npm - codeslick-cli - Versions diffs - 1.4.0 → 1.4.2 - Mend

codeslick-cli 1.4.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/dist/src/lib/analyzers/kubernetes/checks/secrets-management.js ADDED Viewed

@@ -0,0 +1,266 @@
+"use strict";
+/**
+ * Kubernetes Secrets Management Checks
+ *
+ * WR3 Week 6: 4 High/Medium Severity Secrets Management Checks
+ * - Hardcoded secrets in ConfigMaps
+ * - Secrets in environment variables
+ * - Secrets mounted without readOnly
+ * - Base64-encoded secrets in YAML
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkHardcodedSecretsInConfigMaps = checkHardcodedSecretsInConfigMaps;
+exports.checkSecretsInEnvVars = checkSecretsInEnvVars;
+exports.checkSecretVolumesWritable = checkSecretVolumesWritable;
+exports.checkBase64SecretsInYAML = checkBase64SecretsInYAML;
+exports.runSecretsManagementChecks = runSecretsManagementChecks;
+const parser_1 = require("../parser");
+// Common secret patterns to detect in ConfigMaps and environment variables
+const SECRET_PATTERNS = [
+    { name: 'password', regex: /password\s*[:=]\s*["']?[^\s"']+/i },
+    { name: 'api_key', regex: /api[_-]?key\s*[:=]\s*["']?[^\s"']+/i },
+    { name: 'token', regex: /token\s*[:=]\s*["']?[^\s"']+/i },
+    { name: 'secret', regex: /secret\s*[:=]\s*["']?[^\s"']+/i },
+    { name: 'private_key', regex: /private[_-]?key\s*[:=]\s*["']?[^\s"']+/i },
+    { name: 'access_key', regex: /access[_-]?key\s*[:=]\s*["']?[^\s"']+/i },
+];
+/**
+ * Check #14: Hardcoded Secrets in ConfigMaps (High - CVSS 7.5)
+ * Detects sensitive data patterns in ConfigMap data fields
+ */
+function checkHardcodedSecretsInConfigMaps(resource) {
+    if (resource.kind !== 'ConfigMap') {
+        return null;
+    }
+    const data = resource.data || {};
+    const foundSecrets = [];
+    // Scan ConfigMap data for secret patterns
+    for (const [key, value] of Object.entries(data)) {
+        const lowerKey = key.toLowerCase();
+        const lowerValue = value.toLowerCase();
+        // Check if key or value contains secret patterns
+        for (const pattern of SECRET_PATTERNS) {
+            if (lowerKey.includes(pattern.name) ||
+                pattern.regex.test(lowerValue) ||
+                pattern.regex.test(key)) {
+                foundSecrets.push(key);
+                break;
+            }
+        }
+    }
+    if (foundSecrets.length > 0) {
+        return {
+            severity: 'high',
+            message: `Hardcoded secrets detected in ConfigMap ${(0, parser_1.getResourceIdentifier)(resource)}: ${foundSecrets.join(', ')}`,
+            suggestion: 'Use Kubernetes Secrets instead of ConfigMaps for sensitive data. ConfigMaps are not designed for secret storage.',
+            category: 'kubernetes-configmap-secrets',
+            cvssScore: 7.5,
+            exploitLikelihood: 'high',
+            impact: 'data-breach',
+            owasp: 'A02:2021',
+            cwe: 'CWE-798',
+            attackVector: {
+                description: 'ConfigMaps are stored unencrypted in etcd and can be read by anyone with namespace access.',
+                exploitExample: 'Attacker gains namespace access → Lists ConfigMaps → Extracts hardcoded credentials → Accesses external services',
+                realWorldImpact: [
+                    'Credentials stored in plain text',
+                    'Exposed in etcd backups',
+                    'Visible to all namespace users',
+                    'No encryption at rest by default',
+                ],
+            },
+            remediation: {
+                before: `apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: app-config\ndata:\n  api_key: "sk-1234567890abcdef"`,
+                after: `apiVersion: v1\nkind: Secret\nmetadata:\n  name: app-secrets\ntype: Opaque\nstringData:\n  api_key: "sk-1234567890abcdef"  # Better: use external secret manager`,
+                explanation: 'Migrate sensitive data to Kubernetes Secrets (minimum) or preferably use external secret managers (Vault, AWS Secrets Manager).',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #15: Secrets in Environment Variables (High - CVSS 7.0)
+ * Detects containers with environment variables containing plain-text secrets
+ */
