npm - codeslick-cli - Versions diffs - 1.4.0 → 1.4.2 - Mend

codeslick-cli 1.4.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/dist/src/lib/analyzers/kubernetes/checks/pod-security.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pod-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/pod-security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AAWH,8DA+CC;AAMD,4CAkCC;AAMD,oCAkCC;AAMD,oCAkCC;AAMD,sCA0DC;AAMD,kEA8CC;AAMD,gEAqDC;AAMD,oDA8CC;AAKD,oDAsBC;AA5aD,sCAA8D;AAC9D,oCAAkD;AAElD;;;GAGG;AACH,SAAgB,yBAAyB,CAAC,QAA4B;IACpE,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,oBAAoB,GAAa,EAAE,CAAC;IAE1C,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;KAClC,CAAC;IAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,SAAS,CAAC,eAAe,EAAE,UAAU,KAAK,IAAI,EAAE,CAAC;YACnD,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,kCAAkC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YAClH,UAAU,EAAE,iHAAiH;YAC7H,QAAQ,EAAE,iCAAiC;YAC3C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,4FAA4F;gBACzG,cAAc,EAAE,wGAAwG;gBACxH,eAAe,EAAE;oBACf,iCAAiC;oBACjC,uBAAuB;oBACvB,4BAA4B;oBAC5B,4BAA4B;iBAC7B;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,sCAAsC;gBAC9C,KAAK,EAAE,yEAAyE;gBAChF,WAAW,EAAE,sFAAsF;aACpG;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,QAA4B;IAC3D,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,OAAO,CAAC,WAAW,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,kCAAkC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YAC5E,UAAU,EAAE,qGAAqG;YACjH,QAAQ,EAAE,yBAAyB;YACnC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,uGAAuG;gBACpH,cAAc,EAAE,2FAA2F;gBAC3G,eAAe,EAAE;oBACf,8BAA8B;oBAC9B,yBAAyB;oBACzB,uCAAuC;oBACvC,kCAAkC;iBACnC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,4BAA4B;gBACpC,KAAK,EAAE,qEAAqE;gBAC5E,WAAW,EAAE,6DAA6D;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,QAA4B;IACvD,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,iCAAiC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YAC3E,UAAU,EAAE,0EAA0E;YACtF,QAAQ,EAAE,qBAAqB;YAC/B,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,sGAAsG;gBACnH,cAAc,EAAE,kGAAkG;gBAClH,eAAe,EAAE;oBACf,yBAAyB;oBACzB,gCAAgC;oBAChC,2BAA2B;oBAC3B,mBAAmB;iBACpB;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,wBAAwB;gBAChC,KAAK,EAAE,6DAA6D;gBACpE,WAAW,EAAE,qDAAqD;aACnE;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,QAA4B;IACvD,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,iCAAiC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YAC3E,UAAU,EAAE,yEAAyE;YACrF,QAAQ,EAAE,qBAAqB;YAC/B,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,wFAAwF;gBACrG,cAAc,EAAE,2FAA2F;gBAC3G,eAAe,EAAE;oBACf,kCAAkC;oBAClC,wBAAwB;oBACxB,4BAA4B;oBAC5B,6BAA6B;iBAC9B;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,wBAAwB;gBAChC,KAAK,EAAE,6DAA6D;gBACpE,WAAW,EAAE,mDAAmD;aACjE;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,QAA4B;IACxD,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;KAClC,CAAC;IAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,SAAS,CAAC,eAAe,CAAC;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,CAAC;QAEtC,kEAAkE;QAClE,MAAM,wBAAwB,GAAG,WAAW,EAAE,YAAY,KAAK,IAAI,CAAC;QACpE,MAAM,kBAAkB,GAAG,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;QAExD,4DAA4D;QAC5D,IAAI,CAAC,wBAAwB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACrD,qDAAqD;YACrD,MAAM,SAAS,GAAG,WAAW,EAAE,SAAS,IAAI,KAAK,EAAE,SAAS,CAAC;YAC7D,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBAC/C,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,oCAAoC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YAC9G,UAAU,EAAE,4FAA4F;YACxG,QAAQ,EAAE,sBAAsB;YAChC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,kGAAkG;gBAC/G,cAAc,EAAE,gGAAgG;gBAChH,eAAe,EAAE;oBACf,2CAA2C;oBAC3C,4BAA4B;oBAC5B,2BAA2B;oBAC3B,8BAA8B;iBAC/B;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,qBAAqB;gBAC7B,KAAK,EAAE,+EAA+E;gBACtF,WAAW,EAAE,+DAA+D;aAC7E;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,2BAA2B,CAAC,QAA4B;IACtE,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,kBAAkB,GAAa,EAAE,CAAC;IACxC,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;KAClC,CAAC;IAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,SAAS,CAAC,eAAe,EAAE,sBAAsB,KAAK,IAAI,EAAE,CAAC;YAC/D,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,2CAA2C,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YACzH,UAAU,EAAE,kGAAkG;YAC9G,QAAQ,EAAE,6BAA6B;YACvC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,iBAAiB;YACzB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,gGAAgG;gBAC7G,cAAc,EAAE,wFAAwF;gBACxG,eAAe,EAAE;oBACf,qBAAqB;oBACrB,qBAAqB;oBACrB,eAAe;oBACf,uBAAuB;iBACxB;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,qBAAqB;gBAC7B,KAAK,EAAE,qGAAqG;gBAC5G,WAAW,EAAE,0GAA0G;aACxH;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,QAA4B;IACrE,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,mBAAmB,GAAoD,EAAE,CAAC;IAChF,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;KAClC,CAAC;IAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,SAAS,GAAG,SAAS,CAAC,eAAe,EAAE,YAAY,EAAE,GAAG,IAAI,EAAE,CAAC;QACrE,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,8BAAsB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;QAE1F,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,mBAAmB,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