codeslick-cli 1.4.0 → 1.4.2

package/dist/src/lib/analyzers/kubernetes/types.d.ts

@@ -0,0 +1,266 @@
+/**
+ * Kubernetes Resource Type Definitions
+ *
+ * WR3 Week 6: Kubernetes YAML Security Scanner
+ * Type definitions for K8s resources, pod specs, RBAC, and security contexts
+ *
+ * Created: February 5, 2026
+ */
+export type KubernetesKind = 'Pod' | 'Deployment' | 'StatefulSet' | 'DaemonSet' | 'ReplicaSet' | 'Job' | 'CronJob' | 'Service' | 'ConfigMap' | 'Secret' | 'Role' | 'ClusterRole' | 'RoleBinding' | 'ClusterRoleBinding' | 'ServiceAccount' | 'NetworkPolicy' | 'Ingress' | 'PersistentVolume' | 'PersistentVolumeClaim';
+export interface KubernetesResource {
+    apiVersion: string;
+    kind: KubernetesKind | string;
+    metadata: Metadata;
+    spec?: any;
+    data?: Record<string, string>;
+    stringData?: Record<string, string>;
+    rules?: RBACRule[];
+    roleRef?: RoleRef;
+    subjects?: Subject[];
+    line?: number;
+}
+export interface Metadata {
+    name: string;
+    namespace?: string;
+    labels?: Record<string, string>;
+    annotations?: Record<string, string>;
+    uid?: string;
+}
+export interface PodSpec {
+    containers: Container[];
+    initContainers?: Container[];
+    volumes?: Volume[];
+    hostNetwork?: boolean;
+    hostPID?: boolean;
+    hostIPC?: boolean;
+    serviceAccountName?: string;
+    automountServiceAccountToken?: boolean;
+    securityContext?: PodSecurityContext;
+    nodeSelector?: Record<string, string>;
+    affinity?: any;
+    tolerations?: any[];
+}
+export interface Container {
+    name: string;
+    image: string;
+    command?: string[];
+    args?: string[];
+    securityContext?: SecurityContext;
+    resources?: Resources;
+    env?: EnvVar[];
+    envFrom?: EnvFromSource[];
+    volumeMounts?: VolumeMount[];
+    ports?: ContainerPort[];
+    livenessProbe?: Probe;
+    readinessProbe?: Probe;
+    startupProbe?: Probe;
+}
+export interface SecurityContext {
+    privileged?: boolean;
+    runAsNonRoot?: boolean;
+    runAsUser?: number;
+    runAsGroup?: number;
+    readOnlyRootFilesystem?: boolean;
+    allowPrivilegeEscalation?: boolean;
+    capabilities?: {
+        add?: string[];
+        drop?: string[];
+    };
+    seccompProfile?: {
+        type: string;
+        localhostProfile?: string;
+    };
+    seLinuxOptions?: any;
+}
+export interface PodSecurityContext {
+    runAsNonRoot?: boolean;
+    runAsUser?: number;
+    runAsGroup?: number;
+    fsGroup?: number;
+    supplementalGroups?: number[];
+    seccompProfile?: {
+        type: string;
+        localhostProfile?: string;
+    };
+    seLinuxOptions?: any;
+}
+export interface Resources {
+    limits?: {
+        cpu?: string;
+        memory?: string;
+        [key: string]: string | undefined;
+    };
+    requests?: {
+        cpu?: string;
+        memory?: string;
+        [key: string]: string | undefined;
+    };
+}
+export interface EnvVar {
+    name: string;
+    value?: string;
+    valueFrom?: {
+        secretKeyRef?: {
+            name: string;
+            key: string;
+        };
+        configMapKeyRef?: {
+            name: string;
+            key: string;
+        };
+        fieldRef?: {
+            fieldPath: string;
+        };
+        resourceFieldRef?: {
+            resource: string;
+        };
+    };
+}
+export interface EnvFromSource {
+    configMapRef?: {
+        name: string;
+        optional?: boolean;
