@runsec/mcp 1.0.35 → 1.0.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83) hide show
  1. package/dist/data/.rag-cache.json +1 -0
  2. package/dist/data/skills/_exploit_overrides.json +16 -0
  3. package/dist/data/skills/advanced-agent-cloud/index.md +94 -0
  4. package/dist/data/skills/advanced-agent-cloud/patterns.md +46 -0
  5. package/dist/data/skills/advanced-agent-cloud/skill.json +38 -0
  6. package/dist/data/skills/app-logic/index.md +69 -0
  7. package/dist/data/skills/app-logic/patterns.md +23 -0
  8. package/dist/data/skills/app-logic/skill.json +24 -0
  9. package/dist/data/skills/auth-keycloak/index.md +69 -0
  10. package/dist/data/skills/auth-keycloak/patterns.md +46 -0
  11. package/dist/data/skills/auth-keycloak/skill.json +51 -0
  12. package/dist/data/skills/browser-agent/index.md +58 -0
  13. package/dist/data/skills/browser-agent/patterns.md +15 -0
  14. package/dist/data/skills/browser-agent/skill.json +24 -0
  15. package/dist/data/skills/cloud-secrets/index.md +66 -0
  16. package/dist/data/skills/cloud-secrets/patterns.md +19 -0
  17. package/dist/data/skills/cloud-secrets/skill.json +28 -0
  18. package/dist/data/skills/csharp-dotnet/index.md +103 -0
  19. package/dist/data/skills/csharp-dotnet/patterns.md +270 -0
  20. package/dist/data/skills/csharp-dotnet/skill.json +27 -0
  21. package/dist/data/skills/desktop-vsto-suite/index.md +202 -0
  22. package/dist/data/skills/desktop-vsto-suite/patterns.md +154 -0
  23. package/dist/data/skills/desktop-vsto-suite/skill.json +26 -0
  24. package/dist/data/skills/devops-security/index.md +64 -0
  25. package/dist/data/skills/devops-security/patterns.md +23 -0
  26. package/dist/data/skills/devops-security/skill.json +42 -0
  27. package/dist/data/skills/domain-access-management/index.md +123 -0
  28. package/dist/data/skills/domain-access-management/patterns.md +58 -0
  29. package/dist/data/skills/domain-access-management/skill.json +36 -0
  30. package/dist/data/skills/domain-data-privacy/index.md +98 -0
  31. package/dist/data/skills/domain-data-privacy/patterns.md +48 -0
  32. package/dist/data/skills/domain-data-privacy/skill.json +36 -0
  33. package/dist/data/skills/domain-input-validation/index.md +210 -0
  34. package/dist/data/skills/domain-input-validation/patterns.md +158 -0
  35. package/dist/data/skills/domain-input-validation/skill.json +24 -0
  36. package/dist/data/skills/domain-platform-hardening/index.md +169 -0
  37. package/dist/data/skills/domain-platform-hardening/patterns.md +96 -0
  38. package/dist/data/skills/domain-platform-hardening/skill.json +27 -0
  39. package/dist/data/skills/ds-ml-security/patterns.md +137 -0
  40. package/dist/data/skills/fastapi-async/index.md +83 -0
  41. package/dist/data/skills/fastapi-async/patterns.md +329 -0
  42. package/dist/data/skills/fastapi-async/skill.json +32 -0
  43. package/dist/data/skills/frontend-react/index.md +26 -0
  44. package/dist/data/skills/frontend-react/patterns.md +226 -0
  45. package/dist/data/skills/frontend-react/skill.json +24 -0
  46. package/dist/data/skills/go-core/index.md +86 -0
  47. package/dist/data/skills/go-core/patterns.md +272 -0
  48. package/dist/data/skills/go-core/skill.json +22 -0
  49. package/dist/data/skills/hft-cpp-security/patterns.md +37 -0
  50. package/dist/data/skills/index.md +73 -0
  51. package/dist/data/skills/infra-k8s-helm/index.md +138 -0
  52. package/dist/data/skills/infra-k8s-helm/patterns.md +279 -0
  53. package/dist/data/skills/infra-k8s-helm/skill.json +41 -0
  54. package/dist/data/skills/integration-security/index.md +73 -0
  55. package/dist/data/skills/integration-security/patterns.md +132 -0
  56. package/dist/data/skills/integration-security/skill.json +30 -0
  57. package/dist/data/skills/java-enterprise/index.md +31 -0
  58. package/dist/data/skills/java-enterprise/patterns.md +816 -0
  59. package/dist/data/skills/java-enterprise/skill.json +26 -0
  60. package/dist/data/skills/java-spring/index.md +65 -0
  61. package/dist/data/skills/java-spring/patterns.md +22 -0
  62. package/dist/data/skills/java-spring/skill.json +23 -0
  63. package/dist/data/skills/license-compliance/index.md +58 -0
  64. package/dist/data/skills/license-compliance/patterns.md +12 -0
  65. package/dist/data/skills/license-compliance/skill.json +28 -0
  66. package/dist/data/skills/mobile-security/patterns.md +42 -0
  67. package/dist/data/skills/nodejs-nestjs/index.md +71 -0
  68. package/dist/data/skills/nodejs-nestjs/patterns.md +288 -0
  69. package/dist/data/skills/nodejs-nestjs/skill.json +24 -0
  70. package/dist/data/skills/observability/index.md +68 -0
  71. package/dist/data/skills/observability/patterns.md +22 -0
  72. package/dist/data/skills/observability/skill.json +26 -0
  73. package/dist/data/skills/php-security/patterns.md +202 -0
  74. package/dist/data/skills/ru-regulatory/index.md +72 -0
  75. package/dist/data/skills/ru-regulatory/patterns.md +28 -0
  76. package/dist/data/skills/ru-regulatory/skill.json +53 -0
  77. package/dist/data/skills/ruby-rails/index.md +65 -0
  78. package/dist/data/skills/ruby-rails/patterns.md +172 -0
  79. package/dist/data/skills/ruby-rails/skill.json +24 -0
  80. package/dist/data/skills/rust-security/patterns.md +152 -0
  81. package/dist/data/trufflehog-config.yaml +407 -0
  82. package/dist/index.js +3766 -372
  83. package/package.json +1 -1
package/dist/data/skills/infra-k8s-helm/patterns.md ADDED
@@ -0,0 +1,279 @@
1
+ | ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник fix_template | Exploit scenario |
2
+ |---|---|---|---|---|---|---|
3
+ | INF-4.1 | Dockerfile без выделенного непривилегированного пользователя | `FROM python:3.11`<br>`WORKDIR /app`<br>`COPY . /app`<br>`CMD ["python","main.py"]` | `FROM python:3.11`<br>`WORKDIR /app`<br>`RUN groupadd -r app && useradd -r -g app app`<br>`COPY . /app`<br>`RUN chown -R app:app /app`<br>`USER app`<br>`CMD ["python","main.py"]` | Kubernetes/Infra | `CIS_Docker_Benchmark_v1.8.0.pdf, п. 4.1` | `FROM python:3.11` `WORKDIR /app` `RUN groupadd -r app && useradd -r -g app app` `COPY . /app` `RUN chown -R app:app /app` `USER app` `CMD ["python","main.py"]` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-4.1 dockerfile без выделенного непривилегированного пользователя from python 3 11 workdir app copy cmd main py run groupadd r useradd g -->
4
+ | INF-5.10 | Нет ограничений памяти и CPU для контейнера | `services:`<br>` api:`<br>` image: example/api:1.0.0` | `services:`<br>` api:`<br>` image: example/api:1.0.0`<br>` mem_limit: "512m"`<br>` cpu_shares: 512` | Kubernetes/Infra | `CIS_Docker_Benchmark_v1.8.0.pdf, п. 5.10` | `services:` ` api:` ` image: example/api:1.0.0` ` mem_limit: "512m"` ` cpu_shares: 512` | Атакующий исчерпывает CPU/RAM контейнера множеством запросов; при отсутствии limits — отказ в обслуживании (обычно не прямой RCE). | <!-- semantic_anchor: inf-5.10 нет ограничений памяти и cpu для контейнера services api image example 1 0 mem limit 512m shares 512 -->
5
+ | INF-5.2.1 | Привилегированный контейнер используется | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: privileged-pod`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: nginx:1.27`<br>` securityContext:`<br>` privileged: true` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: restricted-pod`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: nginx:1.27`<br>` securityContext:`<br>` privileged: false` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.2.1` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: restricted-pod` `spec:` ` containers:` ` - name: app` ` image: nginx:1.27` ` securityContext:` ` privileged: false` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.2.1 привилегированный контейнер используется apiversion v1 kind pod metadata name privileged spec containers app image nginx 1 27 securitycontext true restricted -->
6
+ | INF-5.2.4 | `allowPrivilegeEscalation` не запрещен | `apiVersion: apps/v1`<br>`kind: Deployment`<br>`metadata:`<br>` name: ape-on`<br>`spec:`<br>` template:`<br>` spec:`<br>` containers:`<br>` - name: app`<br>` image: example/app:1.0.0`<br>` securityContext:`<br>` allowPrivilegeEscalation: true` | `apiVersion: apps/v1`<br>`kind: Deployment`<br>`metadata:`<br>` name: ape-off`<br>`spec:`<br>` template:`<br>` spec:`<br>` containers:`<br>` - name: app`<br>` image: example/app:1.0.0`<br>` securityContext:`<br>` allowPrivilegeEscalation: false` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.2.4` | `apiVersion: apps/v1` `kind: Deployment` `metadata:` ` name: ape-off` `spec:` ` template:` ` spec:` ` containers:` ` - name: app` ` image: example/app:1.0.0` ` securityContext:` ` allowPrivilegeEscalation: false` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.2.4 allowprivilegeescalation не запрещен apiversion apps v1 kind deployment metadata name ape on spec template containers app image example 1 0 -->
7
