codeslick-cli 1.4.0 → 1.4.2

package/dist/src/lib/analyzers/kubernetes/parser.js

@@ -0,0 +1,233 @@
+"use strict";
+/**
+ * Kubernetes YAML Parser
+ *
+ * WR3 Week 6: Kubernetes YAML Security Scanner
+ * Parses Kubernetes YAML manifests (single and multi-document)
+ *
+ * Created: February 5, 2026
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseKubernetes = parseKubernetes;
+exports.isKubernetesResource = isKubernetesResource;
+exports.isKubernetesYAML = isKubernetesYAML;
+exports.extractContainers = extractContainers;
+exports.getPodSpec = getPodSpec;
+exports.getResourceIdentifier = getResourceIdentifier;
+exports.isProductionResource = isProductionResource;
+exports.getContainerEnvVars = getContainerEnvVars;
+const yaml = __importStar(require("js-yaml"));
+/**
+ * Parse Kubernetes YAML content (supports multi-document YAML with ---)
+ *
+ * @param yamlContent - YAML string to parse
+ * @returns Array of Kubernetes resources
+ */
+function parseKubernetes(yamlContent) {
+    const resources = [];
+    try {
+        // Split by document separator (---)
+        const documents = yamlContent.split(/^---$/m);
+        for (const doc of documents) {
+            const trimmed = doc.trim();
+            if (!trimmed) {
+                continue; // Skip empty documents
+            }
+            try {
+                const parsed = yaml.load(trimmed);
+                if (parsed && isKubernetesResource(parsed)) {
+                    resources.push(parsed);
+                }
+                else {
+                    // Log why resource was rejected for debugging
+                    console.log('[K8s Parser] Resource rejected:', {
+                        parsed: !!parsed,
+                        hasApiVersion: parsed && 'apiVersion' in parsed,
+                        hasKind: parsed && 'kind' in parsed,
+                        hasMetadata: parsed && 'metadata' in parsed,
+                        hasName: parsed && parsed.metadata && 'name' in parsed.metadata,
+                        kind: parsed?.kind,
+                        name: parsed?.metadata?.name
+                    });
+                }
+            }
+            catch (err) {
+                // Skip invalid YAML documents, continue with others
+                console.error('[K8s Parser] Failed to parse YAML document:', err);
+            }
+        }
+    }
+    catch (error) {
+        throw new Error(`YAML parsing error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+    return resources;
+}
+/**
+ * Check if an object is a valid Kubernetes resource
+ *
+ * @param obj - Object to check
+ * @returns True if object has apiVersion and kind
+ */
+function isKubernetesResource(obj) {
+    return (obj &&
+        typeof obj === 'object' &&
+        'apiVersion' in obj &&
+        'kind' in obj &&
+        'metadata' in obj &&
+        obj.metadata &&
+        typeof obj.metadata === 'object' &&
+        'name' in obj.metadata);
+}
+/**
+ * Check if YAML content contains Kubernetes resources
+ *
+ * @param yamlContent - YAML string to check
+ * @returns True if content contains K8s resources
+ */
+function isKubernetesYAML(yamlContent) {
+    try {
+        // Quick check for common K8s indicators
+        return (yamlContent.includes('apiVersion:') &&
+            yamlContent.includes('kind:') &&
+            yamlContent.includes('metadata:'));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Extract all containers from a Kubernetes resource
+ * Handles Pod, Deployment, StatefulSet, DaemonSet, Job, CronJob
+ *
+ * @param resource - Kubernetes resource
+ * @returns Array of containers (including initContainers)
+ */
+function extractContainers(resource) {
+    const containers = [];
+    let podSpec = null;
+    // Extract pod spec based on resource kind
+    if (resource.kind === 'Pod') {
+        podSpec = resource.spec;
+    }
+    else if (['Deployment', 'StatefulSet', 'DaemonSet', 'ReplicaSet'].includes(resource.kind)) {
+        podSpec = resource.spec?.template?.spec;
+    }
+    else if (resource.kind === 'Job') {
+        podSpec = resource.spec?.template?.spec;
+    }
+    else if (resource.kind === 'CronJob') {
+        podSpec = resource.spec?.jobTemplate?.spec?.template?.spec;
+    }
+    if (!podSpec) {
+        return containers;
+    }
+    // Add regular containers
+    if (Array.isArray(podSpec.containers)) {
+        for (const container of podSpec.containers) {
+            containers.push({ container, isInitContainer: false });