+    };
+    secretRef?: {
+        name: string;
+        optional?: boolean;
+    };
+}
+export interface VolumeMount {
+    name: string;
+    mountPath: string;
+    readOnly?: boolean;
+    subPath?: string;
+}
+export interface Volume {
+    name: string;
+    hostPath?: {
+        path: string;
+        type?: string;
+    };
+    emptyDir?: {
+        medium?: string;
+        sizeLimit?: string;
+    };
+    configMap?: {
+        name: string;
+        items?: Array<{
+            key: string;
+            path: string;
+        }>;
+    };
+    secret?: {
+        secretName: string;
+        items?: Array<{
+            key: string;
+            path: string;
+        }>;
+    };
+    persistentVolumeClaim?: {
+        claimName: string;
+    };
+    nfs?: {
+        server: string;
+        path: string;
+    };
+}
+export interface ContainerPort {
+    containerPort: number;
+    protocol?: string;
+    name?: string;
+    hostPort?: number;
+}
+export interface Probe {
+    httpGet?: {
+        path: string;
+        port: number | string;
+        scheme?: string;
+    };
+    tcpSocket?: {
+        port: number | string;
+    };
+    exec?: {
+        command: string[];
+    };
+    initialDelaySeconds?: number;
+    timeoutSeconds?: number;
+    periodSeconds?: number;
+    successThreshold?: number;
+    failureThreshold?: number;
+}
+export interface RBACRule {
+    apiGroups?: string[];
+    resources?: string[];
+    verbs: string[];
+    resourceNames?: string[];
+}
+export interface RoleRef {
+    apiGroup: string;
+    kind: string;
+    name: string;
+}
+export interface Subject {
+    kind: string;
+    name: string;
+    namespace?: string;
+    apiGroup?: string;
+}
+export interface ServiceSpec {
+    type?: 'ClusterIP' | 'NodePort' | 'LoadBalancer' | 'ExternalName';
+    ports?: ServicePort[];
+    selector?: Record<string, string>;
+    clusterIP?: string;
+    externalIPs?: string[];
+    loadBalancerIP?: string;
+    loadBalancerSourceRanges?: string[];
+}
+export interface ServicePort {
+    name?: string;
+    protocol?: string;
+    port: number;
+    targetPort?: number | string;
+    nodePort?: number;
+}
+export interface NetworkPolicySpec {
+    podSelector: {
+        matchLabels?: Record<string, string>;
+        matchExpressions?: any[];
+    };
+    policyTypes?: string[];
+    ingress?: NetworkPolicyIngressRule[];
+    egress?: NetworkPolicyEgressRule[];
+}
+export interface NetworkPolicyIngressRule {
+    from?: NetworkPolicyPeer[];
+    ports?: NetworkPolicyPort[];
+}
+export interface NetworkPolicyEgressRule {
+    to?: NetworkPolicyPeer[];
+    ports?: NetworkPolicyPort[];
+}
+export interface NetworkPolicyPeer {
+    podSelector?: {
+        matchLabels?: Record<string, string>;
+    };
+    namespaceSelector?: {
+        matchLabels?: Record<string, string>;
+    };
+    ipBlock?: {
+        cidr: string;
+        except?: string[];
+    };
+}
+export interface NetworkPolicyPort {
+    protocol?: string;
+    port?: number | string;
+    endPort?: number;
+}
+export declare function isPodResource(resource: KubernetesResource): boolean;
+export declare function isRBACResource(resource: KubernetesResource): boolean;
+export declare function isSecretResource(resource: KubernetesResource): boolean;
+export declare function extractPodSpec(resource: KubernetesResource): PodSpec | null;
+export declare function getResourceIdentifier(resource: KubernetesResource): string;
