security-mcp 1.0.5 → 1.1.1

package/dist/gate/checks/dlp.js

@@ -0,0 +1,153 @@
+import { searchRepo } from "../../repo/search.js";
+export async function checkDlp(_opts) {
+    const findings = [];
+    try {
+        // 1. SSN in logs
+        const ssnHits = await searchRepo({
+            query: String.raw `(?:console\.log|logger\.\w+|log\.\w+)\s*\([^)]*\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (ssnHits.length > 0) {
+            findings.push({
+                id: "DLP_SSN_IN_LOGS",
+                title: "Social Security Number pattern detected in log statement",
+                severity: "CRITICAL",
+                evidence: ssnHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(ssnHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Remove SSN values from log statements immediately.",
+                    "HIPAA requires protection of SSNs as Protected Health Information (PHI).",
+                    "Use tokenization or masking before logging any government ID."
+                ]
+            });
+        }
+        // 2. Credit card in logs (PAN)
+        const panHits = await searchRepo({
+            query: String.raw `(?:console\.log|logger\.\w+)\s*\([^)]*\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})\b`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (panHits.length > 0) {
+            findings.push({
+                id: "DLP_PAN_IN_LOGS",
+                title: "Credit card PAN pattern detected in log statement — PCI DSS violation",
+                severity: "CRITICAL",
+                evidence: panHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(panHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Remove all PAN values from log statements immediately.",
+                    "PCI DSS Requirement 3: Never log full card numbers.",
+                    "Use masked PANs (show only last 4 digits) if logging is required."
+                ]
+            });
+        }
+        // 3. Full request body logged
+        const reqBodyLogHits = await searchRepo({
+            query: String.raw `(?:console\.log|logger\.\w+)\s*\(\s*(?:req\.body|request\.body|ctx\.body|\{\.\.\.req)`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (reqBodyLogHits.length > 0) {
+            findings.push({
+                id: "DLP_REQUEST_BODY_LOGGED",
+                title: "Full request body logged — may expose PII/credentials",
+                severity: "HIGH",
+                evidence: reqBodyLogHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(reqBodyLogHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Never log full request bodies — use field allowlists to log only non-sensitive fields.",
+                    "GDPR Article 5: data minimization applies to logs. HIPAA prohibits logging PHI."
+                ]
+            });
+        }
+        // 4. User object logged
+        const userLogHits = await searchRepo({
+            query: String.raw `(?:console\.log|logger\.\w+)\s*\(\s*(?:user|currentUser|req\.user|session\.user)\s*[,)]`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (userLogHits.length > 0) {
+            findings.push({
+                id: "DLP_USER_OBJECT_LOGGED",
+                title: "User object logged — may expose PII, hashed passwords, or tokens",
+                severity: "HIGH",
+                evidence: userLogHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(userLogHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Log only specific non-sensitive user fields (e.g. userId, role).",
+                    "Never log the full user object — it likely contains PII and auth data (GDPR, HIPAA)."
+                ]
+            });
+        }
+        // 5. Email in logs
+        const emailLogHits = await searchRepo({
+            query: String.raw `(?:console\.log|logger\.\w+)\s*\([^)]*[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (emailLogHits.length > 0) {
+            findings.push({
+                id: "DLP_EMAIL_IN_LOGS",
+                title: "Email address detected in log statement",
+                severity: "MEDIUM",
+                evidence: emailLogHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(emailLogHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Mask or hash email addresses before logging (GDPR Article 5 — data minimization).",
+                    "Use a user ID or anonymized identifier in logs instead of the email."
+                ]
+            });
+        }
+        // 6. Stack traces in API responses
+        const stackTraceHits = await searchRepo({
+            query: String.raw `(?:res\.json|res\.send|response\.json)\s*\(\s*\{[^}]*(?:stack|stackTrace|error\.stack)`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (stackTraceHits.length > 0) {
+            findings.push({
+                id: "DLP_STACK_TRACE_IN_RESPONSE",
+                title: "Stack trace exposed in API response — CWE-209 information leakage",
+                severity: "HIGH",
+                evidence: stackTraceHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(stackTraceHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Never expose stack traces in API responses (CWE-209).",
+                    "Log errors internally with a correlation ID; return only a safe error message to clients."