,mBAAmB;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;aACpD,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,sCAAsC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,OAAO,EAAE;YAC5F,UAAU,EAAE,yGAAyG;YACrH,QAAQ,EAAE,mCAAmC;YAC7C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,mGAAmG;gBAChH,cAAc,EAAE,0EAA0E;gBAC1F,eAAe,EAAE;oBACf,oCAAoC;oBACpC,yCAAyC;oBACzC,2BAA2B;oBAC3B,mCAAmC;iBACpC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,yDAAyD;gBACjE,KAAK,EAAE,qFAAqF;gBAC5F,WAAW,EAAE,6FAA6F;aAC3G;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,QAA4B;IAC/D,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,eAAe,GAA0C,EAAE,CAAC;IAElE,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACrC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE7E,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,iCAAiC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,OAAO,EAAE;YACvF,UAAU,EAAE,gFAAgF;YAC5F,QAAQ,EAAE,6BAA6B;YACvC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,aAAa;YACrB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,6FAA6F;gBAC1G,cAAc,EAAE,8EAA8E;gBAC9F,eAAe,EAAE;oBACf,wBAAwB;oBACxB,iDAAiD;oBACjD,wBAAwB;oBACxB,kBAAkB;iBACnB;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,wEAAwE;gBAChF,KAAK,EAAE,+EAA+E;gBACtF,WAAW,EAAE,iFAAiF;aAC/F;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,QAA4B;IAC/D,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,MAAM,MAAM,GAAG;QACb,yBAAyB;QACzB,gBAAgB;QAChB,YAAY;QACZ,YAAY;QACZ,aAAa;QACb,2BAA2B;QAC3B,0BAA0B;QAC1B,oBAAoB;KACrB,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/checks/rbac-security.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Kubernetes RBAC Security Checks
+ *
+ * WR3 Week 6: 5 Critical/High/Medium Severity RBAC Security Checks
+ * - Cluster-admin bindings
+ * - Wildcard rules
+ * - Overly permissive roles
+ * - ServiceAccount token automount
+ * - Default ServiceAccount usage
+ *
+ * Created: February 5, 2026
+ */
+import { SecurityVulnerability } from '../../types';
+import type { KubernetesResource } from '../types';
+/**
+ * Check #9: Cluster-Admin Bindings (Critical - CVSS 9.5)
+ * Detects RoleBindings/ClusterRoleBindings that grant cluster-admin role
+ */
+export declare function checkClusterAdminBindings(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #10: Wildcard RBAC Rules (High - CVSS 8.5)
+ * Detects roles with wildcard (*) permissions on resources or verbs
+ */
+export declare function checkWildcardRules(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #11: Overly Permissive Roles (High - CVSS 8.0)
+ * Detects roles with dangerous verbs on sensitive resources
+ */
+export declare function checkOverlyPermissiveRoles(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #12: ServiceAccount Token Automount (Medium - CVSS 6.5)
+ * Detects pods with automountServiceAccountToken not disabled
+ */
+export declare function checkServiceAccountTokenAutomount(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #13: Default ServiceAccount Usage (Medium - CVSS 6.0)
+ * Detects pods using the default service account
+ */
+export declare function checkDefaultServiceAccount(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Run all RBAC security checks on a resource
+ */
+export declare function runRBACSecurityChecks(resource: KubernetesResource): SecurityVulnerability[];
+//# sourceMappingURL=rbac-security.d.ts.map

package/dist/src/lib/analyzers/kubernetes/checks/rbac-security.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/rbac-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,kBAAkB,EAAY,MAAM,UAAU,CAAC;AAI7D;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CA0CpG;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAqD7F;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAwDrG;AAED;;;GAGG;AACH,wBAAgB,iCAAiC,CAC/C,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CAmC9B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAqCrG;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAmB3F"}

package/dist/src/lib/analyzers/kubernetes/checks/rbac-security.js ADDED Viewed

@@ -0,0 +1,275 @@
+"use strict";
+/**
+ * Kubernetes RBAC Security Checks
+ *
+ * WR3 Week 6: 5 Critical/High/Medium Severity RBAC Security Checks
+ * - Cluster-admin bindings
+ * - Wildcard rules
+ * - Overly permissive roles
+ * - ServiceAccount token automount
+ * - Default ServiceAccount usage
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkClusterAdminBindings = checkClusterAdminBindings;
+exports.checkWildcardRules = checkWildcardRules;
+exports.checkOverlyPermissiveRoles = checkOverlyPermissiveRoles;
+exports.checkServiceAccountTokenAutomount = checkServiceAccountTokenAutomount;
+exports.checkDefaultServiceAccount = checkDefaultServiceAccount;
+exports.runRBACSecurityChecks = runRBACSecurityChecks;
+const parser_1 = require("../parser");
+const types_1 = require("../types");
+/**
+ * Check #9: Cluster-Admin Bindings (Critical - CVSS 9.5)
+ * Detects RoleBindings/ClusterRoleBindings that grant cluster-admin role
+ */
+function checkClusterAdminBindings(resource) {
+    if (!['RoleBinding', 'ClusterRoleBinding'].includes(resource.kind)) {
+        return null;
+    }
+    const roleRef = resource.roleRef;
+    if (!roleRef)
+        return null;
+    // Check if binding references cluster-admin role