+export declare const DANGEROUS_CAPABILITIES: string[];
+export declare const SENSITIVE_RESOURCES: string[];
+export declare const DANGEROUS_VERBS: string[];
+//# sourceMappingURL=types.d.ts.map

package/dist/src/lib/analyzers/kubernetes/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/kubernetes/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,cAAc,GACtB,KAAK,GACL,YAAY,GACZ,aAAa,GACb,WAAW,GACX,YAAY,GACZ,KAAK,GACL,SAAS,GACT,SAAS,GACT,WAAW,GACX,QAAQ,GACR,MAAM,GACN,aAAa,GACb,aAAa,GACb,oBAAoB,GACpB,gBAAgB,GAChB,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,uBAAuB,CAAC;AAE5B,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,GAAG,MAAM,CAAC;IAC9B,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,OAAO;IACtB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,cAAc,CAAC,EAAE,SAAS,EAAE,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,eAAe,CAAC,EAAE,kBAAkB,CAAC;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,WAAW,CAAC,EAAE,GAAG,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,KAAK,CAAC,EAAE,aAAa,EAAE,CAAC;IACxB,aAAa,CAAC,EAAE,KAAK,CAAC;IACtB,cAAc,CAAC,EAAE,KAAK,CAAC;IACvB,YAAY,CAAC,EAAE,KAAK,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,YAAY,CAAC,EAAE;QACb,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;IACF,cAAc,CAAC,EAAE;QACf,IAAI,EAAE,MAAM,CAAC;QACb,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,cAAc,CAAC,EAAE;QACf,IAAI,EAAE,MAAM,CAAC;QACb,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,CAAC,EAAE;QACP,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;KACnC,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;KACnC,CAAC;CACH;AAED,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE;QACV,YAAY,CAAC,EAAE;YACb,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;QACF,eAAe,CAAC,EAAE;YAChB,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;QACF,QAAQ,CAAC,EAAE;YACT,SAAS,EAAE,MAAM,CAAC;SACnB,CAAC;QACF,gBAAgB,CAAC,EAAE;YACjB,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;KACH,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,EAAE;QACb,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;IACF,SAAS,CAAC,EAAE;QACV,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,SAAS,CAAC,EAAE;QACV,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,KAAK,CAAC;YACZ,GAAG,EAAE,MAAM,CAAC;YACZ,IAAI,EAAE,MAAM,CAAC;SACd,CAAC,CAAC;KACJ,CAAC;IACF,MAAM,CAAC,EAAE;QACP,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,CAAC,EAAE,KAAK,CAAC;YACZ,GAAG,EAAE,MAAM,CAAC;YACZ,IAAI,EAAE,MAAM,CAAC;SACd,CAAC,CAAC;KACJ,CAAC;IACF,qBAAqB,CAAC,EAAE;QACtB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,KAAK;IACpB,OAAO,CAAC,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,SAAS,CAAC,EAAE;QACV,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;KACvB,CAAC;IACF,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAID,MAAM,WAAW,QAAQ;IACvB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,EAAE,WAAW,GAAG,UAAU,GAAG,cAAc,GAAG,cAAc,CAAC;IAClE,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE;QACX,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,gBAAgB,CAAC,EAAE,GAAG,EAAE,CAAC;KAC1B,CAAC;IACF,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,wBAAwB,EAAE,CAAC;IACrC,MAAM,CAAC,EAAE,uBAAuB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAC3B,KAAK,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,CAAC,EAAE;QACZ,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACtC,CAAC;IACF,iBAAiB,CAAC,EAAE;QAClB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACtC,CAAC;IACF,OAAO,CAAC,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,wBAAgB,aAAa,CAAC,QAAQ,EAAE,kBAAkB,GAAG,OAAO,CAInE;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,kBAAkB,GAAG,OAAO,CAEpE;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,OAAO,CAEtE;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,kBAAkB,GAAG,OAAO,GAAG,IAAI,CAoB3E;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,MAAM,CAG1E;AAGD,eAAO,MAAM,sBAAsB,UAalC,CAAC;AAGF,eAAO,MAAM,mBAAmB,UAU/B,CAAC;AAGF,eAAO,MAAM,eAAe,UAAmE,CAAC"}

package/dist/src/lib/analyzers/kubernetes/types.js

@@ -0,0 +1,77 @@
+"use strict";
+/**
+ * Kubernetes Resource Type Definitions
+ *
+ * WR3 Week 6: Kubernetes YAML Security Scanner
+ * Type definitions for K8s resources, pod specs, RBAC, and security contexts
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DANGEROUS_VERBS = exports.SENSITIVE_RESOURCES = exports.DANGEROUS_CAPABILITIES = void 0;
+exports.isPodResource = isPodResource;
+exports.isRBACResource = isRBACResource;
+exports.isSecretResource = isSecretResource;
+exports.extractPodSpec = extractPodSpec;
+exports.getResourceIdentifier = getResourceIdentifier;
+// Helper type guards
+function isPodResource(resource) {
+    return ['Pod', 'Deployment', 'StatefulSet', 'DaemonSet', 'ReplicaSet', 'Job', 'CronJob'].includes(resource.kind);
+}
+function isRBACResource(resource) {
+    return ['Role', 'ClusterRole', 'RoleBinding', 'ClusterRoleBinding'].includes(resource.kind);
+}
+function isSecretResource(resource) {
+    return ['Secret', 'ConfigMap'].includes(resource.kind);
+}
+function extractPodSpec(resource) {
+    if (resource.kind === 'Pod') {
+        return resource.spec;
+    }
+    // Extract from workload resources
+    if (['Deployment', 'StatefulSet', 'DaemonSet', 'ReplicaSet'].includes(resource.kind)) {
+        return resource.spec?.template?.spec;
+    }
+    // Extract from Job/CronJob
+    if (resource.kind === 'Job') {
+        return resource.spec?.template?.spec;
+    }
+    if (resource.kind === 'CronJob') {
+        return resource.spec?.jobTemplate?.spec?.template?.spec;
+    }
+    return null;
+}
+function getResourceIdentifier(resource) {
+    const namespace = resource.metadata.namespace ? `${resource.metadata.namespace}/` : '';
+    return `${resource.kind}/${namespace}${resource.metadata.name}`;
+}
+// Dangerous capabilities that should trigger alerts
+exports.DANGEROUS_CAPABILITIES = [
+    'SYS_ADMIN',
+    'NET_ADMIN',
+    'SYS_MODULE',
+    'SYS_RAWIO',
+    'SYS_PTRACE',
+    'SYS_BOOT',
+    'MAC_ADMIN',
+    'MAC_OVERRIDE',
+    'PERFMON',
+    'BPF',
+    'DAC_READ_SEARCH',
+    'DAC_OVERRIDE',
+];
+// Sensitive RBAC resources that should be protected
+exports.SENSITIVE_RESOURCES = [
+    'secrets',
+    'configmaps',
+    'pods',
+    'pods/exec',
+    'pods/log',
+    'nodes',
+    'persistentvolumes',
+    'clusterroles',
+    'clusterrolebindings',
+];
+// Dangerous RBAC verbs
+exports.DANGEROUS_VERBS = ['*', 'create', 'delete', 'deletecollection', 'patch', 'update'];
+//# sourceMappingURL=types.js.map