+function checkSecretsInEnvVars(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
+    const vulnerableContainers = [];
+    for (const container of containers) {
+        const env = container.env || [];
+        const secretEnvVars = [];
+        for (const envVar of env) {
+            // Skip if using valueFrom (good practice - references Secret)
+            if (envVar.valueFrom) {
+                continue;
+            }
+            // Check if env var has a plain-text value that looks like a secret
+            if (envVar.value) {
+                const lowerName = envVar.name.toLowerCase();
+                const lowerValue = envVar.value.toLowerCase();
+                for (const pattern of SECRET_PATTERNS) {
+                    if (lowerName.includes(pattern.name) || pattern.regex.test(lowerValue)) {
+                        secretEnvVars.push(envVar.name);
+                        break;
+                    }
+                }
+            }
+        }
+        if (secretEnvVars.length > 0) {
+            vulnerableContainers.push({ name: container.name, envVars: secretEnvVars });
+        }
+    }
+    if (vulnerableContainers.length > 0) {
+        const details = vulnerableContainers
+            .map(c => `${c.name} (${c.envVars.join(', ')})`)
+            .join('; ');
+        return {
+            severity: 'high',
+            message: `Plain-text secrets in environment variables detected in ${(0, parser_1.getResourceIdentifier)(resource)}: ${details}`,
+            suggestion: 'Use env.valueFrom.secretKeyRef to reference Secrets instead of hardcoding values in env.value.',
+            category: 'kubernetes-env-secrets',
+            cvssScore: 7.0,
+            exploitLikelihood: 'high',
+            impact: 'data-breach',
+            owasp: 'A02:2021',
+            cwe: 'CWE-798',
+            attackVector: {
+                description: 'Environment variables are visible in container inspect, process listings, and logs.',
+                exploitExample: 'Attacker accesses container → Runs "env" command → Extracts secret values → Compromises external services',
+                realWorldImpact: [
+                    'Secrets visible in container runtime',
+                    'Exposed in crash dumps and logs',
+                    'Readable via /proc/[pid]/environ',
+                    'Stored in image layer metadata',
+                ],
+            },
+            remediation: {
+                before: `env:\n  - name: DATABASE_PASSWORD\n    value: "hardcoded-password-123"`,
+                after: `env:\n  - name: DATABASE_PASSWORD\n    valueFrom:\n      secretKeyRef:\n        name: db-credentials\n        key: password`,
+                explanation: 'Reference secrets using valueFrom.secretKeyRef instead of hardcoding values.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #16: Secrets Mounted Without ReadOnly (Medium - CVSS 6.0)
+ * Detects secret volumes mounted without readOnly: true
+ */
+function checkSecretVolumesWritable(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const volumes = podSpec.volumes || [];
+    const secretVolumeNames = volumes
+        .filter((v) => v.secret)
+        .map((v) => v.name);
+    if (secretVolumeNames.length === 0) {
+        return null;
+    }
+    const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
+    const writableSecretMounts = [];
+    for (const container of containers) {
+        const volumeMounts = container.volumeMounts || [];
+        for (const mount of volumeMounts) {
+            if (secretVolumeNames.includes(mount.name) && mount.readOnly !== true) {
+                writableSecretMounts.push(`${container.name}:${mount.mountPath}`);
+            }
+        }
+    }
+    if (writableSecretMounts.length > 0) {
+        return {
+            severity: 'medium',
+            message: `Secret volumes mounted without readOnly in ${(0, parser_1.getResourceIdentifier)(resource)}: ${writableSecretMounts.join(', ')}`,
+            suggestion: 'Set readOnly: true for all secret volume mounts to prevent tampering.',
+            category: 'kubernetes-secret-volume-writable',
+            cvssScore: 6.0,
+            exploitLikelihood: 'medium',
+            impact: 'data-tampering',
