@sulthonzh/mcp-audit 1.1.0

package/dist/scanners/docker-scanner.js

@@ -0,0 +1,384 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanDocker = scanDocker;
+const fs_extra_1 = __importDefault(require("fs-extra"));
+const path_1 = __importDefault(require("path"));
+const js_yaml_1 = __importDefault(require("js-yaml"));
+const logger_1 = require("../utils/logger");
+// ---- Public API ----
+async function scanDocker(targetPath, options = {}) {
+    const issues = [];
+    let filesScanned = 0;
+    try {
+        // Scan Dockerfiles
+        const dockerfiles = await findFiles(targetPath, ['Dockerfile', 'Dockerfile.*']);
+        for (const df of dockerfiles) {
+            filesScanned++;
+            const content = await fs_extra_1.default.readFile(df, 'utf8');
+            const rel = path_1.default.relative(targetPath, df);
+            issues.push(...checkDockerfile(content, rel));
+        }
+        // Scan docker-compose files
+        const composeFiles = await findFiles(targetPath, [
+            'docker-compose.yml', 'docker-compose.yaml',
+            'compose.yml', 'compose.yaml',
+        ]);
+        for (const cf of composeFiles) {
+            filesScanned++;
+            const content = await fs_extra_1.default.readFile(cf, 'utf8');
+            const rel = path_1.default.relative(targetPath, cf);
+            issues.push(...checkComposeFile(content, rel));
+        }
+        // Scan .env files for leaked secrets
+        const envFiles = await findFiles(targetPath, ['.env', '.env.*']);
+        for (const ef of envFiles) {
+            filesScanned++;
+            const content = await fs_extra_1.default.readFile(ef, 'utf8');
+            const rel = path_1.default.relative(targetPath, ef);
+            issues.push(...checkEnvFile(content, rel));
+        }
+    }
+    catch (err) {
+        logger_1.logger.warn('Docker scan error:', err);
+        issues.push({
+            type: 'medium',
+            category: 'config',
+            title: 'Docker Scan Error',
+            description: `Could not complete container scan: ${err instanceof Error ? err.message : String(err)}`,
+            recommendation: 'Ensure the target path is accessible',
+        });
+    }
+    const high = issues.filter(i => i.type === 'high').length;
+    const medium = issues.filter(i => i.type === 'medium').length;
+    const low = issues.filter(i => i.type === 'low').length;
+    // Score: start at 100, deduct per issue
+    const score = Math.max(0, 100 - high * 25 - medium * 10 - low * 3);
+    return {
+        scanType: 'server',
+        timestamp: new Date().toISOString(),
+        target: targetPath,
+        issues,
+        score,
+        summary: {
+            configFilesFound: filesScanned,
+            highRiskIssues: high,
+            mediumRiskIssues: medium,
+            lowRiskIssues: low,
+        },
+        metadata: { scanKind: 'docker' },
+    };
+}
+// ---- Dockerfile Checks ----
+function checkDockerfile(content, filePath) {
+    const issues = [];
+    const lines = content.split('\n');
+    const lineNo = (idx) => idx + 1;
+    lines.forEach((line, idx) => {
+        const trimmed = line.trim();
+        const upper = trimmed.toUpperCase();
+        // Running as root
+        if (/^USER\s+ROOT/i.test(upper)) {
+            issues.push({
+                type: 'high',
+                category: 'permissions',
+                title: 'Container Runs as Root',
+                description: `Line ${lineNo(idx)}: USER root — containers should run as non-root`,
+                recommendation: 'Add a non-root user: RUN adduser --disabled-password appuser && USER appuser',
+                evidence: `${filePath}:${lineNo(idx)}`,
+            });
+        }
+        // --no-auth or --insecure flags in RUN commands
+        if (/^RUN\b/i.test(trimmed)) {
+            if (/\b--no-verify-ssl\b|\b--insecure\b|\b--no-check-certificate\b/i.test(trimmed)) {
+                issues.push({
+                    type: 'high',
+                    category: 'transport',
+                    title: 'Insecure Download in Build',
+                    description: `Line ${lineNo(idx)}: skips TLS/SSL verification during build`,
+                    recommendation: 'Remove --insecure/--no-verify-ssl flags and use trusted registries',
+                    evidence: `${filePath}:${lineNo(idx)}`,
+                });
+            }
+            // curl | sh patterns