+                ]
+            });
+        }
+        // 7. Server version disclosure
+        const poweredByHits = await searchRepo({
+            query: String.raw `X-Powered-By|Server:\s*(?:Express|nginx|Apache)|app\.set\s*\(\s*['"]x-powered-by['"]`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (poweredByHits.length > 0) {
+            // Check if x-powered-by is disabled nearby
+            const disableHits = await searchRepo({
+                query: String.raw `app\.disable\s*\(\s*['"]x-powered-by['"]`,
+                isRegex: true,
+                maxMatches: 200
+            });
+            if (disableHits.length === 0) {
+                findings.push({
+                    id: "DLP_SERVER_HEADER_DISCLOSURE",
+                    title: "Server technology disclosed via X-Powered-By or Server response header",
+                    severity: "MEDIUM",
+                    evidence: poweredByHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                    files: [...new Set(poweredByHits.slice(0, 10).map((m) => m.file))],
+                    requiredActions: [
+                        "Call app.disable('x-powered-by') in Express.",
+                        "Remove or obscure Server headers — version disclosure aids attacker reconnaissance."
+                    ]
+                });
+            }
+        }
+    }
+    catch (err) {
+        console.warn("[checkDlp] Internal error:", err instanceof Error ? err.message : String(err));
+    }
+    return findings;
+}

package/dist/gate/checks/graphql.js

@@ -0,0 +1,122 @@
+import { searchRepo } from "../../repo/search.js";
+import fg from "fast-glob";
+import { readFileSafe } from "../../repo/fs.js";
+export async function checkGraphQL(_opts) {
+    const findings = [];
+    try {
+        // 1. Detect if GraphQL is in use
+        const graphqlHits = await searchRepo({
+            query: "graphql|typeDefs|makeExecutableSchema|gql`|@graphql|graphene|strawberry",
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (graphqlHits.length === 0) {
+            return [];
+        }
+        // 2. Introspection enabled in prod
+        const introspectionHits = await searchRepo({
+            query: String.raw `introspection.*true|disableIntrospection.*false|GraphQLSchema.*introspection`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (introspectionHits.length > 0) {
+            findings.push({
+                id: "GRAPHQL_INTROSPECTION_ENABLED",
+                title: "GraphQL introspection is enabled — exposes full schema to attackers",
+                severity: "HIGH",
+                evidence: introspectionHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(introspectionHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Disable introspection in non-dev environments.",
+                    "Use persisted queries instead of ad-hoc introspection in production."
+                ]
+            });
+        }
+        // 3. No query depth/complexity limiting
+        const depthLimitHits = await searchRepo({
+            query: String.raw `depthLimit|complexityLimit|queryComplexity|createComplexityRule|maxDepth`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (depthLimitHits.length === 0) {
+            findings.push({
+                id: "GRAPHQL_NO_DEPTH_LIMIT",
+                title: "No GraphQL query depth or complexity limiting detected",
+                severity: "HIGH",
+                requiredActions: [
+                    "Add graphql-depth-limit or graphql-query-complexity library.",
+                    "Set max depth ≤ 10 to prevent deeply nested query DoS attacks."
+                ]
+            });
+        }
+        // 4. No query batching limits
+        const batchingHits = await searchRepo({
+            query: String.raw `queryBatching|batchRequests|allowBatchedQueries`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (batchingHits.length === 0) {
+            findings.push({
+                id: "GRAPHQL_NO_BATCH_LIMIT",
+                title: "No GraphQL query batching limits detected",
+                severity: "MEDIUM",
+                requiredActions: [
+                    "Configure batching limits to prevent batch-based DoS attacks.",
+                    "Limit the number of operations per batch request."