+        }
+    }
+    // Add init containers
+    if (Array.isArray(podSpec.initContainers)) {
+        for (const container of podSpec.initContainers) {
+            containers.push({ container, isInitContainer: true });
+        }
+    }
+    return containers;
+}
+/**
+ * Get pod spec from various Kubernetes workload resources
+ *
+ * @param resource - Kubernetes resource
+ * @returns Pod spec or null
+ */
+function getPodSpec(resource) {
+    if (resource.kind === 'Pod') {
+        return resource.spec;
+    }
+    if (['Deployment', 'StatefulSet', 'DaemonSet', 'ReplicaSet'].includes(resource.kind)) {
+        return resource.spec?.template?.spec;
+    }
+    if (resource.kind === 'Job') {
+        return resource.spec?.template?.spec;
+    }
+    if (resource.kind === 'CronJob') {
+        return resource.spec?.jobTemplate?.spec?.template?.spec;
+    }
+    return null;
+}
+/**
+ * Get resource identifier for error messages
+ *
+ * @param resource - Kubernetes resource
+ * @returns Formatted identifier (e.g., "Deployment/default/nginx")
+ */
+function getResourceIdentifier(resource) {
+    const namespace = resource.metadata.namespace || 'default';
+    return `${resource.kind}/${namespace}/${resource.metadata.name}`;
+}
+/**
+ * Check if resource is in a production-like namespace
+ *
+ * @param resource - Kubernetes resource
+ * @returns True if in prod/production/live namespace
+ */
+function isProductionResource(resource) {
+    const namespace = (resource.metadata.namespace || '').toLowerCase();
+    const prodIndicators = ['prod', 'production', 'live', 'prd'];
+    return prodIndicators.some(indicator => namespace.includes(indicator));
+}
+/**
+ * Get all environment variables from a container (including valueFrom)
+ *
+ * @param container - Container spec
+ * @returns Array of environment variable names and values
+ */
+function getContainerEnvVars(container) {
+    const envVars = [];
+    // Direct env vars
+    if (Array.isArray(container.env)) {
+        for (const env of container.env) {
+            envVars.push({
+                name: env.name,
+                value: env.value,
+                source: env.valueFrom ? 'valueFrom' : 'direct',
+            });
+        }
+    }
+    return envVars;
+}
+//# sourceMappingURL=parser.js.map

package/dist/src/lib/analyzers/kubernetes/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/kubernetes/parser.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAWH,0CAwCC;AAQD,oDAWC;AAQD,4CAWC;AASD,8CAsCC;AAQD,gCAkBC;AAQD,sDAGC;AAQD,oDAKC;AAQD,kDAeC;AA/MD,8CAAgC;AAGhC;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,WAAmB;IACjD,MAAM,SAAS,GAAyB,EAAE,CAAC;IAE3C,IAAI,CAAC;QACH,oCAAoC;QACpC,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAE9C,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,SAAS,CAAC,uBAAuB;YACnC,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAQ,CAAC;gBAEzC,IAAI,MAAM,IAAI,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC3C,SAAS,CAAC,IAAI,CAAC,MAA4B,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,8CAA8C;oBAC9C,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE;wBAC7C,MAAM,EAAE,CAAC,CAAC,MAAM;wBAChB,aAAa,EAAE,MAAM,IAAI,YAAY,IAAI,MAAM;wBAC/C,OAAO,EAAE,MAAM,IAAI,MAAM,IAAI,MAAM;wBACnC,WAAW,EAAE,MAAM,IAAI,UAAU,IAAI,MAAM;wBAC3C,OAAO,EAAE,MAAM,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ;wBAC/D,IAAI,EAAE,MAAM,EAAE,IAAI;wBAClB,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI;qBAC7B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,oDAAoD;gBACpD,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;IACrG,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,GAAQ;IAC3C,OAAO,CACL,GAAG;QACH,OAAO,GAAG,KAAK,QAAQ;QACvB,YAAY,IAAI,GAAG;QACnB,MAAM,IAAI,GAAG;QACb,UAAU,IAAI,GAAG;QACjB,GAAG,CAAC,QAAQ;QACZ,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAChC,MAAM,IAAI,GAAG,CAAC,QAAQ,CACvB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,wCAAwC;QACxC,OAAO,CACL,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC;YACnC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC7B,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAClC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAAC,QAA4B;IAI5D,MAAM,UAAU,GAAwD,EAAE,CAAC;IAE3E,IAAI,OAAO,GAAQ,IAAI,CAAC;IAExB,0CAA0C;IAC1C,IAAI,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5B,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC1B,CAAC;SAAM,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5F,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC;IAC1C,