@sulthonzh/mcp-audit 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +134 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +165 -0
- package/dist/cli.js.map +1 -0
- package/dist/config/config-loader.d.ts +17 -0
- package/dist/config/config-loader.d.ts.map +1 -0
- package/dist/config/config-loader.js +72 -0
- package/dist/config/config-loader.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +22 -0
- package/dist/index.js.map +1 -0
- package/dist/reporter/report-generator.d.ts +7 -0
- package/dist/reporter/report-generator.d.ts.map +1 -0
- package/dist/reporter/report-generator.js +240 -0
- package/dist/reporter/report-generator.js.map +1 -0
- package/dist/reporters/sarif-reporter.d.ts +18 -0
- package/dist/reporters/sarif-reporter.d.ts.map +1 -0
- package/dist/reporters/sarif-reporter.js +148 -0
- package/dist/reporters/sarif-reporter.js.map +1 -0
- package/dist/scanners/config-scanner.d.ts +11 -0
- package/dist/scanners/config-scanner.d.ts.map +1 -0
- package/dist/scanners/config-scanner.js +399 -0
- package/dist/scanners/config-scanner.js.map +1 -0
- package/dist/scanners/docker-scanner.d.ts +13 -0
- package/dist/scanners/docker-scanner.d.ts.map +1 -0
- package/dist/scanners/docker-scanner.js +384 -0
- package/dist/scanners/docker-scanner.js.map +1 -0
- package/dist/scanners/helm-scanner.d.ts +16 -0
- package/dist/scanners/helm-scanner.d.ts.map +1 -0
- package/dist/scanners/helm-scanner.js +385 -0
- package/dist/scanners/helm-scanner.js.map +1 -0
- package/dist/scanners/k8s-scanner.d.ts +14 -0
- package/dist/scanners/k8s-scanner.d.ts.map +1 -0
- package/dist/scanners/k8s-scanner.js +315 -0
- package/dist/scanners/k8s-scanner.js.map +1 -0
- package/dist/scanners/server-scanner.d.ts +13 -0
- package/dist/scanners/server-scanner.d.ts.map +1 -0
- package/dist/scanners/server-scanner.js +346 -0
- package/dist/scanners/server-scanner.js.map +1 -0
- package/dist/types/security-result.d.ts +35 -0
- package/dist/types/security-result.d.ts.map +1 -0
- package/dist/types/security-result.js +3 -0
- package/dist/types/security-result.js.map +1 -0
- package/dist/utils/logger.d.ts +19 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +71 -0
- package/dist/utils/logger.js.map +1 -0
- package/package.json +77 -0
|
@@ -0,0 +1,385 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.scanHelm = scanHelm;
|
|
7
|
+
const fs_extra_1 = __importDefault(require("fs-extra"));
|
|
8
|
+
const path_1 = __importDefault(require("path"));
|
|
9
|
+
const js_yaml_1 = __importDefault(require("js-yaml"));
|
|
10
|
+
const logger_1 = require("../utils/logger");
|
|
11
|
+
// ---- Go template stripping ----
|
|
12
|
+
const TEMPLATE_PATTERNS = [
|
|
13
|
+
/\{\{-?\s*\/\*[\s\S]*?\*\/\s*-?\}\}/g, // {{/* comment */}}
|
|
14
|
+
/\{\{-?\s*if\s+[\s\S]*?-?\}\}/g, // {{ if ... }}
|
|
15
|
+
/\{\{-?\s*else\s*-?\}\}/g, // {{ else }}
|
|
16
|
+
/\{\{-?\s*end\s*-?\}\}/g, // {{ end }}
|
|
17
|
+
/\{\{-?\s*range\s+[\s\S]*?-?\}\}/g, // {{ range ... }}
|
|
18
|
+
/\{\{-?\s*with\s+[\s\S]*?-?\}\}/g, // {{ with ... }}
|
|
19
|
+
/\{\{-?\s*block\s+[\s\S]*?-?\}\}/g, // {{ block ... }}
|
|
20
|
+
/\{\{-?\s*define\s+[\s\S]*?-?\}\}/g, // {{ define ... }}
|
|
21
|
+
/\{\{-?\s*tpl\s+[\s\S]*?-?\}\}/g, // {{ tpl ... }}
|
|
22
|
+
/\{\{-?\s*include\s+[\s\S]*?-?\}\}/g, // {{ include ... }}
|
|
23
|
+
/\{\{-?\s*toYaml\s+[\s\S]*?-?\}\}/g, // {{ toYaml ... }}
|
|
24
|
+
/\{\{-?\s*toJson\s+[\s\S]*?-?\}\}/g, // {{ toJson ... }}
|
|
25
|
+
/\{\{-?\s*\.[\w.]+\s*\|?\s*[\w\s]*-?\}\}/g, // {{ .Values.xxx }}
|
|
26
|
+
/\{\{-?\s*\$[\w.]+\s*-?\}\}/g, // {{ $var }}
|
|
27
|
+
/\{\{-?\s*default\s+[\s\S]*?-?\}\}/g, // {{ default ... }}
|
|
28
|
+
/\{\{-?\s*printf\s+[\s\S]*?-?\}\}/g, // {{ printf ... }}
|
|
29
|
+
/\{\{-?\s*required\s+[\s\S]*?-?\}\}/g, // {{ required ... }}
|
|
30
|
+
/\{\{-?\s*lookup\s+[\s\S]*?-?\}\}/g, // {{ lookup ... }}
|
|
31
|
+
