npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/iac/zm-docker-cwe1104-package-cache.yaml ADDED Viewed

@@ -0,0 +1,72 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile 包管理器安全检查
+# V4.3 Sprint — CWE-1104: Use of Unmaintained Third Party Components / 镜像膨胀
+rules:
+  # ZM-IAC-DOCKER-009: RUN apk/apt/yum 无缓存清理
+  - id: zm-iac-docker-no-cache-001
+    severity: LOW
+    message: |
+      `RUN apk add`、`apt-get install` 或 `yum install` 未清理包管理器缓存 —
+      缓存文件会永久保留在镜像层中，增加镜像体积。
+      修复:
+      ```dockerfile
+      # Alpine (apk)
+      RUN apk add --no-cache python3
+      # Debian/Ubuntu (apt)
+      RUN apt-get update && apt-get install -y --no-install-recommends python3 \
+          && rm -rf /var/lib/apt/lists/*
+      # RHEL/CentOS (yum/dnf)
+      RUN yum install -y python3 && yum clean all
+      ```
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: |
+          RUN apk add $PACKAGES
+      - pattern: |
+          RUN apt-get install $PACKAGES
+      - pattern: |
+          RUN yum install $PACKAGES
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: low
+      confidence: medium
+      tags: [docker, package-manager, cache, image-size]
+  # ZM-IAC-DOCKER-010: RUN pip/npm install 无缓存目录清理
+  - id: zm-iac-docker-pip-npm-cache-001
+    severity: LOW
+    message: |
+      `pip install` 或 `npm install` 未清理缓存 — 包管理器的缓存文件保留在镜像中，
+      增加镜像体积且可能包含敏感信息（如私有包的认证 token）。
+      修复:
+      ```dockerfile
+      # pip
+      RUN pip install --no-cache-dir -r requirements.txt
+      # npm
+      RUN npm install --production && npm cache clean --force
+      # yarn
+      RUN yarn install --production && yarn cache clean
+      ```
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: |
+          RUN pip install $PACKAGES
+      - pattern: |
+          RUN pip3 install $PACKAGES
+      - pattern: |
+          RUN npm install $PACKAGES
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      category: iac-docker
+      precision: low
+      confidence: medium
+      tags: [docker, pip, npm, cache, image-size]

package/rules/iac/zm-docker-cwe250-docker-sock.yaml ADDED Viewed

@@ -0,0 +1,31 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile VOLUME 安全检测
+# V4.3 Sprint — 检测 Docker Socket 挂载和危险卷声明
+rules:
+  # ZM-IAC-DOCKER-014: VOLUME /var/run/docker.sock
+  - id: zm-iac-docker-docker-sock-001
+    severity: CRITICAL
+    message: |
+      Dockerfile 声明了 `VOLUME /var/run/docker.sock` — 或将 Docker Socket 挂载到容器中。
+      这允许容器内的进程控制宿主机的 Docker 守护进程，实际上等于获得了宿主机的 root 权限。
+      通过挂载 Docker Socket，容器可以:
+      - 创建特权容器 (`docker run --privileged`)
+      - 挂载宿主机文件系统 (`docker run -v /:/host`)
+      - 执行任意命令 (`docker exec`)
+      - 启动任意容器
+      修复:
+      1. 移除 VOLUME /var/run/docker.sock 声明
+      2. 如需构建容器镜像，使用 Kaniko、Buildah 或 img 等无守护进程工具
+      3. 如需管理容器，通过 Kubernetes API 进行受控操作
+    languages:
+      - dockerfile
+    pattern: |
+      VOLUME /var/run/docker.sock
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-docker
+      precision: very-high
+      confidence: high
+      tags: [docker, docker-socket, container-escape, privilege-escalation]