+    if (roleRef.name === 'cluster-admin' || roleRef.name.includes('cluster-admin')) {
+        const subjects = resource.subjects || [];
+        const subjectNames = subjects.map(s => `${s.kind}:${s.name}`).join(', ');
+        return {
+            severity: 'critical',
+            message: `Cluster-admin role binding detected in ${(0, parser_1.getResourceIdentifier)(resource)} for subjects: ${subjectNames}`,
+            suggestion: 'Avoid binding cluster-admin role. Use least-privilege principle with specific roles that grant only required permissions.',
+            category: 'kubernetes-cluster-admin-binding',
+            cvssScore: 9.5,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Cluster-admin grants full cluster control. If compromised, attacker has unlimited access to all resources.',
+                exploitExample: 'Attacker compromises service account → Has cluster-admin → Accesses all secrets → Full cluster takeover',
+                realWorldImpact: [
+                    'Complete cluster compromise',
+                    'Access to all secrets and sensitive data',
+                    'Ability to create/delete any resource',
+                    'Node-level access via pod exec',
+                ],
+            },
+            remediation: {
+                before: `roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin`,
+                after: `roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: app-specific-role  # Create custom role with minimal permissions`,
+                explanation: 'Create a custom Role with only the specific permissions needed (e.g., get/list pods in specific namespace).',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #10: Wildcard RBAC Rules (High - CVSS 8.5)
+ * Detects roles with wildcard (*) permissions on resources or verbs
+ */
+function checkWildcardRules(resource) {
+    if (!['Role', 'ClusterRole'].includes(resource.kind)) {
+        return null;
+    }
+    const rules = resource.rules || [];
+    const wildcardRules = [];
+    for (let i = 0; i < rules.length; i++) {
+        const rule = rules[i];
+        const hasWildcardVerbs = rule.verbs.includes('*');
+        const hasWildcardResources = rule.resources?.includes('*');
+        const hasWildcardApiGroups = rule.apiGroups?.includes('*');
+        if (hasWildcardVerbs || hasWildcardResources || hasWildcardApiGroups) {
+            const details = [];
+            if (hasWildcardVerbs)
+                details.push('verbs: *');
+            if (hasWildcardResources)
+                details.push('resources: *');
+            if (hasWildcardApiGroups)
+                details.push('apiGroups: *');
+            wildcardRules.push(`Rule ${i + 1} (${details.join(', ')})`);
+        }
+    }
+    if (wildcardRules.length > 0) {
+        return {
+            severity: 'high',
+            message: `Wildcard RBAC permissions detected in ${(0, parser_1.getResourceIdentifier)(resource)}: ${wildcardRules.join('; ')}`,
+            suggestion: 'Replace wildcard (*) permissions with explicit resource types and verbs. Use principle of least privilege.',
+            category: 'kubernetes-rbac-wildcard',
+            cvssScore: 8.5,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-269',
+            attackVector: {
+                description: 'Wildcard permissions grant excessive privileges that can be exploited for privilege escalation and lateral movement.',
+                exploitExample: 'Service account with verbs:* on secrets → Attacker reads all secrets in namespace → Accesses database credentials',
+                realWorldImpact: [
+                    'Excessive permissions beyond requirements',
+                    'Privilege escalation opportunities',
+                    'Access to sensitive resources (secrets, configmaps)',
+                    'Ability to modify critical workloads',
+                ],
+            },
+            remediation: {
+                before: `rules:\n  - apiGroups: ["*"]\n    resources: ["*"]\n    verbs: ["*"]`,
+                after: `rules:\n  - apiGroups: [""]\n    resources: ["pods", "services"]\n    verbs: ["get", "list", "watch"]`,
+                explanation: 'Specify exact API groups, resource types, and verbs needed for the application to function.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #11: Overly Permissive Roles (High - CVSS 8.0)
+ * Detects roles with dangerous verbs on sensitive resources
+ */
+function checkOverlyPermissiveRoles(resource) {
+    if (!['Role', 'ClusterRole'].includes(resource.kind)) {
+        return null;
+    }
+    const rules = resource.rules || [];
+    const dangerousRules = [];
+    for (let i = 0; i < rules.length; i++) {
+        const rule = rules[i];
+        const resources = rule.resources || [];
+        const verbs = rule.verbs || [];
+        // Check if rule grants dangerous verbs on sensitive resources
+        const hasSensitiveResource = resources.some(r => types_1.SENSITIVE_RESOURCES.includes(r));
+        const hasDangerousVerb = verbs.some(v => types_1.DANGEROUS_VERBS.includes(v));
+        if (hasSensitiveResource && hasDangerousVerb) {
+            const sensitiveFound = resources.filter(r => types_1.SENSITIVE_RESOURCES.includes(r));