/\{\{-?\s*\w+\s+[\s\S]*?-?\}\}/g, // {{ function args }}
|
|
32
|
+
/\{\{-?\s*[\s\S]*?-?\}\}/g, // catch-all remaining
|
|
33
|
+
];
|
|
34
|
+
function stripGoTemplate(content) {
|
|
35
|
+
let cleaned = content;
|
|
36
|
+
// Remove comments first
|
|
37
|
+
cleaned = cleaned.replace(/\{\{-?\s*\/\*[\s\S]*?\*\/\s*-?\}\}/g, '');
|
|
38
|
+
// Replace remaining template expressions with placeholder or empty
|
|
39
|
+
cleaned = cleaned.replace(/\{\{[\s\S]*?\}\}/g, '');
|
|
40
|
+
return cleaned;
|
|
41
|
+
}
|
|
42
|
+
// ---- values.yaml checks ----
|
|
43
|
+
function checkValues(values, relPath) {
|
|
44
|
+
const issues = [];
|
|
45
|
+
if (!values || typeof values !== 'object')
|
|
46
|
+
return issues;
|
|
47
|
+
function walk(obj, path) {
|
|
48
|
+
if (!obj || typeof obj !== 'object')
|
|
49
|
+
return;
|
|
50
|
+
for (const [key, val] of Object.entries(obj)) {
|
|
51
|
+
const currentPath = path ? `${path}.${key}` : key;
|
|
52
|
+
const keyLower = key.toLowerCase();
|
|
53
|
+
// Hardcoded secrets
|
|
54
|
+
if ((keyLower.includes('password') || keyLower.includes('secret') ||
|
|
55
|
+
keyLower.includes('token') || keyLower.includes('apikey') ||
|
|
56
|
+
keyLower.includes('api_key') || keyLower.includes('accesskey') ||
|
|
57
|
+
keyLower.includes('access_key') || keyLower.includes('privatekey') ||
|
|
58
|
+
keyLower.includes('private_key')) &&
|
|
59
|
+
typeof val === 'string' && val.length > 0) {
|
|
60
|
+
// Skip obvious placeholders
|
|
61
|
+
const placeholders = ['changeme', 'replace', 'xxx', 'placeholder', '${', '%(', 'your-', 'REPLACE'];
|
|
62
|
+
const isPlaceholder = placeholders.some(p => val.toLowerCase().includes(p.toLowerCase()));
|
|
63
|
+
if (!isPlaceholder) {
|
|
64
|
+
issues.push({
|
|
65
|
+
type: 'high',
|
|
66
|
+
category: 'config',
|
|
67
|
+
title: 'Hardcoded secret in values.yaml',
|
|
68
|
+
description: `Found "${currentPath}" with what appears to be a real value in values.yaml`,
|
|
69
|
+
recommendation: 'Use .Values.secrets or external secret management (Sealed Secrets, External Secrets Operator)',
|
|
70
|
+
evidence: `${relPath} → ${currentPath}`,
|
|
71
|
+
});
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
// Privileged container flags in values
|
|
75
|
+
if (keyLower === 'privileged' && val === true) {
|
|
76
|
+
issues.push({
|
|
77
|
+
type: 'high',
|
|
78
|
+
category: 'permissions',
|
|
79
|
+
title: 'Privileged container in values',
|
|
80
|
+
description: `values.yaml sets privileged: true at ${currentPath}`,
|
|
81
|
+
recommendation: 'Avoid running containers in privileged mode. Use fine-grained capabilities instead.',
|
|
82
|
+
evidence: `${relPath} → ${currentPath}`,
|
|
83
|
+
});
|
|
84
|
+
}
|
|
85
|
+
if (keyLower === 'runasroot' && val === true) {
|
|
86
|
+
issues.push({
|
|
87
|
+
type: 'medium',
|
|
88
|
+
category: 'permissions',
|
|
89
|
+
title: 'runAsRoot enabled in values',
|
|
90
|
+
description: `values.yaml sets runAsRoot: true at ${currentPath}`,
|
|
91
|
+
recommendation: 'Set runAsNonRoot: true and runAsUser > 0',
|
|
92
|
+
evidence: `${relPath} → ${currentPath}`,
|
|
93
|
+
});
|
|
94
|
+
}
|
|
95
|
+
// hostNetwork in values
|
|
96
|
+
if (keyLower === 'hostnetwork' && val === true) {
|
|
97
|
+
issues.push({
|
|
98
|
+
type: 'high',
|
|
99
|
+
category: 'network',
|
|
100
|
+
title: 'hostNetwork in values',
|
|
101
|
+
description: `values.yaml enables hostNetwork at ${currentPath}`,
|
|
102
|
+
recommendation: 'Avoid hostNetwork unless absolutely necessary',
|
|
103
|
+
evidence: `${relPath} → ${currentPath}`,
|
|
104
|
+
});
|
|
105
|
+
}
|
|
106
|
+
// Recurse into nested objects
|
|
107
|
+
if (typeof val === 'object' && val !== null) {
|
|
108
|
+
walk(val, currentPath);
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
}
|
|
112
|
+
walk(values, '');
|
|
113
|
+
return issues;
|
|
114
|
+
}
|
|
115
|
+
// ---- Chart.yaml checks ----