package/rules/iac/zm-docker-cwe250-suid.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile ENTRYPOINT SUID 检测
+# V4.3 Sprint — CWE-250: Execution with Unnecessary Privileges
+rules:
+  # ZM-IAC-DOCKER-016: ENTRYPOINT 含 SUID 二进制
+  - id: zm-iac-docker-entrypoint-suid-001
+    severity: HIGH
+    message: |
+      `ENTRYPOINT` 或 `CMD` 中包含 `chmod u+s` (设置 SUID bit) — 赋予二进制文件以文件所有者
+      权限执行的能力。在容器中以 root 运行的 SUID 二进制可能被利用进行权限提升。
+      风险:
+      - SUID 二进制可能存在缓冲区溢出等漏洞被利用
+      - 攻击者可以利用 SUID 二进制从受限用户提升到 root 权限
+      - 在镜像构建时设置的 SUID bit 在运行时仍然生效
+      修复:
+      1. 避免在容器中设置 SUID bit
+      2. 使用 `--cap-drop=ALL` 减少可利用的 capability
+      3. 考虑使用 `securityContext.allowPrivilegeEscalation: false`
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: |
+          RUN chmod u+s $FILE
+      - pattern: |
+          RUN chmod 4$MODE $FILE
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-docker
+      precision: medium
+      confidence: high
+      tags: [docker, suid, entrypoint, privilege-escalation]

package/rules/iac/zm-docker-cwe311-secrets-in-build-arg.yaml ADDED Viewed

@@ -0,0 +1,64 @@
+rules:
+  - id: zm-docker-cwe311-secrets-in-build-arg
+    metadata:
+      cwe: ["CWE-311: Missing Encryption of Sensitive Data", "CWE-798: Use of Hard-coded Credentials"]
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: ["A02:2021 - Cryptographic Failures"]
+      cve: ["CVE-2014-0160"]
+    message: >-
+      Dockerfile中使用ARG传递构建时密钥(TOKEN/API_KEY/PASSWORD)。
+      ARG值被写入镜像层历史，docker history即可提取。
+      修复：使用BuildKit --mount=type=secret。
+    languages: [dockerfile]
+    severity: ERROR
+    patterns:
+      - pattern-regex: 'ARG\s+(TOKEN|SECRET|API_KEY|PASSWORD|PASSWD|CRED|PRIVATE_KEY)'
+  - id: zm-docker-cwe250-suid-binaries
+    metadata:
+      cwe: ["CWE-250: Execution with Unnecessary Privileges", "CWE-269: Improper Privilege Management"]
+      confidence: LOW
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2019-5021"]
+    message: >-
+      Dockefile中使用chmod +s设置SUID位。SUID二进制文件可被利用进行本地提权。
+      修复：移除chmod +s/u+s/g+s行。
+    languages: [dockerfile]
+    severity: WARNING
+    patterns:
+      - pattern-regex: 'chmod\s+[ug]?\+s'
+  - id: zm-docker-cwe434-untrusted-base-image
+    metadata:
+      cwe: ["CWE-1104: Use of Unmaintained Third-Party Components"]
+      confidence: MEDIUM
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: ["A06:2021 - Vulnerable and Outdated Components"]
+      cve: ["CVE-2020-15093"]
+    message: >-
+      使用latest/edge/nightly标签的基础镜像可能导致供应链风险。
+      修复：锁定具体版本标签，使用digest锁定。
+    languages: [dockerfile]
+    severity: WARNING
+    patterns:
+      - pattern-regex: 'FROM\s+\S+:\s*(latest|nightly|edge)\b'
+  - id: zm-docker-cwe400-no-healthcheck
+    metadata:
+      cwe: ["CWE-400: Uncontrolled Resource Consumption"]
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: LOW
+      owasp: ["A06:2021 - Vulnerable and Outdated Components"]
+      cve: ["CVE-2016-7799"]
+    message: >-
+      Dockerfile缺少HEALTHCHECK指令。应用崩溃后不会被编排系统自动重启。
+      修复：添加HEALTHCHECK --interval=30s CMD ... || exit 1。
+    languages: [dockerfile]
+    severity: INFO
+    match: patterns
+    patterns:
+      - pattern: "FROM ..."
+      - pattern-not: "HEALTHCHECK ..."