+            const dangerousFound = verbs.filter(v => types_1.DANGEROUS_VERBS.includes(v));
+            dangerousRules.push(`Rule ${i + 1}: ${dangerousFound.join(', ')} on ${sensitiveFound.join(', ')}`);
+        }
+    }
+    if (dangerousRules.length > 0) {
+        return {
+            severity: 'high',
+            message: `Overly permissive RBAC role detected in ${(0, parser_1.getResourceIdentifier)(resource)}: ${dangerousRules.join('; ')}`,
+            suggestion: 'Limit dangerous verbs (create, delete, update, patch) on sensitive resources (secrets, pods/exec, clusterroles).',
+            category: 'kubernetes-rbac-overly-permissive',
+            cvssScore: 8.0,
+            exploitLikelihood: 'high',
+            impact: 'privilege-escalation',
+            owasp: 'A01:2021',
+            cwe: 'CWE-269',
+            attackVector: {
+                description: 'Dangerous verbs on sensitive resources enable privilege escalation, secret theft, and command execution.',
+                exploitExample: 'Role with create on pods/exec → Attacker creates pod → Executes commands in container → Accesses secrets',
+                realWorldImpact: [
+                    'Secret exfiltration (create/update on secrets)',
+                    'Remote code execution (create on pods/exec)',
+                    'Privilege escalation (update on clusterroles)',
+                    'Data deletion (delete on persistentvolumes)',
+                ],
+            },
+            remediation: {
+                before: `rules:\n  - apiGroups: [""]\n    resources: ["secrets"]\n    verbs: ["*", "delete", "create"]`,
+                after: `rules:\n  - apiGroups: [""]\n    resources: ["secrets"]\n    verbs: ["get", "list"]  # Read-only access`,
+                explanation: 'Grant only read permissions (get, list, watch) unless write access is absolutely required.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #12: ServiceAccount Token Automount (Medium - CVSS 6.5)
+ * Detects pods with automountServiceAccountToken not disabled
+ */
+function checkServiceAccountTokenAutomount(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    // Check if automountServiceAccountToken is explicitly set to false
+    if (podSpec.automountServiceAccountToken !== false) {
+        return {
+            severity: 'medium',
+            message: `ServiceAccount token automount enabled in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Set automountServiceAccountToken: false unless the pod needs Kubernetes API access.',
+            category: 'kubernetes-serviceaccount-automount',
+            cvssScore: 6.5,
+            exploitLikelihood: 'medium',
+            impact: 'privilege-escalation',
+            owasp: 'A05:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Automounted service account tokens can be stolen from compromised containers and used to access Kubernetes API.',
+                exploitExample: 'Attacker compromises container → Reads /var/run/secrets/kubernetes.io/serviceaccount/token → Accesses API with pod permissions',
+                realWorldImpact: [
+                    'Service account token theft',
+                    'Kubernetes API access from compromised container',
+                    'Lateral movement within cluster',
+                    'Privilege escalation if service account has elevated permissions',
+                ],
+            },
+            remediation: {
+                before: `spec:\n  # automountServiceAccountToken defaults to true`,
+                after: `spec:\n  automountServiceAccountToken: false\n  # Only set to true if pod needs K8s API access`,
+                explanation: 'Disable service account token mounting for pods that do not need to communicate with the Kubernetes API.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #13: Default ServiceAccount Usage (Medium - CVSS 6.0)
+ * Detects pods using the default service account
+ */
+function checkDefaultServiceAccount(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const serviceAccountName = podSpec.serviceAccountName;
+    // Check if using default service account (explicitly or implicitly)
+    if (!serviceAccountName || serviceAccountName === 'default') {
+        return {
+            severity: 'medium',
+            message: `Default ServiceAccount usage detected in ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Create a dedicated ServiceAccount with minimal permissions instead of using the default account.',
+            category: 'kubernetes-default-serviceaccount',
+            cvssScore: 6.0,
+            exploitLikelihood: 'medium',
+            impact: 'privilege-escalation',
+            owasp: 'A05:2021',
+            cwe: 'CWE-250',
+            attackVector: {
+                description: 'Default service accounts may have excessive permissions or be shared across multiple workloads, increasing blast radius.',
+                exploitExample: 'Multiple pods use default SA → One pod compromised → Attacker has permissions from shared SA → Lateral movement',
+                realWorldImpact: [
+                    'Shared permissions across multiple workloads',
+                    'Difficult to audit which pod performed action',
+                    'Excessive permissions if default SA is over-privileged',