+            owasp: 'A04:2021',
+            cwe: 'CWE-732',
+            attackVector: {
+                description: 'Writable secret mounts allow attackers to modify secret files, potentially creating backdoors or corrupting credentials.',
+                exploitExample: 'Attacker compromises container → Modifies mounted secret file → Application uses tampered credentials → Data exfiltration',
+                realWorldImpact: [
+                    'Secret file modification',
+                    'Credential tampering',
+                    'Backdoor injection in certificates',
+                    'Authentication bypass',
+                ],
+            },
+            remediation: {
+                before: `volumeMounts:\n  - name: app-secrets\n    mountPath: /etc/secrets`,
+                after: `volumeMounts:\n  - name: app-secrets\n    mountPath: /etc/secrets\n    readOnly: true`,
+                explanation: 'Always mount secret volumes as read-only to prevent tampering.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #17: Base64-Encoded Secrets in YAML (Medium - CVSS 5.5)
+ * Detects Secret resources with base64 data that may contain sensitive patterns
+ */
+function checkBase64SecretsInYAML(resource) {
+    if (resource.kind !== 'Secret') {
+        return null;
+    }
+    const data = resource.data || {};
+    const stringData = resource.stringData || {};
+    // Check if secret has data (which is base64-encoded in YAML source)
+    // This is a warning that secrets are visible in YAML files
+    if (Object.keys(data).length > 0 || Object.keys(stringData).length > 0) {
+        return {
+            severity: 'medium',
+            message: `Base64-encoded secrets detected in YAML manifest for ${(0, parser_1.getResourceIdentifier)(resource)}`,
+            suggestion: 'Avoid committing Secret YAML to version control. Use external secret managers (Sealed Secrets, External Secrets Operator, Vault).',
+            category: 'kubernetes-secret-in-yaml',
+            cvssScore: 5.5,
+            exploitLikelihood: 'medium',
+            impact: 'data-breach',
+            owasp: 'A02:2021',
+            cwe: 'CWE-312',
+            attackVector: {
+                description: 'Base64 is encoding, not encryption. Secrets in YAML files are easily decoded and exposed via version control.',
+                exploitExample: 'Developer commits Secret YAML to git → Attacker accesses repository → Base64-decodes secret values → Gains credentials',
+                realWorldImpact: [
+                    'Secrets exposed in version control',
+                    'Base64 easily decoded (not encrypted)',
+                    'Visible in git history forever',
+                    'Accessible to all repository users',
+                ],
+            },
+            remediation: {
+                before: `apiVersion: v1\nkind: Secret\nmetadata:\n  name: app-secrets\ndata:\n  password: cGFzc3dvcmQxMjM=  # Visible in git!`,
+                after: `# Install Sealed Secrets or External Secrets Operator\n# Use kubectl create secret to create at runtime\n# Never commit Secret YAML to version control`,
+                explanation: 'Use Sealed Secrets (bitnami-labs/sealed-secrets) or External Secrets Operator to manage secrets securely without exposing them in YAML.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Run all secrets management checks on a resource
+ */
+function runSecretsManagementChecks(resource) {
+    const vulnerabilities = [];
+    const checks = [
+        checkHardcodedSecretsInConfigMaps,
+        checkSecretsInEnvVars,
+        checkSecretVolumesWritable,
+        checkBase64SecretsInYAML,
+    ];
+    for (const check of checks) {
+        const vuln = check(resource);
+        if (vuln) {
+            vulnerabilities.push(vuln);
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=secrets-management.js.map

