codeslick-cli 1.4.0 → 1.4.2

package/dist/src/lib/analyzers/kubernetes/checks/network-security.js

@@ -0,0 +1,184 @@
+"use strict";
+/**
+ * Kubernetes Network Security Checks
+ *
+ * WR3 Week 6: 3 High/Medium Severity Network Security Checks
+ * - Missing network policies
+ * - Unrestricted ingress
+ * - Public LoadBalancer services
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkMissingNetworkPolicies = checkMissingNetworkPolicies;
+exports.checkUnrestrictedIngress = checkUnrestrictedIngress;
+exports.checkPublicLoadBalancer = checkPublicLoadBalancer;
+exports.runNetworkSecurityChecks = runNetworkSecurityChecks;
+const parser_1 = require("../parser");
+/**
+ * Check #18: Missing Network Policies (Medium - CVSS 6.5)
+ * Detects namespaces without NetworkPolicy resources (context-sensitive)
+ * Note: This check flags pods that may not have network policies applied
+ */
+function checkMissingNetworkPolicies(resource) {
+    // This is a simplified check - in production, you'd cross-reference with actual NetworkPolicies
+    // For now, we'll just warn about services that might need network policies
+    if (resource.kind === 'Service') {
+        const spec = resource.spec;
+        const type = spec?.type || 'ClusterIP';
+        // Public-facing services should have network policies
+        if (['LoadBalancer', 'NodePort'].includes(type)) {
+            return {
+                severity: 'medium',
+                message: `Public service ${(0, parser_1.getResourceIdentifier)(resource)} may lack NetworkPolicy protection`,
+                suggestion: 'Create NetworkPolicy resources to restrict pod-to-pod and ingress/egress traffic. Implement zero-trust networking.',
+                category: 'kubernetes-missing-network-policy',
+                cvssScore: 6.5,
+                exploitLikelihood: 'medium',
+                impact: 'network-exposure',
+                owasp: 'A05:2021',
+                cwe: 'CWE-284',
+                attackVector: {
+                    description: 'Without NetworkPolicies, all pods can communicate freely, enabling lateral movement after initial compromise.',
+                    exploitExample: 'Attacker compromises web pod → No network segmentation → Accesses database pod directly → Exfiltrates data',
+                    realWorldImpact: [
+                        'Unrestricted pod-to-pod communication',
+                        'Lateral movement opportunities',
+                        'No network segmentation',
+                        'Flat network topology enables attacks',
+                    ],
+                },
+                remediation: {
+                    before: `# No NetworkPolicy defined\napiVersion: v1\nkind: Service\nmetadata:\n  name: public-api`,
+                    after: `apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: api-netpol\nspec:\n  podSelector:\n    matchLabels:\n      app: api\n  policyTypes:\n    - Ingress\n    - Egress\n  ingress:\n    - from:\n      - podSelector:\n          matchLabels:\n            role: frontend\n  egress:\n    - to:\n      - podSelector:\n          matchLabels:\n            role: database`,
+                    explanation: 'Define NetworkPolicy to explicitly allow only required traffic between pods. Default deny all, then whitelist specific connections.',
+                },
+            };
+        }
+    }
+    return null;
+}
+/**
+ * Check #19: Unrestricted Ingress (High - CVSS 7.5)
+ * Detects Ingress resources without authentication or IP whitelisting
+ */
+function checkUnrestrictedIngress(resource) {
+    if (resource.kind !== 'Ingress') {
+        return null;
+    }
+    const annotations = resource.metadata.annotations || {};
+    const spec = resource.spec;
+    // Check for authentication annotations (common ingress controller patterns)
+    const hasAuth = annotations['nginx.ingress.kubernetes.io/auth-type'] ||
+        annotations['nginx.ingress.kubernetes.io/whitelist-source-range'] ||
+        annotations['alb.ingress.kubernetes.io/auth-type'] ||
+        annotations['traefik.ingress.kubernetes.io/auth-type'] ||
+        annotations['cert-manager.io/cluster-issuer']; // TLS cert alone doesn't provide auth
+    // Check for IP whitelisting
+    const hasIPWhitelist = annotations['nginx.ingress.kubernetes.io/whitelist-source-range'] ||
+        annotations['alb.ingress.kubernetes.io/inbound-cidrs'];
+    // Check for TLS
+    const hasTLS = spec?.tls && Array.isArray(spec.tls) && spec.tls.length > 0;
+    const issues = [];
+    if (!hasAuth && !hasIPWhitelist) {
+        issues.push('no authentication');
+    }
+    if (!hasTLS) {
+        issues.push('no TLS');
+    }
+    if (issues.length > 0) {