+                ]
+            });
+        }
+        // 5. Schema files found but no auth directives
+        const schemaFiles = await fg(["**/*.graphql", "**/*.gql"], {
+            ignore: ["**/node_modules/**", "**/.git/**", "**/dist/**"]
+        });
+        if (schemaFiles.length > 0) {
+            let hasAuthDirectives = false;
+            for (const file of schemaFiles) {
+                try {
+                    const content = await readFileSafe(file);
+                    if (/@auth|@authenticated|@hasRole|@requiresAuth|directive.*auth/i.test(content)) {
+                        hasAuthDirectives = true;
+                        break;
+                    }
+                }
+                catch {
+                    // skip unreadable files
+                }
+            }
+            if (!hasAuthDirectives) {
+                findings.push({
+                    id: "GRAPHQL_NO_FIELD_AUTH",
+                    title: "GraphQL schema files found but no auth directives detected",
+                    severity: "HIGH",
+                    files: schemaFiles.slice(0, 10),
+                    requiredActions: [
+                        "Add @auth, @authenticated, or @hasRole directives to protect sensitive fields.",
+                        "Use a GraphQL auth plugin (e.g. graphql-shield) for field-level authorization."
+                    ]
+                });
+            }
+        }
+        // 6. N+1 query protection
+        const dataloaderHits = await searchRepo({
+            query: String.raw `DataLoader|dataloader|BatchLoader`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (dataloaderHits.length === 0) {
+            findings.push({
+                id: "GRAPHQL_NO_DATALOADER",
+                title: "No DataLoader detected — GraphQL resolvers may be vulnerable to N+1 query attacks",
+                severity: "MEDIUM",
+                requiredActions: [
+                    "Add DataLoader (or equivalent batch loader) to batch and cache resolver requests.",
+                    "Prevent N+1 database queries which can be exploited as a DoS vector."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkGraphQL] Internal error:", err instanceof Error ? err.message : String(err));
+    }
+    return findings;
+}

package/dist/gate/checks/infra.js

@@ -1,36 +1,150 @@
 import { searchRepo } from "../../repo/search.js";
+// Split into two patterns to stay under the 256-char ReDoS guard in searchRepo.
+// AWS + GCP secret managers
+const SECRET_MANAGER_PATTERN_A = [
+    "secretsmanager", // AWS Secrets Manager
+    "ssm:GetParameter|GetSecretValue", // AWS SSM Parameter Store
+    String.raw `secretmanager\.googleapis`, // GCP Secret Manager REST/gRPC
+    "google_secret_manager", // GCP Terraform resource
+    "SecretManagerServiceClient", // GCP Secret Manager client lib
+].join("|");
+// Azure + HashiCorp Vault + Doppler + 1Password
+const SECRET_MANAGER_PATTERN_B = [
+    "@azure/keyvault", // Azure Key Vault SDK (JS/TS)
+    String.raw `azure\.keyvault`, // Azure Key Vault (Python)
+    "KeyVaultSecret|SecretClient", // Azure Key Vault client classes
+    String.raw `vault\.read|vault\.write`, // HashiCorp Vault API calls
+    "hvault:|vault_generic_secret", // HashiCorp Vault Terraform
+    "doppler run|DOPPLER_TOKEN", // Doppler
+    "op run|op read|onepassword", // 1Password Secrets Automation
+].join("|");
+// IAM wildcard patterns — any cloud provider
+const IAM_WILDCARD_PATTERN = String.raw `"Action"\s*:\s*"\*"|` + // AWS IAM wildcard action
+    String.raw `"Resource"\s*:\s*"\*"|` + // AWS IAM wildcard resource
+    String.raw `roles/owner|roles/editor|` + // GCP over-privileged built-in roles
+    String.raw `allUsers|allAuthenticatedUsers|` + // GCP public IAM
+    String.raw `"role"\s*:\s*"roles/owner"|` + // GCP Terraform owner binding
+    String.raw `contributor|Owner\b.*roleDefinitionId`; // Azure Contributor/Owner
