npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/iac/ansible/zm-ansible-cwe798-mysql-lineinfile.yaml ADDED Viewed

@@ -0,0 +1,86 @@
+# 逐码 ZhuMa IaC 规则 — Ansible Playbook 数据库凭证和文件行注入检测
+# V4.3 Sprint — CWE-798: Hardcoded Credentials / 敏感数据暴露
+rules:
+  # ZM-ANSIBLE-CWE798-004: mysql_user password 明文
+  - id: zm-ansible-cwe798-mysql-password-001
+    severity: CRITICAL
+    message: |
+      Ansible `mysql_user` 模块中 `password` 参数包含明文密码 — 该值会出现在 Ansible 日志
+      和 playbook 文件中。攻击者获取 playbook 后可直接连接数据库。
+      修复:
+      1. 使用 `ansible-vault` 加密密码变量:
+      ```bash
+      ansible-vault encrypt_string 'MySecretPassword' --name 'db_password'
+      ```
+      ```yaml
+      - mysql_user:
+          name: app_user
+          password: "{{ db_password }}"
+          priv: "app_db.*:ALL"
+      ```
+      2. 使用 `login_password` 配合 vault 变量:
+      ```yaml
+      - mysql_user:
+          login_user: root
+          login_password: "{{ vault_mysql_root_password }}"
+          name: app_user
+          password: "{{ vault_app_password }}"
+      ```
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          mysql_user:
+            ...
+            password: "$VAL"
+      - pattern: |
+          mysql_user:
+            ...
+            login_password: "$VAL"
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, mysql, hardcoded-credentials, database]
+  # ZM-ANSIBLE-CWE798-005: lineinfile 含密码插入
+  - id: zm-ansible-cwe798-lineinfile-password-001
+    severity: MEDIUM
+    message: |
+      Ansible `lineinfile` 模块可能用于向配置文件写入硬编码密码 —
+      这会将密码明文写入目标主机的配置文件中。
+      修复:
+      1. 将密码存储在 vault 加密变量中:
+      ```yaml
+      - lineinfile:
+          path: /etc/app/config.properties
+          regexp: '^db.password='
+          line: "db.password={{ vault_db_password }}"
+      ```
+      2. 使用 template 模块生成整个配置文件
+      3. 使用 no_log: true 防止密码值在 Ansible 输出中显示
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          lineinfile:
+            ...
+            line: "...password=..."
+      - pattern: |
+          lineinfile:
+            ...
+            line: "...passwd=..."
+      - pattern: |
+          lineinfile:
+            ...
+            line: "...secret=..."
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-ansible
+      precision: medium
+      confidence: medium
+      tags: [ansible, lineinfile, hardcoded-credentials, config-files]