|
|
116
|
+
function checkChartYaml(chart, relPath) {
|
|
117
|
+
const issues = [];
|
|
118
|
+
if (!chart || typeof chart !== 'object')
|
|
119
|
+
return issues;
|
|
120
|
+
// Missing appVersion
|
|
121
|
+
if (!chart.appVersion) {
|
|
122
|
+
issues.push({
|
|
123
|
+
type: 'low',
|
|
124
|
+
category: 'config',
|
|
125
|
+
title: 'Missing appVersion in Chart.yaml',
|
|
126
|
+
description: 'Chart.yaml does not specify appVersion',
|
|
127
|
+
recommendation: 'Add appVersion to track which app version the chart deploys',
|
|
128
|
+
evidence: relPath,
|
|
129
|
+
});
|
|
130
|
+
}
|
|
131
|
+
// Deprecated chart
|
|
132
|
+
if (chart.deprecated) {
|
|
133
|
+
issues.push({
|
|
134
|
+
type: 'medium',
|
|
135
|
+
category: 'config',
|
|
136
|
+
title: 'Deprecated Helm chart',
|
|
137
|
+
description: `Chart "${chart.name ?? 'unnamed'}" is marked as deprecated`,
|
|
138
|
+
recommendation: 'Migrate to a maintained chart or fork and maintain your own',
|
|
139
|
+
evidence: relPath,
|
|
140
|
+
});
|
|
141
|
+
}
|
|
142
|
+
return issues;
|
|
143
|
+
}
|
|
144
|
+
function extractPodSpec(manifest) {
|
|
145
|
+
const kind = manifest.kind?.toLowerCase() ?? '';
|
|
146
|
+
if (kind === 'pod')
|
|
147
|
+
return manifest.spec;
|
|
148
|
+
if (['deployment', 'statefulset', 'daemonset', 'replicaset', 'job'].includes(kind)) {
|
|
149
|
+
return manifest.spec?.template?.spec ?? null;
|
|
150
|
+
}
|
|
151
|
+
return null;
|
|
152
|
+
}
|
|
153
|
+
function scanTemplateManifest(doc, relPath) {
|
|
154
|
+
const issues = [];
|
|
155
|
+
if (!doc || typeof doc !== 'object' || !doc.kind)
|
|
156
|
+
return issues;
|
|
157
|
+
const manifestName = doc.metadata?.name ?? 'unnamed';
|
|
158
|
+
const podSpec = extractPodSpec(doc);
|
|
159
|
+
if (podSpec) {
|
|
160
|
+
const containers = [...(podSpec.containers ?? []), ...(podSpec.initContainers ?? [])];
|
|
161
|
+
for (const ctr of containers) {
|
|
162
|
+
const cname = ctr.name ?? 'unnamed';
|
|
163
|
+
// Privileged
|
|
164
|
+
if (ctr.securityContext?.privileged) {
|
|
165
|
+
issues.push({
|
|
166
|
+
type: 'high', category: 'permissions',
|
|
167
|
+
title: 'Privileged container in Helm template',
|
|
168
|
+
description: `Container "${cname}" in ${manifestName} runs privileged (template: ${relPath})`,
|
|
169
|
+
recommendation: 'Remove securityContext.privileged or set to false',
|
|
170
|
+
evidence: relPath,
|
|
171
|
+
});
|
|
172
|
+
}
|
|
173
|
+
// No resource limits
|
|
174
|
+
if (!ctr.resources?.limits) {
|
|
175
|
+
issues.push({
|
|
176
|
+
type: 'medium', category: 'config',
|
|
177
|
+
title: 'No resource limits in Helm template',
|
|
178
|
+
description: `Container "${cname}" in ${manifestName} has no resource limits (template: ${relPath})`,
|
|
179
|
+
recommendation: 'Set resources.limits.cpu and resources.limits.memory',
|
|
180
|
+
evidence: relPath,
|
|
181
|
+
});
|
|
182
|
+
}
|
|
183
|
+
// :latest tag (only warn if hardcoded, template vars are fine)
|
|
184
|
+
const image = ctr.image ?? '';
|
|
185
|
+
if (typeof image === 'string' && (image.includes(':latest') || (image.includes('/') && !image.includes(':') && !image.includes('.')))) {
|
|
186
|
+
issues.push({
|
|
187
|
+
type: 'medium', category: 'supply-chain',
|
|
188
|
+
title: 'Latest tag in Helm template',
|
|
189
|
+
description: `Container "${cname}" uses untagged or :latest image: ${image}`,
|
|
190
|
+
recommendation: 'Pin image tags to specific versions',
|
|
191
|
+
evidence: relPath,
|
|
192
|
+
});
|
|
193
|
+
}
|
|
194
|
+
// Hardcoded env secrets
|
|
195
|
+
if (Array.isArray(ctr.env)) {
|
|
196
|
+
for (const env of ctr.env) {
|
|
197
|
+
const n = (env.name ?? '').toLowerCase();
|
|
198
|
+
if ((n.includes('password') || n.includes('secret') || n.includes('token')) && env.value && !env.valueFrom) {
|
|
199
|
+
issues.push({
|
|
200
|
+
type: 'high', category: 'config',