+                    'Increased blast radius of compromise',
+                ],
+            },
+            remediation: {
+                before: `spec:\n  # serviceAccountName defaults to "default"`,
+                after: `spec:\n  serviceAccountName: my-app-sa\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: my-app-sa`,
+                explanation: 'Create dedicated ServiceAccounts for each application with specific RBAC permissions tailored to their needs.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Run all RBAC security checks on a resource
+ */
+function runRBACSecurityChecks(resource) {
+    const vulnerabilities = [];
+    const checks = [
+        checkClusterAdminBindings,
+        checkWildcardRules,
+        checkOverlyPermissiveRoles,
+        checkServiceAccountTokenAutomount,
+        checkDefaultServiceAccount,
+    ];
+    for (const check of checks) {
+        const vuln = check(resource);
+        if (vuln) {
+            vulnerabilities.push(vuln);
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=rbac-security.js.map

package/dist/src/lib/analyzers/kubernetes/checks/rbac-security.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/rbac-security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAWH,8DA0CC;AAMD,gDAqDC;AAMD,gEAwDC;AAMD,8EAqCC;AAMD,gEAqCC;AAKD,sDAmBC;AAxRD,sCAA8D;AAC9D,oCAAgE;AAEhE;;;GAGG;AACH,SAAgB,yBAAyB,CAAC,QAA4B;IACpE,IAAI,CAAC,CAAC,aAAa,EAAE,oBAAoB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,iDAAiD;IACjD,IAAI,OAAO,CAAC,IAAI,KAAK,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC/E,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC;QACzC,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEzE,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,0CAA0C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,kBAAkB,YAAY,EAAE;YAClH,UAAU,EAAE,2HAA2H;YACvI,QAAQ,EAAE,kCAAkC;YAC5C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,4GAA4G;gBACzH,cAAc,EAAE,yGAAyG;gBACzH,eAAe,EAAE;oBACf,6BAA6B;oBAC7B,0CAA0C;oBAC1C,uCAAuC;oBACvC,gCAAgC;iBACjC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,6FAA6F;gBACrG,KAAK,EAAE,yIAAyI;gBAChJ,WAAW,EAAE,6GAA6G;aAC3H;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,QAA4B;IAC7D,IAAI,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAe,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;IAC/C,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClD,MAAM,oBAAoB,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC3D,MAAM,oBAAoB,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;QAE3D,IAAI,gBAAgB,IAAI,oBAAoB,IAAI,oBAAoB,EAAE,CAAC;YACrE,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,IAAI,gBAAgB;gBAAE,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC/C,IAAI,oBAAoB;gBAAE,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACvD,IAAI,oBAAoB;gBAAE,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACvD,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,yCAAyC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAChH,UAAU,EAAE,4GAA4G;YACxH,QAAQ,EAAE,0BAA0B;YACpC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,sHAAsH;gBACnI,cAAc,EAAE,mHAAmH;gBACnI,eAAe,EAAE;oBACf,2CAA2C;oBAC3C,oCAAoC;oBACpC,qDAAqD;oBACrD,sCAAsC;iBACvC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,sEAAsE;gBAC9E,KAAK,EAAE,uGAAuG;gBAC9G,WAAW,EAAE,6FAA6F;aAC3G;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,QAA4B;IACrE,IAAI,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAe,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;IAC/C,MAAM,cAAc,GAAa,EAAE,CAAC;IAEpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QAE/B,8DAA8D;QAC9D,MAAM,oBAAoB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,2BAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAClF,MAAM,gBAAgB,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,uBAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAEtE,IAAI,oBAAoB,IAAI,gBAAgB,EAAE,CAAC;YAC7C,MAAM,cAAc,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,2BAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9E,MAAM,cAAc,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,uBAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACtE,cAAc,CAAC,IAAI,CACjB,QAAQ,CAAC,GAAG,CAAC,KAAK,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,2CAA2C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACnH,UAAU,EAAE,kHAAkH;YAC9H,QAAQ,EAAE,mCAAmC;YAC7C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,0GAA0G;gBACvH,cAAc,EAAE,0GAA0G;gBAC1H,eAAe,EAAE;oBACf,gDAAgD;oBAChD,6CAA6C;oBAC7C,+CAA+C;oBAC/C,6CAA6C;iBAC9C;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,+FAA+F;gBACvG,KAAK,EAAE,yGAAyG;gBAChH,WAAW,EAAE,4FAA4F;aAC1G;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,iCAAiC,CAC/C,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,mEAAmE;IACnE,IAAI,OAAO,CAAC,4BAA4B,KAAK,KAAK,EAAE,CAAC;QACnD,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,6CAA6C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YACvF,UAAU,EAAE,qFAAqF;YACjG,QAAQ,EAAE,qCAAqC;YAC/C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,iHAAiH;gBAC9H,cAAc,EAAE,gIAAgI;gBAChJ,eAAe,EAAE;oBACf,6BAA6B;oBAC7B,kDAAkD;oBAClD,iCAAiC;oBACjC,kEAAkE;iBACnE;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,0DAA0D;gBAClE,KAAK,EAAE,gGAAgG;gBACvG,WAAW,EAAE,0GAA0G;aACxH;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