@intentius/chant-lexicon-k8s 0.0.14 → 0.0.16

package/src/lint/rules/latest-image-tag.ts

@@ -0,0 +1,121 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WK8002: Latest Image Tag
+ *
+ * Detects when a K8s workload resource uses the `:latest` image tag or no tag
+ * at all in a container image string literal. Untagged or `:latest` images are
+ * non-deterministic and can cause unexpected rollouts.
+ *
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx:latest" }] } } } })
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx" }] } } } })
+ * Good: new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx:1.25" }] } } } })
+ */
+
+const WORKLOAD_KINDS = new Set([
+  "Deployment",
+  "StatefulSet",
+  "DaemonSet",
+  "CronJob",
+  "Job",
+  "ReplicaSet",
+  "Pod",
+]);
+
+/**
+ * Returns true if the string looks like a container image reference that is
+ * either untagged or using `:latest`.
+ *
+ * A string is considered a container image if it:
+ * - Contains at least one alphabetic character
+ * - Does not contain spaces
+ * - Is not a simple keyword like "true", "false", etc.
+ */
+function isProblematicImage(value: string): boolean {
+  if (!value || value.includes(" ") || value.length === 0) return false;
+
+  // Skip values that are clearly not images
+  const nonImagePatterns = [
+    /^(true|false|null|undefined|yes|no)$/i,
+    /^\d+$/, // pure numbers
+    /^[.\/]/, // relative/absolute paths without image-like structure
+  ];
+  for (const pat of nonImagePatterns) {
+    if (pat.test(value)) return false;
+  }
+
+  // Check for :latest explicitly
+  if (value.endsWith(":latest")) return true;
+
+  // Check for untagged image: no colon at all, but looks like an image name
+  // Images contain alphanumeric chars and may have / for registry prefix
+  // Must have at least one alpha char and match image naming conventions
+  if (!value.includes(":") && !value.includes("@") && /^[a-zA-Z0-9._\-\/]+$/.test(value) && /[a-zA-Z]/.test(value)) {
+    return true;
+  }
+
+  return false;
+}
+
+export const latestImageTagRule: LintRule = {
+  id: "WK8002",
+  severity: "warning",
+  category: "security",
+  description:
+    "Detects :latest or untagged container images — use explicit version tags for reproducibility",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isInsideWorkloadConstructor(node: ts.Node): boolean {
+      let current: ts.Node | undefined = node.parent;
+      while (current) {
+        if (
+          ts.isNewExpression(current) &&
+          ts.isIdentifier(current.expression) &&
+          WORKLOAD_KINDS.has(current.expression.text)
+        ) {
+          return true;
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+
+    function visit(node: ts.Node): void {
+      // Look for property assignments like `image: "nginx:latest"` or `image: "nginx"`
+      if (
+        ts.isPropertyAssignment(node) &&
+        ts.isIdentifier(node.name) &&
+        node.name.text === "image" &&
+        ts.isStringLiteral(node.initializer) &&
+        isInsideWorkloadConstructor(node)
+      ) {
+        const value = node.initializer.text;
+        if (isProblematicImage(value)) {
+          const { line, character } =
+            sourceFile.getLineAndCharacterOfPosition(
+              node.initializer.getStart(),
+            );
+          const isLatest = value.endsWith(":latest");
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WK8002",
+            severity: "warning",
+            message: isLatest
+              ? `Container image "${value}" uses the :latest tag. Pin to a specific version for reproducibility.`
+              : `Container image "${value}" has no tag. Pin to a specific version for reproducibility.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/missing-resource-limits.ts

