npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/iac/zm-k8s-cwe200-verbosity-high.yaml ADDED Viewed

@@ -0,0 +1,80 @@
+rules:
+  - id: zm-k8s-cwe200-verbosity-high
+    metadata:
+      cwe: ["CWE-200: Exposure of Sensitive Information", "CWE-532: Insertion of Sensitive Information into Log File"]
+      confidence: MEDIUM
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: ["A09:2021 - Security Logging and Monitoring Failures"]
+      cve: ["CVE-2019-11250"]
+      references:
+        - "https://kubernetes.io/docs/concepts/cluster-administration/logging/"
+    message: |
+      Pod日志级别设置为debug或trace。高详细日志可能泄露令牌、凭证等敏感信息。
+      修复：生产环境使用 --v=2 或更低的日志级别。
+    languages: [yaml, json]
+    severity: WARNING
+    patterns:
+      - pattern-inside: |
+          args: [...]
+      - pattern-regex: (-{1,2}v[=\s]?[5-9]|-{1,2}v[=\s]?1[0-9])
+  - id: zm-k8s-cwe250-host-network
+    metadata:
+      cwe: ["CWE-250: Execution with Unnecessary Privileges", "CWE-668: Exposure of Resource to Wrong Sphere"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2021-25741"]
+      references:
+        - "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    message: |
+      Pod使用hostNetwork:true直接共享节点网络命名空间。攻击者可通过网络绑定
+      窃听同节点流量、绕过NetworkPolicy、访问节点级网络接口。
+      修复：移除hostNetwork:true，使用Service/Ingress暴露应用端口。
+    languages: [yaml, json]
+    severity: ERROR
+    patterns:
+      - pattern: |
+          hostNetwork: true
+  - id: zm-k8s-cwe269-host-pid-ns
+    metadata:
+      cwe: ["CWE-269: Improper Privilege Management", "CWE-653: Insufficient Isolation"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2022-23648"]
+      references:
+        - "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    message: |
+      Pod共享宿主机PID命名空间(hostPID:true)。这允许容器内进程
+      查看甚至向宿主机或同节点其他容器发送信号，实现跨容器攻击。
+      修复：移除hostPID:true，严格使用容器隔离。
+    languages: [yaml, json]
+    severity: ERROR
+    patterns:
+      - pattern: |
+          hostPID: true
+  - id: zm-k8s-cwe502-sys-admin-cap
+    metadata:
+      cwe: ["CWE-502: Deserialization of Untrusted Data", "CWE-250: Execution with Unnecessary Privileges"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2019-11253"]
+      references:
+        - "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+    message: |
+      Pod添加了SYS_ADMIN特权能力。这实际上赋予容器几乎完整的root权限，
+      可执行挂载文件系统、加载内核模块、修改eBPF等危险操作。
+      修复：移除SYS_ADMIN capability，逐项添加所需的最小能力集。
+    languages: [yaml, json]
+    severity: ERROR
+    patterns:
+      - pattern-inside: |
+          securityContext:
+            capabilities:
+              add: [...]
+      - pattern: SYS_ADMIN