,QAA4B;IACrE,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAEtD,oEAAoE;IACpE,IAAI,CAAC,kBAAkB,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;QAC5D,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,4CAA4C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YACtF,UAAU,EAAE,kGAAkG;YAC9G,QAAQ,EAAE,mCAAmC;YAC7C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,sBAAsB;YAC9B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,0HAA0H;gBACvI,cAAc,EAAE,iHAAiH;gBACjI,eAAe,EAAE;oBACf,8CAA8C;oBAC9C,+CAA+C;oBAC/C,wDAAwD;oBACxD,sCAAsC;iBACvC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,qDAAqD;gBAC7D,KAAK,EAAE,iHAAiH;gBACxH,WAAW,EAAE,+GAA+G;aAC7H;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,MAAM,MAAM,GAAG;QACb,yBAAyB;QACzB,kBAAkB;QAClB,0BAA0B;QAC1B,iCAAiC;QACjC,0BAA0B;KAC3B,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/checks/resource-management.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Kubernetes Resource Management Checks
+ *
+ * WR3 Week 6: 3 High/Medium Severity Resource Management Checks
+ * - Missing resource limits
+ * - Missing resource requests
+ * - Latest image tag usage
+ *
+ * Created: February 5, 2026
+ */
+import { SecurityVulnerability } from '../../types';
+import type { KubernetesResource } from '../types';
+/**
+ * Check #21: Missing Resource Limits (High - CVSS 7.0)
+ * Detects containers without resource limits (CPU/memory)
+ */
+export declare function checkMissingResourceLimits(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #22: Missing Resource Requests (Medium - CVSS 6.0)
+ * Detects containers without resource requests (CPU/memory)
+ */
+export declare function checkMissingResourceRequests(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #23: Latest Image Tag (Medium - CVSS 5.5)
+ * Detects containers using :latest or no tag (mutable tags)
+ */
+export declare function checkLatestImageTag(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Run all resource management checks on a resource
+ */
+export declare function runResourceManagementChecks(resource: KubernetesResource): SecurityVulnerability[];
+//# sourceMappingURL=resource-management.d.ts.map

package/dist/src/lib/analyzers/kubernetes/checks/resource-management.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resource-management.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/resource-management.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,kBAAkB,EAAa,MAAM,UAAU,CAAC;AAG9D;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CA6C9B;AAED;;;GAGG;AACH,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CA6C9B;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAgD9F;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAiBjG"}

package/dist/src/lib/analyzers/kubernetes/checks/resource-management.js ADDED Viewed

@@ -0,0 +1,176 @@
+"use strict";
+/**
+ * Kubernetes Resource Management Checks
+ *
+ * WR3 Week 6: 3 High/Medium Severity Resource Management Checks
+ * - Missing resource limits
+ * - Missing resource requests
+ * - Latest image tag usage
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkMissingResourceLimits = checkMissingResourceLimits;
+exports.checkMissingResourceRequests = checkMissingResourceRequests;
+exports.checkLatestImageTag = checkLatestImageTag;
+exports.runResourceManagementChecks = runResourceManagementChecks;
+const parser_1 = require("../parser");
+/**
+ * Check #21: Missing Resource Limits (High - CVSS 7.0)
+ * Detects containers without resource limits (CPU/memory)
+ */
+function checkMissingResourceLimits(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
+    const missingLimits = [];
+    for (const container of containers) {
+        const limits = container.resources?.limits;
+        if (!limits || (!limits.cpu && !limits.memory)) {
+            missingLimits.push(container.name);
+        }
+    }
+    if (missingLimits.length > 0) {
+        return {
+            severity: 'high',
+            message: `Containers without resource limits in ${(0, parser_1.getResourceIdentifier)(resource)}: ${missingLimits.join(', ')}`,
+            suggestion: 'Set resources.limits.cpu and resources.limits.memory for all containers to prevent resource exhaustion.',
+            category: 'kubernetes-missing-resource-limits',
+            cvssScore: 7.0,
+            exploitLikelihood: 'high',
+            impact: 'denial-of-service',
+            owasp: 'A04:2021',
+            cwe: 'CWE-770',
+            attackVector: {
+                description: 'Containers without resource limits can consume all node resources, causing denial of service for other workloads.',
+                exploitExample: 'Attacker exploits vulnerability → Triggers resource-intensive operation → Container consumes all CPU/memory → Node becomes unresponsive',
+                realWorldImpact: [
+                    'Noisy neighbor problem',
+                    'Node resource exhaustion',
+                    'Cascading failures across workloads',
+                    'Cluster instability',
+                ],
+            },
+            remediation: {
+                before: `containers:\n  - name: app\n    image: myapp:1.0`,