|
|
201
|
+
title: 'Hardcoded secret in Helm template env',
|
|
202
|
+
description: `Container "${cname}" has "${env.name}" as plaintext in template`,
|
|
203
|
+
recommendation: 'Reference Kubernetes Secrets instead of hardcoding values',
|
|
204
|
+
evidence: `${relPath} → env.${env.name}`,
|
|
205
|
+
});
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
}
|
|
210
|
+
// hostPath volumes
|
|
211
|
+
if (Array.isArray(podSpec.volumes)) {
|
|
212
|
+
for (const vol of podSpec.volumes) {
|
|
213
|
+
if (vol.hostPath) {
|
|
214
|
+
issues.push({
|
|
215
|
+
type: 'high', category: 'filesystem',
|
|
216
|
+
title: 'hostPath volume in Helm template',
|
|
217
|
+
description: `Template ${relPath} uses hostPath "${vol.name}" → ${vol.hostPath.path}`,
|
|
218
|
+
recommendation: 'Use PVCs or emptyDir instead of hostPath',
|
|
219
|
+
evidence: relPath,
|
|
220
|
+
});
|
|
221
|
+
}
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
// hostNetwork
|
|
225
|
+
if (podSpec.hostNetwork) {
|
|
226
|
+
issues.push({
|
|
227
|
+
type: 'high', category: 'network',
|
|
228
|
+
title: 'hostNetwork in Helm template',
|
|
229
|
+
description: `Template ${relPath} enables hostNetwork`,
|
|
230
|
+
recommendation: 'Only use hostNetwork when absolutely necessary',
|
|
231
|
+
evidence: relPath,
|
|
232
|
+
});
|
|
233
|
+
}
|
|
234
|
+
}
|
|
235
|
+
// Service type checks
|
|
236
|
+
if ((doc.kind ?? '').toLowerCase() === 'service' && doc.spec?.type === 'LoadBalancer') {
|
|
237
|
+
issues.push({
|
|
238
|
+
type: 'medium', category: 'network',
|
|
239
|
+
title: 'LoadBalancer service in Helm template',
|
|
240
|
+
description: `Service "${doc.metadata?.name ?? 'unnamed'}" in ${relPath} is LoadBalancer`,
|
|
241
|
+
recommendation: 'Use ClusterIP + Ingress for internal services',
|
|
242
|
+
evidence: relPath,
|
|
243
|
+
});
|
|
244
|
+
}
|
|
245
|
+
return issues;
|
|
246
|
+
}
|
|
247
|
+
// ---- Chart discovery ----
|
|
248
|
+
async function findHelmCharts(targetPath) {
|
|
249
|
+
const charts = [];
|
|
250
|
+
if (!(await fs_extra_1.default.pathExists(targetPath)))
|
|
251
|
+
return charts;
|
|
252
|
+
const stat = await fs_extra_1.default.stat(targetPath);
|
|
253
|
+
if (stat.isFile())
|
|
254
|
+
return charts; // Charts are directories
|
|
255
|
+
async function walk(dir, depth) {
|
|
256
|
+
if (depth > 10)
|
|
257
|
+
return; // safety limit
|
|
258
|
+
const chartFile = path_1.default.join(dir, 'Chart.yaml');
|
|
259
|
+
if (await fs_extra_1.default.pathExists(chartFile)) {
|
|
260
|
+
charts.push(dir);
|
|
261
|
+
return; // don't recurse into subcharts of found charts
|
|
262
|
+
}
|
|
263
|
+
const entries = await fs_extra_1.default.readdir(dir, { withFileTypes: true }).catch(() => []);
|
|
264
|
+
for (const entry of entries) {
|
|
265
|
+
if (entry.name.startsWith('.') || entry.name === 'node_modules' || entry.name === 'charts')
|
|
266
|
+
continue;
|
|
267
|
+
if (entry.isDirectory()) {
|
|
268
|
+
await walk(path_1.default.join(dir, entry.name), depth + 1);
|
|
269
|
+
}
|
|
270
|
+
}
|
|
271
|
+
}
|
|
272
|
+
await walk(targetPath, 0);
|
|
273
|
+
return charts;
|
|
274
|
+
}
|
|
275
|
+
async function findTemplateFiles(chartDir) {
|
|
276
|
+
const templatesDir = path_1.default.join(chartDir, 'templates');
|
|
277
|
+
if (!(await fs_extra_1.default.pathExists(templatesDir)))
|
|
278
|
+
return [];
|
|
279
|
+
const files = [];
|
|
280
|
+
async function walk(dir) {
|
|
281
|
+
const entries = await fs_extra_1.default.readdir(dir, { withFileTypes: true });
|
|
282
|
+
for (const entry of entries) {
|
|
283
|
+
const full = path_1.default.join(dir, entry.name);
|
|
284
|
+
if (entry.isDirectory()) {
|
|
285
|
+
await walk(full);
|
|
286
|
+
}
|
|
287
|
+
else {
|
|
288
|
+
const ext = path_1.default.extname(entry.name).toLowerCase();
|
|
289
|
+
if (['.yaml', '.yml'].includes(ext)) {
|
|
290
|
+