package/rules/iac/zm-k8s-cwe250-capabilities.yaml ADDED Viewed

@@ -0,0 +1,84 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes Capabilities 安全检测
+# V4.3 Sprint — CWE-250: Execution with Unnecessary Privileges
+rules:
+  # ZM-K8S-CWE250-CAP-001: SYS_ADMIN capability
+  - id: zm-k8s-cwe250-cap-sysadmin-001
+    severity: CRITICAL
+    message: |
+      容器添加了 `SYS_ADMIN` Linux Capability — 这是功能最强大的能力之一，包括挂载文件系统、
+      加载内核模块、修改内核参数、设置域名等数百种系统管理操作。
+      攻击者可利用 SYS_ADMIN 轻易完成容器逃逸。
+      修复: 移除 SYS_ADMIN capability，仅添加必要的细粒度 capability。
+      ```yaml
+      securityContext:
+        capabilities:
+          add: ["NET_BIND_SERVICE"]
+      ```
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          capabilities:
+            add:
+              - SYS_ADMIN
+      - pattern: |
+          capabilities:
+            add: [..., SYS_ADMIN, ...]
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, capabilities, sys-admin, container-escape]
+  # ZM-K8S-CWE250-CAP-002: NET_ADMIN capability
+  - id: zm-k8s-cwe250-cap-netadmin-001
+    severity: HIGH
+    message: |
+      容器添加了 `NET_ADMIN` Linux Capability — 可修改网络接口、路由表、iptables 规则和网络命名空间。
+      攻击者可以利用 NET_ADMIN 操纵网络以进行中间人攻击或绕过网络策略。
+      修复: 移除 NET_ADMIN capability，除非容器确实是网络管理组件（如 CNI 插件）。
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          capabilities:
+            add:
+              - NET_ADMIN
+      - pattern: |
+          capabilities:
+            add: [..., NET_ADMIN, ...]
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, capabilities, net-admin, network-manipulation]
+  # ZM-K8S-CWE250-CAP-003: NET_RAW capability
+  - id: zm-k8s-cwe250-cap-netraw-001
+    severity: MEDIUM
+    message: |
+      容器添加了 `NET_RAW` Linux Capability — 允许使用原始套接字和任意协议数据包构造。
+      攻击者可利用 NET_RAW 进行网络欺骗、ARP 欺骗或数据包嗅探。
+      修复: 移除 NET_RAW capability，大多数应用不需要原始套接字访问。
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          capabilities:
+            add:
+              - NET_RAW
+      - pattern: |
+          capabilities:
+            add: [..., NET_RAW, ...]
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, capabilities, net-raw, raw-sockets]

package/rules/iac/zm-k8s-cwe250-hostpath.yaml ADDED Viewed

@@ -0,0 +1,66 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes hostPath 卷安全检测
+# V4.3 Sprint — CWE-250: Execution with Unnecessary Privileges
+rules:
+  # ZM-K8S-CWE250-HP-001: hostPath 挂载宿主机敏感目录
+  - id: zm-k8s-cwe250-hostpath-001
+    severity: CRITICAL
+    message: |
+      容器挂载了宿主机敏感目录 via `hostPath` — 容器可读写宿主机文件系统。
+      常见危险挂载路径: `/var/run/docker.sock`（Docker套接字）、`/proc`（进程信息）、
+      `/sys`（内核参数）、`/etc`（系统配置）、`/root`（root主目录）。
+      修复:
+      1. 移除不必要的 hostPath 卷挂载
+      2. 如必须使用，设置 `readOnly: true` 且限定为最小子目录
+      3. 使用 emptyDir/PVC 替代 hostPath 进行数据持久化
+      4. 结合 PodSecurityPolicy/PSA 限制 hostPath 使用
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          hostPath:
+            path: /var/run/docker.sock
+      - pattern: |
+          hostPath:
+            path: /proc
+      - pattern: |
+          hostPath:
+            path: /sys
+      - pattern: |
+          hostPath:
+            path: /etc
+      - pattern: |
+          hostPath:
+            path: /root
+      - pattern: |
+          hostPath:
+            path: /var/log
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, hostpath, container-escape, filesystem-access]
+  # ZM-K8S-CWE250-HP-002: hostPath 挂载路径过于宽泛
+  - id: zm-k8s-cwe250-hostpath-002
+    severity: HIGH
+    message: |
+      hostPath 卷挂载了 `/` (根目录) 或 `/var` 等过宽路径 — 容器可访问大量宿主机文件。
+      应将 hostPath 路径限制在必要的最小范围内，例如 `/var/lib/myapp` 而非 `/var`。
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          hostPath:
+            path: /
+      - pattern: |
+          hostPath:
+            path: /var
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, hostpath, filesystem-access, broad-mount]