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACnC,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC;IAC1C,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACvC,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC;IAC7D,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,yBAAyB;IACzB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YAC3C,UAAU,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1C,KAAK,MAAM,SAAS,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC/C,UAAU,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,QAA4B;IACrD,IAAI,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrF,OAAO,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC;IACvC,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC;IACvC,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC;IAC1D,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,IAAI,SAAS,CAAC;IAC3D,OAAO,GAAG,QAAQ,CAAC,IAAI,IAAI,SAAS,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;AACnE,CAAC;AAED;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,QAA4B;IAC/D,MAAM,SAAS,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACpE,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAE7D,OAAO,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;AACzE,CAAC;AAED;;;;;GAKG;AACH,SAAgB,mBAAmB,CAAC,SAAc;IAChD,MAAM,OAAO,GAA6D,EAAE,CAAC;IAE7E,kBAAkB;IAClB,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,GAAG,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ;aAC/C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/src/lib/analyzers/kubernetes/pii-detector.d.ts

@@ -0,0 +1,34 @@
+/**
+ * PII Detection for Kubernetes Resources
+ *
+ * Reuses the 12 PII patterns from Terraform/IaC scanning and applies them to:
+ * - ConfigMap data fields
+ * - Secret data fields (stringData and decoded data)
+ * - Environment variables (env and envFrom)
+ * - Annotations and labels
+ *
+ * Created: February 5, 2026
+ */
+import { SecurityVulnerability } from '../types';
+import type { KubernetesResource } from './types';
+/**
+ * Check ConfigMap resources for PII in data fields
+ */
+export declare function checkConfigMapPII(resource: KubernetesResource): SecurityVulnerability[];
+/**
+ * Check Secret resources for PII in stringData fields
+ */
+export declare function checkSecretPII(resource: KubernetesResource): SecurityVulnerability[];
+/**
+ * Check pod environment variables for PII
+ */
+export declare function checkEnvironmentVariablesPII(resource: KubernetesResource): SecurityVulnerability[];
+/**
+ * Check annotations and labels for PII
+ */
+export declare function checkMetadataPII(resource: KubernetesResource): SecurityVulnerability[];
+/**
+ * Run all PII detection checks on a Kubernetes resource
+ */
+export declare function runKubernetesPIIChecks(resource: KubernetesResource): SecurityVulnerability[];
+//# sourceMappingURL=pii-detector.d.ts.map

package/dist/src/lib/analyzers/kubernetes/pii-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/kubernetes/pii-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAyElD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAmBvF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAuBpF;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,kBAAkB,GAC3B,qBAAqB,EAAE,CA2BzB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CA4BtF;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAoB5F"}

package/dist/src/lib/analyzers/kubernetes/pii-detector.js

@@ -0,0 +1,182 @@
+"use strict";
+/**
+ * PII Detection for Kubernetes Resources
+ *
+ * Reuses the 12 PII patterns from Terraform/IaC scanning and applies them to:
+ * - ConfigMap data fields
+ * - Secret data fields (stringData and decoded data)
+ * - Environment variables (env and envFrom)
+ * - Annotations and labels
+ *
+ * Created: February 5, 2026
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkConfigMapPII = checkConfigMapPII;
+exports.checkSecretPII = checkSecretPII;
+exports.checkEnvironmentVariablesPII = checkEnvironmentVariablesPII;
+exports.checkMetadataPII = checkMetadataPII;
+exports.runKubernetesPIIChecks = runKubernetesPIIChecks;
+const parser_1 = require("./parser");
+const pii_patterns_1 = require("../iac/pii-patterns");
+/**
+ * Scan text content for PII patterns
+ * Reuses the same logic as Terraform PII detection
+ */
+function scanTextForPII(text, context) {
+    const vulnerabilities = [];
+    // Check each PII pattern
+    for (const [type, pattern] of Object.entries(pii_patterns_1.PII_PATTERNS)) {
+        const matches = text.matchAll(pattern.regex);