package/dist/src/lib/analyzers/kubernetes/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/kubernetes/types.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA8SH,sCAIC;AAED,wCAEC;AAED,4CAEC;AAED,wCAoBC;AAED,sDAGC;AAzCD,qBAAqB;AAErB,SAAgB,aAAa,CAAC,QAA4B;IACxD,OAAO,CAAC,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,QAAQ,CAC/F,QAAQ,CAAC,IAAI,CACd,CAAC;AACJ,CAAC;AAED,SAAgB,cAAc,CAAC,QAA4B;IACzD,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,aAAa,EAAE,oBAAoB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC9F,CAAC;AAED,SAAgB,gBAAgB,CAAC,QAA4B;IAC3D,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACzD,CAAC;AAED,SAAgB,cAAc,CAAC,QAA4B;IACzD,IAAI,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC,IAAe,CAAC;IAClC,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrF,OAAO,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAe,CAAC;IAClD,CAAC;IAED,2BAA2B;IAC3B,IAAI,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAe,CAAC;IAClD,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAe,CAAC;IACrE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IACvF,OAAO,GAAG,QAAQ,CAAC,IAAI,IAAI,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;AAClE,CAAC;AAED,oDAAoD;AACvC,QAAA,sBAAsB,GAAG;IACpC,WAAW;IACX,WAAW;IACX,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,UAAU;IACV,WAAW;IACX,cAAc;IACd,SAAS;IACT,KAAK;IACL,iBAAiB;IACjB,cAAc;CACf,CAAC;AAEF,oDAAoD;AACvC,QAAA,mBAAmB,GAAG;IACjC,SAAS;IACT,YAAY;IACZ,MAAM;IACN,WAAW;IACX,UAAU;IACV,OAAO;IACP,mBAAmB;IACnB,cAAc;IACd,qBAAqB;CACtB,CAAC;AAEF,uBAAuB;AACV,QAAA,eAAe,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,kBAAkB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC"}

package/dist/src/lib/analyzers/kubernetes-analyzer.d.ts

@@ -0,0 +1,93 @@
+/**
+ * ⚠️ SHARED MODULE: Kubernetes Security Analyzer
+ *
+ * CRITICAL: This module is used by WebTool, GitHub App, and CLI
+ *
+ * WebTool uses this for:
+ * - /api/analyze endpoint - Interactive single-file K8s analysis (<5s target)
+ * - Real-time misconfiguration detection for individual developers
+ *
+ * GitHub App uses this for:
+ * - /api/github/webhook - Batch PR analysis of K8s YAML files (10-30s OK)
+ * - Automated K8s security checks for professional teams
+ *
+ * CLI uses this for:
+ * - Pre-commit hooks - K8s manifest validation (<5s target)
+ * - CI/CD pipeline integration
+ *
+ * WR3 Week 6: Kubernetes YAML Security Scanner
+ * 25 security checks + 12 PII patterns = 37 total checks
+ *
+ * ⚠️ BEFORE MODIFYING THIS FILE:
+ * 1. Run all analyzer tests: npm test kubernetes-analyzer
+ * 2. Test WebTool: Paste K8s YAML at /analyze → Verify results
+ * 3. Test GitHub: Open PR with .yaml file → Verify webhook comment
+ * 4. Test CLI: Scan K8s manifest → Verify exit codes
+ * 5. Verify performance: Analysis must complete in <5s per file
+ * 6. Check detection rate: All 25 K8s checks + 12 PII must still detect
+ *
+ * CRITICAL OUTPUT FORMAT (DO NOT CHANGE):
+ * - result.security.vulnerabilities - Used by all 3 systems
+ * - Each vulnerability has: line, message, severity, cvssScore, owasp, cwe
+ * - Changing this structure breaks ALL product UIs
+ *
+ * Created: February 5, 2026
+ * Last verified (all systems): TBD (after first commit)
+ */
+import { ICodeAnalyzer, AnalyzerInput, AnalyzerResult } from './types';
+import { SupportedLanguage } from '../types';
+export declare class KubernetesAnalyzer implements ICodeAnalyzer {
+    readonly language: SupportedLanguage;
+    analyze(input: AnalyzerInput): Promise<AnalyzerResult>;
+    /**
+     * Route resource to appropriate security checks based on kind
+     */
+    private analyzeResource;
+    /**
+     * Pod Security checks (8 checks)
+     * - Privileged containers, host namespaces, root users, capabilities, etc.