package/rules/iac/zm-k8s-cwe285-rbac.yaml ADDED Viewed

@@ -0,0 +1,130 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes RBAC 安全检测
+# V4.3 Sprint — CWE-285: Improper Authorization / 过度授权
+rules:
+  # ZM-K8S-CWE285-RBAC-001: ClusterRoleBinding to cluster-admin
+  - id: zm-k8s-cwe285-rbac-clusteradmin-001
+    severity: CRITICAL
+    message: |
+      ClusterRoleBinding 将 `cluster-admin` ClusterRole 绑定到非系统 ServiceAccount —
+      这是一个拥有集群所有资源完全控制权的超级用户角色。
+      攻击者获得该 ServiceAccount 的 token 后即可完全控制集群:
+      读取所有 Secret、创建 Pod、删除资源、甚至创建新的管理员账号。
+      修复:
+      1. 删除不必要的 cluster-admin ClusterRoleBinding
+      2. 为应用创建最小权限的 ClusterRole，仅包含必需的 verbs 和 resources
+      3. 使用命名空间级 RoleBinding 替代 ClusterRoleBinding
+      4. 使用 Kubernetes 审计日志监控 cluster-admin 使用情况
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          roleRef:
+            kind: ClusterRole
+            name: cluster-admin
+      - pattern: |
+          roleRef: {kind: ClusterRole, name: cluster-admin}
+    metadata:
+      cwe: "CWE-285: Improper Authorization"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, rbac, cluster-admin, privilege-escalation, cluster-takeover]
+  # ZM-K8S-CWE285-RBAC-002: RoleBinding to system:anonymous
+  - id: zm-k8s-cwe285-rbac-anonymous-001
+    severity: CRITICAL
+    message: |
+      RoleBinding/ClusterRoleBinding 将权限授予 `system:anonymous` 用户 —
+      任何未经认证的用户都可以执行绑定的操作。
+      这意味着攻击者无需任何凭证即可访问 Kubernetes API 并执行授权的操作。
+      可能造成 Secret 泄露、Pod 创建/删除、或集群范围的破坏。
+      修复:
+      1. 删除该 RoleBinding/ClusterRoleBinding
+      2. 如必须允许匿名访问特定 API，使用 `--anonymous-auth=false` 全局禁用
+      3. 确认为匿名用户授予的权限是绝对最小且无害的（如仅 healthz 端点）
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          subjects:
+          - kind: User
+            name: system:anonymous
+      - pattern: |
+          subjects:
+            - kind: User
+              name: system:anonymous
+      - pattern: |
+          subjects: [{kind: User, name: system:anonymous}]
+    metadata:
+      cwe: "CWE-285: Improper Authorization"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, rbac, anonymous, privilege-escalation, unauthorized-access]
+  # ZM-K8S-CWE285-RBAC-003: verbs=["*"] 过度授权
+  - id: zm-k8s-cwe285-rbac-wildcard-001
+    severity: HIGH
+    message: |
+      Role/ClusterRole 中 `verbs: ["*"]` — 授予了所有操作权限（包括 create/delete/update/patch/exec）。
+      且 `resources: ["*"]` — 授予了对所有资源的访问权限。
+      此角色等同于该作用域内的 admin 权限，违反最小权限原则。
+      修复:
+      1. 将 verbs 限制为实际需要的操作，如 `["get", "list", "watch"]`
+      2. 将 resources 限制为具体的资源类型，如 `["pods", "deployments"]`
+      3. 考虑使用 resourceNames 进一步限制可操作的具体资源名称
+      4. 添加 apiGroups 限制避免影响核心 API 组
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          rules:
+          - verbs: ["*"]
+      - pattern: |
+          rules:
+            - verbs: ["*"]
+      - pattern: |
+          rules: [{verbs: ["*"]}]
+    metadata:
+      cwe: "CWE-285: Improper Authorization"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, rbac, wildcard, over-privileged, least-privilege]
+  # ZM-K8S-CWE285-RBAC-004: resources=["*"] 过度授权
+  - id: zm-k8s-cwe285-rbac-resources-wildcard-001
+    severity: HIGH
+    message: |
+      Role/ClusterRole 中 `resources: ["*"]` — 授予了对所有资源类型的访问权限。
+      结合 verbs=["*"] 将形成该作用域内的完全控制权限。
+      修复:
+      1. 将 resources 限制为实际需要的资源类型，如 `["deployments", "services"]`
+      2. 使用 apiGroups 限制资源所属的 API 组
+      3. 使用 resourceNames 进一步限制可操作的具体资源名称
+      4. 考虑将读权限 (get/list/watch) 和写权限 (create/update/delete) 分别声明
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          rules:
+          - resources: ["*"]
+      - pattern: |
+          rules:
+            - resources: ["*"]
+      - pattern: |
+          rules: [{resources: ["*"]}]
+    metadata:
+      cwe: "CWE-285: Improper Authorization"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, rbac, wildcard, over-privileged, least-privilege]