package/rules/iac/zm-docker-cwe400-resource-limit.yaml CHANGED Viewed

@@ -17,9 +17,15 @@ rules:
       4. K8s: `resources.limits.cpu: "1"`
     languages:
       - generic
-    pattern-either:
-      - pattern: docker run ... $IMAGE
-      - pattern: docker run $OPTS $IMAGE
+    patterns:
+      - pattern-either:
+          - pattern: docker run ... $IMAGE
+          - pattern: docker run $OPTS $IMAGE
+      - pattern-not: docker run ... --cpus ...
+      - pattern-not: docker run ... --cpuset-cpus ...
+      - metavariable-regex:
+          metavariable: $IMAGE
+          regex: '^[a-zA-Z0-9][a-zA-Z0-9./_-]+(:[a-zA-Z0-9._-]+)?$'
     metadata:
       cwe: "CWE-400: Uncontrolled Resource Consumption"
       category: iac-docker
@@ -42,9 +48,15 @@ rules:
       5. memory-swap 应与 memory 等值以避免使用磁盘swap
     languages:
       - generic
-    pattern-either:
-      - pattern: docker run ... $IMAGE
-      - pattern: docker run $OPTS $IMAGE
+    patterns:
+      - pattern-either:
+          - pattern: docker run ... $IMAGE
+          - pattern: docker run $OPTS $IMAGE
+      - pattern-not: docker run ... --memory ...
+      - pattern-not: docker run ... -m ...
+      - metavariable-regex:
+          metavariable: $IMAGE
+          regex: '^[a-zA-Z0-9][a-zA-Z0-9./_-]+(:[a-zA-Z0-9._-]+)?$'
     metadata:
       cwe: "CWE-400: Uncontrolled Resource Consumption"
       category: iac-docker

package/rules/iac/zm-docker-cwe668-workdir.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile WORKDIR 安全检查
+# V4.3 Sprint — CWE-668: Exposure of Resource to Wrong Sphere
+rules:
+  # ZM-IAC-DOCKER-013: WORKDIR /root 或 /tmp
+  - id: zm-iac-docker-workdir-unsafe-001
+    severity: LOW
+    message: |
+      `WORKDIR` 设置为 `/root` 或 `/tmp` — 使用不安全的目录作为工作目录。
+      风险:
+      - `/root`: root 用户的主目录，可能包含敏感文件
+      - `/tmp`: 全局可写的临时目录，可能被其他进程注入恶意文件
+      修复:
+      1. 使用应用专用目录:
+      ```dockerfile
+      WORKDIR /app
+      ```
+      2. 创建专用非 root 用户:
+      ```dockerfile
+      RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+      USER appuser
+      WORKDIR /home/appuser/app
+      ```
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: WORKDIR /root
+      - pattern: WORKDIR /tmp
+    metadata:
+      cwe: "CWE-668: Exposure of Resource to Wrong Sphere"
+      category: iac-docker
+      precision: very-high
+      confidence: high
+      tags: [docker, workdir, file-permission, security]

package/rules/iac/zm-docker-cwe754-healthcheck.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile HEALTHCHECK 安全检测
+# V4.3 Sprint — CWE-754: Improper Check for Unusual or Exceptional Conditions
+rules:
+  # ZM-IAC-DOCKER-012: HEALTHCHECK 缺失
+  - id: zm-iac-docker-healthcheck-missing-001
+    severity: LOW
+    message: |
+      Dockerfile 中未定义 `HEALTHCHECK` 指令 — 容器运行后 Docker/Kubernetes 无法判断
+      应用是否健康。当应用挂死但不退出时，编排系统无法自动重启容器。
+      修复: 添加 HEALTHCHECK 指令:
+      ```dockerfile
+      # Web 应用
+      HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+        CMD curl -f http://localhost:8080/health || exit 1
+      # 非 Web 应用 - 检查进程
+      HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+        CMD pgrep myapp || exit 1
+      ```
+      注意:
+      1. HEALTHCHECK 会增加容器 CPU 开销，选择合适的检查间隔
+      2. 对于无固定端口的批处理/Worker 容器，可使用进程检查
+      3. Kubernetes 中可使用 liveness/readiness probe 替代
+    languages:
+      - dockerfile
+    pattern-not: |
+      ...
+      HEALTHCHECK ...
+      ...
+    metadata:
+      cwe: "CWE-754: Improper Check for Unusual or Exceptional Conditions"
+      category: iac-docker
+      precision: medium
+      confidence: low
+      tags: [docker, healthcheck, monitoring, reliability]