+            if (/curl.*\|\s*(sh|bash|sudo)/i.test(trimmed)) {
+                issues.push({
+                    type: 'high',
+                    category: 'supply-chain',
+                    title: 'Pipe to Shell in Build',
+                    description: `Line ${lineNo(idx)}: downloading and executing code in one step`,
+                    recommendation: 'Download first, verify checksum/signature, then execute',
+                    evidence: `${filePath}:${lineNo(idx)}`,
+                });
+            }
+            // apt-get without --no-install-recommends
+            if (/apt-get install(?!.*--no-install-recommends)/i.test(trimmed)) {
+                issues.push({
+                    type: 'low',
+                    category: 'config',
+                    title: 'Bloated apt-get Install',
+                    description: `Line ${lineNo(idx)}: apt-get install without --no-install-recommends bloats image`,
+                    recommendation: 'Use: apt-get install --no-install-recommends',
+                    evidence: `${filePath}:${lineNo(idx)}`,
+                });
+            }
+        }
+        // EXPOSE privileged ports
+        const exposeMatch = upper.match(/^EXPOSE\s+(\d+)/);
+        if (exposeMatch && parseInt(exposeMatch[1]) < 1024) {
+            issues.push({
+                type: 'low',
+                category: 'network',
+                title: 'Privileged Port Exposed',
+                description: `Line ${lineNo(idx)}: EXPOSE ${exposeMatch[1]} — privileged port (<1024)`,
+                recommendation: 'Use high ports (>1024) and map to privileged ports at runtime if needed',
+                evidence: `${filePath}:${lineNo(idx)}`,
+            });
+        }
+        // ADD from URL (use COPY instead)
+        if (/^ADD\s+https?:\/\//i.test(trimmed)) {
+            issues.push({
+                type: 'medium',
+                category: 'supply-chain',
+                title: 'ADD from Remote URL',
+                description: `Line ${lineNo(idx)}: ADD from URL is not reproducible and can't be cached`,
+                recommendation: 'Use COPY with files checked into the repo, or download + verify in a RUN step',
+                evidence: `${filePath}:${lineNo(idx)}`,
+            });
+        }
+        // :latest tag
+        if (/^FROM\s+.*:latest/i.test(trimmed)) {
+            issues.push({
+                type: 'medium',
+                category: 'supply-chain',
+                title: 'Floating Image Tag (:latest)',
+                description: `Line ${lineNo(idx)}: using :latest tag — non-reproducible builds`,
+                recommendation: 'Pin to a specific version, e.g. node:20.11-alpine',
+                evidence: `${filePath}:${lineNo(idx)}`,
+            });
+        }
+        // Hardcoded secrets
+        if (/(?:password|secret|token|api_key|apikey)\s*=\s*\S+/i.test(trimmed) && !trimmed.startsWith('#')) {
+            issues.push({
+                type: 'high',
+                category: 'config',
+                title: 'Hardcoded Secret in Dockerfile',
+                description: `Line ${lineNo(idx)}: possible secret in plaintext`,
+                recommendation: 'Use build args, Docker secrets, or environment variables',
+                evidence: `${filePath}:${lineNo(idx)}`,
+            });
+        }
+    });
+    // Check if no USER directive at all (likely running as root by default)
+    const hasUserDirective = lines.some(l => /^USER\s+/i.test(l.trim()));
+    if (!hasUserDirective && lines.some(l => /^FROM\s+/i.test(l.trim()))) {
+        issues.push({
+            type: 'medium',
+            category: 'permissions',
+            title: 'No USER Directive',
+            description: 'No USER instruction found — container will run as root by default',
+            recommendation: 'Add USER directive with a non-root user',
+            evidence: filePath,
+        });
+    }
+    // Check for HEALTHCHECK
+    const hasHealthcheck = lines.some(l => /^HEALTHCHECK\b/i.test(l.trim()));
+    if (!hasHealthcheck && lines.some(l => /^FROM\s+/i.test(l.trim()))) {
+        issues.push({
+            type: 'low',
+            category: 'config',
+            title: 'No HEALTHCHECK Defined',
+            description: 'No HEALTHCHECK instruction — orchestrators cannot monitor container health',
+            recommendation: 'Add HEALTHCHECK for production containers',