+                after: `containers:\n  - name: app\n    image: myapp:1.0\n    resources:\n      limits:\n        cpu: "1000m"\n        memory: "512Mi"\n      requests:\n        cpu: "500m"\n        memory: "256Mi"`,
+                explanation: 'Define resource limits based on application profiling. Set limits slightly above peak usage to prevent OOM kills while protecting the node.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #22: Missing Resource Requests (Medium - CVSS 6.0)
+ * Detects containers without resource requests (CPU/memory)
+ */
+function checkMissingResourceRequests(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
+    const missingRequests = [];
+    for (const container of containers) {
+        const requests = container.resources?.requests;
+        if (!requests || (!requests.cpu && !requests.memory)) {
+            missingRequests.push(container.name);
+        }
+    }
+    if (missingRequests.length > 0) {
+        return {
+            severity: 'medium',
+            message: `Containers without resource requests in ${(0, parser_1.getResourceIdentifier)(resource)}: ${missingRequests.join(', ')}`,
+            suggestion: 'Set resources.requests.cpu and resources.requests.memory for proper pod scheduling and QoS.',
+            category: 'kubernetes-missing-resource-requests',
+            cvssScore: 6.0,
+            exploitLikelihood: 'medium',
+            impact: 'availability',
+            owasp: 'A04:2021',
+            cwe: 'CWE-770',
+            attackVector: {
+                description: 'Without resource requests, pods may be scheduled on overcommitted nodes, leading to poor performance and evictions.',
+                exploitExample: 'Pod scheduled without requests → Node becomes overcommitted → Kubelet evicts pods under pressure → Service disruption',
+                realWorldImpact: [
+                    'Poor QoS (BestEffort class)',
+                    'Unpredictable pod evictions',
+                    'Suboptimal scheduling decisions',
+                    'Performance degradation under load',
+                ],
+            },
+            remediation: {
+                before: `containers:\n  - name: app\n    image: myapp:1.0`,
+                after: `containers:\n  - name: app\n    image: myapp:1.0\n    resources:\n      requests:\n        cpu: "500m"\n        memory: "256Mi"\n      limits:\n        cpu: "1000m"\n        memory: "512Mi"`,
+                explanation: 'Set resource requests to typical usage levels to ensure proper scheduling. Guaranteed QoS requires requests == limits.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #23: Latest Image Tag (Medium - CVSS 5.5)
+ * Detects containers using :latest or no tag (mutable tags)
+ */
+function checkLatestImageTag(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
+    const latestImageContainers = [];
+    for (const container of containers) {
+        const image = container.image || '';
+        // Check for :latest tag or no tag at all
+        const hasLatestTag = image.endsWith(':latest') || !image.includes(':');
+        if (hasLatestTag) {
+            latestImageContainers.push(`${container.name} (${image})`);
+        }
+    }
+    if (latestImageContainers.length > 0) {
+        return {
+            severity: 'medium',
+            message: `Containers using :latest or untagged images in ${(0, parser_1.getResourceIdentifier)(resource)}: ${latestImageContainers.join(', ')}`,
+            suggestion: 'Use specific image tags (e.g., v1.2.3) or SHA256 digests for reproducible deployments.',
+            category: 'kubernetes-latest-image-tag',
+            cvssScore: 5.5,
+            exploitLikelihood: 'medium',
+            impact: 'supply-chain',
+            owasp: 'A06:2021',
+            cwe: 'CWE-494',
+            attackVector: {
+                description: 'Mutable tags like :latest can change without notice, leading to unexpected behavior or supply chain attacks.',
+                exploitExample: 'Attacker compromises registry → Replaces :latest tag with malicious image → Pod restart pulls compromised image → Backdoor deployed',
+                realWorldImpact: [
+                    'Non-reproducible deployments',
+                    'Supply chain attack vector',
+                    'Unexpected image changes',
+                    'Difficult rollback scenarios',
+                ],
+            },
+            remediation: {
+                before: `containers:\n  - name: app\n    image: nginx:latest  # or just "nginx"`,
+                after: `containers:\n  - name: app\n    image: nginx:1.25.3  # Specific version\n    # Or even better: use SHA256 digest\n    # image: nginx@sha256:a1b2c3d4...`,
+                explanation: 'Pin to specific semantic versions (v1.2.3) for stability, or use SHA256 digests (@sha256:...) for maximum security.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Run all resource management checks on a resource
+ */
+function runResourceManagementChecks(resource) {
+    const vulnerabilities = [];
+    const checks = [
+        checkMissingResourceLimits,
+        checkMissingResourceRequests,
+        checkLatestImageTag,
+    ];
+    for (const check of checks) {
+        const vuln = check(resource);
+        if (vuln) {
+            vulnerabilities.push(vuln);
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=resource-management.js.map