files.push(full);
|
|
291
|
+
}
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
}
|
|
295
|
+
await walk(templatesDir);
|
|
296
|
+
return files;
|
|
297
|
+
}
|
|
298
|
+
// ---- Public API ----
|
|
299
|
+
async function scanHelm(targetPath, options = {}) {
|
|
300
|
+
const issues = [];
|
|
301
|
+
let chartsScanned = 0;
|
|
302
|
+
let templatesScanned = 0;
|
|
303
|
+
try {
|
|
304
|
+
const charts = await findHelmCharts(targetPath);
|
|
305
|
+
if (charts.length === 0) {
|
|
306
|
+
return {
|
|
307
|
+
scanType: 'server',
|
|
308
|
+
timestamp: new Date().toISOString(),
|
|
309
|
+
target: targetPath,
|
|
310
|
+
issues: [],
|
|
311
|
+
score: 100,
|
|
312
|
+
summary: { configFilesFound: 0, highRiskIssues: 0, mediumRiskIssues: 0, lowRiskIssues: 0 },
|
|
313
|
+
};
|
|
314
|
+
}
|
|
315
|
+
for (const chartDir of charts) {
|
|
316
|
+
const chartRel = path_1.default.relative(targetPath, chartDir) || path_1.default.basename(chartDir);
|
|
317
|
+
chartsScanned++;
|
|
318
|
+
// Scan Chart.yaml
|
|
319
|
+
const chartFile = path_1.default.join(chartDir, 'Chart.yaml');
|
|
320
|
+
if (await fs_extra_1.default.pathExists(chartFile)) {
|
|
321
|
+
const chartContent = await fs_extra_1.default.readFile(chartFile, 'utf8');
|
|
322
|
+
const chart = js_yaml_1.default.load(chartContent);
|
|
323
|
+
issues.push(...checkChartYaml(chart, path_1.default.join(chartRel, 'Chart.yaml')));
|
|
324
|
+
}
|
|
325
|
+
// Scan values.yaml
|
|
326
|
+
const valuesFile = path_1.default.join(chartDir, 'values.yaml');
|
|
327
|
+
if (await fs_extra_1.default.pathExists(valuesFile)) {
|
|
328
|
+
const valuesContent = await fs_extra_1.default.readFile(valuesFile, 'utf8');
|
|
329
|
+
const values = js_yaml_1.default.load(valuesContent);
|
|
330
|
+
issues.push(...checkValues(values, path_1.default.join(chartRel, 'values.yaml')));
|
|
331
|
+
}
|
|
332
|
+
// Scan templates
|
|
333
|
+
const templateFiles = await findTemplateFiles(chartDir);
|
|
334
|
+
for (const tf of templateFiles) {
|
|
335
|
+
const content = await fs_extra_1.default.readFile(tf, 'utf8');
|
|
336
|
+
const cleaned = stripGoTemplate(content);
|
|
337
|
+
const tfRel = path_1.default.relative(targetPath, tf);
|
|
338
|
+
try {
|
|
339
|
+
const docs = js_yaml_1.default.loadAll(cleaned);
|
|
340
|
+
let hadManifest = false;
|
|
341
|
+
for (const doc of docs) {
|
|
342
|
+
if (!doc || typeof doc !== 'object' || !doc.kind)
|
|
343
|
+
continue;
|
|
344
|
+
hadManifest = true;
|
|
345
|
+
issues.push(...scanTemplateManifest(doc, tfRel));
|
|
346
|
+
}
|
|
347
|
+
if (hadManifest)
|
|
348
|
+
templatesScanned++;
|
|
349
|
+
}
|
|
350
|
+
catch {
|
|
351
|
+
// Template with too much Go syntax may not parse — that's expected
|
|
352
|
+
logger_1.logger.debug(`Could not parse template ${tfRel} after stripping Go syntax`);
|
|
353
|
+
}
|
|
354
|
+
}
|
|
355
|
+
}
|
|
356
|
+
}
|
|
357
|
+
catch (err) {
|
|
358
|
+
logger_1.logger.warn('Helm scan error:', err);
|
|
359
|
+
issues.push({
|
|
360
|
+
type: 'medium',
|
|
361
|
+
category: 'config',
|
|
362
|
+
title: 'Helm Scan Error',
|
|
363
|
+
description: `Could not complete Helm scan: ${err instanceof Error ? err.message : String(err)}`,
|
|
364
|
+
recommendation: 'Ensure chart directories are accessible and YAML is valid',
|
|
365
|
+
});
|
|
366
|
+
}
|
|
367
|
+
const high = issues.filter(i => i.type === 'high').length;
|
|
368
|
+
const medium = issues.filter(i => i.type === 'medium').length;
|
|
369
|
+
const low = issues.filter(i => i.type === 'low').length;
|
|
370
|
+
const score = Math.max(0, 100 - high * 25 - medium * 10 - low * 3);
|
|
371
|
+
return {
|
|
372
|
+
scanType: 'server',
|
|
373
|
+
timestamp: new Date().toISOString(),
|
|
374
|
+
target: targetPath,
|
|
375
|
+
issues,
|
|
376
|
+
score,
|
|
377
|
+
summary: {
|
|
378
|
+
configFilesFound: chartsScanned + templatesScanned,
|
|
379
|
+
