@zhuma4/cli 4.0.0-alpha.1

package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml

@@ -0,0 +1,93 @@
+# 逐码 ZhuMa IaC 规则 — Ansible Playbook 硬编码密码检测
+# V4.1 Sprint — CWE-798: Use of Hard-coded Credentials
+
+rules:
+  # ZM-ANSIBLE-CWE798-001: vars 中明文密码/secret/token
+  - id: zm-ansible-cwe798-creds-001
+    severity: CRITICAL
+    message: |
+      Ansible Playbook 的 `vars` 块中包含明文密码、Secret 或 Token。
+      应使用 `ansible-vault encrypt_string` 加密敏感值，或通过环境变量 lookup 注入:
+      ```yaml
+      vars:
+        db_password: "{{ lookup('env', 'DB_PASSWORD') }}"
+      ```
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          vars:
+            ...
+            password: "$VAL"
+            ...
+      - pattern: |
+          vars:
+            ...
+            secret: "$VAL"
+            ...
+      - pattern: |
+          vars:
+            ...
+            token: "$VAL"
+            ...
+      - pattern: |
+          vars:
+            ...
+            api_key: "$VAL"
+            ...
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, hardcoded-credentials, secrets, vars]
+
+  # ZM-ANSIBLE-CWE798-002: module 中 login_password 明文
+  - id: zm-ansible-cwe798-creds-002
+    severity: CRITICAL
+    message: |
+      Ansible module 参数中直接硬编码 `login_password`、`password` 或 `secret` 的明文值。
+      应改用 `ansible-vault` 加密变量或环境变量 lookup 传入:
+      ```yaml
+      login_password: "{{ vault_db_password }}"
+      ```
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          login_password: "$VAL"
+      - pattern: |
+          password: "$VAL"
+      - pattern: |
+          login_secret: "$VAL"
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, hardcoded-credentials, secrets, module]
+
+  # ZM-ANSIBLE-CWE798-003: set_fact 中硬编码凭证
+  - id: zm-ansible-cwe798-creds-003
+    severity: HIGH
+    message: |
+      Ansible `set_fact` 中直接赋值明文密码/密钥 — 该值会出现在 Ansible 日志和执行输出中。
+      应使用 `ansible-vault` 加密后引用，或通过 lookup 插件从外部密钥管理服务获取。
+    languages:
+      - generic
+    pattern-either:
+      - pattern: |
+          set_fact:
+            password: "$VAL"
+      - pattern: |
+          set_fact:
+            secret: "$VAL"
+      - pattern: |
+          set_fact:
+            token: "$VAL"
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, hardcoded-credentials, secrets, set_fact]

package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml

@@ -0,0 +1,100 @@
+# 逐码 ZhuMa IaC 规则 — Terraform S3/OSS Bucket 公开访问检测
+# V4.1 Sprint — CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
+
+rules:
+  # ZM-TF-CWE200-001: AWS S3 Bucket ACL 公开读
+  - id: zm-tf-cwe200-s3-public-001
+    severity: CRITICAL
+    message: |
+      AWS S3 Bucket ACL 设置为 `public-read` 或 `public-read-write` — 存储桶数据可被任意匿名用户读取。
+      检查是否可以改用预签名 URL 或 CloudFront OAC 替代直接公开访问，
+      或将 ACL 改为 `private` 并使用 IAM 策略精细化授权。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_s3_bucket_acl" $NAME {
+            ...
+            acl = "public-read"
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket_acl" $NAME {
+            ...
+            acl = "public-read-write"
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket" $NAME {
+            ...
+            acl = "public-read"
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket" $NAME {
+            ...
+            acl = "public-read-write"
+            ...
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, s3, public-access, data-leak]
+
+  # ZM-TF-CWE200-002: S3 Bucket Policy 允许公开访问
+  - id: zm-tf-cwe200-s3-public-002
+    severity: CRITICAL
+    message: |
+      S3 Bucket Policy 中 Principal 设为 `"*"` 且 Effect 为 `Allow` — 任意主体可访问存储桶。
+      将 Principal 限制为特定 AWS 账户或 IAM 角色 ARN，或将 Action 限制为仅 `s3:GetObject` 等必要操作。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_s3_bucket_policy" $NAME {
+            ...
+            policy = "...\"Principal\":\"*\"..."
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket_policy" $NAME {
+            ...
+            policy = "...\"Principal\": { \"AWS\": \"*\" }..."
+            ...
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, s3, policy, public-access]
+
+  # ZM-TF-CWE200-003: Aliyun OSS Bucket ACL 公开读
+  - id: zm-tf-cwe200-s3-public-003
+    severity: CRITICAL
+    message: |
+      阿里云 OSS Bucket ACL 设置为 `public-read` 或 `public-read-write` — 存储桶数据可被任意匿名用户访问。
+      将 acl 改为 `private` 并使用 RAM 策略或 STS 临时令牌进行精细化访问控制。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "alicloud_oss_bucket" $NAME {
+            ...
+            acl = "public-read"
+            ...
+          }
+      - pattern: |
+          resource "alicloud_oss_bucket" $NAME {
+            ...
+            acl = "public-read-write"
+            ...
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, alicloud, oss, public-access, data-leak]