+ | INF-5.2.5 | Контейнер запускается с root GID | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: root-gid`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: example/app:1.0.0`<br>` securityContext:`<br>` runAsGroup: 0` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: non-root-gid`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: example/app:1.0.0`<br>` securityContext:`<br>` runAsNonRoot: true`<br>` runAsGroup: 10001` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.2.5` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: non-root-gid` `spec:` ` containers:` ` - name: app` ` image: example/app:1.0.0` ` securityContext:` ` runAsNonRoot: true` ` runAsGroup: 10001` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.2.5 контейнер запускается с root gid apiversion v1 kind pod metadata name spec containers app image example 1 0 securitycontext runasgroup -->
8
+ | INF-5.3.1 | NetworkPolicies не определены | `apiVersion: apps/v1`<br>`kind: Deployment`<br>`metadata:`<br>` name: app`<br>`spec:`<br>` template:`<br>` metadata:`<br>` labels:`<br>` app: app`<br>` spec:`<br>` containers:`<br>` - name: app`<br>` image: example/app:1.0.0` | `apiVersion: networking.k8s.io/v1`<br>`kind: NetworkPolicy`<br>`metadata:`<br>` name: app-default-deny`<br>` namespace: default`<br>`spec:`<br>` podSelector:`<br>` matchLabels:`<br>` app: app`<br>` policyTypes:`<br>` - Ingress`<br>` - Egress`<br>` ingress: []`<br>` egress: []` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.3.1` | `apiVersion: networking.k8s.io/v1` `kind: NetworkPolicy` `metadata:` ` name: app-default-deny` ` namespace: default` `spec:` ` podSelector:` ` matchLabels:` ` app: app` ` policyTypes:` ` - Ingress` ` - Egress` ` ingress: []` ` egress: []` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.3.1 networkpolicies не определены apiversion apps v1 kind deployment metadata name app spec template labels containers image example 1 0 networking -->
9
+ | INF-2.5.1 | NGINX раскрывает версию (`server_tokens on`) | `server {`<br>` listen 80;`<br>` server_tokens on;`<br>`}` | `server {`<br>` listen 80;`<br>` server_tokens off; # CIS: скрыть версию NGINX`<br>`}` | Kubernetes/Infra | `CIS_NGINX_Benchmark_v3.0.0.pdf, п. 2.5.1` | `server {` ` listen 80;` ` server_tokens off; # CIS: скрыть версию NGINX` `}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-2.5.1 nginx раскрывает версию server tokens on listen 80 off cis скрыть -->
10
+ | INF-5.3.2 | NGINX без Content-Security-Policy | `server {`<br>` listen 443 ssl;`<br>` location / { proxy_pass http://app; }`<br>`}` | `server {`<br>` listen 443 ssl;`<br>` add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; object-src 'none'" always; # CIS: CSP обязателен`<br>` location / { proxy_pass http://app; }`<br>`}` | Kubernetes/Infra | `CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.3.2` | `server {` ` listen 443 ssl;` ` add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; object-src 'none'" always; # CIS: CSP обязателен` ` location / { proxy_pass http://app; }` `}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.3.2 nginx без content security policy server listen 443 ssl location proxy pass http app add header default src self frame -->
11
+ | INF-5.3.1-NGX | NGINX без X-Frame-Options | `server {`<br>` listen 443 ssl;`<br>` location / { proxy_pass http://app; }`<br>`}` | `server {`<br>` listen 443 ssl;`<br>` add_header X-Frame-Options "DENY" always; # CIS: разрешено DENY или SAMEORIGIN`<br>` location / { proxy_pass http://app; }`<br>`}` | Kubernetes/Infra | `CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.3.1` | `server {` ` listen 443 ssl;` ` add_header X-Frame-Options "DENY" always; # CIS: разрешено DENY или SAMEORIGIN` ` location / { proxy_pass http://app; }` `}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.3.1-ngx nginx без x frame options server listen 443 ssl location proxy pass http app add header deny always cis разрешено -->
12
+ | INF-1.2.1 | API Server допускает anonymous auth | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: kube-apiserver`<br>`spec:`<br>` containers:`<br>` - name: kube-apiserver`<br>` command:`<br>` - kube-apiserver`<br>` - --anonymous-auth=true` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: kube-apiserver`<br>`spec:`<br>` containers:`<br>` - name: kube-apiserver`<br>` command:`<br>` - kube-apiserver`<br>` - --anonymous-auth=false # CIS: запрет неаутентифицированного доступа` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 1.2.1` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: kube-apiserver` `spec:` ` containers:` ` - name: kube-apiserver` ` command:` ` - kube-apiserver` ` - --anonymous-auth=false # CIS: запрет неаутентифицированного доступа` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-1.2.1 api server допускает anonymous auth apiversion v1 kind pod metadata name kube apiserver spec containers command true false cis запрет -->
13
+ | INF-1.2.6 | API Server без admission-control config файла | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: kube-apiserver`<br>`spec:`<br>` containers:`<br>` - name: kube-apiserver`<br>` command:`<br>` - kube-apiserver` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: kube-apiserver`<br>`spec:`<br>` containers:`<br>` - name: kube-apiserver`<br>` command:`<br>` - kube-apiserver`<br>` - --admission-control-config-file=/etc/kubernetes/admission-control.yaml # CIS: явно задать политику admission` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 1.2.6` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: kube-apiserver` `spec:` ` containers:` ` - name: kube-apiserver` ` command:` ` - kube-apiserver` ` - --admission-control-config-file=/etc/kubernetes/admission-control.yaml # CIS: явно задать политику admission` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-1.2.6 api server без admission control config файла apiversion v1 kind pod metadata name kube apiserver spec containers command file etc -->
14
+ | INF-5.1.1 | Избыточное использование `cluster-admin` | `apiVersion: rbac.authorization.k8s.io/v1`<br>`kind: ClusterRoleBinding`<br>`metadata:`<br>` name: app-cluster-admin`<br>`subjects:`<br>`- kind: ServiceAccount`<br>` name: app-sa`<br>` namespace: app`<br>`roleRef:`<br>` kind: ClusterRole`<br>` name: cluster-admin`<br>` apiGroup: rbac.authorization.k8s.io` | `apiVersion: rbac.authorization.k8s.io/v1`<br>`kind: Role`<br>`metadata:`<br>` name: app-read-only`<br>` namespace: app`<br>`rules:`<br>`- apiGroups: [""]`<br>` resources: ["pods","services"]`<br>` verbs: ["get","list","watch"] # CIS: минимум привилегий`<br>`---`<br>`apiVersion: rbac.authorization.k8s.io/v1`<br>`kind: RoleBinding`<br>`metadata:`<br>` name: app-read-only-binding`<br>` namespace: app`<br>`subjects:`<br>`- kind: ServiceAccount`<br>` name: app-sa`<br>` namespace: app`<br>`roleRef:`<br>` kind: Role`<br>` name: app-read-only`<br>` apiGroup: rbac.authorization.k8s.io` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.1.1` | `apiVersion: rbac.authorization.k8s.io/v1` `kind: Role` `metadata:` ` name: app-read-only` ` namespace: app` `rules:` `- apiGroups: [""]` ` resources: ["pods","services"]` ` verbs: ["get","list","watch"] # CIS: минимум привилегий` `---` `apiVersion: rbac.authorization.k8s.io/v1` `kind: RoleBinding` `metadata:` ` name: app-read-only-binding` ` namespace: app` `subjects:` `- kind: ServiceAccount` ` name: app-sa` ` namespace: app` `roleRef:` ` kind: Role` ` name: app-read-only` ` apiGroup: rbac.authorization.k8s.io` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.1.1 избыточное использование cluster admin apiversion rbac authorization k8s io v1 kind clusterrolebinding metadata name app subjects serviceaccount sa namespace roleref -->
15
+ | INF-5.6.2 | Pod без seccomp профиля | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: no-seccomp`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: nginx:1.27` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: with-seccomp`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: nginx:1.27`<br>` securityContext:`<br>` seccompProfile:`<br>` type: RuntimeDefault # CIS: docker/default или runtime/default` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 5.6.2` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: with-seccomp` `spec:` ` containers:` ` - name: app` ` image: nginx:1.27` ` securityContext:` ` seccompProfile:` ` type: RuntimeDefault # CIS: docker/default или runtime/default` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.6.2 pod без seccomp профиля apiversion v1 kind metadata name no spec containers app image nginx 1 27 with securitycontext seccompprofile -->
16
+ | INF-1.2.33 | Шифрование секретов в etcd не включено | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: kube-apiserver`<br>`spec:`<br>` containers:`<br>` - name: kube-apiserver`<br>` command:`<br>` - kube-apiserver` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: kube-apiserver`<br>`spec:`<br>` containers:`<br>` - name: kube-apiserver`<br>` command:`<br>` - kube-apiserver`<br>` - --encryption-provider-config=/etc/kubernetes/encryption-provider.yaml # CIS: encryption at rest for secrets` | Kubernetes/Infra | `CIS_Kubernetes_Benchmark_V1.12.0_PDF.pdf, п. 1.2.33` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: kube-apiserver` `spec:` ` containers:` ` - name: kube-apiserver` ` command:` ` - kube-apiserver` ` - --encryption-provider-config=/etc/kubernetes/encryption-provider.yaml # CIS: encryption at rest for secrets` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-1.2.33 шифрование секретов в etcd не включено apiversion v1 kind pod metadata name kube apiserver spec containers command encryption provider config -->