package/rules/iac/terraform/zm-tf-cwe284-gcp-firewall-eks.yaml ADDED Viewed

@@ -0,0 +1,78 @@
+# 逐码 ZhuMa IaC 规则 — Terraform GCP/阿里云防火墙和EKS安全检测
+# V4.3 Sprint — 多云IaC安全
+rules:
+  # ZM-TF-CWE284-GCP-001: GCP Compute Firewall 0.0.0.0/0
+  - id: zm-tf-cwe284-gcp-firewall-world-001
+    severity: CRITICAL
+    message: |
+      GCP Compute Firewall 允许 `0.0.0.0/0` 来源访问 — 服务端口暴露给整个互联网。
+      与 AWS Security Group 类似，GCP Firewall source_ranges 设为 0.0.0.0/0
+      允许全球任意 IP 访问该规则覆盖的实例。
+      修复:
+      1. 将 source_ranges 限制为特定 IP 范围:
+      ```hcl
+      resource "google_compute_firewall" "web" {
+        name    = "allow-web-internal"
+        network = google_compute_network.vpc.name
+        allow {
+          protocol = "tcp"
+          ports    = ["443"]
+        }
+        source_ranges = ["10.0.0.0/8"]
+      }
+      ```
+      2. 使用 Identity-Aware Proxy (IAP) 进行身份验证的 HTTPS 访问
+      3. 数据库端口仅对应用子网开放，不应有公网防火墙规则
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          source_ranges = ["0.0.0.0/0"]
+      - pattern: |
+          source_ranges = ["0.0.0.0/0", ...]
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, gcp, firewall, public-access, network-exposure]
+  # ZM-TF-CWE200-EKS-001: EKS Public Endpoint
+  - id: zm-tf-cwe200-eks-public-endpoint-001
+    severity: HIGH
+    message: |
+      AWS EKS Cluster 启用了公共 API 端点 — `endpoint_public_access = true`。
+      Kubernetes API Server 暴露在公网上，即使有 IAM 认证也存在被暴力破解或漏洞利用的风险。
+      修复:
+      1. 禁用公共端点，仅使用私有端点:
+      ```hcl
+      resource "aws_eks_cluster" "cluster" {
+        name = "my-cluster"
+        vpc_config {
+          endpoint_public_access  = false
+          endpoint_private_access = true
+        }
+      }
+      ```
+      2. 如必须保留公共端点，配置 `public_access_cidrs` 限制来源 IP:
+      ```hcl
+      vpc_config {
+        endpoint_public_access  = true
+        endpoint_private_access = true
+        public_access_cidrs     = ["203.0.113.0/24"]
+      }
+      ```
+    languages:
+      - terraform
+    pattern: |
+      endpoint_public_access = true
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, eks, kubernetes-api, public-access]

package/rules/iac/terraform/zm-tf-cwe284-sg-world-ingress.yaml ADDED Viewed

@@ -0,0 +1,70 @@
+# 逐码 ZhuMa IaC 规则 — Terraform AWS Security Group 安全检测
+# V4.3 Sprint — CWE-284: Improper Access Control / 公网暴露
+rules:
+  # ZM-TF-CWE284-SG-001: Security Group ingress 0.0.0.0/0
+  - id: zm-tf-cwe284-sg-ingress-world-001
+    severity: CRITICAL
+    message: |
+      AWS Security Group 入站规则允许 `0.0.0.0/0`（整个互联网）访问 —
+      服务端口直接暴露给公网，易被扫描和攻击。
+      常见高危端口暴露:
+      - 22 (SSH): 暴力破解攻击
+      - 3389 (RDP): 勒索软件入口
+      - 3306 (MySQL)/5432 (PostgreSQL): 数据库直接暴露
+      - 6379 (Redis): 未认证访问攻击
+      修复:
+      1. 将 cidr_blocks 限制为特定 IP 或办公网络 CIDR:
+      ```hcl
+      ingress {
+        from_port   = 22
+        to_port     = 22
+        protocol    = "tcp"
+        cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12"]
+      }
+      ```
+      2. 使用 SSM Session Manager 替代 SSH 端口暴露
+      3. 数据库仅允许来自应用安全组的流量
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          cidr_blocks = ["0.0.0.0/0"]
+      - pattern: |
+          cidr_blocks = ["0.0.0.0/0", ...]
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, security-group, public-access, network-exposure]
+  # ZM-TF-CWE284-SG-002: Security Group 过于宽松 egress
+  - id: zm-tf-cwe284-sg-egress-world-001
+    severity: MEDIUM
+    message: |
+      AWS Security Group 出站规则允许 `0.0.0.0/0` 访问所有端口 —
+      这允许被入侵的实例自由连接外部 C2 服务器或进行数据外泄。
+      修复:
+      1. 限制出站目标为特定的服务 CIDR:
+      ```hcl
+      egress {
+        from_port   = 443
+        to_port     = 443
+        protocol    = "tcp"
+        cidr_blocks = ["${var.api_endpoint_ip}/32"]
+      }
+      ```
+      2. 使用 VPC Endpoint 访问 AWS 服务，避免通过公网
+      3. 出站流量通过 NAT Gateway + 防火墙检查
+    languages:
+      - terraform
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: low
+      confidence: medium
+      tags: [terraform, aws, security-group, egress, data-exfiltration]