+     */
+    private analyzePodSecurity;
+    /**
+     * RBAC Security checks (5 checks)
+     * - Cluster-admin bindings, wildcard rules, overly permissive roles
+     */
+    private analyzeRBACSecurity;
+    /**
+     * Secrets Management checks (4 checks)
+     * - Hardcoded secrets in ConfigMaps, secrets in env vars
+     */
+    private analyzeSecretsManagement;
+    /**
+     * Network Security checks (3 checks)
+     * - Missing network policies, unrestricted ingress, public services
+     */
+    private analyzeNetworkSecurity;
+    /**
+     * Resource Management checks (3 checks)
+     * - Missing resource limits/requests, latest image tags
+     */
+    private analyzeResourceManagement;
+    /**
+     * Service Security checks (2 checks)
+     * - Missing liveness/readiness probes
+     */
+    private analyzeServiceSecurity;
+    /**
+     * PII Detection (12 patterns)
+     * Reuse existing PII patterns from Terraform/IaC
+     * Scan ConfigMaps, Secrets, environment variables
+     */
+    private analyzePII;
+    /**
+     * Calculate metrics for Kubernetes manifests
+     */
+    private calculateMetrics;
+    validateSyntax(code: string): Promise<boolean>;
+    getLanguageInfo(): {
+        name: string;
+        extensions: string[];
+        description: string;
+    };
+}
+//# sourceMappingURL=kubernetes-analyzer.d.ts.map

package/dist/src/lib/analyzers/kubernetes-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kubernetes-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/kubernetes-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAyB,MAAM,SAAS,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAa7C,qBAAa,kBAAmB,YAAW,aAAa;IACtD,SAAgB,QAAQ,EAAE,iBAAiB,CAAgB;IAErD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAmD5D;;OAEG;IACH,OAAO,CAAC,eAAe;IA8BvB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAK1B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAK3B;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAKhC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAK9B;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAKjC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAK9B;;;;OAIG;IACH,OAAO,CAAC,UAAU;IAOlB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAgBlB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYpD,eAAe,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,WAAW,EAAE,MAAM,CAAC;KACrB;CAOF"}

package/dist/src/lib/analyzers/kubernetes-analyzer.js

@@ -0,0 +1,215 @@
+"use strict";
+/**
+ * ⚠️ SHARED MODULE: Kubernetes Security Analyzer
+ *
+ * CRITICAL: This module is used by WebTool, GitHub App, and CLI
+ *
+ * WebTool uses this for:
+ * - /api/analyze endpoint - Interactive single-file K8s analysis (<5s target)
+ * - Real-time misconfiguration detection for individual developers
+ *
+ * GitHub App uses this for:
+ * - /api/github/webhook - Batch PR analysis of K8s YAML files (10-30s OK)
+ * - Automated K8s security checks for professional teams
+ *
+ * CLI uses this for:
+ * - Pre-commit hooks - K8s manifest validation (<5s target)
+ * - CI/CD pipeline integration
+ *
+ * WR3 Week 6: Kubernetes YAML Security Scanner
+ * 25 security checks + 12 PII patterns = 37 total checks
+ *
+ * ⚠️ BEFORE MODIFYING THIS FILE:
+ * 1. Run all analyzer tests: npm test kubernetes-analyzer
+ * 2. Test WebTool: Paste K8s YAML at /analyze → Verify results
+ * 3. Test GitHub: Open PR with .yaml file → Verify webhook comment
+ * 4. Test CLI: Scan K8s manifest → Verify exit codes
+ * 5. Verify performance: Analysis must complete in <5s per file
+ * 6. Check detection rate: All 25 K8s checks + 12 PII must still detect
+ *
+ * CRITICAL OUTPUT FORMAT (DO NOT CHANGE):
+ * - result.security.vulnerabilities - Used by all 3 systems
+ * - Each vulnerability has: line, message, severity, cvssScore, owasp, cwe
+ * - Changing this structure breaks ALL product UIs
+ *
+ * Created: February 5, 2026
+ * Last verified (all systems): TBD (after first commit)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KubernetesAnalyzer = void 0;
+const parser_1 = require("./kubernetes/parser");
+const types_1 = require("./kubernetes/types");
+const pod_security_1 = require("./kubernetes/checks/pod-security");