17
+ | INF-4.4 | Dockerfile содержит секреты в `ENV`/`LABEL` | `FROM python:3.11`<br>`ENV DB_PASSWORD=supersecret`<br>`LABEL api_token=\"prod-token-123\"` | `FROM python:3.11`<br>`ENV DB_PASSWORD_FILE=/run/secrets/db_password`<br>`LABEL security.secrets=\"external-secret-store\" # no plaintext secrets` | Kubernetes/Infra | `CIS_Docker_Benchmark_v1.8.0.pdf, п. 4.4` | `FROM python:3.11` `ENV DB_PASSWORD_FILE=/run/secrets/db_password` `LABEL security.secrets=\"external-secret-store\" # no plaintext secrets` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-4.4 dockerfile содержит секреты в env label from python 3 11 db password supersecret api token prod 123 file run secrets -->
18
+ | INF-5.25 | Монтирование `/var/run/docker.sock` в контейнер | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: docker-sock-pod`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: alpine:3.20`<br>` volumeMounts:`<br>` - name: dockersock`<br>` mountPath: /var/run/docker.sock`<br>` volumes:`<br>` - name: dockersock`<br>` hostPath:`<br>` path: /var/run/docker.sock` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: no-docker-sock`<br>`spec:`<br>` containers:`<br>` - name: app`<br>` image: alpine:3.20`<br>` volumeMounts:`<br>` - name: app-tmp`<br>` mountPath: /tmp`<br>` volumes:`<br>` - name: app-tmp`<br>` emptyDir: {}` | Kubernetes/Infra | `CIS_Docker_Benchmark_v1.8.0.pdf, п. 5.25` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: no-docker-sock` `spec:` ` containers:` ` - name: app` ` image: alpine:3.20` ` volumeMounts:` ` - name: app-tmp` ` mountPath: /tmp` ` volumes:` ` - name: app-tmp` ` emptyDir: {}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.25 монтирование var run docker sock в контейнер apiversion v1 kind pod metadata name spec containers app image alpine 3 20 -->
19
+ | INF-5.1.2-TLS | Разрешены TLS 1.0/1.1 в NGINX | `server {`<br>` listen 443 ssl;`<br>` ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`<br>`}` | `server {`<br>` listen 443 ssl;`<br>` ssl_protocols TLSv1.2 TLSv1.3; # CIS: disable legacy TLS`<br>`}` | Kubernetes/Infra | `CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.1.2` | `server {` ` listen 443 ssl;` ` ssl_protocols TLSv1.2 TLSv1.3; # CIS: disable legacy TLS` `}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.1.2-tls разрешены tls 1 0 в nginx server listen 443 ssl protocols tlsv1 2 3 cis disable legacy -->
20
+ | INF-5.5.1 | Не ограничены HTTP-методы | `location /api/ {`<br>` proxy_pass http://backend;`<br>`}` | `location /api/ {`<br>` limit_except GET POST HEAD {`<br>` deny all; # CIS: allow only approved methods`<br>` }`<br>` proxy_pass http://backend;`<br>`}` | Kubernetes/Infra | `CIS_NGINX_Benchmark_v3.0.0.pdf, п. 5.5.1` | `location /api/ {` ` limit_except GET POST HEAD {` ` deny all; # CIS: allow only approved methods` ` }` ` proxy_pass http://backend;` `}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-5.5.1 не ограничены http методы location api proxy pass backend limit except get post head deny all cis allow only approved -->
21
+ | INF-010 | Hardcoded Credentials: захардкоженные пароли и токены в коде/манифестах | `services:`<br>` db:`<br>` image: postgres:16`<br>` environment:`<br>` POSTGRES_PASSWORD: "supersecret"`<br>` API_TOKEN: "prod-token-123"` | `services:`<br>` db:`<br>` image: postgres:16`<br>` environment:`<br>` POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password`<br>` API_TOKEN_FILE: /run/secrets/api_token`<br>`secrets:`<br>` postgres_password:`<br>` file: ./secrets/postgres_password`<br>` api_token:`<br>` file: ./secrets/api_token` | Kubernetes/Infra | `OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (secret management)` | `services:` ` db:` ` image: postgres:16` ` environment:` ` POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password` ` API_TOKEN_FILE: /run/secrets/api_token` `secrets:` ` postgres_password:` ` file: ./secrets/postgres_password` ` api_token:` ` file: ./secrets/api_token` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-010 hardcoded credentials захардкоженные пароли и токены в коде манифестах services db image postgres 16 environment password supersecret api token prod -->
22
+ | INF-011 | Committed Private Keys: приватные ключи в репозитории | `-----BEGIN RSA PRIVATE KEY-----`<br>`MIIEowIBAAKCAQEA...`<br>`-----END RSA PRIVATE KEY-----` | `tls.crt`<br>`tls.key`<br>`# secrets are provisioned at deploy time via external secret manager`<br>`apiVersion: external-secrets.io/v1beta1`<br>`kind: ExternalSecret`<br>`metadata:`<br>` name: app-tls`<br>`spec:`<br>` secretStoreRef:`<br>` name: vault-store`<br>` kind: ClusterSecretStore`<br>` target:`<br>` name: app-tls`<br>` data:`<br>` - secretKey: tls.key`<br>` remoteRef:`<br>` key: kv/prod/app/tls_key` | Kubernetes/Infra | `OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (key material handling)` | `tls.crt` `tls.key` `# secrets are provisioned at deploy time via external secret manager` `apiVersion: external-secrets.io/v1beta1` `kind: ExternalSecret` `metadata:` ` name: app-tls` `spec:` ` secretStoreRef:` ` name: vault-store` ` kind: ClusterSecretStore` ` target:` ` name: app-tls` ` data:` ` - secretKey: tls.key` ` remoteRef:` ` key: kv/prod/app/tls_key` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-011 committed private keys приватные ключи в репозитории begin rsa key miieowibaakcaqea end tls crt secrets are provisioned at deploy time -->
23
+ | INF-012 | Insecure .gitignore: секретные конфиги не исключены из Git | `# .gitignore`<br>`__pycache__/`<br>`*.pyc`<br>`# secrets are not ignored` | `# .gitignore`<br>`.env`<br>`.env.*`<br>`secrets/`<br>`*.pem`<br>`*.key`<br>`*credentials*.json`<br>`!.env.example` | Kubernetes/Infra | `OWASP API Security Top 10 (API8: Security Misconfiguration); FastAPI Production Readiness (repository hygiene)` | `# .gitignore` `.env` `.env.*` `secrets/` `*.pem` `*.key` `*credentials*.json` `!.env.example` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-012 insecure gitignore секретные конфиги не исключены из git pycache pyc secrets are not ignored env pem key credentials json example -->
24
+ | INF-013 | Mutable Image Tags: использование `:latest` без digest pinning | `apiVersion: apps/v1`<br>`kind: Deployment`<br>`spec:`<br>` template:`<br>` spec:`<br>` containers:`<br>` - name: api`<br>` ...`<br>` image: org/api:latest` | `apiVersion: apps/v1`<br>`kind: Deployment`<br>`spec:`<br>` template:`<br>` spec:`<br>` containers:`<br>` - name: api`<br>` ...`<br>` image: org/api@sha256:3b5f...` | Kubernetes/Infra | `CWE-494` | `apiVersion: apps/v1` `kind: Deployment` `spec:` ` template:` ` spec:` ` containers:` ` - name: api` ` ...` ` image: org/api@sha256:3b5f...` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-013 mutable image tags использование latest без digest pinning apiversion apps v1 kind deployment spec template containers name api org sha256 -->
25
+ | INF-014 | Auto-mounted ServiceAccount Token: токен пода доступен без необходимости | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: app-pod`<br>`spec:`<br>` ...`<br>` containers:`<br>` - name: app`<br>` image: org/app:1.0.0` | `apiVersion: v1`<br>`kind: Pod`<br>`metadata:`<br>` name: app-pod`<br>`spec:`<br>` automountServiceAccountToken: false`<br>` ...`<br>` containers:`<br>` - name: app`<br>` image: org/app:1.0.0` | Kubernetes/Infra | `CWE-269` | `apiVersion: v1` `kind: Pod` `metadata:` ` name: app-pod` `spec:` ` automountServiceAccountToken: false` ` ...` ` containers:` ` - name: app` ` image: org/app:1.0.0` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-014 auto mounted serviceaccount token токен пода доступен без необходимости apiversion v1 kind pod metadata name app spec containers image org -->
26
+ | K8S-010 | Missing capabilities drop (`ALL`) | `securityContext:`<br>` capabilities:`<br>` add: ["NET_ADMIN"]` | `securityContext:`<br>` allowPrivilegeEscalation: false`<br>` capabilities:`<br>` drop: ["ALL"]` | Kubernetes/Infra | `CIS Kubernetes` | `securityContext:` ` allowPrivilegeEscalation: false` ` capabilities:` ` drop: ["ALL"]` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-010 capabilities drop all missing -->
27
+ | K8S-011 | Host networking enabled | `spec:`<br>` hostNetwork: true` | `spec:`<br>` hostNetwork: false` | Kubernetes/Infra | `CIS Kubernetes` | `spec:` ` hostNetwork: false` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-011 hostnetwork true -->
28
+ | K8S-012 | Host PID namespace enabled | `spec:`<br>` hostPID: true` | `spec:`<br>` hostPID: false` | Kubernetes/Infra | `CIS Kubernetes` | `spec:` ` hostPID: false` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-012 hostpid true -->
29