package/rules/iac/terraform/zm-tf-cwe285-iam-wildcard.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+# 逐码 ZhuMa IaC 规则 — Terraform AWS IAM 过度授权检测
+# V4.3 Sprint — CWE-285: Improper Authorization
+rules:
+  # ZM-TF-CWE285-IAM-001: IAM Policy Action="*" Resource="*"
+  - id: zm-tf-cwe285-iam-wildcard-002
+    severity: CRITICAL
+    message: |
+      AWS IAM Policy 同时使用 `Action = "*"` 和 `Resource = "*"` —
+      授予了对所有 AWS 服务和资源的完全控制权限，相当于 AdministratorAccess 托管策略。
+      这违反了最小权限原则。攻击者获得这些凭证后可以:
+      - 读取所有 S3 Bucket 数据
+      - 创建/删除 EC2 实例
+      - 修改 IAM 策略实现权限提升
+      - 在 CloudTrail 中关闭审计日志
+      修复:
+      1. 将 Action 限制为实际需要的 API 操作:
+      ```hcl
+      Action = [
+        "s3:GetObject",
+        "s3:PutObject"
+      ]
+      ```
+      2. 将 Resource 限制为特定资源 ARN:
+      ```hcl
+      Resource = "arn:aws:s3:::my-bucket/*"
+      ```
+      3. 添加 Condition 子句限制访问条件（来源IP、MFA状态等）
+      4. 使用 AWS 托管策略而非内联策略时，优先选择细粒度策略
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          actions = ["*"]
+      - pattern: |
+          Action   = ["*"]
+      - pattern: |
+          Action = ["*"]
+    metadata:
+      cwe: "CWE-285: Improper Authorization"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, over-privileged, least-privilege]

package/rules/iac/terraform/zm-tf-cwe312-state-secrets.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+# 逐码 ZhuMa IaC 规则 — Terraform State 安全检测
+# V4.3 Sprint — CWE-312: Cleartext Storage of Sensitive Information
+rules:
+  # ZM-TF-CWE312-STATE-001: Terraform State 含敏感信息风险标记
+  - id: zm-tf-cwe312-state-secrets-001
+    severity: CRITICAL
+    message: |
+      检测到 Terraform 配置引用了可能包含敏感信息的本地 state 文件 —
+      Terraform state 文件以明文存储所有资源属性，包括数据库密码、API 密钥等。
+      terraform.tfstate 包含完整的资源状态，攻击者获取此文件后可:
+      - 读取所有资源的敏感属性 (密码、密钥、证书)
+      - 了解完整的云基础设施拓扑
+      - 修改 state 文件进行供应链攻击
+      修复:
+      1. 使用远程 Backend 并启用加密:
+      ```hcl
+      terraform {
+        backend "s3" {
+          bucket         = "terraform-state-bucket"
+          key            = "prod/terraform.tfstate"
+          region         = "us-east-1"
+          encrypt        = true
+          kms_key_id     = "alias/terraform-state-key"
+          dynamodb_table = "terraform-lock"
+        }
+      }
+      ```
+      2. 不要将 .tfstate 文件提交到 Git
+      3. 使用 terraform_remote_state 时限制数据源暴露面
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          backend "local" {
+          }
+      - pattern: |
+          backend "local"
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, state, secrets, encryption, backend]