package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml

@@ -0,0 +1,88 @@
+# 逐码 ZhuMa IaC 规则 — Terraform 安全组全网段开放检测
+# V4.1 Sprint — CWE-284: Improper Access Control
+
+rules:
+  # ZM-TF-CWE284-001: AWS 安全组 ingress 0.0.0.0/0
+  - id: zm-tf-cwe284-sg-open-001
+    severity: CRITICAL
+    message: |
+      AWS 安全组规则 cidr_blocks 包含 `0.0.0.0/0` — 入站流量对全网开放。
+      将 cidr_blocks 限制为业务所需的最小 IP 段 (如办公网出口 IP、VPC CIDR)，
+      避免数据库端口 (3306/5432/6379/27017)、SSH (22)、RDP (3389) 等管理端口对公网暴露。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            cidr_blocks = ["0.0.0.0/0"]
+            ...
+          }
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            cidr_blocks = ["0.0.0.0/0", ...]
+            ...
+          }
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, security-group, 0.0.0.0/0, network-exposure]
+
+  # ZM-TF-CWE284-002: AWS 安全组 ipv6_cidr_blocks ::/0
+  - id: zm-tf-cwe284-sg-open-002
+    severity: CRITICAL
+    message: |
+      AWS 安全组规则 ipv6_cidr_blocks 包含 `::/0` — IPv6 全网段开放入站流量。
+      与 0.0.0.0/0 同理，应将 ipv6_cidr_blocks 限制为最小必要范围。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            ipv6_cidr_blocks = ["::/0"]
+            ...
+          }
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            ipv6_cidr_blocks = ["::/0", ...]
+            ...
+          }
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, security-group, ipv6, network-exposure]
+
+  # ZM-TF-CWE284-003: 阿里云安全组 0.0.0.0/0
+  - id: zm-tf-cwe284-sg-open-003
+    severity: CRITICAL
+    message: |
+      阿里云安全组规则 cidr_ip 为 `0.0.0.0/0` — 入站流量对全网开放。
+      将 cidr_ip 限制为业务所需的最小 IP 段，管理端口（22/3389/3306 等）严禁对 0.0.0.0/0 开放。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "alicloud_security_group_rule" $NAME {
+            ...
+            cidr_ip = "0.0.0.0/0"
+            ...
+          }
+      - pattern: |
+          resource "alicloud_security_group_rule" $NAME {
+            ...
+            source_cidr_ip = "0.0.0.0/0"
+            ...
+          }
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, alicloud, security-group, 0.0.0.0/0, network-exposure]