+const rbac_security_1 = require("./kubernetes/checks/rbac-security");
+const secrets_management_1 = require("./kubernetes/checks/secrets-management");
+const network_security_1 = require("./kubernetes/checks/network-security");
+const resource_management_1 = require("./kubernetes/checks/resource-management");
+const service_security_1 = require("./kubernetes/checks/service-security");
+const pii_detector_1 = require("./kubernetes/pii-detector");
+const ignore_patterns_1 = require("../utils/ignore-patterns");
+class KubernetesAnalyzer {
+    constructor() {
+        this.language = 'kubernetes';
+    }
+    async analyze(input) {
+        const result = {
+            syntax: { valid: true, errors: [], lineErrors: [] },
+            quality: { score: 100, issues: [] },
+            performance: { score: 100, suggestions: [] },
+            security: { vulnerabilities: [] },
+            metrics: { complexity: 1, maintainability: 100, lines: 0, functions: 0 },
+        };
+        try {
+            // Quick validation: Is this Kubernetes YAML?
+            if (!(0, parser_1.isKubernetesYAML)(input.code)) {
+                result.syntax.valid = false;
+                result.syntax.errors.push('Not a valid Kubernetes YAML manifest');
+                return result;
+            }
+            // Parse Kubernetes YAML (supports multi-document with ---)
+            const resources = (0, parser_1.parseKubernetes)(input.code);
+            if (resources.length === 0) {
+                result.syntax.valid = false;
+                result.syntax.errors.push('No valid Kubernetes resources found');
+                return result;
+            }
+            // Analyze each resource
+            for (const resource of resources) {
+                this.analyzeResource(resource, result);
+            }
+            // Apply PII detection across all resources
+            this.analyzePII(resources, result);
+            // Calculate basic metrics
+            this.calculateMetrics(input.code, resources, result);
+            // Filter suppressed vulnerabilities (inline comments: # codeslick-ignore-next-line)
+            result.security.vulnerabilities = (0, ignore_patterns_1.filterSuppressedVulnerabilities)(input.code, result.security.vulnerabilities);
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            result.syntax.valid = false;
+            result.syntax.errors.push(`Kubernetes analysis error: ${errorMessage}`);
+        }
+        return result;
+    }
+    /**
+     * Route resource to appropriate security checks based on kind
+     */
+    analyzeResource(resource, result) {
+        // Pod security checks (Pod, Deployment, StatefulSet, DaemonSet, Job, CronJob)
+        if ((0, types_1.isPodResource)(resource)) {
+            this.analyzePodSecurity(resource, result);
+            this.analyzeResourceManagement(resource, result);
+            this.analyzeServiceSecurity(resource, result);
+            // RBAC checks that apply to pods (ServiceAccount-related)
+            const rbacVulns = (0, rbac_security_1.runRBACSecurityChecks)(resource);
+            result.security.vulnerabilities.push(...rbacVulns);
+            // Secrets management checks that apply to pods (env vars, secret volumes)
+            const secretsVulns = (0, secrets_management_1.runSecretsManagementChecks)(resource);
+            result.security.vulnerabilities.push(...secretsVulns);
+        }
+        // RBAC checks (Role, ClusterRole, RoleBinding, ClusterRoleBinding)
+        if ((0, types_1.isRBACResource)(resource)) {
+            this.analyzeRBACSecurity(resource, result);
+        }
+        // Secrets management checks (ConfigMap, Secret)
+        if ((0, types_1.isSecretResource)(resource)) {
+            this.analyzeSecretsManagement(resource, result);
+        }
+        // Network security checks (NetworkPolicy, Service, Ingress)
+        if (['NetworkPolicy', 'Service', 'Ingress'].includes(resource.kind)) {
+            this.analyzeNetworkSecurity(resource, result);
+        }
+    }
+    /**
+     * Pod Security checks (8 checks)
+     * - Privileged containers, host namespaces, root users, capabilities, etc.