+        return {
+            severity: 'high',
+            message: `Unrestricted ingress detected in ${(0, parser_1.getResourceIdentifier)(resource)}: ${issues.join(', ')}`,
+            suggestion: 'Add authentication (OAuth, basic auth), IP whitelisting, and TLS to ingress resources.',
+            category: 'kubernetes-unrestricted-ingress',
+            cvssScore: 7.5,
+            exploitLikelihood: 'high',
+            impact: 'unauthorized-access',
+            owasp: 'A07:2021',
+            cwe: 'CWE-306',
+            attackVector: {
+                description: 'Unrestricted ingress exposes internal services to the internet without authentication or encryption.',
+                exploitExample: 'Public ingress with no auth → Attacker discovers endpoint → Direct access to internal service → Data breach',
+                realWorldImpact: [
+                    'Unauthenticated public access',
+                    'Exposure of internal services',
+                    'No transport encryption (if no TLS)',
+                    'Man-in-the-middle attacks',
+                ],
+            },
+            remediation: {
+                before: `apiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: public-api\nspec:\n  rules:\n    - host: api.example.com`,
+                after: `apiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: public-api\n  annotations:\n    nginx.ingress.kubernetes.io/auth-type: basic\n    nginx.ingress.kubernetes.io/auth-secret: basic-auth\n    cert-manager.io/cluster-issuer: letsencrypt-prod\nspec:\n  tls:\n    - hosts:\n      - api.example.com\n      secretName: api-tls\n  rules:\n    - host: api.example.com`,
+                explanation: 'Add authentication (OAuth2, basic auth), TLS certificates, and optionally IP whitelisting for sensitive endpoints.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #20: Public LoadBalancer Services (Medium - CVSS 6.0)
+ * Detects LoadBalancer services without source IP restrictions
+ */
+function checkPublicLoadBalancer(resource) {
+    if (resource.kind !== 'Service') {
+        return null;
+    }
+    const spec = resource.spec;
+    const type = spec?.type;
+    if (type !== 'LoadBalancer') {
+        return null;
+    }
+    // Check for loadBalancerSourceRanges (IP whitelisting)
+    const sourceRanges = spec?.loadBalancerSourceRanges || [];
+    const hasIPRestrictions = sourceRanges.length > 0;
+    // Check for internal load balancer annotations (cloud-specific)
+    const annotations = resource.metadata.annotations || {};
+    const isInternal = annotations['service.beta.kubernetes.io/aws-load-balancer-internal'] === 'true' ||
+        annotations['cloud.google.com/load-balancer-type'] === 'Internal' ||
+        annotations['service.beta.kubernetes.io/azure-load-balancer-internal'] === 'true';
+    if (!hasIPRestrictions && !isInternal) {
+        return {
+            severity: 'medium',
+            message: `Public LoadBalancer service ${(0, parser_1.getResourceIdentifier)(resource)} without IP restrictions`,
+            suggestion: 'Add loadBalancerSourceRanges to restrict access or use internal load balancer annotations.',
+            category: 'kubernetes-public-loadbalancer',
+            cvssScore: 6.0,
+            exploitLikelihood: 'medium',
+            impact: 'network-exposure',
+            owasp: 'A05:2021',
+            cwe: 'CWE-284',
+            attackVector: {
+                description: 'Public LoadBalancers without IP restrictions expose services to the entire internet.',
+                exploitExample: 'LoadBalancer with public IP → No source IP filtering → Attacker scans and finds service → Exploits application vulnerabilities',
+                realWorldImpact: [
+                    'Service exposed to entire internet',
+                    'No IP-based access control',
+                    'Increased attack surface',
+                    'DDoS attack target',
+                ],
+            },
+            remediation: {
+                before: `apiVersion: v1\nkind: Service\nmetadata:\n  name: web-service\nspec:\n  type: LoadBalancer\n  ports:\n    - port: 80`,
+                after: `apiVersion: v1\nkind: Service\nmetadata:\n  name: web-service\n  annotations:\n    # Option 1: Make it internal (recommended for most services)\n    service.beta.kubernetes.io/aws-load-balancer-internal: "true"\nspec:\n  type: LoadBalancer\n  # Option 2: Restrict source IPs if public access needed\n  loadBalancerSourceRanges:\n    - "203.0.113.0/24"  # Your office IP range\n  ports:\n    - port: 80`,