package/rules/iac/terraform/zm-tf-cwe319-azure-storage-mysql.yaml ADDED Viewed

@@ -0,0 +1,69 @@
+# 逐码 ZhuMa IaC 规则 — Terraform Azure 存储和数据库安全检测
+# V4.3 Sprint — CWE-319: Cleartext Transmission / SSL禁用
+rules:
+  # ZM-TF-CWE319-AZURE-001: Azure Storage Account HTTPS 未强制
+  - id: zm-tf-cwe319-azure-storage-https-001
+    severity: HIGH
+    message: |
+      Azure Storage Account 未启用 HTTPS 强制 — `enable_https_traffic_only` 默认为 true，
+      但某些配置中可能被设为 false，允许非加密 HTTP 流量访问存储账户。
+      修复:
+      ```hcl
+      resource "azurerm_storage_account" "sa" {
+        name                     = "mystorageaccount"
+        resource_group_name      = azurerm_resource_group.rg.name
+        location                 = azurerm_resource_group.rg.location
+        account_tier             = "Standard"
+        account_replication_type = "LRS"
+        enable_https_traffic_only = true
+        min_tls_version           = "TLS1_2"
+      }
+      ```
+      同时建议:
+      1. 设置 `min_tls_version = "TLS1_2"` 禁用旧版本 TLS
+      2. 启用 `shared_access_key_enabled = false` 使用 Azure AD 认证
+      3. 启用存储防火墙限制网络来源
+    languages:
+      - terraform
+    pattern: |
+      enable_https_traffic_only = false
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, azure, storage, https, cleartext]
+  # ZM-TF-CWE319-AZURE-002: Azure MySQL SSL 强制禁用
+  - id: zm-tf-cwe319-azure-mysql-ssl-001
+    severity: HIGH
+    message: |
+      Azure MySQL Server 禁用了 SSL 强制 — `ssl_enforcement_enabled = false` 或 `ssl_enforcement = "Disabled"`。
+      数据库与客户端之间的通信以明文传输，密码和查询数据可被窃听。
+      修复:
+      ```hcl
+      resource "azurerm_mysql_server" "mysql" {
+        name                = "mysql-server"
+        ssl_enforcement_enabled = true
+        ssl_minimal_tls_version_enforced = "TLS1_2"
+      }
+      ```
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          ssl_enforcement_enabled = false
+      - pattern: |
+          ssl_enforcement = "Disabled"
+      - pattern: |
+          ssl_enforcement = Disabled
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, azure, mysql, ssl, cleartext]

package/rules/iac/terraform/zm-tf-cwe798-ecs-lambda-secrets.yaml ADDED Viewed

@@ -0,0 +1,85 @@
+# 逐码 ZhuMa IaC 规则 — Terraform AWS ECS / Lambda 环境变量凭证检测
+# V4.3 Sprint — CWE-798: Use of Hard-coded Credentials
+rules:
+  # ZM-TF-CWE798-ECS-001: ECS Task Definition 环境变量含密码
+  - id: zm-tf-cwe798-ecs-env-secrets-001
+    severity: HIGH
+    message: |
+      AWS ECS Task Definition 的 `environment` 块可能包含硬编码敏感信息 —
+      这些值在 AWS 控制台、CloudWatch Logs 和 DescribeTaskDefinition API 中可见。
+      修复:
+      1. 使用 AWS Secrets Manager 存储凭证:
+      ```hcl
+      secrets = [
+        {
+          name      = "DB_PASSWORD"
+          valueFrom = aws_secretsmanager_secret_version.db.arn
+        }
+      ]
+      ```
+      2. 使用 SSM Parameter Store (SecureString):
+      ```hcl
+      secrets = [
+        {
+          name      = "API_KEY"
+          valueFrom = aws_ssm_parameter.api_key.arn
+        }
+      ]
+      ```
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_ecs_task_definition" $NAME {
+        ...
+        environment {
+          name  = $ENV_NAME
+          value = $ENV_VALUE
+        }
+        ...
+      }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: medium
+      confidence: medium
+      tags: [terraform, aws, ecs, secrets, hardcoded-credentials]
+  # ZM-TF-CWE798-LAMBDA-001: Lambda 环境变量含密钥
+  - id: zm-tf-cwe798-lambda-env-secrets-001
+    severity: HIGH
+    message: |
+      AWS Lambda 的 `environment.variables` 中包含密钥 —
+      Lambda 环境变量在 AWS 控制台、CloudWatch Logs 和函数配置中可见。
+      修复:
+      1. 使用 AWS Secrets Manager + Lambda Extension 动态获取密钥
+      2. 使用 SSM Parameter Store SecureString:
+      ```hcl
+      environment {
+        variables = {
+          DB_PASSWORD_PARAM = aws_ssm_parameter.db_password.name
+        }
+      }
+      ```
+      3. 使用 Lambda 环境变量加密助手 (KMS 加密)
+      4. 在 Lambda 代码中运行时从 Secrets Manager 获取凭据
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_lambda_function" $NAME {
+        ...
+        environment {
+          variables = {
+            $KEY = $VALUE
+          }
+        }
+        ...
+      }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: medium
+      confidence: medium
+      tags: [terraform, aws, lambda, secrets, hardcoded-credentials]

