npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/iac/zm-docker-security.yaml ADDED Viewed

@@ -0,0 +1,104 @@
+# 逐码 ZhuMa IaC 规则 — Dockerfile 安全检测
+# V4.1 Sprint 3 起步 — 首批5条覆盖最常见的 Docker 镜像构建安全问题
+rules:
+  # ZM-IAC-DOCKER-001: FROM 使用 latest tag
+  - id: zm-iac-docker-latest-001
+    severity: LOW
+    message: |
+      FROM 使用 `latest` tag — 每次构建拉取不同镜像，不可重现。
+      使用语义化版本固定基础镜像标签，例如 `node:20-alpine` 而非 `node:latest`。
+    languages:
+      - dockerfile
+    pattern: |
+      FROM $IMAGE:latest
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      precision: very-high
+      tags: [docker, supply-chain, reproducibility]
+  # ZM-IAC-DOCKER-002: RUN curl/wget 后未清理缓存
+  - id: zm-iac-docker-curl-cleanup-001
+    severity: LOW
+    message: |
+      `curl`/`wget` 拉取文件后未在同层 `RUN` 中删除临时文件 — 镜像膨胀且残留敏感信息。
+      合并为单条 `RUN curl ... && rm -f /tmp/... && apk del curl` 或使用 multi-stage 避免工具链残留。
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: |
+          RUN $CURL ...
+      - pattern: |
+          RUN $WGET ...
+    metadata:
+      cwe: "CWE-1104: Use of Unmaintained Third Party Components"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      precision: low
+      tags: [docker, image-size, supply-chain]
+  # ZM-IAC-DOCKER-003: USER root (未降权)
+  - id: zm-iac-docker-root-001
+    severity: MEDIUM
+    message: |
+      容器以 `root` 身份运行 — 容器逃逸后拥有宿主机 root 权限。
+      Dockerfile 末尾添加 `USER 1000` 切换到非 root 用户，
+      或 Kubernetes PodSecurityContext 设置 `runAsNonRoot: true`。
+    languages:
+      - dockerfile
+    pattern: |
+      USER root
+    pattern-not: |
+      USER $NONROOT
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: very-high
+      tags: [docker, privilege-escalation, root]
+  # ZM-IAC-DOCKER-004: COPY --chown 缺失（COPY 的文件以 root 拥有）
+  - id: zm-iac-docker-chown-001
+    severity: LOW
+    message: |
+      `COPY` 未使用 `--chown` — 文件默认为 `root:root` 拥有，非 root 用户无法读取。
+      使用 `COPY --chown=1000:1000 src/ dest/` 将文件所有权授予非 root 用户。
+    languages:
+      - dockerfile
+    pattern: |
+      COPY $SRC $DEST
+    pattern-not: |
+      COPY --chown=$OWNER $SRC $DEST
+    metadata:
+      cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: low
+      tags: [docker, file-permission]
+  # ZM-IAC-DOCKER-005: EXPOSE 敏感端口
+  - id: zm-iac-docker-sensitive-port-001
+    severity: HIGH
+    message: |
+      EXPOSE 暴露了数据库/管理/调试端口 — 端口 22(SSH)/2375(Docker)/3306(MySQL)/5432(PostgreSQL)/
+      6379(Redis)/27017(MongoDB)/9200(ES)/9090(Prometheus) 不应直接对外。
+      仅 EXPOSE 业务端口 (80/443/8080)，敏感端口由内部网络或 sidecar 代理访问。
+    languages:
+      - dockerfile
+    pattern-either:
+      - pattern: EXPOSE 22
+      - pattern: EXPOSE 2375
+      - pattern: EXPOSE 3306
+      - pattern: EXPOSE 5432
+      - pattern: EXPOSE 6379
+      - pattern: EXPOSE 27017
+      - pattern: EXPOSE 9200
+      - pattern: EXPOSE 9090
+      - pattern: EXPOSE 9093
+      - pattern: EXPOSE 3000
+      - pattern: EXPOSE 5000
+      - pattern: EXPOSE 8000
+      - pattern: EXPOSE 8500
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: very-high
+      tags: [docker, network-exposure, sensitive-port]