+// Public network exposure — Terraform, K8s, CloudFormation, ARM, CDK
+const PUBLIC_INGRESS_PATTERN = String.raw `0\.0\.0\.0/0|::/0|` +
+    String.raw `public\s*=\s*true|` +
+    String.raw `PubliclyAccessible\s*:\s*true|` + // AWS RDS
+    String.raw `allow_stopping_for_update.*true|` +
+    String.raw `internet-facing|` + // AWS ALB scheme
+    String.raw `"Scheme"\s*:\s*"internet-facing"|` +
+    String.raw `block_public_acls\s*=\s*false|` + // AWS S3 block public access disabled
+    String.raw `restrict_public_buckets\s*=\s*false`;
+// Logging / audit disabled
+const LOGGING_DISABLED_PATTERN = String.raw `enable_logging\s*=\s*false|` +
+    String.raw `log_config\s*\{\s*\}|` + // GCP empty log config
+    String.raw `"CloudWatchLogs"\s*:\s*\{\s*\}|` + // AWS empty CloudWatch config
+    String.raw `disable_api_termination\s*=\s*true|` +
+    String.raw `deletion_protection\s*=\s*false`;
+// Encryption disabled
+const ENCRYPTION_DISABLED_PATTERN = String.raw `encrypted\s*=\s*false|` + // AWS EBS, RDS
+    String.raw `enable_encryption\s*=\s*false|` +
+    String.raw `kms_key_id\s*=\s*""|` +
+    String.raw `storage_encrypted\s*=\s*false|` +
+    String.raw `"EnableEncryption"\s*:\s*false`;
 export async function checkInfra(_) {
     const findings = [];
-    const secretManagerRefs = await searchRepo({
-        query: "secretmanager|Secret Manager|google_secret_manager",
+    // 1. Secret manager usage — cloud-agnostic check (split across two searches
+    //    to stay under the 256-char ReDoS guard in searchRepo)
+    const [smRefsA, smRefsB] = await Promise.all([
+        searchRepo({ query: SECRET_MANAGER_PATTERN_A, isRegex: true, maxMatches: 5 }),
+        searchRepo({ query: SECRET_MANAGER_PATTERN_B, isRegex: true, maxMatches: 5 })
+    ]);
+    const secretManagerRefs = [...smRefsA, ...smRefsB];
+    if (secretManagerRefs.length === 0) {
+        findings.push({
+            id: "SECRET_MANAGER_NOT_DETECTED",
+            title: "No secret manager usage detected — secrets may be hardcoded or in env files",
+            severity: "HIGH",
+            requiredActions: [
+                "Integrate a cloud secret manager appropriate for your platform:",
+                "  • AWS: AWS Secrets Manager or SSM Parameter Store (SecureString)",
+                "  • GCP: Secret Manager with Workload Identity",
+                "  • Azure: Azure Key Vault with Managed Identity",
+                "  • Multi-cloud / self-hosted: HashiCorp Vault, Doppler, or 1Password Secrets Automation",
+                "Never store secrets in environment files committed to the repo, CI log output, or container images."
+            ]
+        });
+    }
+    // 2. IAM wildcards / over-privileged roles
+    const iamWildcards = await searchRepo({
+        query: IAM_WILDCARD_PATTERN,
         isRegex: true,
         maxMatches: 200
     });
-    if (secretManagerRefs.length === 0) {
+    if (iamWildcards.length > 0) {
         findings.push({
-            id: "SECRET_MANAGER_NOT_DETECTED",
-            title: "GCP Secret Manager usage not detected in infra/app config",
+            id: "IAM_OVERPRIVILEGED",
+            title: "Overprivileged IAM role or wildcard permission detected",
             severity: "HIGH",
+            evidence: iamWildcards.slice(0, 20).map((m) => `${m.file}:${m.line}: ${m.preview}`),
             requiredActions: [
-                "Store secrets only in GCP Secret Manager.",
-                "Configure workload identity / service accounts to access secrets, never plaintext env in repo."
+                "Apply least-privilege to every IAM role — enumerate only the specific actions and resources required.",
+                "Replace wildcard actions ('*') with explicit action lists.",
+                "Replace Owner/Contributor/Editor bindings with purpose-scoped custom roles.",
+                "Run IAM Access Analyzer (AWS) or Policy Analyzer (GCP) to detect unused permissions."