package/rules/iac/zm-docker-cwe1104-add-instead-of-copy.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile ADD 指令安全检查
+# V4.3 Sprint — CWE-1104: Use of Unmaintained Third Party Components
+rules:
+  # ZM-IAC-DOCKER-008: ADD 而非 COPY
+  - id: zm-iac-docker-add-vs-copy-001
+    severity: MEDIUM
+    message: |
+      使用 `ADD` 指令而非 `COPY` — ADD 支持从 URL 获取文件和自动解压 tar 包，
+      这引入了不可控的外部依赖和潜在的安全风险。
+      ADD 的风险:
+      1. ADD <url> — 构建时从互联网下载文件，无签名校验，可能被中间人攻击篡改
+      2. ADD <tar> — 自动解压 tar 包可能覆盖已有文件或导致路径穿越
+      3. ADD 行为不透明，审查困难
+      修复: 使用 COPY 替代 ADD:
+      ```dockerfile
+      COPY package.json /app/
+      ```
+      如需从 URL 下载，显式使用 curl/wget 并校验哈希:
+      ```dockerfile
+      RUN curl -fsSL -o /tmp/file.tar.gz https://example.com/file.tar.gz \
+          && echo "expected_sha256 /tmp/file.tar.gz" | sha256sum -c \
+          && tar -xzf /tmp/file.tar.gz -C /app/ \
+          && rm /tmp/file.tar.gz
+      ```
+    languages:
+      - dockerfile
+    pattern: |
+      ADD $SRC $DEST
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: low
+      confidence: high
+      tags: [docker, add, supply-chain, best-practice]

package/rules/iac/zm-docker-cwe1104-base-image.yaml ADDED Viewed

@@ -0,0 +1,61 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile FROM 基础镜像安全检查
+# V4.3 Sprint — CWE-1104: Use of Unmaintained Third Party Components
+rules:
+  # ZM-IAC-DOCKER-006: FROM 无具体版本 tag
+  - id: zm-iac-docker-from-no-tag-001
+    severity: MEDIUM
+    message: |
+      FROM 指令未指定镜像 tag — Docker 将默认使用 `latest` tag。
+      这意味着每次构建可能拉取不同的基础镜像，导致构建不可重现，并可能引入未知的漏洞。
+      修复: 始终指定精确的镜像版本 tag:
+      ```dockerfile
+      FROM node:20.11-alpine3.19
+      FROM python:3.12-slim-bookworm
+      FROM golang:1.22-alpine
+      ```
+      使用 digest 进一步锁定镜像内容:
+      ```dockerfile
+      FROM node:20.11-alpine3.19@sha256:abc123...
+      ```
+    languages:
+      - dockerfile
+    patterns:
+      - pattern: FROM $IMAGE
+      - pattern-not: FROM $IMAGE:$TAG
+      - pattern-not: FROM --platform=$PLATFORM $IMAGE:$TAG
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: medium
+      confidence: high
+      tags: [docker, supply-chain, reproducibility, from]
+  # ZM-IAC-DOCKER-007: debian:latest 或 ubuntu:latest
+  - id: zm-iac-docker-unstable-base-001
+    severity: LOW
+    message: |
+      使用 `debian:latest` 或 `ubuntu:latest` 作为基础镜像 — latest tag 缺乏版本锁定。
+      更好的选择是使用指定版本的 slim 镜像:
+      ```dockerfile
+      FROM debian:12-slim
+      FROM ubuntu:24.04
+      ```
+      或使用 Alpine 获得更小的镜像体积:
+      ```dockerfile
+      FROM alpine:3.19
+      ```
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: FROM debian:latest
+      - pattern: FROM ubuntu:latest
+      - pattern: FROM debian
+      - pattern: FROM ubuntu
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: very-high
+      confidence: high
+      tags: [docker, base-image, latest, reproducibility]