+        for (const match of matches) {
+            const matchedText = match[0];
+            // Check if match should be excluded
+            if ((0, pii_patterns_1.shouldExcludeMatch)(matchedText, pattern)) {
+                continue;
+            }
+            // Validate if pattern has custom validation function
+            if (pattern.validate && !pattern.validate(matchedText)) {
+                continue;
+            }
+            vulnerabilities.push((0, pii_patterns_1.createPIIVulnerability)(type, pattern, matchedText, context));
+        }
+    }
+    return vulnerabilities;
+}
+/**
+ * Scan nested objects recursively for PII
+ */
+function scanNestedObject(obj, context) {
+    const vulnerabilities = [];
+    if (typeof obj === 'string') {
+        return scanTextForPII(obj, context);
+    }
+    if (typeof obj === 'object' && obj !== null) {
+        for (const [key, value] of Object.entries(obj)) {
+            const nestedContext = {
+                ...context,
+                attributePath: `${context.attributePath}.${key}`,
+            };
+            if (typeof value === 'string') {
+                vulnerabilities.push(...scanTextForPII(value, nestedContext));
+            }
+            else if (typeof value === 'object') {
+                vulnerabilities.push(...scanNestedObject(value, nestedContext));
+            }
+        }
+    }
+    return vulnerabilities;
+}
+/**
+ * Check ConfigMap resources for PII in data fields
+ */
+function checkConfigMapPII(resource) {
+    if (resource.kind !== 'ConfigMap') {
+        return [];
+    }
+    const vulnerabilities = [];
+    const data = resource.data || {};
+    for (const [key, value] of Object.entries(data)) {
+        const context = {
+            resourceName: (0, parser_1.getResourceIdentifier)(resource),
+            attributePath: `data.${key}`,
+            line: resource.line,
+        };
+        vulnerabilities.push(...scanTextForPII(value, context));
+    }
+    return vulnerabilities;
+}
+/**
+ * Check Secret resources for PII in stringData fields
+ */
+function checkSecretPII(resource) {
+    if (resource.kind !== 'Secret') {
+        return [];
+    }
+    const vulnerabilities = [];
+    // Check stringData (plain text secrets)
+    const stringData = resource.stringData || {};
+    for (const [key, value] of Object.entries(stringData)) {
+        const context = {
+            resourceName: (0, parser_1.getResourceIdentifier)(resource),
+            attributePath: `stringData.${key}`,
+            line: resource.line,
+        };
+        vulnerabilities.push(...scanTextForPII(value, context));
+    }
+    // Note: We don't scan base64-encoded 'data' fields to avoid false positives
+    // The secrets-management checks already flag hardcoded secrets
+    return vulnerabilities;
+}
+/**
+ * Check pod environment variables for PII
+ */
+function checkEnvironmentVariablesPII(resource) {
+    const podSpec = (0, parser_1.getPodSpec)(resource);
+    if (!podSpec) {
+        return [];
+    }
+    const vulnerabilities = [];
+    const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
+    for (const container of containers) {
+        const env = container.env || [];
+        for (const envVar of env) {
+            // Only check direct values (not secretKeyRef, configMapKeyRef, etc.)
+            if (envVar.value) {
+                const context = {
+                    resourceName: (0, parser_1.getResourceIdentifier)(resource),
+                    attributePath: `env.${envVar.name}`,
+                    line: resource.line,
+                };
+                vulnerabilities.push(...scanTextForPII(envVar.value, context));
+            }
+        }
+    }
+    return vulnerabilities;
+}
+/**
+ * Check annotations and labels for PII
+ */
+function checkMetadataPII(resource) {
+    const vulnerabilities = [];
+    // Check annotations
+    const annotations = resource.metadata.annotations || {};
+    for (const [key, value] of Object.entries(annotations)) {
+        const context = {
+            resourceName: (0, parser_1.getResourceIdentifier)(resource),
+            attributePath: `annotations.${key}`,
+            line: resource.line,
+        };
+        vulnerabilities.push(...scanTextForPII(value, context));
+    }
+    // Check labels
+    const labels = resource.metadata.labels || {};
+    for (const [key, value] of Object.entries(labels)) {
+        const context = {
+            resourceName: (0, parser_1.getResourceIdentifier)(resource),
