
+            if (cpuLimit === undefined || cpuLimit === "") {
+                missing.push("cpu");
+            }
+            if (!memoryLimit) {
+                missing.push("memory");
+            }
+            if (missing.length === 0) {
+                continue;
+            }
+            missingLimits.push({ service: name, missing });
+            issues.push({
+                service: name,
+                severity: "medium",
+                category: "resources",
+                title: "Missing resource limits",
+                detail: `Service "${name}" is missing ${missing.join(" and ")} limits. Unbounded containers can starve neighboring workloads.`,
+                fix: "Add deploy.resources.limits for both memory and cpus, or set mem_limit and cpus in legacy Compose syntax.",
+            });
+        }
+        return { missingLimits, issues };
+    }
+}
+exports.ResourceAnalyzer = ResourceAnalyzer;

package/dist/src/analyzers/security-analyzer.d.ts

@@ -0,0 +1,9 @@
+import type { ComposeService, SecurityAnalysis } from "../types";
+export declare class SecurityAnalyzer {
+    analyze(services: Array<{
+        name: string;
+        service: ComposeService;
+    }>): SecurityAnalysis;
+    private isInterpolatedValue;
+}
+//# sourceMappingURL=security-analyzer.d.ts.map

package/dist/src/analyzers/security-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-analyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security-analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAgB,cAAc,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAE/E,qBAAa,gBAAgB;IAC5B,OAAO,CACN,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,cAAc,CAAA;KAAE,CAAC,GACxD,gBAAgB;IAoFnB,OAAO,CAAC,mBAAmB;CAG3B"}