package/rules/iac/zm-docker-cwe1104-cleanup-dockerignore.yaml ADDED Viewed

@@ -0,0 +1,67 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile 多层构建残留和 .dockerignore 检测
+# V4.3 Sprint — 构建安全最佳实践
+rules:
+  # ZM-IAC-DOCKER-019: RUN rm 后未合并清理 (多层镜像残留)
+  - id: zm-iac-docker-rm-cleanup-001
+    severity: LOW
+    message: |
+      `RUN rm` 删除文件但未在同一层 RUN 中合并下载和清理 — Docker 分层存储中，
+      前一层添加的文件即使在后续层删除，仍保留在镜像历史中 (可通过 `docker history` 访问)。
+      这增加了镜像体积，并可能导致敏感文件残留在镜像中。
+      修复: 将下载、使用、删除合并为单个 RUN 指令:
+      ```dockerfile
+      RUN curl -fsSL -o /tmp/file.tar.gz https://example.com/file.tar.gz \
+          && tar -xzf /tmp/file.tar.gz -C /app/ \
+          && rm -f /tmp/file.tar.gz
+      ```
+      而非:
+      ```dockerfile
+      RUN curl -fsSL -o /tmp/file.tar.gz https://example.com/file.tar.gz
+      RUN tar -xzf /tmp/file.tar.gz -C /app/
+      RUN rm -f /tmp/file.tar.gz
+      ```
+    languages:
+      - dockerfile
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: low
+      confidence: low
+      tags: [docker, layers, image-size, cleanup]
+  # ZM-IAC-DOCKER-020: .dockerignore 缺失检测 (workspace级别)
+  - id: zm-iac-docker-dockerignore-missing-001
+    severity: LOW
+    message: |
+      项目中未找到 `.dockerignore` 文件 — 构建时 Docker 上下文会将所有文件发送给守护进程。
+      没有 .dockerignore 可能导致:
+      1. 敏感文件（.env、证书、密钥）被意外复制到镜像中
+      2. node_modules、.git 等大量文件拖慢构建速度
+      3. 构建缓存无效化（无关文件变更导致缓存 miss）
+      修复: 在项目根目录创建 .dockerignore:
+      ```
+      .git
+      .gitignore
+      .env
+      .env.*
+      node_modules
+      npm-debug.log
+      Dockerfile
+      docker-compose.yml
+      .dockerignore
+      *.md
+      .vscode
+      .idea
+      coverage
+      test
+      tests
+      ```
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-docker
+      precision: low
+      confidence: low
+      tags: [docker, dockerignore, build-context, information-disclosure]

package/rules/iac/zm-docker-cwe1104-multistage.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile 多阶段构建残留检测
+# V4.3 Sprint — CWE-1104: Use of Unmaintained Third Party Components
+rules:
+  # ZM-IAC-DOCKER-017: 多阶段构建中构建工具残留
+  - id: zm-iac-docker-multistage-residue-001
+    severity: LOW
+    message: |
+      多阶段构建中，最终镜像可能存在构建阶段残留 — 编译器、开发库、构建工具等被复制到
+      最终运行镜像中，增加了攻击面和镜像体积。
+      修复:
+      1. 使用 `COPY --from=builder` 仅复制构建产物:
+      ```dockerfile
+      FROM golang:1.22 AS builder
+      WORKDIR /app
+      COPY . .
+      RUN go build -o /app/server
+      FROM alpine:3.19
+      COPY --from=builder /app/server /server
+      CMD ["/server"]
+      ```
+      2. 不要将整个构建上下文 COPY 到最终镜像
+      3. 在同一 RUN 指令中安装、构建、清理，减少层数
+    languages:
+      - dockerfile
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: low
+      confidence: low
+      tags: [docker, multi-stage, build-residue, image-size]