package/rules/iac/zm-k8s-cwe312-secret.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes Secret 安全检测
+# V4.3 Sprint — CWE-312: Cleartext Storage of Sensitive Information
+rules:
+  # ZM-K8S-CWE312-SEC-001: Secret data 仅 base64 编码未加密
+  - id: zm-k8s-cwe312-secret-base64-001
+    severity: HIGH
+    message: |
+      Kubernetes Secret 的 `data` 字段仅使用 base64 编码，这**不是加密**。
+      base64 可以被任何人轻易解码。Secret 在 etcd 中也默认以明文存储。
+      修复:
+      1. 启用 etcd 静态加密 (encryption at rest) 保护 Secret
+      ```yaml
+      apiVersion: apiserver.config.k8s.io/v1
+      kind: EncryptionConfiguration
+      resources:
+        - resources:
+          - secrets
+          providers:
+          - aesgcm:
+              keys:
+              - name: key1
+                secret: <base64-encoded-32-byte-key>
+          - identity: {}
+      ```
+      2. 使用 External Secrets Operator (ESO) 从外部密钥管理服务获取密钥
+      3. 使用 Sealed Secrets (Bitnami) 加密 Secret 后再提交到 Git
+      4. 配合 RBAC 严格限制对 Secret 的访问权限
+    languages:
+      - yaml
+    pattern: |
+      kind: Secret
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, secret, base64, encryption, etcd]
+  # ZM-K8S-CWE312-SEC-002: Secret 包含硬编码凭证关键字
+  - id: zm-k8s-cwe312-secret-credentials-002
+    severity: HIGH
+    message: |
+      Kubernetes Secret 中检测到硬编码的凭证信息 — 虽然 Secret 比 ConfigMap 更安全，
+      但 base64 编码不提供真正的加密保护，且 Secret 在提交到 Git 仓库时仍会暴露。
+      修复:
+      1. 不要在 Git 中提交包含真实凭证的 Secret YAML
+      2. 使用 External Secrets Operator 或 Vault Sidecar Injector
+      3. 使用 Sealed Secrets 加密后提交
+      4. 在 CI/CD 中通过密钥管理服务动态注入凭证
+    languages:
+      - yaml
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, secret, credentials, hardcoded]