package/dist/src/lib/analyzers/kubernetes/checks/secrets-management.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secrets-management.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/secrets-management.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAoBH,8EA0DC;AAMD,sDAsEC;AAMD,gEA0DC;AAMD,4DAwCC;AAKD,gEAkBC;AA3RD,sCAA8D;AAE9D,2EAA2E;AAC3E,MAAM,eAAe,GAAG;IACtB,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,kCAAkC,EAAE;IAC/D,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,qCAAqC,EAAE;IACjE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,+BAA+B,EAAE;IACzD,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,gCAAgC,EAAE;IAC3D,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,yCAAyC,EAAE;IACzE,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,wCAAwC,EAAE;CACxE,CAAC;AAEF;;;GAGG;AACH,SAAgB,iCAAiC,CAC/C,QAA4B;IAE5B,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC;IACjC,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,0CAA0C;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAEvC,iDAAiD;QACjD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,IACE,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBAC/B,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;gBAC9B,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EACvB,CAAC;gBACD,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACvB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,2CAA2C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjH,UAAU,EAAE,kHAAkH;YAC9H,QAAQ,EAAE,8BAA8B;YACxC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,aAAa;YACrB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,4FAA4F;gBACzG,cAAc,EAAE,kHAAkH;gBAClI,eAAe,EAAE;oBACf,kCAAkC;oBAClC,yBAAyB;oBACzB,gCAAgC;oBAChC,kCAAkC;iBACnC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,yGAAyG;gBACjH,KAAK,EAAE,kKAAkK;gBACzK,WAAW,EAAE,iIAAiI;aAC/I;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;IACtF,MAAM,oBAAoB,GAA+C,EAAE,CAAC;IAE5E,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,IAAI,EAAE,CAAC;QAChC,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,KAAK,MAAM,MAAM,IAAI,GAAG,EAAE,CAAC;YACzB,8DAA8D;YAC9D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,SAAS;YACX,CAAC;YAED,mEAAmE;YACnE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5C,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;gBAE9C,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;oBACtC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;wBACvE,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;wBAChC,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,oBAAoB,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,oBAAoB;aACjC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;aAC/C,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,2DAA2D,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,OAAO,EAAE;YACjH,UAAU,EAAE,gGAAgG;YAC5G,QAAQ,EAAE,wBAAwB;YAClC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,MAAM;YACzB,MAAM,EAAE,aAAa;YACrB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,qFAAqF;gBAClG,cAAc,EAAE,2GAA2G;gBAC3H,eAAe,EAAE;oBACf,sCAAsC;oBACtC,iCAAiC;oBACjC,kCAAkC;oBAClC,gCAAgC;iBACjC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,wEAAwE;gBAChF,KAAK,EAAE,6HAA6H;gBACpI,WAAW,EAAE,8EAA8E;aAC5F;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;IACtC,MAAM,iBAAiB,GAAG,OAAO;SAC9B,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;SAC/B,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;IACtF,MAAM,oBAAoB,GAAa,EAAE,CAAC;IAE1C,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,IAAI,EAAE,CAAC;QAElD,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;YACjC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtE,oBAAoB,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,8CAA8C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC5H,UAAU,EAAE,uEAAuE;YACnF,QAAQ,EAAE,mCAAmC;YAC7C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,gBAAgB;YACxB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,0HAA0H;gBACvI,cAAc,EAAE,2HAA2H;gBAC3I,eAAe,EAAE;oBACf,0BAA0B;oBAC1B,sBAAsB;oBACtB,oCAAoC;oBACpC,uBAAuB;iBACxB;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,mEAAmE;gBAC3E,KAAK,EAAE,uFAAuF;gBAC9F,WAAW,EAAE,gEAAgE;aAC9E;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CAAC,QAA4B;IACnE,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC;IACjC,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC;IAE7C,oEAAoE;IACpE,2DAA2D;IAC3D,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvE,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,wDAAwD,IAAA,8BAAqB,EAAC,QAAQ,CAAC,EAAE;YAClG,UAAU,EAAE,mIAAmI;YAC/I,QAAQ,EAAE,2BAA2B;YACrC,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,aAAa;YACrB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,+GAA+G;gBAC5H,cAAc,EAAE,wHAAwH;gBACxI,eAAe,EAAE;oBACf,oCAAoC;oBACpC,uCAAuC;oBACvC,gCAAgC;oBAChC,oCAAoC;iBACrC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,sHAAsH;gBAC9H,KAAK,EAAE,wJAAwJ;gBAC/J,WAAW,EAAE,yIAAyI;aACvJ;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,0BAA0B,CAAC,QAA4B;IACrE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,MAAM,MAAM,GAAG;QACb,iCAAiC;QACjC,qBAAqB;QACrB,0BAA0B;QAC1B,wBAAwB;KACzB,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/checks/service-security.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Kubernetes Service Security Checks
+ *
+ * WR3 Week 6: 2 Medium Severity Service Security Checks
+ * - Missing liveness probes
+ * - Missing readiness probes
+ *
+ * Created: February 5, 2026
+ */
+import { SecurityVulnerability } from '../../types';
+import type { KubernetesResource } from '../types';
+/**
+ * Check #24: Missing Liveness Probes (Medium - CVSS 5.0)
+ * Detects containers without liveness probes
+ */
+export declare function checkMissingLivenessProbe(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Check #25: Missing Readiness Probes (Medium - CVSS 5.0)
+ * Detects containers without readiness probes
+ */
+export declare function checkMissingReadinessProbe(resource: KubernetesResource): SecurityVulnerability | null;
+/**
+ * Run all service security checks on a resource
+ */
+export declare function runServiceSecurityChecks(resource: KubernetesResource): SecurityVulnerability[];
+//# sourceMappingURL=service-security.d.ts.map

package/dist/src/lib/analyzers/kubernetes/checks/service-security.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"service-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/service-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,kBAAkB,EAAa,MAAM,UAAU,CAAC;AAG9D;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CA2C9B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,GAAG,IAAI,CA2C9B;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAa9F"}

package/dist/src/lib/analyzers/kubernetes/checks/service-security.js ADDED Viewed

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Kubernetes Service Security Checks
+ *
+ * WR3 Week 6: 2 Medium Severity Service Security Checks
+ * - Missing liveness probes
+ * - Missing readiness probes
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkMissingLivenessProbe = checkMissingLivenessProbe;
+exports.checkMissingReadinessProbe = checkMissingReadinessProbe;
+exports.runServiceSecurityChecks = runServiceSecurityChecks;
+const parser_1 = require("../parser");
+/**
+ * Check #24: Missing Liveness Probes (Medium - CVSS 5.0)
+ * Detects containers without liveness probes
+ */
+function checkMissingLivenessProbe(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const containers = podSpec.containers || [];
+    const missingProbes = [];
+    for (const container of containers) {
+        if (!container.livenessProbe) {
+            missingProbes.push(container.name);
+        }
+    }
+    if (missingProbes.length > 0) {
+        return {
+            severity: 'medium',
+            message: `Containers without liveness probes in ${(0, parser_1.getResourceIdentifier)(resource)}: ${missingProbes.join(', ')}`,
+            suggestion: 'Add livenessProbe to detect and restart unhealthy containers automatically.',
+            category: 'kubernetes-missing-liveness-probe',
+            cvssScore: 5.0,
+            exploitLikelihood: 'medium',
+            impact: 'availability',
+            owasp: 'A04:2021',
+            cwe: 'CWE-400',
+            attackVector: {
+                description: 'Without liveness probes, deadlocked or crashed applications continue running without recovery.',
+                exploitExample: 'Application deadlocks → No liveness probe to detect → Container stays running but unresponsive → Service degradation',
+                realWorldImpact: [
+                    'Undetected application failures',
+                    'No automatic recovery from deadlocks',
+                    'Extended service outages',