+                explanation: 'Use internal load balancers for internal services, or add loadBalancerSourceRanges to whitelist specific IP ranges.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Run all network security checks on a resource
+ */
+function runNetworkSecurityChecks(resource) {
+    const vulnerabilities = [];
+    const checks = [checkMissingNetworkPolicies, checkUnrestrictedIngress, checkPublicLoadBalancer];
+    for (const check of checks) {
+        const vuln = check(resource);
+        if (vuln) {
+            vulnerabilities.push(vuln);
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=network-security.js.map

package/dist/src/lib/analyzers/kubernetes/checks/network-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/network-security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAWH,kEAyCC;AAMD,4DA8DC;AAMD,0DAqDC;AAKD,4DAaC;AAjMD,sCAAkD;AAElD;;;;GAIG;AACH,SAAgB,2BAA2B,CACzC,QAA4B;IAE5B,gGAAgG;IAChG,2EAA2E;IAC3E,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAW,CAAC;QAClC,MAAM,IAAI,GAAG,IAAI,EAAE,IAAI,IAAI,WAAW,CAAC;QAEvC,sDAAsD;QACtD,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,OAAO;gBACL,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,kBAAkB,IAAA,8BAAqB,EAAC,QAAQ,CAAC,oCAAoC;gBAC9F,UAAU,EAAE,oHAAoH;gBAChI,QAAQ,EAAE,mCAAmC;gBAC7C,SAAS,EAAE,GAAG;gBACd,iBAAiB,EAAE,QAAQ;gBAC3B,MAAM,EAAE,kBAAkB;gBAC1B,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,YAAY,EAAE;oBACZ,WAAW,EAAE,+GAA+G;oBAC5H,cAAc,EAAE,4GAA4G;oBAC5H,eAAe,EAAE;wBACf,uCAAuC;wBACvC,gCAAgC;wBAChC,yBAAyB;wBACzB,uCAAuC;qBACxC;iBACF;gBACD,WAAW,EAAE;oBACX,MAAM,EAAE,0FAA0F;oBAClG,KAAK,EAAE,+XAA+X;oBACtY,WAAW,EAAE,qIAAqI;iBACnJ;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CAAC,QAA4B;IACnE,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAW,CAAC;IAElC,4EAA4E;IAC5E,MAAM,OAAO,GACX,WAAW,CAAC,uCAAuC,CAAC;QACpD,WAAW,CAAC,oDAAoD,CAAC;QACjE,WAAW,CAAC,qCAAqC,CAAC;QAClD,WAAW,CAAC,yCAAyC,CAAC;QACtD,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC,sCAAsC;IAEvF,4BAA4B;IAC5B,MAAM,cAAc,GAClB,WAAW,CAAC,oDAAoD,CAAC;QACjE,WAAW,CAAC,yCAAyC,CAAC,CAAC;IAEzD,gBAAgB;IAChB,MAAM,MAAM,GAAG,IAAI,EAAE,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAE3E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO,IAAI,CAAC,cAAc,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxB,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,oCAAoC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpG,UAAU,EAAE,wFAAwF;YACpG,QAAQ,EAAE,iCAAiC;YAC3C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,qBAAqB;YAC7B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,sGAAsG;gBACnH,cAAc,EAAE,6GAA6G;gBAC7H,eAAe,EAAE;oBACf,+BAA+B;oBAC/B,+BAA+B;oBAC/B,qCAAqC;oBACrC,2BAA2B;iBAC5B;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,8HAA8H;gBACtI,KAAK,EAAE,yXAAyX;gBAChY,WAAW,EAAE,oHAAoH;aAClI;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,uBAAuB,CAAC,QAA4B;IAClE,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAW,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,EAAE,IAAI,CAAC;IAExB,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uDAAuD;IACvD,MAAM,YAAY,GAAG,IAAI,EAAE,wBAAwB,IAAI,EAAE,CAAC;IAC1D,MAAM,iBAAiB,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;IAElD,gEAAgE;IAChE,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC;IACxD,MAAM,UAAU,GACd,WAAW,CAAC,uDAAuD,CAAC,KAAK,MAAM;QAC/E,WAAW,CAAC,qCAAqC,CAAC,KAAK,UAAU;QACjE,WAAW,CAAC,yDAAyD,CAAC,KAAK,MAAM,CAAC;IAEpF,IAAI,CAAC,iBAAiB,IAAI,CAAC,UAAU,EAAE,CAAC;QACtC,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,+BAA+B,IAAA,8BAAqB,EAAC,QAAQ,CAAC,0BAA0B;YACjG,UAAU,EAAE,4FAA4F;YACxG,QAAQ,EAAE,gCAAgC;YAC1C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,kBAAkB;YAC1B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,sFAAsF;gBACnG,cAAc,EAAE,gIAAgI;gBAChJ,eAAe,EAAE;oBACf,oCAAoC;oBACpC,4BAA4B;oBAC5B,0BAA0B;oBAC1B,oBAAoB;iBACrB;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,sHAAsH;gBAC9H,KAAK,EAAE,mZAAmZ;gBAC1Z,WAAW,EAAE,qHAAqH;aACnI;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CAAC,QAA4B;IACnE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,MAAM,MAAM,GAAG,CAAC,2BAA2B,EAAE,wBAAwB,EAAE,uBAAuB,CAAC,CAAC;IAEhG,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/checks/pod-security.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Kubernetes Pod Security Checks
+ *
+ * WR3 Week 6: 8 Critical/High Severity Pod Security Checks
+ * - Privileged containers
+ * - Host namespace access (network, PID, IPC)
+ * - Root user containers
+ * - Writable root filesystem
+ * - Dangerous capabilities
+ * - Host path volumes
+ *
+ * Created: February 5, 2026
+ */
+import { SecurityVulnerability } from '../../types';
+import type { KubernetesResource } from '../types';
+/**
+ * Check #1: Privileged Containers (Critical - CVSS 9.0)