             ]
         });
     }
+    // 3. Public network exposure
     const publicIngress = await searchRepo({
-        query: String.raw `0\.0\.0\.0/0|::/0|public\s*=\s*true|allowAll|allUsers`,
+        query: PUBLIC_INGRESS_PATTERN,
         isRegex: true,
         maxMatches: 200
     });
     if (publicIngress.length > 0) {
         findings.push({
             id: "PUBLIC_EXPOSURE_RISK",
-            title: "Potential public exposure patterns detected in IaC/config",
+            title: "Public network exposure detected in IaC or cloud config",
             severity: "HIGH",
-            evidence: publicIngress.slice(0, 20).map((m) => `${m.file}:${m.line}:${m.preview}`),
+            evidence: publicIngress.slice(0, 20).map((m) => `${m.file}:${m.line}: ${m.preview}`),
+            requiredActions: [
+                "Restrict ingress to known CIDR ranges or private VPC subnets only.",
+                "Place public load balancers in a DMZ; never expose internal services directly.",
+                "Enable S3 Block Public Access at the account level.",
+                "Use Zero Trust network access (BeyondCorp / Zscaler / Cloudflare Access) instead of IP allowlisting."
+            ]
+        });
+    }
+    // 4. Encryption disabled
+    const encryptionDisabled = await searchRepo({
+        query: ENCRYPTION_DISABLED_PATTERN,
+        isRegex: true,
+        maxMatches: 200
+    });
+    if (encryptionDisabled.length > 0) {
+        findings.push({
+            id: "ENCRYPTION_DISABLED",
+            title: "Encryption at rest explicitly disabled in IaC config",
+            severity: "HIGH",
+            evidence: encryptionDisabled.slice(0, 20).map((m) => `${m.file}:${m.line}: ${m.preview}`),
+            requiredActions: [
+                "Enable encryption at rest on all storage resources (RDS, EBS, S3, GCS, Azure Blob, etc.).",
+                "Use customer-managed keys (CMK/CMEK) for regulated data (PCI, HIPAA, SOC 2).",
+                "Never set encrypted=false or storage_encrypted=false in Terraform."
+            ]
+        });
+    }
+    // 5. Audit logging disabled
+    const loggingDisabled = await searchRepo({
+        query: LOGGING_DISABLED_PATTERN,
+        isRegex: true,
+        maxMatches: 200
+    });
+    if (loggingDisabled.length > 0) {
+        findings.push({
+            id: "AUDIT_LOGGING_DISABLED",
+            title: "Audit logging or deletion protection explicitly disabled in IaC config",
+            severity: "MEDIUM",
+            evidence: loggingDisabled.slice(0, 20).map((m) => `${m.file}:${m.line}: ${m.preview}`),
             requiredActions: [
-                "Remove or justify public ingress. Enforce Zero Trust. No implicit trust for any request or service call.",
-                "Use private services, IAM-based auth, and least-privileged firewall rules."
+                "Enable audit logging on all cloud resources and ship logs to a centralised, tamper-evident store.",
+                "Enable deletion protection on databases and stateful resources.",
+                "Retain audit logs for at least 1 year (SOC 2 / PCI DSS requirement)."
             ]
         });
     }

package/dist/gate/checks/k8s.js

@@ -0,0 +1,190 @@
+import fg from "fast-glob";
+import { readFileSafe } from "../../repo/fs.js";
+export async function checkKubernetes(_opts) {
+    const findings = [];
+    try {
+        // 1. Glob YAML files and filter to K8s manifests
+        const yamlFiles = await fg(["**/*.yaml", "**/*.yml"], {
+            ignore: ["**/node_modules/**", "**/dist/**", "**/.git/**"]
+        });
+        const k8sFiles = [];
+        const k8sContents = new Map();
+        for (const file of yamlFiles) {
+            try {
+                const content = await readFileSafe(file);
+                if (/kind\s*:/.test(content)) {
+                    k8sFiles.push(file);
+                    k8sContents.set(file, content);
+                }
+            }
+            catch {
+                // skip unreadable files
+            }
+        }
+        if (k8sFiles.length === 0) {
+            return [];
+        }
+        // Helper to collect files matching a pattern
+        function filesMatching(pattern) {
+            return k8sFiles.filter((f) => pattern.test(k8sContents.get(f) ?? "")).slice(0, 10);
+        }
+        // 3. Privileged containers
+        const privilegedFiles = filesMatching(/privileged:\s*true/);
+        if (privilegedFiles.length > 0) {
+            findings.push({
+                id: "K8S_PRIVILEGED_CONTAINER",
+                title: "Kubernetes manifests with privileged containers detected",
+                severity: "CRITICAL",
+                files: privilegedFiles,
+                requiredActions: [
+                    "Remove privileged: true from all container securityContexts.",
+                    "Use specific capability grants (e.g. NET_ADMIN) instead of full privileged mode."