+                    'Manual intervention required for restarts',
+                ],
+            },
+            remediation: {
+                before: `containers:\n  - name: app\n    image: myapp:1.0`,
+                after: `containers:\n  - name: app\n    image: myapp:1.0\n    livenessProbe:\n      httpGet:\n        path: /healthz\n        port: 8080\n      initialDelaySeconds: 30\n      periodSeconds: 10\n      timeoutSeconds: 5\n      failureThreshold: 3`,
+                explanation: 'Configure liveness probe to check if the application is running. Kubernetes will restart the container if probe fails.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Check #25: Missing Readiness Probes (Medium - CVSS 5.0)
+ * Detects containers without readiness probes
+ */
+function checkMissingReadinessProbe(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec)
+        return null;
+    const containers = podSpec.containers || [];
+    const missingProbes = [];
+    for (const container of containers) {
+        if (!container.readinessProbe) {
+            missingProbes.push(container.name);
+        }
+    }
+    if (missingProbes.length > 0) {
+        return {
+            severity: 'medium',
+            message: `Containers without readiness probes in ${(0, parser_1.getResourceIdentifier)(resource)}: ${missingProbes.join(', ')}`,
+            suggestion: 'Add readinessProbe to prevent routing traffic to containers that are not ready to serve requests.',
+            category: 'kubernetes-missing-readiness-probe',
+            cvssScore: 5.0,
+            exploitLikelihood: 'medium',
+            impact: 'availability',
+            owasp: 'A04:2021',
+            cwe: 'CWE-400',
+            attackVector: {
+                description: 'Without readiness probes, Kubernetes routes traffic to containers still initializing, causing request failures.',
+                exploitExample: 'New pod starts → No readiness probe → Receives traffic immediately → Application not ready → 500 errors to users',
+                realWorldImpact: [
+                    'Traffic routed to unready pods',
+                    'Failed requests during startup',
+                    'Poor user experience during deployments',
+                    'Connection errors and timeouts',
+                ],
+            },
+            remediation: {
+                before: `containers:\n  - name: app\n    image: myapp:1.0`,
+                after: `containers:\n  - name: app\n    image: myapp:1.0\n    readinessProbe:\n      httpGet:\n        path: /ready\n        port: 8080\n      initialDelaySeconds: 10\n      periodSeconds: 5\n      timeoutSeconds: 3\n      successThreshold: 1\n      failureThreshold: 3`,
+                explanation: 'Configure readiness probe to check if the application is ready to receive traffic. Pod will not receive traffic until probe succeeds.',
+            },
+        };
+    }
+    return null;
+}
+/**
+ * Run all service security checks on a resource
+ */
+function runServiceSecurityChecks(resource) {
+    const vulnerabilities = [];
+    const checks = [checkMissingLivenessProbe, checkMissingReadinessProbe];
+    for (const check of checks) {
+        const vuln = check(resource);
+        if (vuln) {
+            vulnerabilities.push(vuln);
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=service-security.js.map

package/dist/src/lib/analyzers/kubernetes/checks/service-security.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"service-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/kubernetes/checks/service-security.