package/rules/iac/zm-docker-cwe78-curl-pipe.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile 不安全管道和SUID检测
+# V4.3 Sprint — CWE-78: OS Command Injection / SUID二进制滥用
+rules:
+  # ZM-IAC-DOCKER-015: RUN curl | bash (不安全管道)
+  - id: zm-iac-docker-curl-pipe-bash-001
+    severity: HIGH
+    message: |
+      `curl ... | bash` 或 `wget ... | sh` — 从网络下载脚本并直接通过管道传递给 shell 执行。
+      这是极其危险的操作:
+      - 中间人攻击可篡改下载内容
+      - 源服务器被入侵后可分发恶意脚本
+      - 网络中断可能导致执行不完整的脚本
+      - 无法审计实际执行的代码
+      修复:
+      1. 下载后校验哈希再执行:
+      ```dockerfile
+      RUN curl -fsSL -o /tmp/install.sh https://example.com/install.sh \
+          && echo "expected_sha256 /tmp/install.sh" | sha256sum -c \
+          && bash /tmp/install.sh \
+          && rm /tmp/install.sh
+      ```
+      2. 使用官方包管理器安装（apk/apt/yum）
+      3. 在 Dockerfile 中直接 COPY 安装脚本本地执行
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: |
+          RUN curl $URL | bash
+      - pattern: |
+          RUN curl $URL | sh
+      - pattern: |
+          RUN wget $URL -O - | bash
+      - pattern: |
+          RUN wget $URL -O - | sh
+    metadata:
+      cwe: "CWE-78: OS Command Injection"
+      category: iac-docker
+      precision: medium
+      confidence: high
+      tags: [docker, curl-pipe-bash, supply-chain, command-injection]

package/rules/iac/zm-docker-cwe798-arg-defaults.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile ARG 默认密码检测
+# V4.3 Sprint — CWE-798: Use of Hard-coded Credentials
+rules:
+  # ZM-IAC-DOCKER-018: ARG 含默认密码
+  - id: zm-iac-docker-arg-default-password-001
+    severity: HIGH
+    message: |
+      Dockerfile `ARG` 指令设置了包含密码的默认值 — 虽然 ARG 不在最终镜像中持久化，
+      但会在 `docker history` 中显示，并且如果传递给 ENV 也会保留在镜像中。
+      ARG 值在构建历史中可见:
+      ```
+      docker history --no-trunc <image>
+      ```
+      修复:
+      1. 不要为敏感 ARG 设置默认值:
+      ```dockerfile
+      ARG DB_PASSWORD  # 构建时必须传入
+      ```
+      2. 使用 BuildKit secrets:
+      ```dockerfile
+      RUN --mount=type=secret,id=db_password \
+          export DB_PASSWORD=$(cat /run/secrets/db_password)
+      ```
+      ```bash
+      docker build --secret id=db_password,src=./password.txt .
+      ```
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: ARG PASSWORD=$VAL
+      - pattern: ARG PASSWD=$VAL
+      - pattern: ARG SECRET=$VAL
+      - pattern: ARG TOKEN=$VAL
+      - pattern: ARG API_KEY=$VAL
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-docker
+      precision: medium
+      confidence: high
+      tags: [docker, arg, hardcoded-credentials, build-secrets]