@@ -0,0 +1,111 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WK8003: Missing Resource Limits
+ *
+ * Detects when a container in a Deployment/StatefulSet spec doesn't have
+ * resource limits or requests. Without resource limits, a container can
+ * consume unbounded cluster resources and cause noisy-neighbour issues.
+ *
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0" }] } } } })
+ * Good: new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0", resources: { limits: { cpu: "500m", memory: "256Mi" } } }] } } } })
+ */
+
+const WORKLOAD_KINDS = new Set([
+  "Deployment",
+  "StatefulSet",
+  "DaemonSet",
+  "CronJob",
+  "Job",
+  "ReplicaSet",
+]);
+
+export const missingResourceLimitsRule: LintRule = {
+  id: "WK8003",
+  severity: "warning",
+  category: "correctness",
+  description:
+    "Detects containers without resource limits/requests — always set resource constraints",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isInsideWorkloadConstructor(node: ts.Node): boolean {
+      let current: ts.Node | undefined = node.parent;
+      while (current) {
+        if (
+          ts.isNewExpression(current) &&
+          ts.isIdentifier(current.expression) &&
+          WORKLOAD_KINDS.has(current.expression.text)
+        ) {
+          return true;
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+
+    function objectLiteralHasProperty(
+      obj: ts.ObjectLiteralExpression,
+      name: string,
+    ): boolean {
+      return obj.properties.some(
+        (p) =>
+          ts.isPropertyAssignment(p) &&
+          ts.isIdentifier(p.name) &&
+          p.name.text === name,
+      );
+    }
+
+    function visit(node: ts.Node): void {
+      // Look for object literals inside arrays that represent container specs.
+      // A container object literal typically has "name" and "image" properties.
+      // We flag it if it lacks a "resources" property.
+      if (
+        ts.isObjectLiteralExpression(node) &&
+        isInsideWorkloadConstructor(node)
+      ) {
+        const hasName = objectLiteralHasProperty(node, "name");
+        const hasImage = objectLiteralHasProperty(node, "image");
+        const hasResources = objectLiteralHasProperty(node, "resources");
+
+        if (hasName && hasImage && !hasResources) {
+          // Confirm we're inside an array literal (containers array)
+          if (node.parent && ts.isArrayLiteralExpression(node.parent)) {
+            const { line, character } =
+              sourceFile.getLineAndCharacterOfPosition(node.getStart());
+
+            // Try to extract the container name for a better message
+            let containerName = "unknown";
+            for (const prop of node.properties) {
+              if (
+                ts.isPropertyAssignment(prop) &&
+                ts.isIdentifier(prop.name) &&
+                prop.name.text === "name" &&
+                ts.isStringLiteral(prop.initializer)
+              ) {
+                containerName = prop.initializer.text;
+                break;
+              }
+            }
+
+            diagnostics.push({
+              file: sourceFile.fileName,
+              line: line + 1,
+              column: character + 1,
+              ruleId: "WK8003",
+              severity: "warning",
+              message: `Container "${containerName}" is missing resource limits/requests. Set resources.limits and resources.requests to prevent unbounded resource consumption.`,
+            });
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/rules.test.ts

@@ -1,5 +1,7 @@
 import { describe, test, expect } from "bun:test";
 import { hardcodedNamespaceRule } from "./hardcoded-namespace";
+import { latestImageTagRule } from "./latest-image-tag";
+import { missingResourceLimitsRule } from "./missing-resource-limits";
 import * as ts from "typescript";
 