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAUH,8DA6CC;AAMD,gEA6CC;AAKD,4DAaC;AAxHD,sCAA8D;AAE9D;;;GAGG;AACH,SAAgB,yBAAyB,CACvC,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;YAC7B,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,yCAAyC,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAChH,UAAU,EAAE,6EAA6E;YACzF,QAAQ,EAAE,mCAAmC;YAC7C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,cAAc;YACtB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,gGAAgG;gBAC7G,cAAc,EAAE,sHAAsH;gBACtI,eAAe,EAAE;oBACf,iCAAiC;oBACjC,sCAAsC;oBACtC,0BAA0B;oBAC1B,2CAA2C;iBAC5C;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,kDAAkD;gBAC1D,KAAK,EAAE,8OAA8O;gBACrP,WAAW,EAAE,wHAAwH;aACtI;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;YAC9B,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,0CAA0C,IAAA,8BAAqB,EAAC,QAAQ,CAAC,KAAK,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjH,UAAU,EAAE,mGAAmG;YAC/G,QAAQ,EAAE,oCAAoC;YAC9C,SAAS,EAAE,GAAG;YACd,iBAAiB,EAAE,QAAQ;YAC3B,MAAM,EAAE,cAAc;YACtB,KAAK,EAAE,UAAU;YACjB,GAAG,EAAE,SAAS;YACd,YAAY,EAAE;gBACZ,WAAW,EAAE,iHAAiH;gBAC9H,cAAc,EAAE,kHAAkH;gBAClI,eAAe,EAAE;oBACf,gCAAgC;oBAChC,gCAAgC;oBAChC,yCAAyC;oBACzC,gCAAgC;iBACjC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,kDAAkD;gBAC1D,KAAK,EAAE,uQAAuQ;gBAC9Q,WAAW,EAAE,uIAAuI;aACrJ;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CAAC,QAA4B;IACnE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,MAAM,MAAM,GAAG,CAAC,yBAAyB,EAAE,0BAA0B,CAAC,CAAC;IAEvE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/parser.d.ts ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * Kubernetes YAML Parser
+ *
+ * WR3 Week 6: Kubernetes YAML Security Scanner
+ * Parses Kubernetes YAML manifests (single and multi-document)
+ *
+ * Created: February 5, 2026
+ */
+import { KubernetesResource } from './types';
+/**
+ * Parse Kubernetes YAML content (supports multi-document YAML with ---)
+ *
+ * @param yamlContent - YAML string to parse
+ * @returns Array of Kubernetes resources
+ */
+export declare function parseKubernetes(yamlContent: string): KubernetesResource[];
+/**
+ * Check if an object is a valid Kubernetes resource
+ *
+ * @param obj - Object to check
+ * @returns True if object has apiVersion and kind
+ */
+export declare function isKubernetesResource(obj: any): boolean;
+/**
+ * Check if YAML content contains Kubernetes resources
+ *
+ * @param yamlContent - YAML string to check
+ * @returns True if content contains K8s resources
+ */
+export declare function isKubernetesYAML(yamlContent: string): boolean;
+/**
+ * Extract all containers from a Kubernetes resource
+ * Handles Pod, Deployment, StatefulSet, DaemonSet, Job, CronJob
+ *
+ * @param resource - Kubernetes resource
+ * @returns Array of containers (including initContainers)
+ */
+export declare function extractContainers(resource: KubernetesResource): Array<{
+    container: any;
+    isInitContainer: boolean;
+}>;
+/**
+ * Get pod spec from various Kubernetes workload resources
+ *
+ * @param resource - Kubernetes resource
+ * @returns Pod spec or null
+ */
+export declare function getPodSpec(resource: KubernetesResource): any | null;
+/**
+ * Get resource identifier for error messages
+ *
+ * @param resource - Kubernetes resource
+ * @returns Formatted identifier (e.g., "Deployment/default/nginx")
+ */
+export declare function getResourceIdentifier(resource: KubernetesResource): string;
+/**
+ * Check if resource is in a production-like namespace
+ *
+ * @param resource - Kubernetes resource
+ * @returns True if in prod/production/live namespace
+ */
+export declare function isProductionResource(resource: KubernetesResource): boolean;
+/**
+ * Get all environment variables from a container (including valueFrom)
+ *
+ * @param container - Container spec
+ * @returns Array of environment variable names and values
+ */
+export declare function getContainerEnvVars(container: any): Array<{
+    name: string;
+    value?: string;
+    source?: string;
+}>;
+//# sourceMappingURL=parser.d.ts.map

package/dist/src/lib/analyzers/kubernetes/parser.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/kubernetes/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE7C;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,kBAAkB,EAAE,CAwCzE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAWtD;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAW7D;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,KAAK,CAAC;IACrE,SAAS,EAAE,GAAG,CAAC;IACf,eAAe,EAAE,OAAO,CAAC;CAC1B,CAAC,CAmCD;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,kBAAkB,GAAG,GAAG,GAAG,IAAI,CAkBnE;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,MAAM,CAG1E;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,OAAO,CAK1E;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,GAAG,GAAG,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAe5G"}