+     */
+    analyzePodSecurity(resource, result) {
+        const vulnerabilities = (0, pod_security_1.runPodSecurityChecks)(resource);
+        result.security.vulnerabilities.push(...vulnerabilities);
+    }
+    /**
+     * RBAC Security checks (5 checks)
+     * - Cluster-admin bindings, wildcard rules, overly permissive roles
+     */
+    analyzeRBACSecurity(resource, result) {
+        const vulnerabilities = (0, rbac_security_1.runRBACSecurityChecks)(resource);
+        result.security.vulnerabilities.push(...vulnerabilities);
+    }
+    /**
+     * Secrets Management checks (4 checks)
+     * - Hardcoded secrets in ConfigMaps, secrets in env vars
+     */
+    analyzeSecretsManagement(resource, result) {
+        const vulnerabilities = (0, secrets_management_1.runSecretsManagementChecks)(resource);
+        result.security.vulnerabilities.push(...vulnerabilities);
+    }
+    /**
+     * Network Security checks (3 checks)
+     * - Missing network policies, unrestricted ingress, public services
+     */
+    analyzeNetworkSecurity(resource, result) {
+        const vulnerabilities = (0, network_security_1.runNetworkSecurityChecks)(resource);
+        result.security.vulnerabilities.push(...vulnerabilities);
+    }
+    /**
+     * Resource Management checks (3 checks)
+     * - Missing resource limits/requests, latest image tags
+     */
+    analyzeResourceManagement(resource, result) {
+        const vulnerabilities = (0, resource_management_1.runResourceManagementChecks)(resource);
+        result.security.vulnerabilities.push(...vulnerabilities);
+    }
+    /**
+     * Service Security checks (2 checks)
+     * - Missing liveness/readiness probes
+     */
+    analyzeServiceSecurity(resource, result) {
+        const vulnerabilities = (0, service_security_1.runServiceSecurityChecks)(resource);
+        result.security.vulnerabilities.push(...vulnerabilities);
+    }
+    /**
+     * PII Detection (12 patterns)
+     * Reuse existing PII patterns from Terraform/IaC
+     * Scan ConfigMaps, Secrets, environment variables
+     */
+    analyzePII(resources, result) {
+        for (const resource of resources) {
+            const piiVulnerabilities = (0, pii_detector_1.runKubernetesPIIChecks)(resource);
+            result.security.vulnerabilities.push(...piiVulnerabilities);
+        }
+    }
+    /**
+     * Calculate metrics for Kubernetes manifests
+     */
+    calculateMetrics(code, resources, result) {
+        const lines = code.split('\n');
+        result.metrics.lines = lines.length;
+        // Count resources as "functions" for metrics
+        result.metrics.functions = resources.length;
+        // Basic complexity based on number of resources
+        result.metrics.complexity = Math.max(1, resources.length);
+        result.metrics.maintainability = Math.max(50, 100 - resources.length * 2);
+    }
+    async validateSyntax(code) {
+        try {
+            if (!(0, parser_1.isKubernetesYAML)(code)) {
+                return false;
+            }
+            const resources = (0, parser_1.parseKubernetes)(code);
+            return resources.length > 0;
+        }
+        catch {
+            return false;
+        }
+    }
+    getLanguageInfo() {
+        return {
+            name: 'Kubernetes',
+            extensions: ['.yaml', '.yml'],
+            description: 'Kubernetes YAML manifest security scanning with 25 checks + PII detection',
+        };
+    }
+}
+exports.KubernetesAnalyzer = KubernetesAnalyzer;
+//# sourceMappingURL=kubernetes-analyzer.js.map