+ * Detects containers running with privileged: true
+ */
+export declare function checkPrivilegedContainers(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #2: Host Network Access (Critical - CVSS 9.0)
+ * Detects pods using hostNetwork: true
+ */
+export declare function checkHostNetwork(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #3: Host PID Namespace (Critical - CVSS 9.0)
+ * Detects pods using hostPID: true
+ */
+export declare function checkHostPID(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #4: Host IPC Namespace (Critical - CVSS 9.0)
+ * Detects pods using hostIPC: true
+ */
+export declare function checkHostIPC(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #5: Root User Containers (High - CVSS 8.0)
+ * Detects containers running as root (runAsNonRoot not set)
+ */
+export declare function checkRootUser(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #6: Writable Root Filesystem (Medium - CVSS 6.0)
+ * Detects containers without readOnlyRootFilesystem
+ */
+export declare function checkWritableRootFilesystem(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #7: Dangerous Capabilities (High - CVSS 8.5)
+ * Detects containers with dangerous Linux capabilities
+ */
+export declare function checkDangerousCapabilities(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #8: Host Path Volumes (High - CVSS 7.5)
+ * Detects pods mounting host filesystem paths
+ */
+export declare function checkHostPathVolumes(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Run all pod security checks on a resource
+ */
+export declare function runPodSecurityChecks(resource: KubernetesResource): SecurityVulnerability[];
+//# sourceMappingURL=pod-security.d.ts.map

package/dist/src/lib/analyzers/kubernetes/checks/pod-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pod-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/pod-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,kBAAkB,EAAuC,MAAM,UAAU,CAAC;AAIxF;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CA+CpG;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAkC3F;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAkCvF;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAkCvF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CA0DxF;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CA8CtG;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAqDrG;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CA8C/F;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAsB1F"}

package/dist/src/lib/analyzers/kubernetes/checks/pod-security.js

@@ -0,0 +1,418 @@
+"use strict";
+/**
+ * Kubernetes Pod Security Checks
+ *
+ * WR3 Week 6: 8 Critical/High Severity Pod Security Checks
+ * - Privileged containers
+ * - Host namespace access (network, PID, IPC)
+ * - Root user containers
+ * - Writable root filesystem
+ * - Dangerous capabilities
+ * - Host path volumes
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkPrivilegedContainers = checkPrivilegedContainers;
+exports.checkHostNetwork = checkHostNetwork;
+exports.checkHostPID = checkHostPID;
+exports.checkHostIPC = checkHostIPC;
+exports.checkRootUser = checkRootUser;
+exports.checkWritableRootFilesystem = checkWritableRootFilesystem;
+exports.checkDangerousCapabilities = checkDangerousCapabilities;
+exports.checkHostPathVolumes = checkHostPathVolumes;
+exports.runPodSecurityChecks = runPodSecurityChecks;
+const parser_1 = require("../parser");
+const types_1 = require("../types");
+/**
+ * Check #1: Privileged Containers (Critical - CVSS 9.0)
+ * Detects containers running with privileged: true
+ */
+function checkPrivilegedContainers(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const privilegedContainers = [];
+    const containers = [
+        ...(podSpec.containers || []),
+        ...(podSpec.initContainers || []),
+    ];
+    for (const container of containers) {
+        if (container.securityContext?.privileged === true) {
+            privilegedContainers.push(container.name);
+        }
+    }
+    if (privilegedContainers.length > 0) {
+        return {
+            severity: 'critical',
+            message: `Privileged container detected: ${privilegedContainers.join(', ')} in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Remove privileged: true from securityContext. Privileged containers have unrestricted access to host resources.',
+            category: 'kubernetes-privileged-container',
+            cvssScore: 9.0,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Privileged containers can bypass all security restrictions and access host kernel features',
+                exploitExample: 'Attacker gains container access → Escalates to host root via privileged mode → Full cluster compromise',