package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml

@@ -0,0 +1,83 @@
+# 逐码 ZhuMa IaC 规则 — Terraform IAM 策略通配符检测
+# V4.1 Sprint — CWE-311: Missing Encryption of Sensitive Data / Overprivileged Policy
+
+rules:
+  # ZM-TF-CWE311-001: IAM Policy Action 通配符 "*"
+  - id: zm-tf-cwe311-iam-wildcard-001
+    severity: HIGH
+    message: |
+      IAM 策略中 `Action` 包含通配符 `"*"` 且 `Effect` 为 `"Allow"` — 该策略授予了对所有服务的完全访问权限。
+      将 Action 明确限定为所需的具体操作，如 `["s3:GetObject", "s3:PutObject"]`。
+      生产环境严禁使用 `Action = "*"` 的 Allow 策略。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Action\":\"*\"..."
+            ...
+          }
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Action\": [\"*\"..."
+            ...
+          }
+    metadata:
+      cwe: "CWE-311: Missing Encryption of Sensitive Data"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, overprivileged]
+
+  # ZM-TF-CWE311-002: IAM Policy Resource 通配符 "*"
+  - id: zm-tf-cwe311-iam-wildcard-002
+    severity: HIGH
+    message: |
+      IAM 策略中 `Resource` 包含通配符 `"*"` 且 `Effect` 为 `"Allow"` — 该策略可操作账户下所有资源。
+      将 Resource 限定为具体 ARN，如 `"arn:aws:s3:::my-bucket/*"`。
+      除非是管理员角色，否则应遵循最小权限原则。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Resource\":\"*\"..."
+            ...
+          }
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Resource\": [\"*\"..."
+            ...
+          }
+    metadata:
+      cwe: "CWE-311: Missing Encryption of Sensitive Data"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, overprivileged]
+
+  # ZM-TF-CWE311-003: IAM Policy 同时 Action="*" + Resource="*"
+  - id: zm-tf-cwe311-iam-wildcard-003
+    severity: CRITICAL
+    message: |
+      IAM 策略中同时使用 `Action = "*"` 和 `Resource = "*"` — 这是最危险的策略配置，
+      授予了对所有 AWS 服务的所有资源的完全访问权限（等效于 AdministratorAccess）。
+      必须立即将该策略替换为细粒度权限，仅授予完成任务所需的最小操作和资源。
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_iam_policy" $NAME {
+        ...
+        policy = "...\"Action\": \"*\"...\"Resource\": \"*\"..."
+        ...
+      }
+    metadata:
+      cwe: "CWE-311: Missing Encryption of Sensitive Data"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, admin, overprivileged]

package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml

@@ -0,0 +1,72 @@
+# 逐码 ZhuMa IaC 规则 — Terraform RDS/数据库公网暴露检测
+# V4.1 Sprint — CWE-319: Cleartext Transmission of Sensitive Information
+
+rules:
+  # ZM-TF-CWE319-001: AWS RDS publicly_accessible = true
+  - id: zm-tf-cwe319-rds-public-001
+    severity: HIGH
+    message: |
+      AWS RDS 实例 `publicly_accessible` 设为 `true` — 数据库直接暴露在公网，极易被扫描和暴力破解。
+      将 `publicly_accessible` 改为 `false`，数据库仅通过 VPC 内部访问。
+      如需外部管理，使用堡垒机或 SSM Session Manager 转发。
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_db_instance" $NAME {
+        ...
+        publicly_accessible = true
+        ...
+      }
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, rds, public-access, database-exposure]
+
+  # ZM-TF-CWE319-002: AWS RDS publicly_accessible 未显式设 false
+  - id: zm-tf-cwe319-rds-public-002
+    severity: MEDIUM
+    message: |
+      AWS RDS 实例未显式设置 `publicly_accessible = false` — 默认值取决于子网是否为公有子网。
+      应在 resource 中显式声明 `publicly_accessible = false` 以确保数据库不对外暴露。
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_db_instance" $NAME {
+        ...
+      }
+    pattern-not: |
+      resource "aws_db_instance" $NAME {
+        ...
+        publicly_accessible = ...
+        ...
+      }
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: medium
+      confidence: medium
+      tags: [terraform, aws, rds, public-access, missing-config]
+
+  # ZM-TF-CWE319-003: 阿里云 RDS address_type "Internet"
+  - id: zm-tf-cwe319-rds-public-003
+    severity: HIGH
+    message: |
+      阿里云 RDS 实例分配了公网连接地址 (`address_type = "Internet"`) — 数据库暴露在公网。
+      移除 `alicloud_db_connection` 中的公网地址配置，仅保留 `Intranet` 类型地址，
+      或通过 DMS 等管控平台进行安全访问。
+    languages:
+      - terraform
+    pattern: |
+      resource "alicloud_db_connection" $NAME {
+        ...
+        address_type = "Internet"
+        ...
+      }
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, alicloud, rds, public-access, database-exposure]