package/rules/iac/zm-docker-cwe798-env-secrets.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile 环境变量敏感信息检测
+# V4.3 Sprint — CWE-798: Use of Hard-coded Credentials
+rules:
+  # ZM-IAC-DOCKER-011: ENV 含密码/密钥/Token
+  - id: zm-iac-docker-env-secrets-001
+    severity: CRITICAL
+    message: |
+      Dockerfile 中 `ENV` 指令包含硬编码的密码、密钥或 Token。
+      ENV 值与镜像一起分发，任何有权限拉取镜像的人都可以通过 `docker inspect`
+      或 `docker history` 查看这些值。
+      修复:
+      1. 移除 ENV 中的硬编码凭证
+      2. 通过运行时注入环境变量或 Secret:
+      ```yaml
+      # Kubernetes
+      env:
+      - name: DB_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: db-secret
+            key: password
+      ```
+      3. 使用 Docker BuildKit secrets 在构建时传递:
+      ```dockerfile
+      RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
+      ```
+      ```bash
+      docker build --secret id=mysecret,src=./secret.txt .
+      ```
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: ENV PASSWORD=$VAL
+      - pattern: ENV SECRET=$VAL
+      - pattern: ENV TOKEN=$VAL
+      - pattern: ENV API_KEY=$VAL
+      - pattern: ENV ACCESS_KEY=$VAL
+      - pattern: ENV PRIVATE_KEY=$VAL
+      - pattern: ENV DATABASE_URL=$VAL
+      - pattern: ENV DB_PASSWORD=$VAL
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-docker
+      precision: medium
+      confidence: high
+      tags: [docker, env, hardcoded-credentials, secrets, token-exposure]

package/rules/iac/zm-k8s-cwe200-configmap-creds.yaml ADDED Viewed

@@ -0,0 +1,31 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes ConfigMap 凭证泄露检测
+# V4.3 Sprint — CWE-200: Exposure of Sensitive Information
+rules:
+  # ZM-K8S-CWE200-CM-001: ConfigMap 含 credentials/password/token 等敏感关键字
+  - id: zm-k8s-cwe200-configmap-creds-001
+    severity: HIGH
+    message: |
+      ConfigMap 中存储了可能包含敏感信息的数据 — ConfigMap 是明文存储的，
+      任何能访问命名空间的人都可以读取其内容。敏感数据应存储在 Secret 中，而非 ConfigMap。
+      检测到 ConfigMap data 中包含以下敏感关键字: credentials, password, token, secret,
+      api_key, private_key, access_key, auth
+      修复:
+      1. 将敏感数据从 ConfigMap 迁移到 Secret
+      2. 非敏感配置（如超时时间、日志级别）可保留在 ConfigMap 中
+      3. 实际的密码/token 应通过 External Secrets Operator 从外部密钥管理系统注入
+    languages:
+      - yaml
+    patterns:
+      - pattern-inside: |
+          kind: ConfigMap
+      - pattern: |
+          $KEY: $VALUE
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: medium
+      confidence: medium
+      tags: [kubernetes, configmap, credentials, secrets, information-disclosure]