+                realWorldImpact: [
+                    'Complete host system compromise',
+                    'Kernel module loading',
+                    'Access to all host devices',
+                    'Container breakout to host',
+                ],
+            },
+            remediation: {
+                before: 'securityContext:\n  privileged: true',
+                after: 'securityContext:\n  privileged: false\n  # Or remove this line entirely',
+                explanation: 'Run containers without privileged mode. Use specific capabilities instead if needed.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #2: Host Network Access (Critical - CVSS 9.0)
+ * Detects pods using hostNetwork: true
+ */
+function checkHostNetwork(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    if (podSpec.hostNetwork === true) {
+        return {
+            severity: 'critical',
+            message: `Host network access enabled in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Remove hostNetwork: true. Pods using host network can intercept and manipulate all network traffic.',
+            category: 'kubernetes-host-network',
+            cvssScore: 9.0,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Pods with hostNetwork access can sniff traffic, bind to privileged ports, and bypass network policies',
+                exploitExample: 'Attacker compromises pod → Binds to port 22 → Intercepts SSH traffic → Steals credentials',
+                realWorldImpact: [
+                    'Network traffic interception',
+                    'Bypass network policies',
+                    'Access to host services (kubelet API)',
+                    'Privileged port binding (< 1024)',
+                ],
+            },
+            remediation: {
+                before: 'spec:\n  hostNetwork: true',
+                after: 'spec:\n  # Remove hostNetwork or set to false\n  hostNetwork: false',
+                explanation: 'Use standard pod networking with Services for connectivity.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #3: Host PID Namespace (Critical - CVSS 9.0)
+ * Detects pods using hostPID: true
+ */
+function checkHostPID(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    if (podSpec.hostPID === true) {
+        return {
+            severity: 'critical',
+            message: `Host PID namespace enabled in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Remove hostPID: true. Pods can see and interact with all host processes.',
+            category: 'kubernetes-host-pid',
+            cvssScore: 9.0,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Pods with hostPID can view all host processes, kill critical services, or inject into host processes',
+                exploitExample: 'Attacker accesses pod → Views host processes (ps aux) → Kills kubelet → Node becomes unavailable',
+                realWorldImpact: [
+                    'View all host processes',
+                    'Kill critical system processes',
+                    'Process injection attacks',
+                    'Denial of service',
+                ],
+            },
+            remediation: {
+                before: 'spec:\n  hostPID: true',
+                after: 'spec:\n  # Remove hostPID or set to false\n  hostPID: false',
+                explanation: 'Use isolated PID namespaces for process separation.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #4: Host IPC Namespace (Critical - CVSS 9.0)
+ * Detects pods using hostIPC: true
+ */
+function checkHostIPC(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    if (podSpec.hostIPC === true) {
+        return {
+            severity: 'critical',
+            message: `Host IPC namespace enabled in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Remove hostIPC: true. Pods can access host inter-process communication.',
+            category: 'kubernetes-host-ipc',
+            cvssScore: 9.0,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Pods with hostIPC can access shared memory, semaphores, and message queues on the host',
+                exploitExample: 'Attacker accesses pod → Reads shared memory → Extracts sensitive data from host processes',
+                realWorldImpact: [
+                    'Access to shared memory segments',
+                    'Semaphore manipulation',
+                    'Message queue interception',
+                    'Data exfiltration from host',
+                ],
+            },
+            remediation: {
+                before: 'spec:\n  hostIPC: true',
+                after: 'spec:\n  # Remove hostIPC or set to false\n  hostIPC: false',