package/dist/src/lib/analyzers/kubernetes/checks/resource-management.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resource-management.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/resource-management.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAUH,gEA+CC;AAMD,oEA+CC;AAMD,kDAgDC;AAKD,kEAiBC;AAtLD,sCAA8D;AAE9D;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;IACtF,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC;QAE3C,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/C,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,yCAAyC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAChH,UAAU,EAAE,yGAAyG;YACrH,QAAQ,EAAE,oCAAoC;YAC9C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,mBAAmB;YAC3B,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,mHAAmH;gBAChI,cAAc,EAAE,yIAAyI;gBACzJ,eAAe,EAAE;oBACf,wBAAwB;oBACxB,0BAA0B;oBAC1B,qCAAqC;oBACrC,qBAAqB;iBACtB;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,kDAAkD;gBAC1D,KAAK,EAAE,+LAA+L;gBACtM,WAAW,EAAE,6IAA6I;aAC3J;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,4BAA4B,CAC1C,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;IACtF,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,EAAE,QAAQ,CAAC;QAE/C,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACrD,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,2CAA2C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpH,UAAU,EAAE,6FAA6F;YACzG,QAAQ,EAAE,sCAAsC;YAChD,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,cAAc;YACtB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,qHAAqH;gBAClI,cAAc,EAAE,uHAAuH;gBACvI,eAAe,EAAE;oBACf,6BAA6B;oBAC7B,6BAA6B;oBAC7B,iCAAiC;oBACjC,oCAAoC;iBACrC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,kDAAkD;gBAC1D,KAAK,EAAE,+LAA+L;gBACtM,WAAW,EAAE,wHAAwH;aACtI;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,QAA4B;IAC9D,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;IACtF,MAAM,qBAAqB,GAAa,EAAE,CAAC;IAE3C,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE,CAAC;QAEpC,yCAAyC;QACzC,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEvE,IAAI,YAAY,EAAE,CAAC;YACjB,qBAAqB,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,KAAK,KAAK,GAAG,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,IAAI,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,kDAAkD,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjI,UAAU,EAAE,wFAAwF;YACpG,QAAQ,EAAE,6BAA6B;YACvC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,cAAc;YACtB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,8GAA8G;gBAC3H,cAAc,EAAE,qIAAqI;gBACrJ,eAAe,EAAE;oBACf,8BAA8B;oBAC9B,4BAA4B;oBAC5B,0BAA0B;oBAC1B,8BAA8B;iBAC/B;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,wEAAwE;gBAChF,KAAK,EAAE,yJAAyJ;gBAChK,WAAW,EAAE,qHAAqH;aACnI;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,2BAA2B,CAAC,QAA4B;IACtE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,MAAM,MAAM,GAAG;QACb,0BAA0B;QAC1B,4BAA4B;QAC5B,mBAAmB;KACpB,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/checks/secrets-management.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Kubernetes Secrets Management Checks
+ *
+ * WR3 Week 6: 4 High/Medium Severity Secrets Management Checks
+ * - Hardcoded secrets in ConfigMaps
+ * - Secrets in environment variables
+ * - Secrets mounted without readOnly
+ * - Base64-encoded secrets in YAML
+ *
+ * Created: February 5, 2026
+ */
+import { SecurityVulnerability } from '../../types';
+import type { KubernetesResource } from '../types';
+/**
+ * Check #14: Hardcoded Secrets in ConfigMaps (High - CVSS 7.5)
+ * Detects sensitive data patterns in ConfigMap data fields
+ */
+export declare function checkHardcodedSecretsInConfigMaps(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #15: Secrets in Environment Variables (High - CVSS 7.0)
+ * Detects containers with environment variables containing plain-text secrets
+ */
+export declare function checkSecretsInEnvVars(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #16: Secrets Mounted Without ReadOnly (Medium - CVSS 6.0)
+ * Detects secret volumes mounted without readOnly: true
+ */
+export declare function checkSecretVolumesWritable(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #17: Base64-Encoded Secrets in YAML (Medium - CVSS 5.5)
+ * Detects Secret resources with base64 data that may contain sensitive patterns
+ */
+export declare function checkBase64SecretsInYAML(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Run all secrets management checks on a resource
+ */
+export declare function runSecretsManagementChecks(resource: KubernetesResource): SecurityVulnerability[];
+//# sourceMappingURL=secrets-management.d.ts.map

package/dist/src/lib/analyzers/kubernetes/checks/secrets-management.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secrets-management.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/secrets-management.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,kBAAkB,EAAqB,MAAM,UAAU,CAAC;AAatE;;;GAGG;AACH,wBAAgB,iCAAiC,CAC/C,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CAwD9B;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAsEhG;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CAwD9B;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,GAAG,IAAI,CAwCnG;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAkBhG"}