package/rules/iac/zm-k8s-cwe200-service-account.yaml ADDED Viewed

@@ -0,0 +1,83 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes ServiceAccount 安全检测
+# V4.1 Sprint — CWE-200: Exposure of Sensitive Information
+# 检测: ServiceAccount未限制、automountServiceAccountToken未设false、cluster-admin绑定
+rules:
+  # ZM-K8S-CWE200-SA-001: ServiceAccount automountServiceAccountToken 未显式禁用
+  - id: zm-k8s-cwe200-sa-001
+    severity: MEDIUM
+    message: |
+      ServiceAccount 未设置 `automountServiceAccountToken: false` — 默认挂载API token到Pod中。
+      即使应用不需要访问K8s API，token仍然存在，权限逃逸后可调用API Server。
+      修复:
+      1. 在 ServiceAccount 或 Pod spec 中设置: `automountServiceAccountToken: false`
+      2. 仅向需要API访问的ServiceAccount授予最低权限
+      3. 使用Pod Security Admission限制 automountServiceAccountToken
+    languages:
+      - yaml
+    pattern: |
+      automountServiceAccountToken: true
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, service-account, token-exposure, security-misconfiguration]
+  # ZM-K8S-CWE200-SA-002: ClusterRoleBinding 绑定到默认 ServiceAccount
+  - id: zm-k8s-cwe200-sa-002
+    severity: CRITICAL
+    message: |
+      ClusterRoleBinding 将 `cluster-admin` 或高危 ClusterRole 绑定到 `default` ServiceAccount
+      或命名空间级别的 ServiceAccount。这授予了集群范围的管理权限。
+      检查 subjects 中的 name 是否为 `default` 或非专用的 ServiceAccount。
+      修复:
+      1. 将 cluster-admin 绑定限制为仅系统组件和管理员账户
+      2. 为应用创建专用 ServiceAccount 并绑定最小权限 Role
+      3. 使用 RoleBinding(命名空间级)替代 ClusterRoleBinding(集群级)
+      4. 定期审计 ClusterRoleBinding/subjects
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          subjects:
+          - kind: ServiceAccount
+            name: default
+      - pattern: |
+          subjects:
+            - kind: ServiceAccount
+              name: default
+      - pattern: |
+          subjects: [{kind: ServiceAccount, name: default}]
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, clusterrole-binding, privilege-escalation, cluster-admin]
+  # ZM-K8S-CWE200-SA-003: Pod spec 中 ServiceAccount 名称为 default
+  - id: zm-k8s-cwe200-sa-003
+    severity: LOW
+    message: |
+      Pod 使用 `serviceAccountName: default` — 每个命名空间中的默认 ServiceAccount。
+      default ServiceAccount 可能已被授予不必要的权限。
+      应为每个应用创建专用 ServiceAccount 并授予最小权限。
+      修复:
+      1. 创建应用专用 ServiceAccount: `serviceAccountName: my-app`
+      2. 绑定最小权限 Role(非 cluster-admin)
+      3. 设置 `automountServiceAccountToken: false` 如不需要K8s API访问
+    languages:
+      - yaml
+    pattern: |
+      serviceAccountName: default
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, service-account, best-practice, least-privilege]