+                explanation: 'Use standard IPC mechanisms within pod namespace.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #5: Root User Containers (High - CVSS 8.0)
+ * Detects containers running as root (runAsNonRoot not set)
+ */
+function checkRootUser(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const rootContainers = [];
+    const containers = [
+        ...(podSpec.containers || []),
+        ...(podSpec.initContainers || []),
+    ];
+    for (const container of containers) {
+        const containerSC = container.securityContext;
+        const podSC = podSpec.securityContext;
+        // Check if runAsNonRoot is explicitly set to true at either level
+        const containerEnforcesNonRoot = containerSC?.runAsNonRoot === true;
+        const podEnforcesNonRoot = podSC?.runAsNonRoot === true;
+        // If neither enforces non-root, container might run as root
+        if (!containerEnforcesNonRoot && !podEnforcesNonRoot) {
+            // Additionally check if runAsUser is set to non-zero
+            const runAsUser = containerSC?.runAsUser ?? podSC?.runAsUser;
+            if (runAsUser === undefined || runAsUser === 0) {
+                rootContainers.push(container.name);
+            }
+        }
+    }
+    if (rootContainers.length > 0) {
+        return {
+            severity: 'high',
+            message: `Containers may run as root user: ${rootContainers.join(', ')} in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Set securityContext.runAsNonRoot: true or specify runAsUser > 0 to prevent root execution.',
+            category: 'kubernetes-root-user',
+            cvssScore: 8.0,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Containers running as root have elevated privileges that can be exploited for container breakout',
+                exploitExample: 'Attacker exploits vulnerability in root container → Mounts host filesystem → Gains host access',
+                realWorldImpact: [
+                    'Increased blast radius of vulnerabilities',
+                    'Potential container escape',
+                    'File system modifications',
+                    'Process privilege escalation',
+                ],
+            },
+            remediation: {
+                before: 'securityContext: {}',
+                after: 'securityContext:\n  runAsNonRoot: true\n  runAsUser: 1000\n  runAsGroup: 1000',
+                explanation: 'Always run containers as non-root users for defense in depth.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #6: Writable Root Filesystem (Medium - CVSS 6.0)
+ * Detects containers without readOnlyRootFilesystem
+ */
+function checkWritableRootFilesystem(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const writableContainers = [];
+    const containers = [
+        ...(podSpec.containers || []),
+        ...(podSpec.initContainers || []),
+    ];
+    for (const container of containers) {
+        if (container.securityContext?.readOnlyRootFilesystem !== true) {
+            writableContainers.push(container.name);
+        }
+    }
+    if (writableContainers.length > 0) {
+        return {
+            severity: 'medium',
+            message: `Writable root filesystem in containers: ${writableContainers.join(', ')} in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Set securityContext.readOnlyRootFilesystem: true and use volume mounts for writable directories.',
+            category: 'kubernetes-writable-root-fs',
+            cvssScore: 6.0,
+            exploitLikelihood: 'medium',
+            impact: 'info-disclosure',
+            owasp: 'A05:2021',
+            cwe: 'CWE-732',
+            attackVector: {
+                description: 'Writable filesystems allow attackers to modify binaries, install backdoors, or persist malware',
+                exploitExample: 'Attacker gains access → Modifies /bin/bash → Creates backdoor → Persists after restart',
+                realWorldImpact: [
+                    'Malware persistence',
+                    'Binary modification',
+                    'Log tampering',
+                    'Backdoor installation',
+                ],
+            },
+            remediation: {
+                before: 'securityContext: {}',
+                after: 'securityContext:\n  readOnlyRootFilesystem: true\nvolumeMounts:\n  - name: tmp\n    mountPath: /tmp',
+                explanation: 'Use read-only root filesystem with explicit volume mounts for directories that need writes (e.g., /tmp).',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #7: Dangerous Capabilities (High - CVSS 8.5)
+ * Detects containers with dangerous Linux capabilities
+ */