package/rules/iac/zm-k8s-cwe200-networkpolicy.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes NetworkPolicy 安全检测
+# V4.3 Sprint — CWE-200: Exposure of Sensitive Information / 零信任网络策略
+rules:
+  # ZM-K8S-CWE200-NP-001: 命名空间无 NetworkPolicy
+  - id: zm-k8s-cwe200-netpol-001
+    severity: HIGH
+    message: |
+      命名空间中没有定义任何 NetworkPolicy — 默认允许所有 Pod 之间的流量。
+      这违反了零信任网络原则。攻击者在攻破一个 Pod 后可以横向移动到同一命名空间内
+      的所有其他 Pod，甚至整个集群（如果没有 namespace 隔离）。
+      修复:
+      1. 创建 deny-all 默认 NetworkPolicy 阻止所有入站/出站流量
+      ```yaml
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: default-deny-all
+      spec:
+        podSelector: {}
+        policyTypes:
+        - Ingress
+        - Egress
+      ```
+      2. 为每一组需要通信的 Pod 创建允许规则
+      3. 按最小权限原则，仅开放必要的端口和来源
+    languages:
+      - yaml
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: medium
+      confidence: medium
+      tags: [kubernetes, networkpolicy, zero-trust, lateral-movement]
+  # ZM-K8S-CWE200-NP-002: NetworkPolicy 规则过于宽松 (namespaceSelector: {})
+  - id: zm-k8s-cwe200-netpol-002
+    severity: MEDIUM
+    message: |
+      NetworkPolicy `namespaceSelector: {}` 匹配所有命名空间 — 策略允许所有命名空间的 Pod 访问此服务。
+      应将 namespaceSelector 限制为特定的命名空间标签，仅在必要时使用此通配选择器。
+      修复:
+      ```yaml
+      ingress:
+      - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: frontend
+      ```
+    languages:
+      - yaml
+    pattern: |
+      namespaceSelector: {}
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, networkpolicy, overly-permissive, lateral-movement]

package/rules/iac/zm-k8s-cwe200-sa-automount.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes ServiceAccount Token 安全检测
+# V4.3 Sprint — CWE-200: Exposure of Sensitive Information
+rules:
+  # ZM-K8S-CWE200-SA-004: ServiceAccount automountServiceAccountToken 未禁用
+  - id: zm-k8s-cwe200-sa-automount-001
+    severity: MEDIUM
+    message: |
+      ServiceAccount 未设置 `automountServiceAccountToken: false` —
+      默认会向使用该 SA 的 Pod 挂载 API 访问 token。
+      大多数应用不需要直接访问 Kubernetes API。挂载 token 增加了风险:
+      - 攻击者从 Pod 逃逸后可读取 token 访问 API Server
+      - token 可能被用于横向移动或信息收集
+      修复:
+      ```yaml
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: my-app
+      automountServiceAccountToken: false
+      ```
+      或在 Pod spec 中设置:
+      ```yaml
+      spec:
+        automountServiceAccountToken: false
+      ```
+    languages:
+      - yaml
+    pattern: |
+      automountServiceAccountToken: true
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, serviceaccount, service-account-token, automount]

package/rules/iac/zm-k8s-cwe200-service-exposure.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes Service 暴露安全检测
+# V4.3 Sprint — CWE-200: Exposure of Sensitive Information
+rules:
+  # ZM-K8S-CWE200-SVC-001: LoadBalancer 暴露内部服务
+  - id: zm-k8s-cwe200-svc-lb-001
+    severity: HIGH
+    message: |
+      Service 使用 `type: LoadBalancer` 暴露非 Web 服务（数据库、缓存、消息队列）—
+      内部服务通过公网 LoadBalancer 暴露，易被扫描和攻击。
+      修复:
+      1. 将内部服务改为 `type: ClusterIP` 仅集群内访问
+      2. 如需跨集群/外部访问，使用 VPN 或内部 LoadBalancer
+      3. 仅对必要的 Web/API 服务使用 LoadBalancer
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          type: LoadBalancer
+      - pattern: |
+          type: LoadBalancer
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: medium
+      confidence: high
+      tags: [kubernetes, service, loadbalancer, public-exposure]
+  # ZM-K8S-CWE200-SVC-002: NodePort 暴露敏感端口
+  - id: zm-k8s-cwe200-svc-np-001
+    severity: MEDIUM
+    message: |
+      Service 使用 `type: NodePort` — 在所有节点上开放端口，绕过网络策略和防火墙规则。
+      每个节点 IP 的该端口均可直接访问此服务，增加了攻击面。
+      修复:
+      1. 评估是否需要 NodePort，优先使用 ClusterIP + Ingress
+      2. 如必须使用 NodePort，配合 NetworkPolicy 限制访问来源
+      3. 确认 nodePort 端口号未被其他服务冲突占用
+    languages:
+      - yaml
+    pattern: |
+      type: NodePort
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, nodeport, service-exposure, attack-surface]