package/rules/iac/zm-k8s-cwe250-privileged.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes 特权容器深度检测
+# V4.1 Sprint — CWE-250: Execution with Unnecessary Privileges
+rules:
+  # ZM-K8S-CWE250-001: hostNetwork: true
+  - id: zm-k8s-cwe250-priv-001
+    severity: HIGH
+    message: |
+      Pod 启用 `hostNetwork: true` — 容器共享宿主机网络命名空间，可监听宿主机端口、嗅探网络流量。
+      除非是 CNI 插件或网络监控组件，否则应移除 `hostNetwork: true` 并使用 ClusterIP/NodePort 暴露服务。
+    languages:
+      - yaml
+    pattern: |
+      hostNetwork: true
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, hostNetwork, privilege-escalation, network-isolation]
+  # ZM-K8S-CWE250-002: hostPID: true
+  - id: zm-k8s-cwe250-priv-002
+    severity: CRITICAL
+    message: |
+      Pod 启用 `hostPID: true` — 容器可查看和操作宿主机上的所有进程，可通过 `/proc` 直接与主机进程交互。
+      这是一种极度危险的配置，攻击者可以利用它向主机进程注入恶意代码。
+      除非绝对必要（如 node-exporter 等监控组件），否则应移除 `hostPID: true`。
+    languages:
+      - yaml
+    pattern: |
+      hostPID: true
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, hostPID, privilege-escalation, process-injection]
+  # ZM-K8S-CWE250-003: hostIPC: true
+  - id: zm-k8s-cwe250-priv-003
+    severity: HIGH
+    message: |
+      Pod 启用 `hostIPC: true` — 容器可访问宿主机进程间通信 (IPC) 命名空间，包括共享内存段和信号量。
+      这允许容器与宿主机上其他进程通过共享内存交互，可能被利用进行权限提升攻击。
+      除非是特定的系统组件，否则应移除 `hostIPC: true`。
+    languages:
+      - yaml
+    pattern: |
+      hostIPC: true
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, hostIPC, privilege-escalation, ipc-namespace]

package/rules/iac/zm-k8s-security.yaml ADDED Viewed

@@ -0,0 +1,79 @@
+# 逐码 ZhuMa IaC 规则 — Kubernetes 安全检测
+# V4.1 Sprint 3 — 首批3条 K8s 最常见安全配置问题
+rules:
+  # ZM-IAC-K8S-001: runAsNonRoot 未设置
+  - id: zm-iac-k8s-nonroot-001
+    severity: HIGH
+    message: |
+      Pod/容器未设置 `runAsNonRoot: true` — 容器可以以 root 身份运行。
+      在 Pod securityContext 或 Container securityContext 中添加:
+      ```yaml
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      ```
+    languages:
+      - yaml
+    pattern: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+    pattern-not: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+          securityContext:
+            ...
+            runAsNonRoot: $VAL
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: medium
+      tags: [kubernetes, privilege-escalation, securitycontext]
+  # ZM-IAC-K8S-002: privileged: true
+  - id: zm-iac-k8s-privileged-001
+    severity: CRITICAL
+    message: |
+      容器以 `privileged: true` 运行 — 该容器获得宿主机的所有 Linux Capabilities，
+      包括加载内核模块、访问所有设备。除非是系统级组件 (如 kube-proxy、CNI 插件)，
+      否则应移除 `privileged: true` 并使用细粒度 `capabilities` 声明。
+    languages:
+      - yaml
+    pattern: |
+      privileged: true
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: very-high
+      tags: [kubernetes, privileged-container, rce, escape]
+  # ZM-IAC-K8S-003: allowPrivilegeEscalation 未显式禁用
+  - id: zm-iac-k8s-allow-escalation-001
+    severity: MEDIUM
+    message: |
+      未显式设置 `allowPrivilegeEscalation: false` — 默认允许子进程获取比父进程更多的特权。
+      在容器 securityContext 中添加:
+      ```yaml
+      securityContext:
+        allowPrivilegeEscalation: false
+      ```
+    languages:
+      - yaml
+    pattern: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+    pattern-not: |
+      containers:
+        - name: $NAME
+          image: $IMAGE
+          securityContext:
+            ...
+            allowPrivilegeEscalation: $VAL
+    metadata:
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      owasp: "A05:2021 - Security Misconfiguration"
+      precision: medium
+      tags: [kubernetes, privilege-escalation, securitycontext]