+function checkDangerousCapabilities(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const dangerousContainers = [];
+    const containers = [
+        ...(podSpec.containers || []),
+        ...(podSpec.initContainers || []),
+    ];
+    for (const container of containers) {
+        const addedCaps = container.securityContext?.capabilities?.add || [];
+        const dangerous = addedCaps.filter((cap) => types_1.DANGEROUS_CAPABILITIES.includes(cap));
+        if (dangerous.length > 0) {
+            dangerousContainers.push({ name: container.name, capabilities: dangerous });
+        }
+    }
+    if (dangerousContainers.length > 0) {
+        const details = dangerousContainers
+            .map(c => `${c.name} (${c.capabilities.join(', ')})`)
+            .join('; ');
+        return {
+            severity: 'high',
+            message: `Dangerous capabilities detected in ${(0, parser_1.getResourceIdentifier)(resource)}: ${details}`,
+            suggestion: 'Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_MODULE. Use minimal capabilities required.',
+            category: 'kubernetes-dangerous-capabilities',
+            cvssScore: 8.5,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Dangerous capabilities grant kernel-level privileges that can be exploited for container breakout',
+                exploitExample: 'Container with SYS_ADMIN → Mounts host filesystem → Full host compromise',
+                realWorldImpact: [
+                    'Kernel module loading (SYS_MODULE)',
+                    'Network packet manipulation (NET_ADMIN)',
+                    'Device access (SYS_RAWIO)',
+                    'System administration (SYS_ADMIN)',
+                ],
+            },
+            remediation: {
+                before: 'capabilities:\n  add:\n    - SYS_ADMIN\n    - NET_ADMIN',
+                after: 'capabilities:\n  drop:\n    - ALL\n  add:\n    - NET_BIND_SERVICE  # Only if needed',
+                explanation: 'Drop all capabilities by default, then add only the minimum required specific capabilities.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #8: Host Path Volumes (High - CVSS 7.5)
+ * Detects pods mounting host filesystem paths
+ */
+function checkHostPathVolumes(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const hostPathVolumes = [];
+    if (podSpec.volumes) {
+        for (const volume of podSpec.volumes) {
+            if (volume.hostPath) {
+                hostPathVolumes.push({ name: volume.name, path: volume.hostPath.path });
+            }
+        }
+    }
+    if (hostPathVolumes.length > 0) {
+        const details = hostPathVolumes.map(v => `${v.name} (${v.path})`).join(', ');
+        return {
+            severity: 'high',
+            message: `Host path volumes detected in ${(0, parser_1.getResourceIdentifier)(resource)}: ${details}`,
+            suggestion: 'Avoid hostPath volumes. Use PersistentVolumes, ConfigMaps, or Secrets instead.',
+            category: 'kubernetes-host-path-volume',
+            cvssScore: 7.5,
+            exploitLikelihood: 'high',
+            impact: 'data-breach',
+            owasp: 'A01:2021',
+            cwe: 'CWE-552',
+            attackVector: {
+                description: 'HostPath volumes expose host filesystem to containers, enabling data theft and modification',
+                exploitExample: 'Container mounts /etc → Modifies /etc/shadow → Creates backdoor user on host',
+                realWorldImpact: [
+                    'Host filesystem access',
+                    'Sensitive file exposure (/etc/shadow, SSH keys)',
+                    'Host file modification',
+                    'Credential theft',
+                ],
+            },
+            remediation: {
+                before: 'volumes:\n  - name: hostfs\n    hostPath:\n      path: /var/lib/docker',
+                after: 'volumes:\n  - name: data\n    persistentVolumeClaim:\n      claimName: my-pvc',
+                explanation: 'Use PersistentVolumeClaims for storage instead of mounting host paths directly.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Run all pod security checks on a resource
+ */
+function runPodSecurityChecks(resource) {
+    const vulnerabilities = [];
+    const checks = [
+        checkPrivilegedContainers,
+        checkHostNetwork,
+        checkHostPID,
+        checkHostIPC,
+        checkRootUser,
+        checkWritableRootFilesystem,
+        checkDangerousCapabilities,
+        checkHostPathVolumes,
+    ];
+    for (const check of checks) {
+        const vuln = check(resource);
+        if (vuln) {
+            vulnerabilities.push(vuln);
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=pod-security.js.map