+ | K8S-013 | Host IPC namespace enabled | `spec:`<br>` hostIPC: true` | `spec:`<br>` hostIPC: false` | Kubernetes/Infra | `CIS Kubernetes` | `spec:` ` hostIPC: false` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-013 hostipc true -->
30
+ | K8S-014 | Missing readOnlyRootFilesystem | `securityContext:`<br>` readOnlyRootFilesystem: false` | `securityContext:`<br>` readOnlyRootFilesystem: true` | Kubernetes/Infra | `CIS Kubernetes` | `securityContext:` ` readOnlyRootFilesystem: true` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-014 readonlyrootfilesystem false -->
31
+ | K8S-015 | runAsNonRoot not enforced | `securityContext:`<br>` runAsNonRoot: false` | `securityContext:`<br>` runAsNonRoot: true` | Kubernetes/Infra | `CIS Kubernetes` | `securityContext:` ` runAsNonRoot: true` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-015 runasnonroot false -->
32
+ | K8S-016 | AppArmor profile not set | `metadata:`<br>` annotations: {}` | `metadata:`<br>` annotations:`<br>` container.apparmor.security.beta.kubernetes.io/app: runtime/default` | Kubernetes/Infra | `Kubernetes Hardening` | `metadata:` ` annotations:` ` container.apparmor.security.beta.kubernetes.io/app: runtime/default` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-016 apparmor runtime default missing -->
33
+ | K8S-017 | Seccomp profile Unconfined | `seccompProfile:`<br>` type: Unconfined` | `seccompProfile:`<br>` type: RuntimeDefault` | Kubernetes/Infra | `CIS Kubernetes` | `seccompProfile:` ` type: RuntimeDefault` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-017 seccomp unconfined runtimedefault -->
34
+ | K8S-018 | No liveness probe | `containers:`<br>`- name: api` | `containers:`<br>`- name: api`<br>` livenessProbe:`<br>` httpGet:`<br>` path: /healthz` | Kubernetes/Infra | `Kubernetes Reliability` | `containers:` `- name: api` ` livenessProbe:` ` httpGet:` ` path: /healthz` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-018 missing livenessprobe -->
35
+ | K8S-019 | No readiness probe | `containers:`<br>`- name: api` | `containers:`<br>`- name: api`<br>` readinessProbe:`<br>` httpGet:`<br>` path: /ready` | Kubernetes/Infra | `Kubernetes Reliability` | `containers:` `- name: api` ` readinessProbe:` ` httpGet:` ` path: /ready` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-019 missing readinessprobe -->
36
+ | K8S-020 | No resource limits | `resources: {}` | `resources:`<br>` limits:`<br>` cpu: "500m"`<br>` memory: "512Mi"` | Kubernetes/Infra | `CIS Kubernetes` | `resources:` ` limits:` ` cpu: "500m"` ` memory: "512Mi"` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-020 resources limits missing -->
37
+ | K8S-021 | NetworkPolicy absent for namespace | `kind: Deployment`<br>`metadata:`<br>` namespace: prod` | `kind: NetworkPolicy`<br>`metadata:`<br>` namespace: prod`<br>`spec:`<br>` policyTypes: ["Ingress","Egress"]` | Kubernetes/Infra | `Kubernetes NetworkPolicy` | `kind: NetworkPolicy` `metadata:` ` namespace: prod` `spec:` ` policyTypes: ["Ingress","Egress"]` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-021 networkpolicy enforcement namespace -->
38
+ | K8S-022 | Service of type NodePort exposed by default | `kind: Service`<br>`spec:`<br>` type: NodePort` | `kind: Service`<br>`spec:`<br>` type: ClusterIP` | Kubernetes/Infra | `Kubernetes Exposure` | `kind: Service` `spec:` ` type: ClusterIP` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-022 service nodeport clusterip -->
39
+ | K8S-023 | Wildcard RBAC verbs/resources | `verbs: ["*"]`<br>`resources: ["*"]` | `verbs: ["get","list"]`<br>`resources: ["pods"]` | Kubernetes/Infra | `CIS Kubernetes RBAC` | `verbs: ["get","list"]` `resources: ["pods"]` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-023 rbac wildcard verbs resources -->
40
+ | K8S-024 | automountServiceAccountToken enabled | `automountServiceAccountToken: true` | `automountServiceAccountToken: false` | Kubernetes/Infra | `CIS Kubernetes` | `automountServiceAccountToken: false` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-024 automountserviceaccounttoken true -->
41
+ | K8S-025 | Latest image tag in workload | `image: org/api:latest` | `image: org/api@sha256:abcd...` | Kubernetes/Infra | `Supply Chain` | `image: org/api@sha256:abcd...` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-025 image latest digest pinning -->
42
+ | DOCK-010 | Container runs as root | `USER root` | `RUN adduser -D appuser`<br>`USER appuser` | Kubernetes/Infra | `CIS Docker` | `RUN adduser -D appuser` `USER appuser` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-010 user root nonroot -->
43
+ | DOCK-011 | Missing non-root USER in final stage | `FROM alpine:3.20`<br>`CMD ["app"]` | `FROM alpine:3.20`<br>`USER 10001`<br>`CMD ["app"]` | Kubernetes/Infra | `CIS Docker` | `FROM alpine:3.20` `USER 10001` `CMD ["app"]` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-011 missing non-root user root docker final stage -->
44
+ | DOCK-012 | Writable root filesystem by default | `docker run app:latest` | `docker run --read-only --tmpfs /tmp app@sha256:...` | Kubernetes/Infra | `Docker Runtime Hardening` | `docker run --read-only --tmpfs /tmp app@sha256:...` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-012 read only rootfs missing -->
45
+ | DOCK-013 | Base image uses latest tag | `FROM node:latest` | `FROM node:20.11.1@sha256:...` | Kubernetes/Infra | `Supply Chain` | `FROM node:20.11.1@sha256:...` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-013 from latest tag -->
46
+ | DOCK-014 | ADD used for remote URL | `ADD https://example.com/app.tar.gz /opt/` | `COPY app.tar.gz /opt/` | Kubernetes/Infra | `Docker Best Practices` | `COPY app.tar.gz /opt/` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-014 add remote url copy -->
47
+ | DOCK-015 | Package manager cache not cleaned | `RUN apt-get update && apt-get install -y curl` | `RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*` | Kubernetes/Infra | `Container Minimization` | `RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-015 apt cache cleanup -->
48
+ | DOCK-016 | Sensitive values in ENV/ARG | `ARG API_TOKEN=prod-secret` | `ARG API_TOKEN`<br>`# inject via runtime secrets` | Kubernetes/Infra | `Secret Management` | `ARG API_TOKEN` `# inject via runtime secrets` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-016 env arg secret -->
49
+ | DOCK-017 | No HEALTHCHECK instruction | `FROM python:3.11`<br>`CMD ["python","app.py"]` | `HEALTHCHECK CMD curl -f http://localhost:8080/health | Kubernetes/Infra | exit 1` | `Container Reliability` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-017 healthcheck missing -->
50
+ | DOCK-018 | Privileged container run flags | `docker run --privileged app:1.0` | `docker run --cap-drop ALL --security-opt no-new-privileges app:1.0` | Kubernetes/Infra | `Docker Runtime Hardening` | `docker run --cap-drop ALL --security-opt no-new-privileges app:1.0` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-018 docker privileged run -->
51
+ | DOCK-019 | Docker socket mounted into container | `-v /var/run/docker.sock:/var/run/docker.sock` | `# do not mount docker.sock` | Kubernetes/Infra | `Container Escape Prevention` | `# do not mount docker.sock` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-019 docker sock mount -->
52
+ | DOCK-020 | No seccomp profile at runtime | `docker run app:1.0` | `docker run --security-opt seccomp=default.json app:1.0` | Kubernetes/Infra | `Docker Runtime Hardening` | `docker run --security-opt seccomp=default.json app:1.0` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-020 seccomp profile missing -->
53
+ | NGX-001 | HSTS header missing | `server {`<br>` listen 443 ssl;`<br>`}` | `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` | Kubernetes/Infra | `CIS NGINX` | `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-001 hsts header missing -->
54
+ | NGX-002 | Content-Security-Policy missing | `# no CSP header` | `add_header Content-Security-Policy "default-src 'self'" always;` | Kubernetes/Infra | `CIS NGINX` | `add_header Content-Security-Policy "default-src 'self'" always;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-002 csp header missing -->
55
+ | NGX-003 | X-Content-Type-Options missing | `# no X-Content-Type-Options` | `add_header X-Content-Type-Options "nosniff" always;` | Kubernetes/Infra | `CIS NGINX` | `add_header X-Content-Type-Options "nosniff" always;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-003 nosniff header missing -->
56
+ | NGX-004 | X-Frame-Options missing | `# no X-Frame-Options` | `add_header X-Frame-Options "DENY" always;` | Kubernetes/Infra | `CIS NGINX` | `add_header X-Frame-Options "DENY" always;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-004 x frame options missing -->
57
+ | NGX-005 | Weak TLS protocols enabled | `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` | `ssl_protocols TLSv1.2 TLSv1.3;` | Kubernetes/Infra | `TLS hardening` | `ssl_protocols TLSv1.2 TLSv1.3;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-005 tls protocols weak -->
58