highRiskIssues: high,
|
|
380
|
+
mediumRiskIssues: medium,
|
|
381
|
+
lowRiskIssues: low,
|
|
382
|
+
},
|
|
383
|
+
};
|
|
384
|
+
}
|
|
385
|
+
//# sourceMappingURL=helm-scanner.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"helm-scanner.js","sourceRoot":"","sources":["../../src/scanners/helm-scanner.ts"],"names":[],"mappings":";;;;;AA4VA,4BA0FC;AAtbD,wDAA0B;AAC1B,gDAAwB;AACxB,sDAA2B;AAC3B,4CAAyC;AAiBzC,kCAAkC;AAElC,MAAM,iBAAiB,GAAG;IACxB,qCAAqC,EAAS,oBAAoB;IAClE,+BAA+B,EAAiB,eAAe;IAC/D,yBAAyB,EAAwB,aAAa;IAC9D,wBAAwB,EAAyB,YAAY;IAC7D,kCAAkC,EAAe,kBAAkB;IACnE,iCAAiC,EAAgB,iBAAiB;IAClE,kCAAkC,EAAe,kBAAkB;IACnE,mCAAmC,EAAc,mBAAmB;IACpE,gCAAgC,EAAiB,gBAAgB;IACjE,oCAAoC,EAAa,oBAAoB;IACrE,mCAAmC,EAAc,mBAAmB;IACpE,mCAAmC,EAAc,mBAAmB;IACpE,0CAA0C,EAAM,oBAAoB;IACpE,6BAA6B,EAAoB,aAAa;IAC9D,oCAAoC,EAAa,oBAAoB;IACrE,mCAAmC,EAAc,mBAAmB;IACpE,qCAAqC,EAAY,qBAAqB;IACtE,mCAAmC,EAAc,mBAAmB;IACpE,gCAAgC,EAAiB,sBAAsB;IACvE,0BAA0B,EAAwB,sBAAsB;CACzE,CAAC;AAEF,SAAS,eAAe,CAAC,OAAe;IACtC,IAAI,OAAO,GAAG,OAAO,CAAC;IACtB,wBAAwB;IACxB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC,CAAC;IACrE,mEAAmE;IACnE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+BAA+B;AAE/B,SAAS,WAAW,CAAC,MAAW,EAAE,OAAe;IAC/C,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAEzD,SAAS,IAAI,CAAC,GAAQ,EAAE,IAAY;QAClC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO;QAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;YAClD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAEnC,oBAAoB;YACpB,IACE,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC5D,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACzD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC9D,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAClE,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;gBAClC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EACzC,CAAC;gBACD,4BAA4B;gBAC5B,MAAM,YAAY,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;gBACnG,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;gBAC1F,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,MAAM,CAAC,IAAI,CAAC;wBACV,IAAI,EAAE,MAAM;wBACZ,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EAAE,UAAU,WAAW,uDAAuD;wBACzF,cAAc,EAAE,+FAA+F;wBAC/G,QAAQ,EAAE,GAAG,OAAO,MAAM,WAAW,EAAE;qBACxC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,IAAI,QAAQ,KAAK,YAAY,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAC9C,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,gCAAgC;oBACvC,WAAW,EAAE,wCAAwC,WAAW,EAAE;oBAClE,cAAc,EAAE,qFAAqF;oBACrG,QAAQ,EAAE,GAAG,OAAO,MAAM,WAAW,EAAE;iBACxC,CAAC,CAAC;YACL,CAAC;YAED,IAAI,QAAQ,KAAK,WAAW,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAC7C,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EAAE,uCAAuC,WAAW,EAAE;oBACjE,cAAc,EAAE,0CAA0C;oBAC1D,QAAQ,EAAE,GAAG,OAAO,MAAM,WAAW,EAAE;iBACxC,CAAC,CAAC;YACL,CAAC;YAED,wBAAwB;YACxB,IAAI,QAAQ,KAAK,aAAa,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAC/C,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EAAE,sCAAsC,WAAW,EAAE;oBAChE,cAAc,EAAE,+CAA+C;oBAC/D,QAAQ,EAAE,GAAG,OAAO,MAAM,WAAW,EAAE;iBACxC,CAAC,CAAC;YACL,CAAC;YAED,8BAA8B;YAC9B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAC5C,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACjB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8BAA8B;AAE9B,SAAS,cAAc,CAAC,KAAU,EAAE,OAAe;IACjD,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAEvD,qBAAqB;IACrB,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,KAAK;YACX,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,kCAAkC;YACzC,WAAW,EAAE,wCAAwC;YACrD,cAAc,EAAE,6DAA6D;YAC7E,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EAAE,UAAU,KAAK,CAAC,IAAI,IAAI,SAAS,2BAA2B;YACzE,cAAc,EAAE,6DAA6D;YAC7E,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAYD,SAAS,cAAc,CAAC,QAAqB;IAC3C,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAChD,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,QAAQ,CAAC,IAAI,CAAC;IACzC,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnF,OAAO,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAC;IAC/C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAQ,EAAE,OAAe;IACrD,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC;IAEhE,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ,EAAE,IAAI,IAAI,SAAS,CAAC;IACrD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpC,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;QACtF,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,IAAI,SAAS,CAAC;YAEpC,aAAa;YACb,IAAI,GAAG,CAAC,eAAe,EAAE,UAAU,EAAE,CAAC;gBACpC,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa;oBACrC,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EAAE,cAAc,KAAK,QAAQ,YAAY,+BAA+B,OAAO,GAAG;oBAC7F,cAAc,EAAE,mDAAmD;oBACnE,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YAED,qBAAqB;YACrB,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;gBAC3B,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;oBAClC,KAAK,EAAE,qCAAqC;oBAC5C,WAAW,EAAE,cAAc,KAAK,QAAQ,YAAY,sCAAsC,OAAO,GAAG;oBACpG,cAAc,EAAE,sDAAsD;oBACtE,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAC/D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtI,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,cAAc;oBACxC,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EAAE,cAAc,KAAK,qCAAqC,KAAK,EAAE;oBAC5E,cAAc,EAAE,qCAAqC;oBACrD,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YAED,wBAAwB;YACxB,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;oBAC1B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;oBACzC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;wBAC3G,MAAM,CAAC,IAAI,CAAC;4BACV,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ;4BAChC,KAAK,EAAE,uCAAuC;4BAC9C,WAAW,EAAE,cAAc,KAAK,UAAU,GAAG,CAAC,IAAI,4BAA4B;4BAC9E,cAAc,EAAE,2DAA2D;4BAC3E,QAAQ,EAAE,GAAG,OAAO,UAAU,GAAG,CAAC,IAAI,EAAE;yBACzC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,MAAM,CAAC,IAAI,CAAC;wBACV,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY;wBACpC,KAAK,EAAE,kCAAkC;wBACzC,WAAW,EAAE,YAAY,OAAO,mBAAmB,GAAG,CAAC,IAAI,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE;wBACrF,cAAc,EAAE,0CAA0C;wBAC1D,QAAQ,EAAE,OAAO;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,cAAc;QACd,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS;gBACjC,KAAK,EAAE,8BAA8B;gBACrC,WAAW,EAAE,YAAY,OAAO,sBAAsB;gBACtD,cAAc,EAAE,gDAAgD;gBAChE,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,SAAS,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,KAAK,cAAc,EAAE,CAAC;QACtF,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS;YACnC,KAAK,EAAE,uCAAuC;YAC9C,WAAW,EAAE,YAAY,GAAG,CAAC,QAAQ,EAAE,IAAI,IAAI,SAAS,QAAQ,OAAO,kBAAkB;YACzF,cAAc,EAAE,+CAA+C;YAC/D,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,4BAA4B;AAE5B,KAAK,UAAU,cAAc,CAAC,UAAkB;IAC9C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,CAAC,CAAC,MAAM,kBAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAEtD,MAAM,IAAI,GAAG,MAAM,kBAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvC,IAAI,IAAI,CAAC,MAAM,EAAE;QAAE,OAAO,MAAM,CAAC,CAAC,yBAAyB;IAE3D,KAAK,UAAU,IAAI,CAAC,GAAW,EAAE,KAAa;QAC5C,IAAI,KAAK,GAAG,EAAE;YAAE,OAAO,CAAC,eAAe;QACvC,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAC/C,IAAI,MAAM,kBAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,CAAC,+CAA+C;QACzD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC/E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAS;YACrG,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAgB;IAC/C,MAAM,YAAY,GAAG,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACtD,IAAI,CAAC,CAAC,MAAM,kBAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAEpD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,UAAU,IAAI,CAAC,GAAW;QAC7B,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;YACnB,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBACnD,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