+            evidence: filePath,
+        });
+    }
+    return issues;
+}
+// ---- Docker Compose Checks ----
+function checkComposeFile(content, filePath) {
+    const issues = [];
+    let doc;
+    try {
+        doc = js_yaml_1.default.load(content);
+    }
+    catch {
+        issues.push({
+            type: 'low',
+            category: 'config',
+            title: 'Invalid YAML',
+            description: `Could not parse ${filePath}`,
+            recommendation: 'Fix YAML syntax errors',
+        });
+        return issues;
+    }
+    const services = doc?.services || {};
+    for (const [name, svc] of Object.entries(services)) {
+        const s = svc;
+        // privileged: true
+        if (s.privileged === true) {
+            issues.push({
+                type: 'high',
+                category: 'permissions',
+                title: 'Privileged Container',
+                description: `Service "${name}" runs in privileged mode — full host access`,
+                recommendation: 'Remove privileged: true and use specific capabilities instead',
+                evidence: `${filePath} → services.${name}.privileged`,
+            });
+        }
+        // host network
+        if (s.network_mode === 'host') {
+            issues.push({
+                type: 'high',
+                category: 'network',
+                title: 'Host Network Mode',
+                description: `Service "${name}" uses host networking — bypasses container isolation`,
+                recommendation: 'Use bridge networking with port mapping',
+                evidence: `${filePath} → services.${name}.network_mode`,
+            });
+        }
+        // bind mount to sensitive host paths
+        const volumes = s.volumes || [];
+        volumes.forEach(v => {
+            const bindPath = typeof v === 'string' ? v.split(':')[0] : v?.source;
+            if (typeof bindPath === 'string') {
+                const sensitivePaths = ['/var/run/docker.sock', '/', '/etc', '/root', '/home', '/var'];
+                const risky = sensitivePaths.find(p => bindPath === p || bindPath === '/var/run/docker.sock');
+                if (risky) {
+                    issues.push({
+                        type: 'high',
+                        category: 'filesystem',
+                        title: 'Sensitive Host Mount',
+                        description: `Service "${name}" mounts ${bindPath} from host`,
+                        recommendation: 'Avoid mounting sensitive host paths into containers',
+                        evidence: `${filePath} → services.${name}.volumes: ${v}`,
+                    });
+                }
+            }
+        });
+        // Docker socket mount
+        const hasSocket = volumes.some((v) => {
+            const src = typeof v === 'string' ? v.split(':')[0] : v?.source;
+            return src === '/var/run/docker.sock';
+        });
+        if (hasSocket) {
+            issues.push({
+                type: 'high',
+                category: 'permissions',
+                title: 'Docker Socket Mounted',
+                description: `Service "${name}" has access to Docker socket — equivalent to root on host`,
+                recommendation: 'Avoid mounting docker.sock; use TCP with TLS or Docker API proxy',
+                evidence: `${filePath} → services.${name}`,
+            });
+        }
+        // no read_only / no resource limits
+        if (s.read_only !== true) {
+            issues.push({
+                type: 'low',
+                category: 'config',
+                title: 'Writable Container Filesystem',
+                description: `Service "${name}" has writable root filesystem`,
+                recommendation: 'Add read_only: true and use tmpfs for writable paths',
+                evidence: `${filePath} → services.${name}`,
+            });
+        }
+        // Floating image tag
+        if (typeof s.image === 'string' && (s.image.endsWith(':latest') || !s.image.includes(':'))) {
+            issues.push({
+                type: 'medium',
+                category: 'supply-chain',
+                title: 'Floating Image Tag in Compose',
+                description: `Service "${name}" uses ${s.image} — non-reproducible`,
+                recommendation: 'Pin image versions: image: node:20.11-alpine',
+                evidence: `${filePath} → services.${name}.image`,
+            });
+        }
+    }