package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml

@@ -0,0 +1,102 @@
+# 逐码 ZhuMa IaC 规则 — Terraform 硬编码凭证检测
+# V4.1 Sprint — CWE-798: Use of Hard-coded Credentials
+
+rules:
+  # ZM-TF-CWE798-001: variable 默认值含密码/密钥
+  - id: zm-tf-cwe798-creds-001
+    severity: CRITICAL
+    message: |
+      Terraform variable 的 default 值中包含疑似密码/密钥/Token 的硬编码明文。
+      应移除默认值，通过环境变量 `TF_VAR_xxx` 或 `.tfvars` 文件（不提交到 Git）传入敏感值，
+      或使用 Vault/AWS Secrets Manager 等密钥管理服务动态获取。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          variable "$VAR" {
+            ...
+            default = "$SECRET"
+            ...
+          }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, hardcoded-credentials, secrets, variable]
+
+  # ZM-TF-CWE798-002: resource 中直接写 access_key / secret_key
+  - id: zm-tf-cwe798-creds-002
+    severity: CRITICAL
+    message: |
+      Terraform resource 中直接硬编码 `access_key` / `secret_key` / `password` 等凭证字段。
+      应改用 variable + 敏感标记 (`sensitive = true`)，并通过环境变量或密钥管理服务注入值。
+      示例:
+      ```hcl
+      variable "db_password" {
+        type      = string
+        sensitive = true
+      }
+      ```
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "$TYPE" "$NAME" {
+            ...
+            access_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          resource "$TYPE" "$NAME" {
+            ...
+            secret_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          resource "$TYPE" "$NAME" {
+            ...
+            password = "$VAL"
+            ...
+          }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, hardcoded-credentials, secrets, resource]
+
+  # ZM-TF-CWE798-003: provider 块中硬编码凭证
+  - id: zm-tf-cwe798-creds-003
+    severity: CRITICAL
+    message: |
+      Terraform provider 块中硬编码 `access_key` / `secret_key` / `token` — 这些凭证会被写入 state 文件和执行日志。
+      应使用环境变量 (`AWS_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY`) 或 shared_credentials_file，
+      切勿在 provider 块中直接写入凭证。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          provider "$PROVIDER" {
+            ...
+            access_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          provider "$PROVIDER" {
+            ...
+            secret_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          provider "$PROVIDER" {
+            ...
+            token = "$VAL"
+            ...
+          }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, hardcoded-credentials, secrets, provider]