 function createContext(code: string) {
@@ -67,3 +69,193 @@ describe("WK8001: Hardcoded Namespace", () => {
     expect(diags.length).toBe(2);
   });
 });
+
+// ── WK8002: Latest Image Tag ────────────────────────────────────────
+
+describe("WK8002: Latest Image Tag", () => {
+  test("rule metadata", () => {
+    expect(latestImageTagRule.id).toBe("WK8002");
+    expect(latestImageTagRule.severity).toBe("warning");
+    expect(latestImageTagRule.category).toBe("security");
+  });
+
+  test("flags image: 'nginx:latest'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx:latest" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].ruleId).toBe("WK8002");
+    expect(diags[0].message).toContain(":latest");
+  });
+
+  test("flags untagged image: 'nginx'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].ruleId).toBe("WK8002");
+    expect(diags[0].message).toContain("no tag");
+  });
+
+  test("flags registry-prefixed untagged image: 'ghcr.io/org/app'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "ghcr.io/org/app" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+
+  test("does NOT flag explicitly tagged image: 'nginx:1.25'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx:1.25" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("does NOT flag image with digest", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx@sha256:abc123" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("flags :latest in StatefulSet", () => {
+    const ctx = createContext(
+      `new StatefulSet({ spec: { template: { spec: { containers: [{ name: "db", image: "postgres:latest" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+
+  test("flags :latest in DaemonSet", () => {
+    const ctx = createContext(
+      `new DaemonSet({ spec: { template: { spec: { containers: [{ name: "agent", image: "datadog:latest" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+
+  test("flags :latest in CronJob", () => {
+    const ctx = createContext(
+      `new CronJob({ spec: { jobTemplate: { spec: { template: { spec: { containers: [{ name: "job", image: "worker:latest" }] } } } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+
+  test("does NOT flag image property outside workload constructor", () => {
+    const ctx = createContext(
+      `const config = { image: "nginx:latest" };`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("flags multiple containers with bad images", () => {
+    const ctx = createContext(`
+      new Deployment({
+        spec: {
+          template: {
+            spec: {
+              containers: [
+                { name: "app", image: "nginx:latest" },
+                { name: "sidecar", image: "envoy" },
+              ],
+            },
+          },
+        },
+      });
+    `);
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(2);
+  });
+});
+
+// ── WK8003: Missing Resource Limits ─────────────────────────────────
+
+describe("WK8003: Missing Resource Limits", () => {
+  test("rule metadata", () => {
+    expect(missingResourceLimitsRule.id).toBe("WK8003");
+    expect(missingResourceLimitsRule.severity).toBe("warning");
+    expect(missingResourceLimitsRule.category).toBe("correctness");
+  });
+
+  test("flags container without resources property", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0" }] } } } });`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].ruleId).toBe("WK8003");
+    expect(diags[0].message).toContain("app");
+    expect(diags[0].message).toContain("resource limits");
+  });
+
+  test("does NOT flag container with resources property", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0", resources: { limits: { cpu: "500m", memory: "256Mi" } } }] } } } });`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("flags container in StatefulSet", () => {
+    const ctx = createContext(
+      `new StatefulSet({ spec: { template: { spec: { containers: [{ name: "db", image: "postgres:15" }] } } } });`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].message).toContain("db");
+  });
+
+  test("flags only containers without resources in mixed array", () => {
+    const ctx = createContext(`
+      new Deployment({
+        spec: {
+          template: {
+            spec: {
+              containers: [
+                { name: "app", image: "app:1.0", resources: { limits: { cpu: "1" } } },
+                { name: "sidecar", image: "envoy:1.0" },
+              ],
+            },
+          },
+        },
+      });
+    `);
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].message).toContain("sidecar");
+  });
+
+  test("does NOT flag outside workload constructor", () => {
+    const ctx = createContext(
+      `const containers = [{ name: "app", image: "app:1.0" }];`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("flags multiple containers without resources", () => {
+    const ctx = createContext(`
+      new Deployment({
+        spec: {
+          template: {
+            spec: {
+              containers: [
+                { name: "web", image: "nginx:1.25" },
+                { name: "api", image: "api:2.0" },
+              ],
+            },
+          },
+        },
+      });
+    `);
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(2);
+  });
+});

package/src/plugin.test.ts

@@ -30,10 +30,10 @@ describe("k8sPlugin", () => {
     expect(rules.some((r) => r.id === "WK8001")).toBe(true);
   });
 
-  test("postSynthChecks() returns array of 20 checks", () => {
+  test("postSynthChecks() returns array of 22 checks", () => {
     const checks = k8sPlugin.postSynthChecks!();
     expect(Array.isArray(checks)).toBe(true);
-    expect(checks.length).toBe(20);
+    expect(checks.length).toBe(23);
   });
 
   test("intrinsics() returns empty array", () => {