uBAAuB;AAEhB,KAAK,UAAU,QAAQ,CAAC,UAAkB,EAAE,UAA2B,EAAE;IAC9E,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;QAEhD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;gBACL,QAAQ,EAAE,QAAQ;gBAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,GAAG;gBACV,OAAO,EAAE,EAAE,gBAAgB,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,gBAAgB,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE;aAC3F,CAAC;QACJ,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,MAAM,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,cAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,cAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAChF,aAAa,EAAE,CAAC;YAEhB,kBAAkB;YAClB,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACpD,IAAI,MAAM,kBAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnC,MAAM,YAAY,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;gBAC1D,MAAM,KAAK,GAAG,iBAAI,CAAC,IAAI,CAAC,YAAY,CAAQ,CAAC;gBAC7C,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC;YAC3E,CAAC;YAED,mBAAmB;YACnB,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YACtD,IAAI,MAAM,kBAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACpC,MAAM,aAAa,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBAC5D,MAAM,MAAM,GAAG,iBAAI,CAAC,IAAI,CAAC,aAAa,CAAQ,CAAC;gBAC/C,MAAM,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;YAC1E,CAAC;YAED,iBAAiB;YACjB,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACxD,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;gBAC/B,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;gBAC9C,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;gBACzC,MAAM,KAAK,GAAG,cAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;gBAE5C,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,iBAAI,CAAC,OAAO,CAAC,OAAO,CAAU,CAAC;oBAC5C,IAAI,WAAW,GAAG,KAAK,CAAC;oBACxB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;wBACvB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI;4BAAE,SAAS;wBAC3D,WAAW,GAAG,IAAI,CAAC;wBACnB,MAAM,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;oBACnD,CAAC;oBACD,IAAI,WAAW;wBAAE,gBAAgB,EAAE,CAAC;gBACtC,CAAC;gBAAC,MAAM,CAAC;oBACP,mEAAmE;oBACnE,eAAM,CAAC,KAAK,CAAC,4BAA4B,KAAK,4BAA4B,CAAC,CAAC;gBAC9E,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,iBAAiB;YACxB,WAAW,EAAE,iCAAiC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAChG,cAAc,EAAE,2DAA2D;SAC5E,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IACxD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,MAAM,GAAG,EAAE,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC;IAEnE,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,UAAU;QAClB,MAAM;QACN,KAAK;QACL,OAAO,EAAE;YACP,gBAAgB,EAAE,aAAa,GAAG,gBAAgB;YAClD,cAAc,EAAE,IAAI;YACpB,gBAAgB,EAAE,MAAM;YACxB,aAAa,EAAE,GAAG;SACnB;KACF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import { SecurityResult } from '../types/security-result';
|
|
2
|
+
/**
|
|
3
|
+
* Kubernetes manifest security scanner for MCP servers.
|
|
4
|
+
*
|
|
5
|
+
* Checks Deployments, Pods, Services, and other K8s resources for
|
|
6
|
+
* common security misconfigurations: privileged containers, missing
|
|
7
|
+
* resource limits, exposed secrets, hostPath mounts, etc.
|
|
8
|
+
*/
|
|
9
|
+
interface K8sScanOptions {
|
|
10
|
+
strict?: boolean;
|
|
11
|
+
}
|
|
12
|
+
export declare function scanK8s(targetPath: string, options?: K8sScanOptions): Promise<SecurityResult>;
|
|
13
|
+
export {};
|
|
14
|
+
//# sourceMappingURL=k8s-scanner.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"k8s-scanner.d.ts","sourceRoot":"","sources":["../../src/scanners/k8s-scanner.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAiB,MAAM,0BAA0B,CAAC;AAEzE;;;;;;GAMG;AAEH,UAAU,cAAc;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAmSD,wBAAsB,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,GAAE,cAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAqDvG"}
|