package/rules/iac/zm-docker-cwe250-root-user.yaml

@@ -0,0 +1,50 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile USER root / 未指定 USER 检测
+# V4.1 Sprint — CWE-250: Execution with Unnecessary Privileges
+
+rules:
+  # ZM-DOCKER-CWE250-001: USER root 或未指定 USER
+  - id: zm-docker-cwe250-root-001
+    severity: HIGH
+    message: |
+      Dockerfile 中 `USER root` 或未指定 `USER` 指令 — 容器默认以 root (UID 0) 运行。
+      攻击者一旦逃逸容器即可获得宿主机 root 权限。
+      在 Dockerfile 末尾添加 `USER 1000` 切换到非 root 用户，配合 Kubernetes SecurityContext:
+      ```yaml
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      ```
+    languages:
+      - dockerfile
+    pattern: |
+      USER root
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-dockerfile
+      precision: very-high
+      confidence: high
+      tags: [docker, root, privilege-escalation, securitycontext]
+
+  # ZM-DOCKER-CWE250-002: 未设置任何 USER 指令
+  - id: zm-docker-cwe250-root-002
+    severity: MEDIUM
+    message: |
+      Dockerfile 中未设置任何 `USER` 指令 — 容器默认以 root 身份运行。
+      在 Dockerfile 中创建专用非 root 用户并切换到该用户:
+      ```dockerfile
+      RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+      USER appuser
+      ```
+      注意确保 `USER` 指令在 `COPY`/文件操作之后，避免权限问题。
+    languages:
+      - dockerfile
+    pattern: |
+      FROM $IMAGE
+    pattern-not: |
+      USER $USER
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-dockerfile
+      precision: low
+      confidence: medium
+      tags: [docker, root, missing-user, privilege-escalation]

package/rules/iac/zm-docker-cwe400-resource-limit.yaml

@@ -0,0 +1,92 @@
+# 逐码 ZhuMa IaC 规则 — Docker 资源限制缺失检测
+# V4.1 Sprint — CWE-400: Uncontrolled Resource Consumption
+# 检测: 无--cpus/--memory限制、HEALTHCHECK未配置
+
+rules:
+  # ZM-DOCKER-CWE400-RES-001: docker run / compose 缺少 CPU 限制
+  - id: zm-docker-cwe400-res-001
+    severity: MEDIUM
+    message: |
+      Docker 容器未设置 CPU 限制(`--cpus` 或 `cpus:` 或 `resources.limits.cpu`)。
+      无 CPU 限制的容器可消耗全部宿主 CPU 资源，导致 DoS 或资源争抢。
+
+      修复:
+      1. docker run: `--cpus=1.5` 限制 CPU 使用核心数
+      2. docker compose: `deploy.resources.limits.cpus: '1.5'`
+      3. docker compose v2: `cpus: 1.5` (deprecated but still common)
+      4. K8s: `resources.limits.cpu: "1"`
+    languages:
+      - generic
+    pattern-either:
+      - pattern: docker run ... $IMAGE
+      - pattern: docker run $OPTS $IMAGE
+    metadata:
+      cwe: "CWE-400: Uncontrolled Resource Consumption"
+      category: iac-docker
+      precision: low
+      confidence: low
+      tags: [docker, resource-exhaustion, dos, resource-limits]
+
+  # ZM-DOCKER-CWE400-RES-002: docker run / compose 缺少内存限制
+  - id: zm-docker-cwe400-res-002
+    severity: MEDIUM
+    message: |
+      Docker 容器未设置内存限制(`--memory` 或 `mem_limit:` 或 `resources.limits.memory`)。
+      无内存限制的容器可耗尽宿主内存，触发 OOM Killer 杀死关键进程。
+
+      修复:
+      1. docker run: `--memory=512m --memory-swap=512m` 限制内存
+      2. docker compose: `deploy.resources.limits.memory: 512M`
+      3. docker compose v2: `mem_limit: 512m`
+      4. K8s: `resources.limits.memory: "512Mi"`
+      5. memory-swap 应与 memory 等值以避免使用磁盘swap
+    languages:
+      - generic
+    pattern-either:
+      - pattern: docker run ... $IMAGE
+      - pattern: docker run $OPTS $IMAGE
+    metadata:
+      cwe: "CWE-400: Uncontrolled Resource Consumption"
+      category: iac-docker
+      precision: low
+      confidence: low
+      tags: [docker, resource-exhaustion, dos, resource-limits]
+
+  # ZM-DOCKER-CWE400-RES-003: Dockerfile 缺少 HEALTHCHECK 指令
+  - id: zm-docker-cwe400-res-003
+    severity: LOW
+    message: |
+      Dockerfile 未配置 `HEALTHCHECK` 指令 — 容器运行时Docker无法判断服务是否健康。
+      缺少健康检查导致:
+      1. 服务启动失败时无法自动重启(需配合 restart policy)
+      2. 滚动更新时无法判断新容器是否就绪
+      3. 编排系统(K8s/Swarm)无法做健康决策
+
+      修复:
+      添加 HEALTHCHECK 指令:
+        # HTTP服务:
+        HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+          CMD curl -f http://localhost:8080/health || exit 1
+
+        # 进程检查:
+        HEALTHCHECK --interval=30s --timeout=3s \
+          CMD pgrep -x node || exit 1
+
+      常用参数:
+      - --interval=DURATION (默认30s) 检查间隔
+      - --timeout=DURATION (默认30s) 超时时间
+      - --start-period=DURATION (默认0s) 启动缓冲时间
+      - --retries=N (默认3) 失败重试次数
+    languages:
+      - dockerfile
+    patterns:
+      - pattern-not: |
+          HEALTHCHECK ...
+      - pattern: |
+          CMD ...
+    metadata:
+      cwe: "CWE-400: Uncontrolled Resource Consumption"
+      category: iac-docker
+      precision: low
+      confidence: medium
+      tags: [docker, healthcheck, reliability, best-practice]