+ | NGX-006 | TLS 1.3 not enforced for strict profile | `ssl_protocols TLSv1.2;` | `ssl_protocols TLSv1.3;` | Kubernetes/Infra | `Fortress Policy` | `ssl_protocols TLSv1.3;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-006 tls13 enforcement -->
59
+ | NGX-007 | No request rate limiting | `location /api { proxy_pass http://api; }` | `limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;` | Kubernetes/Infra | `DDoS resilience` | `limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-007 rate limiting missing -->
60
+ | NGX-008 | Client body size unlimited | `# no client_max_body_size` | `client_max_body_size 10m;` | Kubernetes/Infra | `NGINX hardening` | `client_max_body_size 10m;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-008 client max body size missing -->
61
+ | NGX-009 | Proxy timeouts missing | `proxy_pass http://backend;` | `proxy_connect_timeout 5s; proxy_read_timeout 30s;` | Kubernetes/Infra | `Gateway resilience` | `proxy_connect_timeout 5s; proxy_read_timeout 30s;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-009 proxy timeout missing -->
62
+ | NGX-010 | server_tokens enabled | `server_tokens on;` | `server_tokens off;` | Kubernetes/Infra | `CIS NGINX` | `server_tokens off;` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-010 server tokens on -->
63
+ | SQD-001 | Squid allows all clients | `http_access allow all` | `http_access deny all`<br>`http_access allow localnet` | Kubernetes/Infra | `Squid hardening` | `http_access deny all` `http_access allow localnet` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-001 squid egress proxy allow all access -->
64
+ | SQD-002 | Squid cache_peer uses plaintext HTTP | `cache_peer upstream.example parent 3128 0 no-query` | `cache_peer upstream.example parent 3129 0 no-query tls` | Kubernetes/Infra | `Proxy transport security` | `cache_peer upstream.example parent 3129 0 no-query tls` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-002 squid cache peer tls -->
65
+ | SQD-003 | ssl_bump without certificate validation policy | `ssl_bump stare all` | `sslproxy_cert_error deny all` | Kubernetes/Infra | `Squid TLS interception` | `sslproxy_cert_error deny all` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-003 squid ssl_bump cert validation -->
66
+ | SQD-004 | Weak ACL for CONNECT methods | `acl SSL_ports port 1-65535` | `acl SSL_ports port 443` | Kubernetes/Infra | `Squid ACL hardening` | `acl SSL_ports port 443` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-004 squid connect acl weak -->
67
+ | SQD-005 | No request rate/connection controls | `# no delay_pools / conn limits` | `maxconn 100` | Kubernetes/Infra | `Proxy abuse prevention` | `maxconn 100` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-005 squid maxconn missing -->
68
+ | SQD-006 | Access logs disabled | `access_log none` | `access_log stdio:/var/log/squid/access.log` | Kubernetes/Infra | `Audit logging` | `access_log stdio:/var/log/squid/access.log` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-006 squid access log none -->
69
+ | SQD-007 | Unsafe refresh_pattern wildcard | `refresh_pattern . 0 100% 4320 override-expire` | `refresh_pattern -i \\.(html | Kubernetes/Infra | js)$ 0 20% 1440` | `Cache control security` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-007 squid refresh pattern wildcard -->
70
+ | SQD-008 | DNS over insecure resolver | `dns_nameservers 8.8.8.8` | `dns_nameservers 10.0.0.53` | Kubernetes/Infra | `Regulatory resolver policy` | `dns_nameservers 10.0.0.53` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-008 squid dns nameserver public -->
71
+ | SQD-009 | Proxy auth not required for sensitive egress | `http_access allow corp_users` | `auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd` | Kubernetes/Infra | `Proxy authentication` | `auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-009 squid auth required -->
72
+ | SQD-010 | No domain allowlist on egress | `http_access allow all` | `acl allowed_domains dstdomain .corp.local`<br>`http_access allow allowed_domains` | Kubernetes/Infra | `Egress control` | `acl allowed_domains dstdomain .corp.local` `http_access allow allowed_domains` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-010 squid domain allowlist egress -->
73
+ | SQD-011 | Unsafe forwarded_for policy | `forwarded_for off` | `forwarded_for transparent` | Kubernetes/Infra | `Proxy traceability` | `forwarded_for transparent` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-011 squid forwarded_for policy -->
74
+ | SQD-012 | Insecure cache_dir permissions | `cache_dir ufs /var/spool/squid 100 16 256` | `cache_effective_user squid`<br>`cache_effective_group squid` | Kubernetes/Infra | `Proxy filesystem hardening` | `cache_effective_user squid` `cache_effective_group squid` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-012 squid cache dir permissions -->
75
+ | SQD-013 | No denylist for metadata endpoints | `http_access allow all` | `acl cloud_meta dst 169.254.169.254/32`<br>`http_access deny cloud_meta` | Kubernetes/Infra | `SSRF/metadata protection` | `acl cloud_meta dst 169.254.169.254/32` `http_access deny cloud_meta` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-013 squid deny metadata endpoint -->
76
+ | SQD-014 | Squid final deny rule missing / overly broad localnet ACL | Отсутствует `http_access deny all` в конце<br>`acl localnet src 0.0.0.0/0` | Завершать ACL цепочку `http_access deny all` и ограничивать `localnet` только доверенными CIDR-сетями. | Kubernetes/Infra | CWE Final Certification | Завершать ACL цепочку `http_access deny all` и ограничивать `localnet` только доверенными CIDR-сетями. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-014 squid http_access deny all missing broad localnet acl -->
77
+ | NGX-011 | Nginx request limiting zone missing (`limit_req_zone`) | Нет `limit_req_zone $binary_remote_addr ...` в http block | Добавить `limit_req_zone` с разумным rate/burst и применять `limit_req` на чувствительных location. | Kubernetes/Infra | CWE Final Certification | Добавить `limit_req_zone` с разумным rate/burst и применять `limit_req` на чувствительных location. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-011 nginx limit_req_zone missing -->
78
+ | NGX-012 | Nginx version disclosure via missing `server_tokens off` | Отсутствует `server_tokens off;` | Отключить `server_tokens`, скрывать версию веб-сервера и минимизировать fingerprinting surface. | Kubernetes/Infra | CWE Final Certification | Отключить `server_tokens`, скрывать версию веб-сервера и минимизировать fingerprinting surface. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-012 nginx server_tokens off missing -->
79
+ | DOCK-021 | Docker base image uses mutable `latest` tag (`FROM ...:latest`) | `FROM python:latest`<br>`FROM node:latest` | Пиновать base image на конкретную версию и digest (`FROM python:3.12.3@sha256:...`) для воспроизводимости и supply-chain контроля. | Kubernetes/Infra | CWE Final Certification | Пиновать base image на конкретную версию и digest (`FROM python:3.12.3@sha256:...`) для воспроизводимости и supply-chain контроля. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-021 docker from latest tag mutable base image -->
80
+ | DOCK-022 | Unpinned `apt-get install` packages in Dockerfile | `RUN apt-get update && apt-get install -y curl openssl` | Фиксировать версии пакетов (`curl=... openssl=...`), использовать `--no-install-recommends` и очищать apt cache. | Kubernetes/Infra | CWE Final Certification | Фиксировать версии пакетов (`curl=... openssl=...`), использовать `--no-install-recommends` и очищать apt cache. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-022 docker apt-get install packages without version pinning -->
81
+ | INF-015 | Unintended proxy path allows access to internal K8s endpoints (CWE-441) | `location /proxy/ { proxy_pass $arg_url; }` без denylist внутренних CIDR/metadata | Блокировать proxy к internal ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.169.254`) и использовать strict upstream allowlist. | Kubernetes/Infra | CWE Final Certification | Блокировать proxy к internal ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.169.254`) и использовать strict upstream allowlist. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-015 unintended proxy internal k8s endpoints denylist cidr metadata -->
82
+ | INF-016 | Helm chart defaults privileged pod/container security context (CWE-1188) | `values.yaml: securityContext.privileged: true` | Дефолтно выставлять безопасные значения (`privileged: false`, `allowPrivilegeEscalation: false`, `runAsNonRoot: true`). | Kubernetes/Helm | CWE Final Certification | Дефолтно выставлять безопасные значения (`privileged: false`, `allowPrivilegeEscalation: false`, `runAsNonRoot: true`). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-016 helm insecure default initialization privileged true values yaml -->
83