package/rules/iac/zm-k8s-cwe319-ingress-tls.yaml ADDED Viewed

@@ -0,0 +1,75 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes Ingress TLS 安全检测
+# V4.3 Sprint — CWE-319: Cleartext Transmission of Sensitive Information
+rules:
+  # ZM-K8S-CWE319-ING-001: Ingress 无 TLS 配置
+  - id: zm-k8s-cwe319-ingress-tls-001
+    severity: HIGH
+    message: |
+      Ingress 资源未配置 TLS — 流量以明文 HTTP 传输，可被中间人窃听和篡改。
+      应在 Ingress 的 `spec.tls` 中配置 TLS 证书。
+      修复:
+      ```yaml
+      spec:
+        tls:
+        - hosts:
+          - example.com
+          secretName: example-tls
+      ```
+      使用 cert-manager 自动管理 Let's Encrypt 证书:
+      ```yaml
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      ```
+    languages:
+      - yaml
+    patterns:
+      - pattern-inside: |
+          kind: Ingress
+      - pattern: |
+          metadata:
+            name: $NAME
+      - pattern-not-inside: |
+          spec:
+            ...
+            tls:
+              ...
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-kubernetes
+      precision: medium
+      confidence: high
+      tags: [kubernetes, ingress, tls, https, cleartext]
+  # ZM-K8S-CWE319-ING-002: Ingress tls secretName 为空或占位符
+  - id: zm-k8s-cwe319-ingress-tls-002
+    severity: MEDIUM
+    message: |
+      Ingress TLS 配置中 `secretName` 使用了一个占位符或为空 — TLS 证书未正确配置。
+      确保 secretName 指向有效的 Kubernetes TLS Secret。
+      使用 cert-manager 自动管理证书:
+      ```yaml
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      spec:
+        tls:
+        - hosts:
+          - example.com
+          secretName: example-tls-cert
+      ```
+    languages:
+      - yaml
+    pattern: |
+      tls:
+      - hosts:
+        - $HOST
+        secretName: ""
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, ingress, tls, misconfiguration]

package/rules/iac/zm-k8s-cwe400-replicas.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes Deployment 可用性安全检测
+# V4.3 Sprint — CWE-400: Uncontrolled Resource Consumption / 单点故障
+rules:
+  # ZM-K8S-CWE400-DEP-001: replicas=1 单点故障
+  - id: zm-k8s-cwe400-replicas-one-001
+    severity: MEDIUM
+    message: |
+      Deployment 仅设置 `replicas: 1` — 单实例运行，任何 Pod 故障都会导致服务中断。
+      单节点故障/升级/调度器驱逐 Pod 后将出现服务不可用。
+      修复:
+      1. 生产环境最少设置 `replicas: 2` 或更多
+      2. 配合 PodAntiAffinity 确保副本分散在不同节点上:
+      ```yaml
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app: my-app
+            topologyKey: kubernetes.io/hostname
+      ```
+      3. 配置 PodDisruptionBudget 保护服务在自愿中断期间的可用性
+      4. 对无状态服务，确保有足够的副本处理故障和滚动更新
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          replicas: 1
+      - pattern: |
+          replicas: 1
+    metadata:
+      cwe: "CWE-400: Uncontrolled Resource Consumption"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, deployment, replica, single-point-failure, availability]

package/rules/iac/zm-k8s-psp-missing.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes PodSecurityPolicy 安全检测
+# V4.3 Sprint — 检测 PodSecurityPolicy/PodSecurityAdmission 缺失
+rules:
+  # ZM-K8S-PSP-001: PodSecurityPolicy 缺失检测
+  - id: zm-k8s-psp-missing-001
+    severity: HIGH
+    message: |
+      未检测到 PodSecurityPolicy (PSP) 或 Pod Security Admission (PSA) 配置 —
+      集群可能允许特权容器运行。
+      在 Kubernetes v1.25+ 中，PSP 已被 Pod Security Admission (PSA) 替代。
+      修复:
+      1. 为命名空间设置 PSA 标签:
+      ```yaml
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: my-namespace
+        labels:
+          pod-security.kubernetes.io/enforce: restricted
+          pod-security.kubernetes.io/audit: restricted
+          pod-security.kubernetes.io/warn: restricted
+      ```
+      2. `privileged`: 无限制（不推荐生产使用）
+      3. `baseline`: 最小限制，阻止已知的越权行为
+      4. `restricted`: 最严格，遵循 Pod 安全加固最佳实践（推荐）
+      5. 使用 OPA/Kyverno 等准入控制器实现更细粒度的安全策略
+    languages:
+      - yaml
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: medium
+      confidence: medium
+      tags: [kubernetes, psp, psa, pod-security, hardening]
+  # ZM-K8S-PSP-002: privileged PodSecurityPolicy 过于宽松
+  - id: zm-k8s-psp-privileged-001
+    severity: CRITICAL
+    message: |
+      PodSecurityPolicy 设置了 `privileged: true` — 允许 Pod 运行特权容器。
+      这实际上禁用了 PSP 的所有安全限制。
+      修复:
+      1. 将 `privileged: false` 设为 false
+      2. 只允许显式声明 hostPort、hostPath、hostNetwork 等特权操作
+      3. 迁移到 PSA (Pod Security Admission)，使用 `restricted` 级别
+    languages:
+      - yaml
+    pattern: |
+      privileged: true
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, psp, privileged, security-policy]