+    return issues;
+}
+// ---- .env File Checks ----
+function checkEnvFile(content, filePath) {
+    const issues = [];
+    const lines = content.split('\n');
+    lines.forEach((line, idx) => {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#'))
+            return;
+        const match = trimmed.match(/^(\w+)\s*=\s*(.+)$/);
+        if (!match)
+            return;
+        const [, key, value] = match;
+        const cleanVal = value.replace(/^["']|["']$/g, '');
+        // Detect secrets in .env
+        const secretKeys = /(?:password|secret|token|api[_-]?key|private[_-]?key|auth|credential)/i;
+        if (secretKeys.test(key) && cleanVal.length > 0 && cleanVal !== 'CHANGEME' && cleanVal !== 'xxx') {
+            issues.push({
+                type: 'high',
+                category: 'config',
+                title: 'Secret in .env File',
+                description: `${key} appears to contain a secret value`,
+                recommendation: 'Use Docker secrets, vault, or CI secret management instead of .env files',
+                evidence: `${filePath}:${idx + 1} (${key}=***)`,
+            });
+        }
+    });
+    // Warn about .env not in .dockerignore
+    issues.push({
+        type: 'medium',
+        category: 'config',
+        title: '.env File Present',
+        description: `${filePath} — ensure .env is in .dockerignore to avoid leaking secrets into images`,
+        recommendation: 'Add .env to .dockerignore and use runtime environment variables or secrets',
+        evidence: filePath,
+    });
+    return issues;
+}
+// ---- Helpers ----
+async function findFiles(root, patterns) {
+    const found = [];
+    async function walk(dir, depth) {
+        if (depth > 5)
+            return; // don't go too deep
+        let entries;
+        try {
+            entries = await fs_extra_1.default.readdir(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (entry.name.startsWith('.') && entry.name !== '.env')
+                continue;
+            const full = path_1.default.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                // skip node_modules and common junk dirs
+                if (['node_modules', '.git', 'dist', 'build', '__pycache__'].includes(entry.name))
+                    continue;
+                await walk(full, depth + 1);
+            }
+            else {
+                for (const p of patterns) {
+                    if (p.includes('*')) {
+                        // simple glob: Dockerfile.*
+                        const prefix = p.replace(/\.\*.*/, '');
+                        if (entry.name.startsWith(prefix) || matchGlob(entry.name, p)) {
+                            found.push(full);
+                        }
+                    }
+                    else if (entry.name === p) {
+                        found.push(full);
+                    }
+                }
+            }
+        }
+    }
+    await walk(root, 0);
+    return found;
+}
+function matchGlob(name, pattern) {
+    const re = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+    return re.test(name);
+}
+//# sourceMappingURL=docker-scanner.js.map

package/dist/scanners/docker-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker-scanner.js","sourceRoot":"","sources":["../../src/scanners/docker-scanner.ts"],"names":[],"mappings":";;;;;AAmBA,gCAkEC;AArFD,wDAA0B;AAC1B,gDAAwB;AACxB,sDAA2B;AAC3B,4CAAyC;AAczC,uBAAuB;AAEhB,KAAK,UAAU,UAAU,CAAC,UAAkB,EAAE,UAA6B,EAAE;IAClF,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC;QACH,mBAAmB;QACnB,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC;QAChF,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;YAC7B,YAAY,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,4BAA4B;QAC5B,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE;YAC/C,oBAAoB,EAAE,qBAAqB;YAC3C,aAAa,EAAE,cAAc;SAC9B,CAAC,CAAC;QACH,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,YAAY,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;QACjD,CAAC;QAED,qCAAqC;QACrC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACjE,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC1B,YAAY,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,mBAAmB;YAC1B,WAAW,EAAE,sCAAsC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YACrG,cAAc,EAAE,sCAAsC;SACvD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IAExD,wCAAwC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,MAAM,GAAG,EAAE,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC;IAEnE,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,UAAU;QAClB,MAAM;QACN,KAAK;QACL,OAAO,EAAE;YACP,gBAAgB,EAAE,YAAY;YAC9B,cAAc,EAAE,IAAI;YACpB,gBAAgB,EAAE,MAAM;YACxB,aAAa,EAAE,GAAG;SACnB;QACD,QAAQ,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE;KACjC,CAAC;AACJ,CAAC;AAED,8BAA8B;AAE9B,SAAS,eAAe,CAAC,OAAe,EAAE,QAAgB;IACxD,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC;IAExC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAEpC,kBAAkB;QAClB,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,wBAAwB;gBAC/B,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,iDAAiD;gBACjF,cAAc,EAAE,8EAA8E;gBAC9F,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;QAED,gDAAgD;QAChD,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,IAAI,gEAAgE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnF,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,WAAW;oBACrB,KAAK,EAAE,4BAA4B;oBACnC,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,2CAA2C;oBAC3E,cAAc,EAAE,oEAAoE;oBACpF,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;iBACvC,CAAC,CAAC;YACL,CAAC;YAED,qBAAqB;YACrB,IAAI,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/C,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,wBAAwB;oBAC/B,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,8CAA8C;oBAC9E,cAAc,EAAE,yDAAyD;oBACzE,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;iBACvC,CAAC,CAAC;YACL,CAAC;YAED,0CAA0C;YAC1C,IAAI,+CAA+C,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClE,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,yBAAyB;oBAChC,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,gEAAgE;oBAChG,cAAc,EAAE,8CAA8C;oBAC9D,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;iBACvC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACnD,IAAI,WAAW,IAAI,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,yBAAyB;gBAChC,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,YAAY,WAAW,CAAC,CAAC,CAAC,4BAA4B;gBACtF,cAAc,EAAE,yEAAyE;gBACzF,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;QAED,kCAAkC;QAClC,IAAI,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,qBAAqB;gBAC5B,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,wDAAwD;gBACxF,cAAc,EAAE,+EAA+E;gBAC/F,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;QAED,cAAc;QACd,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,8BAA8B;gBACrC,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,+CAA+C;gBAC/E,cAAc,EAAE,mDAAmD;gBACnE,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;QAED,oBAAoB;QACpB,IAAI,qDAAqD,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACpG,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,gCAAgC;gBACvC,WAAW,EAAE,QAAQ,MAAM,CAAC,GAAG,CAAC,gCAAgC;gBAChE,cAAc,EAAE,0DAA0D;gBAC1E,QAAQ,EAAE,GAAG,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,MAAM,gBAAgB,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACrE,IAAI,CAAC,gBAAgB,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;QACrE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,mBAAmB;YAC1B,WAAW,EAAE,mEAAmE;YAChF,cAAc,EAAE,yCAAyC;YACzD,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzE,IAAI,CAAC,cAAc,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,KAAK;YACX,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EAAE,4EAA4E;YACzF,cAAc,EAAE,2CAA2C;YAC3D,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,kCAAkC;AAElC,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IACzD,MAAM,MAAM,GAAoB,EAAE,CAAC;IAEnC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,iBAAI,CAAC,IAAI,CAAC,OAAO,CAAQ,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,KAAK;YACX,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,mBAAmB,QAAQ,EAAE;YAC1C,cAAc,EAAE,wBAAwB;SACzC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnD,MAAM,CAAC,GAAG,GAAU,CAAC;QAErB,mBAAmB;QACnB,IAAI,CAAC,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,sBAAsB;gBAC7B,WAAW,EAAE,YAAY,IAAI,8CAA8C;gBAC3E,cAAc,EAAE,+DAA+D;gBAC/E,QAAQ,EAAE,GAAG,QAAQ,eAAe,IAAI,aAAa;aACtD,CAAC,CAAC;QACL,CAAC;QAED,eAAe;QACf,IAAI,CAAC,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,mBAAmB;gBAC1B,WAAW,EAAE,YAAY,IAAI,uDAAuD;gBACpF,cAAc,EAAE,yCAAyC;gBACzD,QAAQ,EAAE,GAAG,QAAQ,eAAe,IAAI,eAAe;aACxD,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACrC,MAAM,OAAO,GAAa,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC;QAC1C,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YAClB,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,CAAS,EAAE,MAAM,CAAC;YAC9E,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACjC,MAAM,cAAc,GAAG,CAAC,sBAAsB,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;gBACvF,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,KAAK,sBAAsB,CAAC,CAAC;gBAC9F,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,CAAC;wBACV,IAAI,EAAE,MAAM;wBACZ,QAAQ,EAAE,YAAY;wBACtB,KAAK,EAAE,sBAAsB;wBAC7B,WAAW,EAAE,YAAY,IAAI,YAAY,QAAQ,YAAY;wBAC7D,cAAc,EAAE,qDAAqD;wBACrE,QAAQ,EAAE,GAAG,QAAQ,eAAe,IAAI,aAAa,CAAC,EAAE;qBACzD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,sBAAsB;QACtB,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE;YACxC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;YAChE,OAAO,GAAG,KAAK,sBAAsB,CAAC;QACxC,CAAC,CAAC,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,uBAAuB;gBAC9B,WAAW,EAAE,YAAY,IAAI,4DAA4D;gBACzF,cAAc,EAAE,kEAAkE;gBAClF,QAAQ,EAAE,GAAG,QAAQ,eAAe,IAAI,EAAE;aAC3C,CAAC,CAAC;QACL,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,+BAA+B;gBACtC,WAAW,EAAE,YAAY,IAAI,gCAAgC;gBAC7D,cAAc,EAAE,sDAAsD;gBACtE,QAAQ,EAAE,GAAG,QAAQ,eAAe,IAAI,EAAE;aAC3C,CAAC,CAAC;QACL,CAAC;QAED,qBAAqB;QACrB,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC3F,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,+BAA+B;gBACtC,WAAW,EAAE,YAAY,IAAI,UAAU,CAAC,CAAC,KAAK,qBAAqB;gBACnE,cAAc,EAAE,8CAA8C;gBAC9D,QAAQ,EAAE,GAAG,QAAQ,eAAe,IAAI,QAAQ;aACjD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,6BAA6B;AAE7B,SAAS,YAAY,CAAC,OAAe,EAAE,QAAgB;IACrD,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAEhD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAEnD,yBAAyB;QACzB,MAAM,UAAU,GAAG,wEAAwE,CAAC;QAC5F,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YACjG,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,qBAAqB;gBAC5B,WAAW,EAAE,GAAG,GAAG,oCAAoC;gBACvD,cAAc,EAAE,0EAA0E;gBAC1F,QAAQ,EAAE,GAAG,QAAQ,IAAI,GAAG,GAAG,CAAC,KAAK,GAAG,OAAO;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,CAAC,IAAI,CAAC;QACV,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE,GAAG,QAAQ,yEAAyE;QACjG,cAAc,EAAE,4EAA4E;QAC5F,QAAQ,EAAE,QAAQ;KACnB,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,oBAAoB;AAEpB,KAAK,UAAU,SAAS,CAAC,IAAY,EAAE,QAAkB;IACvD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,UAAU,IAAI,CAAC,GAAW,EAAE,KAAa;QAC5C,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO,CAAC,oBAAoB;QAC3C,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,kBAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;gBAAE,SAAS;YAClE,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,yCAAyC;gBACzC,IAAI,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAC5F,MAAM,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACN,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;wBACpB,4BAA4B;wBAC5B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;wBACvC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;4BAC9D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBACnB,CAAC;oBACH,CAAC;yBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;wBAC5B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACnB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACpB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,IAAY,EAAE,OAAe;IAC9C,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;IACtF,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvB,CAAC"}

package/dist/scanners/helm-scanner.d.ts

@@ -0,0 +1,16 @@
+import { SecurityResult } from '../types/security-result';
+/**
+ * Helm chart security scanner for MCP servers.
+ *
+ * Detects Helm chart directories (Chart.yaml present), then:
+ * - Scans values.yaml for hardcoded secrets, privileged settings, and misconfigs
+ * - Strips Go template syntax from templates/ and runs K8s manifest checks
+ * - Checks for deprecated API versions in templates
+ * - Validates Chart.yaml metadata (appVersion pinned, etc.)
+ */
+interface HelmScanOptions {
+    strict?: boolean;
+}
+export declare function scanHelm(targetPath: string, options?: HelmScanOptions): Promise<SecurityResult>;
+export {};
+//# sourceMappingURL=helm-scanner.d.ts.map

package/dist/scanners/helm-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helm-scanner.d.ts","sourceRoot":"","sources":["../../src/scanners/helm-scanner.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAiB,MAAM,0BAA0B,CAAC;AAEzE;;;;;;;;GAQG;AAEH,UAAU,eAAe;IACvB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA0UD,wBAAsB,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,cAAc,CAAC,CA0FzG"}