+ | INF-017 | Helm chart default enables host namespace sharing (CWE-1188) | `hostNetwork: true`/`hostPID: true` в values по умолчанию | По умолчанию отключать host namespaces и разрешать их только explicit opt-in с security review. | Kubernetes/Helm | CWE Final Certification | По умолчанию отключать host namespaces и разрешать их только explicit opt-in с security review. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-017 helm default hostnetwork hostpid true insecure defaults -->
84
+ | INF-018 | Helm default grants broad capabilities without drop-all baseline (CWE-1188) | Отсутствует `capabilities.drop: ["ALL"]` в chart defaults | В chart defaults задавать `drop: ["ALL"]` и точечно добавлять только необходимые capabilities. | Kubernetes/Helm | CWE Final Certification | В chart defaults задавать `drop: ["ALL"]` и точечно добавлять только необходимые capabilities. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: inf-018 helm default capabilities drop all missing -->
85
+ | NGX-013 | Nginx forward proxy behavior enables unintended internal routing (CWE-441) | `resolver ...; proxy_pass http://$http_host$request_uri;` | Запретить dynamic upstream от пользовательских заголовков, фиксировать upstreams и блокировать internal dns zones/cluster domains. | Kubernetes/Infra | CWE Final Certification | Запретить dynamic upstream от пользовательских заголовков, фиксировать upstreams и блокировать internal dns zones/cluster domains. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ngx-013 nginx unintended proxy http_host dynamic upstream -->
86
+ | SQD-015 | Squid ACL permits proxying to Kubernetes control-plane/internal services (CWE-441) | `http_access allow localnet` без deny для `kubernetes.default.svc`/cluster CIDR | Добавить explicit deny ACL для `*.svc`, control-plane IPs и metadata endpoints перед allow rules. | Kubernetes/Infra | CWE Final Certification | Добавить explicit deny ACL для `*.svc`, control-plane IPs и metadata endpoints перед allow rules. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: sqd-015 squid unintended proxy kubernetes svc cluster cidr deny -->
87
+ | K8S-026 | Helm values default `automountServiceAccountToken: true` for all workloads (CWE-1188) | `automountServiceAccountToken: true` в chart defaults | Устанавливать default `false` и включать токен только для конкретных сервисов, где это необходимо. | Kubernetes/Helm | CWE Final Certification | Устанавливать default `false` и включать токен только для конкретных сервисов, где это необходимо. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-026 helm default automountserviceaccounttoken true -->
88
+ | DOCK-023 | Docker: `docker load` образа без проверки подписи Cosign (CWE-347) | `docker load -i release.tar`<br>`# cosign verify skipped` | `cosign verify --key cosign.pub image@sha256:...` до deploy; policy в CI. | Kubernetes/Infra | `CWE-347` | Подпись артефакта в registry; SBOM + verify в pipeline. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-023 docker load release tar cosign verify skipped guardian -->
89
+ | DOCK-024 | Dockerfile: `FROM` без проверки digest при pull в CI (CWE-347) | `docker build -t app:latest .` без `cosign verify` base | Пиновать digest и верифицировать base image подписью поставщика. | Kubernetes/Infra | `CWE-347` | `FROM repo/img@sha256:...` + verify attestation. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-024 docker build latest without digest verify guardian -->
90
+ | DOCK-025 | Docker Compose pull без trust policy (CWE-347) | `docker compose pull` без Notary/cosign | Включить content-trust / cosign verify в CD. | Kubernetes/Infra | `CWE-347` | Подписанные образы и политика deploy only if verified. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: dock-025 docker compose pull without trust guardian -->
91
+ | K8S-027 | Helm: `helm install` без `--verify` provenance (CWE-347) | `helm install rel ./chart.tgz` без `.prov` | `helm install --verify` + подписанные charts из trusted repo. | Kubernetes/Helm | `CWE-347` | Helm provenance + GPG/cosign для chart packages. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-027 helm install chart tgz without verify prov guardian -->
92
+ | K8S-028 | Helm: `values.yaml` с `image: tag` без digest и без policy (CWE-347) | `image: myreg/app:1.0.0` без digest | Фиксировать `image@sha256` и verify signature в admission. | Kubernetes/Helm | `CWE-347` | OCI artifact signing + Kyborio/OPA policy. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: k8s-028 helm values image tag without digest guardian -->
93
+ | IAC-001 | Terraform S3 bucket allows public ACL/read (Logic: strong) | `resource "aws_s3_bucket_public_access_block" "b" {`<br>` block_public_acls = false`<br>`}` | `resource "aws_s3_bucket_public_access_block" "b" {`<br>` block_public_acls = true`<br>` block_public_policy = true`<br>`}` | Terraform/IaC (Logic: strong) | `CWE-1188` | Enforce public access block on all buckets. |
94
+ | IAC-002 | Terraform S3 bucket without server-side encryption (Logic: strong) | `resource "aws_s3_bucket" "logs" { bucket = "corp-logs" }` | `resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {`<br>` bucket = aws_s3_bucket.logs.id`<br>` rule { apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" } }`<br>`}` | Terraform/IaC (Logic: strong) | `CWE-311` | Require KMS-backed encryption by default. |
95
+ | IAC-003 | Terraform bucket policy permits wildcard principal (Logic: strong) | `"Principal":"*"` | `"Principal":{"AWS":"arn:aws:iam::123456789012:root"}` | Terraform/IaC (Logic: strong) | `CWE-284` | Restrict principals with least privilege policy. |
96
+ | IAC-004 | Terraform S3 object ownership not enforced (Logic: strong) | `object_ownership = "BucketOwnerPreferred"` | `object_ownership = "BucketOwnerEnforced"` | Terraform/IaC (Logic: strong) | `CWE-1188` | Disable ACL-based ownership drift. |
97
+ | IAC-005 | Terraform S3 versioning disabled on critical bucket (Logic: strong) | `status = "Disabled"` | `status = "Enabled"` | Terraform/IaC (Logic: strong) | `CWE-1025` | Enable versioning for rollback and integrity. |
98
+ | IAC-006 | Terraform lifecycle allows permanent delete without retention (Logic: strong) | `expiration { days = 1 }` | `lifecycle_rule { noncurrent_version_expiration { noncurrent_days = 30 } }` | Terraform/IaC (Logic: strong) | `CWE-1188` | Apply retention policy for forensic recovery. |
99
+ | IAC-007 | Terraform state bucket lacks access logging (Logic: strong) | `resource "aws_s3_bucket" "tf_state" { ... }` | `resource "aws_s3_bucket_logging" "tf_state" {`<br>` bucket = aws_s3_bucket.tf_state.id`<br>` target_bucket = aws_s3_bucket.audit.id`<br>`}` | Terraform/IaC (Logic: strong) | `CWE-778` | Enable immutable audit logging. |
100
+ | IAC-008 | Terraform IAM policy allows `s3:*` on `*` (Logic: strong) | `"Action":"s3:*","Resource":"*"` | `"Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::corp/*"` | Terraform/IaC (Logic: strong) | `CWE-732` | Scope IAM actions/resources minimally. |
101
+ | IAC-009 | Helm chart default `service.type: LoadBalancer` for internal apps (Logic: strong) | `service:`<br>` type: LoadBalancer` | `service:`<br>` type: ClusterIP` | Helm/K8s Defaults (Logic: strong) | `CWE-1188` | Use internal exposure by default. |
102
+ | IAC-010 | Helm default enables ingress without TLS (Logic: strong) | `ingress:`<br>` enabled: true`<br>` tls: []` | `ingress:`<br>` enabled: true`<br>` tls:`<br>` - secretName: app-tls` | Helm/K8s Defaults (Logic: strong) | `CWE-319` | Require TLS secrets in default values. |
103
+ | IAC-011 | Helm values set `resources: {}` with no limits (Logic: strong) | `resources: {}` | `resources:`<br>` limits: { cpu: "500m", memory: "512Mi" }`<br>` requests: { cpu: "100m", memory: "128Mi" }` | Helm/K8s Defaults (Logic: strong) | `CWE-770` | Ship safe resource defaults for pods. |
104
+ | IAC-012 | Helm default `image.pullPolicy: Always` with mutable tags (Logic: strong) | `image:`<br>` tag: latest`<br>` pullPolicy: Always` | `image:`<br>` digest: "sha256:..."`<br>` pullPolicy: IfNotPresent` | Helm/K8s Defaults (Logic: strong) | `CWE-494` | Pin digest and deterministic pull policy. |
105
+ | IAC-013 | Helm securityContext omits `runAsNonRoot` and `readOnlyRootFilesystem` (Logic: strong) | `securityContext: {}` | `securityContext:`<br>` runAsNonRoot: true`<br>` readOnlyRootFilesystem: true` | Helm/K8s Defaults (Logic: strong) | `CWE-250` | Harden pod runtime baseline defaults. |
106
+ | IAC-014 | Helm default allows privilege escalation (Logic: strong) | `allowPrivilegeEscalation: true` | `allowPrivilegeEscalation: false` | Helm/K8s Defaults (Logic: strong) | `CWE-269` | Disable privilege escalation by default. |
107
+ | IAC-015 | Helm default exposes admin endpoint path publicly (Logic: strong) | `ingress.paths: ["/", "/admin"]` | `ingress.paths: ["/"]`<br>`admin.route.enabled: false` | Helm/K8s Defaults (Logic: strong) | `CWE-200` | Keep admin routes disabled by default. |
108
+ | IAC-016 | Helm chart auto-mounts service account token globally (Logic: strong) | `automountServiceAccountToken: true` | `automountServiceAccountToken: false` | Helm/K8s Defaults (Logic: strong) | `CWE-1188` | Opt-in token mount only where needed. |
109