+            attributePath: `labels.${key}`,
+            line: resource.line,
+        };
+        vulnerabilities.push(...scanTextForPII(value, context));
+    }
+    return vulnerabilities;
+}
+/**
+ * Run all PII detection checks on a Kubernetes resource
+ */
+function runKubernetesPIIChecks(resource) {
+    const vulnerabilities = [];
+    // Check all resource types for metadata PII
+    vulnerabilities.push(...checkMetadataPII(resource));
+    // Check ConfigMaps
+    if (resource.kind === 'ConfigMap') {
+        vulnerabilities.push(...checkConfigMapPII(resource));
+    }
+    // Check Secrets
+    if (resource.kind === 'Secret') {
+        vulnerabilities.push(...checkSecretPII(resource));
+    }
+    // Check pod environment variables (all pod-based resources)
+    vulnerabilities.push(...checkEnvironmentVariablesPII(resource));
+    return vulnerabilities;
+}
+//# sourceMappingURL=pii-detector.js.map

package/dist/src/lib/analyzers/kubernetes/pii-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/kubernetes/pii-detector.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AA+EH,8CAmBC;AAKD,wCAuBC;AAKD,oEA6BC;AAKD,4CA4BC;AAKD,wDAoBC;AAtND,qCAA6D;AAC7D,sDAI6B;AAE7B;;;GAGG;AACH,SAAS,cAAc,CACrB,IAAY,EACZ,OAAuE;IAEvE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,yBAAyB;IACzB,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,2BAAY,CAAC,EAAE,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAE7C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAE7B,oCAAoC;YACpC,IAAI,IAAA,iCAAkB,EAAC,WAAW,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC7C,SAAS;YACX,CAAC;YAED,qDAAqD;YACrD,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvD,SAAS;YACX,CAAC;YAED,eAAe,CAAC,IAAI,CAAC,IAAA,qCAAsB,EAAC,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,GAAQ,EACR,OAAuE;IAEvE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,aAAa,GAAG;gBACpB,GAAG,OAAO;gBACV,aAAa,EAAE,GAAG,OAAO,CAAC,aAAa,IAAI,GAAG,EAAE;aACjD,CAAC;YAEF,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;YAChE,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACrC,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,QAA4B;IAC5D,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC;IAEjC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,OAAO,GAAG;YACd,YAAY,EAAE,IAAA,8BAAqB,EAAC,QAAQ,CAAC;YAC7C,aAAa,EAAE,QAAQ,GAAG,EAAE;YAC5B,IAAI,EAAE,QAAQ,CAAC,IAAI;SACpB,CAAC;QAEF,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,QAA4B;IACzD,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,wCAAwC;IACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC;IAC7C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG;YACd,YAAY,EAAE,IAAA,8BAAqB,EAAC,QAAQ,CAAC;YAC7C,aAAa,EAAE,cAAc,GAAG,EAAE;YAClC,IAAI,EAAE,QAAQ,CAAC,IAAI;SACpB,CAAC;QAEF,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,4EAA4E;IAC5E,+DAA+D;IAE/D,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAgB,4BAA4B,CAC1C,QAA4B;IAE5B,MAAM,OAAO,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC;IAEtF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,IAAI,EAAE,CAAC;QAEhC,KAAK,MAAM,MAAM,IAAI,GAAG,EAAE,CAAC;YACzB,qEAAqE;YACrE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,OAAO,GAAG;oBACd,YAAY,EAAE,IAAA,8BAAqB,EAAC,QAAQ,CAAC;oBAC7C,aAAa,EAAE,OAAO,MAAM,CAAC,IAAI,EAAE;oBACnC,IAAI,EAAE,QAAQ,CAAC,IAAI;iBACpB,CAAC;gBAEF,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,QAA4B;IAC3D,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,oBAAoB;IACpB,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC;IACxD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,MAAM,OAAO,GAAG;YACd,YAAY,EAAE,IAAA,8BAAqB,EAAC,QAAQ,CAAC;YAC7C,aAAa,EAAE,eAAe,GAAG,EAAE;YACnC,IAAI,EAAE,QAAQ,CAAC,IAAI;SACpB,CAAC;QAEF,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,eAAe;IACf,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,MAAM,OAAO,GAAG;YACd,YAAY,EAAE,IAAA,8BAAqB,EAAC,QAAQ,CAAC;YAC7C,aAAa,EAAE,UAAU,GAAG,EAAE;YAC9B,IAAI,EAAE,QAAQ,CAAC,IAAI;SACpB,CAAC;QAEF,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,QAA4B;IACjE,MAAM,eAAe,GAA4B,EAAE,CAAC;IAEpD,4CAA4C;IAC5C,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEpD,mBAAmB;IACnB,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAClC,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,gBAAgB;IAChB,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/B,eAAe,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,4DAA4D;IAC5D,eAAe,CAAC,IAAI,CAAC,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEhE,OAAO,eAAe,CAAC;AACzB,CAAC"}