+ | IAC-017 | Helm chart sets permissive network policy defaults (Logic: strong) | `networkPolicy.enabled: false` | `networkPolicy.enabled: true`<br>`networkPolicy.egressDenyAll: true` | Helm/K8s Defaults (Logic: strong) | `CWE-284` | Enable deny-by-default network policy. |
110
+ | IAC-018 | Terraform security group allows all egress by default (Logic: strong) | `egress { cidr_blocks = ["0.0.0.0/0"] }` | `egress { cidr_blocks = ["10.0.0.0/8"] }` | Terraform/IaC (Logic: strong) | `CWE-918` | Restrict egress to approved CIDRs/services. |
111
+ | IAC-019 | Terraform EC2 metadata v1 not disabled (Logic: strong) | `metadata_options { http_tokens = "optional" }` | `metadata_options { http_tokens = "required" }` | Terraform/IaC (Logic: strong) | `CWE-1188` | Force IMDSv2 for metadata protection. |
112
+ | IAC-020 | Helm values allow host aliases to internal metadata endpoints (Logic: strong) | `hostAliases:`<br>`- ip: "169.254.169.254"` | `hostAliases: []` | Helm/K8s Defaults (Logic: strong) | `CWE-918` | Block host alias overrides to metadata IPs. |
113
+ | MSH-001 | Istio PeerAuthentication `PERMISSIVE` mTLS (mesh-wide downgrade) | `mode: PERMISSIVE` | `mode: STRICT` | Istio / Service Mesh | `CWE-295` | Enforce STRICT mTLS for workload identity. |
114
+ | MSH-002 | Istio PeerAuthentication missing for namespace (implicit PERMISSIVE) | `# no PeerAuthentication in prod-ns` | `apiVersion: security.istio.io/v1beta1`<br>`kind: PeerAuthentication`<br>`metadata: { name: default, namespace: prod }`<br>`spec: { mtls: { mode: STRICT } }` | Istio / Service Mesh | `CWE-295` | Default-deny with explicit STRICT policy. |
115
+ | MSH-003 | Istio DestinationRule TLS `DISABLE` on egress | `trafficPolicy: { tls: { mode: DISABLE } }` | `trafficPolicy: { tls: { mode: SIMPLE, sni: app.internal } }` | Istio / Service Mesh | `CWE-319` | Never disable TLS to upstream. |
116
+ | MSH-004 | Istio AuthorizationPolicy allows `*` principal | `principals: ["*"]` | `principals: ["cluster.local/ns/app/sa/workload"]` | Istio / Service Mesh | `CWE-284` | Scope to SPIFFE IDs. |
117
+ | MSH-005 | Istio Sidecar outbound captures all hosts without egress restriction | `egress: { hosts: ["*/*"] }` | `egress: { hosts: ["./app.ns.svc.cluster.local"] }` | Istio / Service Mesh | `CWE-918` | Limit egress to required services. |
118
+ | MSH-006 | K8s Gateway API `Gateway` listener TLS mode `Passthrough` without cert policy | `protocol: TLS`<br>`tls: { mode: Passthrough }` | Add `TLSRoute` + cert management or terminate TLS at gateway with certs | Gateway API | `CWE-295` | Explicit TLS termination policy. |
119
+ | MSH-007 | Gateway API `HTTPRoute` attaches to public Gateway without `HTTPSRedirect` | `parentRefs: [{ name: public-gw }]` без redirect | `filters: [{ type: RequestRedirect, requestRedirect: { scheme: https } }]` | Gateway API | `CWE-319` | Force HTTPS upgrade. |
120
+ | MSH-008 | Gateway API `HTTPRoute` rule matches `PathPrefix: /` with no auth filter | `path: { type: PathPrefix, value: "/" }` | Add `extensionRef` to auth policy or mesh `AuthorizationPolicy` | Gateway API | `CWE-306` | Require auth at gateway/mesh. |
121
+ | MSH-009 | Istio `Telemetry` disables access logging globally | `accessLogging: [{ providers: [{ name: none }] }]` | Enable default provider or mesh-wide logging | Istio / Service Mesh | `CWE-778` | Preserve audit trail. |
122
+ | MSH-010 | Istio `RequestAuthentication` missing for JWT on public ingress | `# no RequestAuthentication` | `apiVersion: security.istio.io/v1beta1`<br>`kind: RequestAuthentication` + `JWTRule` | Istio / Service Mesh | `CWE-287` | Validate JWT at mesh edge. |
123
+ | MSH-011 | Gateway API `BackendTLSPolicy` absent for cross-namespace backend | `backendRefs: [{ name: api, namespace: other }]` | Attach `BackendTLSPolicy` with SNI and CA bundle | Gateway API | `CWE-295` | Encrypt backend hop. |
124
+ | MSH-012 | Istio `WorkloadEntry` allows arbitrary endpoint without auth | `address: 203.0.113.10` | Restrict WE to mesh-internal addresses + auth | Istio / Service Mesh | `CWE-284` | Control external workload registration. |
125
+ | MSH-013 | Gateway API `GRPCRoute` without TLS on listener | `protocol: HTTP` for gRPC | `protocol: HTTPS` + `TLS` on `Gateway` | Gateway API | `CWE-319` | Use TLS for gRPC listeners. |
126
+ | MSH-014 | Istio `EnvoyFilter` patches raw Lua from ConfigMap without review | `lua: { inlineString: "..." }` | Pin filters in Git with review; signed bundles only | Istio / Service Mesh | `CWE-94` | Prevent arbitrary Lua injection. |
127
+ | MSH-015 | Gateway API `ReferenceGrant` missing for cross-namespace route | `namespace: team-a` route to `team-b` svc | Add `ReferenceGrant` for explicit backend reference | Gateway API | `CWE-284` | Enforce cross-namespace grants. |
128
+
129
+
130
+ | CLD-001 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
131
+ | CLD-002 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
132
+ | CLD-003 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
133
+ | CLD-004 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
134
+ | CLD-005 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
135
+ | CLD-006 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
136
+ | CLD-007 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
137
+ | CLD-008 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
138
+ | CLD-009 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
139
+ | CLD-010 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
140
+ | CLD-011 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
141
+ | CLD-012 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
142
+ | CLD-013 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
143
+ | CLD-014 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
144
+ | CLD-015 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
145
+ | CLD-016 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
146
+ | CLD-017 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
147
+ | CLD-018 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
148
+ | CLD-019 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
149
+ | CLD-020 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
150
+ | CLD-021 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
151
+ | CLD-022 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
152
+ | CLD-023 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
153
+ | CLD-024 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
154
+ | CLD-025 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
155
+ | CLD-026 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
156
+ | CLD-027 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
157
+ | CLD-028 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
158
+ | CLD-029 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
159
+ | CLD-030 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
160
+ | CLD-031 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
161
+ | CLD-032 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
162
+ | CLD-033 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
163
+ | CLD-034 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
164
+ | CLD-035 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
165
+ | CLD-036 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
166
+ | CLD-037 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
167
+ | CLD-038 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
168
+ | CLD-039 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
169
+ | CLD-040 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
170
+ | CLD-041 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
171
+ | CLD-042 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
172
+ | CLD-043 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
173
+ | CLD-044 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
174
+ | CLD-045 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
175
+ | CLD-046 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
176
+ | CLD-047 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
177
+ | CLD-048 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
178
+ | CLD-049 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
179
+ | CLD-050 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
180
+ | CLD-051 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
181
+ | CLD-052 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
182
+ | CLD-053 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
183
+ | CLD-054 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
184
+ | CLD-055 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
185
+ | CLD-056 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
186
+ | CLD-057 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
187
+ | CLD-058 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
188
+ | CLD-059 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
189
+ | CLD-060 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
190
+ | CLD-061 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
191
+ | CLD-062 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
192
+ | CLD-063 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
193
+ | CLD-064 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
194
+ | CLD-065 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
195
+ | CLD-066 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
196
+ | CLD-067 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
197
+ | CLD-068 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
198
+ | CLD-069 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
199
+ | CLD-070 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
200
+ | CLD-071 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
201
+ | CLD-072 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
202
+ | CLD-073 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
203
+ | CLD-074 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
204
+ | CLD-075 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
205
+ | CLD-076 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
206
+ | CLD-077 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
207
+ | CLD-078 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
208
+ | CLD-079 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
209
+ | CLD-080 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
210
+ | CLD-081 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
211
+ | CLD-082 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
212
+ | CLD-083 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
213
+ | CLD-084 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
214
+ | CLD-085 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
215
+ | CLD-086 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
216
+ | CLD-087 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
217
+ | CLD-088 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
218
+ | CLD-089 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
219
+ | CLD-090 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
220
+ | CLD-091 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
221
+ | CLD-092 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
222
+ | CLD-093 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
223
+ | CLD-094 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
224
+ | CLD-095 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
225
+ | CLD-096 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
226
+ | CLD-097 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
227
+ | CLD-098 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
228
+ | CLD-099 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
229
+ | CLD-100 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
230
+ | CLD-101 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
231
+ | CLD-102 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
232
+ | CLD-103 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
233
+ | CLD-104 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
234
+ | CLD-105 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
235
+ | CLD-106 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
236
+ | CLD-107 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
237
+ | CLD-108 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
238
+ | CLD-109 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
239
+ | CLD-110 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
240
+ | CLD-111 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
241
+ | CLD-112 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
242
+ | CLD-113 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
243
+ | CLD-114 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
244
+ | CLD-115 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
245
+ | CLD-116 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
246
+ | CLD-117 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
247
+ | CLD-118 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
248
+ | CLD-119 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
249
+ | CLD-120 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
250
+ | CLD-121 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
251
+ | CLD-122 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
252
+ | CLD-123 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
253
+ | CLD-124 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
254
+ | CLD-125 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
255
+ | CLD-126 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
256
+ | CLD-127 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
257
+ | CLD-128 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
258
+ | CLD-129 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
259
+ | CLD-130 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
260
+ | CLD-131 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
261
+ | CLD-132 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
262
+ | CLD-133 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
263
+ | CLD-134 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
264
+ | CLD-135 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
265
+ | CLD-136 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
266
+ | CLD-137 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
267
+ | CLD-138 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
268
+ | CLD-139 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
269
+ | CLD-140 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
270
+ | CLD-141 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
271
+ | CLD-142 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
272
+ | CLD-143 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
273
+ | CLD-144 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
274
+ | CLD-145 | Terraform AWS IAM role trust policy allows wildcard principal | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = '*' } }] })` | `assume_role_policy = jsonencode({ Statement = [{ Principal = { AWS = var.trusted_role_arn } }] })` | Cloud IaC | CWE-284 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Wildcard trust policy allows untrusted principal role assumption. |
275
+ | CLD-146 | AWS S3 bucket encryption disabled in IaC | `resource 'aws_s3_bucket_server_side_encryption_configuration' 'x' {}` | `rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } }` | Cloud IaC | CWE-311 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Unencrypted object storage exposes data at rest risks. |
276
+ | CLD-147 | Azure Blob Storage allows public access | `allow_blob_public_access = true` | `allow_blob_public_access = false` | Cloud IaC | CWE-200 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Public blob exposure can leak sensitive tenant data. |
277
+ | CLD-148 | GCP VPC firewall permits 0.0.0.0/0 ingress to admin ports | `source_ranges = ['0.0.0.0/0']` | `source_ranges = var.trusted_cidrs` | Cloud IaC | CWE-732 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Open ingress on admin surfaces increases remote attackability. |
278
+ | CLD-149 | CloudFormation IAM policy uses Action '*' Resource '*' | `Action: '*'` | `Action: ['s3:GetObject']` | Cloud IaC | CWE-250 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Over-privileged wildcard policy enables privilege abuse. |
279
+ | CLD-150 | Network isolation missing between app and data subnets | `network_acl { ingress { cidr_block = '0.0.0.0/0' } }` | `network_acl { ingress { cidr_block = var.private_cidr } }` | Cloud IaC | CWE-668 | Autofix: enforce least-privilege IAM, encryption-at-rest, and private network segmentation in IaC. | Lack of subnet isolation allows lateral movement to data tiers. |
package/dist/data/skills/infra-k8s-helm/skill.json ADDED
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_id": "infra-k8s-helm",
3
+ "name": "Infra / Kubernetes / Helm",
4
+ "activation_triggers": [
5
+ "inf-k8s-privileged",
6
+ "inf-helm-values",
7
+ "inf-dockerfile-root",
8
+ "inf-nginx-method-limit",
9
+ "inf-k8s-networkpolicy",
10
+ "k8s-seccomp-apparmor",
11
+ "dock-readonly-rootfs",
12
+ "ngx-header-hardening",
13
+ "squid-egress-policy"
14
+ ],
15
+ "relevant_extensions": [
16
+ ".yaml",
17
+ ".yml",
18
+ ".tpl",
19
+ ".dockerfile",
20
+ ".conf"
21
+ ],
22
+ "tools": [
23
+ "semgrep",
24
+ "syft",
25
+ "trufflehog"
26
+ ],
27
+ "rules_path": "core/skills/infra-k8s-helm/patterns.md",
28
+ "few_shot_examples": "core/gold-standard-testbed/infra_vulnerable.yaml",
29
+ "mitigation_logic": {
30
+ "RRC-024": {
31
+ "exception_rule": "Для Next.js приложений допускается `unsafe-inline` в CSP при отсутствии прямой обработки недоверенного пользовательского контента (UGC) в рендеринг-пути.",
32
+ "status_override": "OK",
33
+ "validation_requirements": [
34
+ "Подтверждено отсутствие UGC sink-ов (user-controlled HTML/JS injection paths).",
35
+ "Применены компенсирующие меры: ограниченный `script-src` host allowlist и запрет `unsafe-eval`."
36
+ ],
37
+ "rationale": "Технические ограничения SSR/hydration-цепочки Next.js могут требовать `unsafe-inline`; при отсутствии UGC-поверхности риск XSS контролируется архитектурно."
38
+ }
39
+ },
40
+ "security_priority": 5
41
+ }