+                ]
+            });
+        }
+        // 4. allowPrivilegeEscalation
+        const escFiles = filesMatching(/allowPrivilegeEscalation:\s*true/);
+        if (escFiles.length > 0) {
+            findings.push({
+                id: "K8S_PRIVILEGE_ESCALATION",
+                title: "Kubernetes manifests allow privilege escalation",
+                severity: "HIGH",
+                files: escFiles,
+                requiredActions: [
+                    "Set allowPrivilegeEscalation: false in all container securityContexts.",
+                    "This prevents child processes from gaining more privileges than their parent."
+                ]
+            });
+        }
+        // 5. Host namespaces
+        const hostNsFiles = filesMatching(/hostPID:\s*true|hostNetwork:\s*true|hostIPC:\s*true/);
+        if (hostNsFiles.length > 0) {
+            findings.push({
+                id: "K8S_HOST_NAMESPACE",
+                title: "Kubernetes manifests use host namespaces (hostPID/hostNetwork/hostIPC)",
+                severity: "HIGH",
+                files: hostNsFiles,
+                requiredActions: [
+                    "Remove hostPID, hostNetwork, and hostIPC settings from pod specs.",
+                    "Host namespace sharing breaks container isolation and exposes the host."
+                ]
+            });
+        }
+        // 6. Missing securityContext
+        const missingSecCtxFiles = k8sFiles.filter((f) => {
+            const c = k8sContents.get(f) ?? "";
+            return /containers:/.test(c) && !/securityContext:/.test(c);
+        }).slice(0, 10);
+        if (missingSecCtxFiles.length > 0) {
+            findings.push({
+                id: "K8S_NO_SECURITY_CONTEXT",
+                title: "Kubernetes manifests with containers but no securityContext",
+                severity: "MEDIUM",
+                files: missingSecCtxFiles,
+                requiredActions: [
+                    "Add securityContext to all containers with runAsNonRoot: true, readOnlyRootFilesystem: true.",
+                    "Set allowPrivilegeEscalation: false and drop all capabilities."
+                ]
+            });
+        }
+        // 7. Secrets in ConfigMap
+        const configMapFiles = k8sFiles.filter((f) => {
+            const c = k8sContents.get(f) ?? "";
+            return /kind:\s*ConfigMap/.test(c) && /password|secret|key|token/i.test(c);
+        }).slice(0, 10);
+        if (configMapFiles.length > 0) {
+            findings.push({
+                id: "K8S_SECRET_IN_CONFIGMAP",
+                title: "Sensitive data (password/secret/key/token) found in Kubernetes ConfigMap",
+                severity: "CRITICAL",
+                files: configMapFiles,
+                requiredActions: [
+                    "Move secrets to Kubernetes Secrets objects or a secrets manager (Vault, AWS SM).",
+                    "Never store plaintext credentials in ConfigMaps — they are not encrypted at rest by default."
+                ]
+            });
+        }
+        // 8. ClusterAdmin binding
+        const clusterAdminFiles = k8sFiles.filter((f) => {
+            const c = k8sContents.get(f) ?? "";
+            return /kind:\s*ClusterRoleBinding/.test(c) && /cluster-admin/.test(c);
+        }).slice(0, 10);
+        if (clusterAdminFiles.length > 0) {
+            findings.push({
+                id: "K8S_CLUSTER_ADMIN_BINDING",
+                title: "ClusterRoleBinding to cluster-admin detected",
+                severity: "CRITICAL",
+                files: clusterAdminFiles,
+                requiredActions: [
+                    "Remove cluster-admin bindings and apply least-privilege RBAC roles.",
+                    "Create scoped Roles/ClusterRoles with only the permissions actually needed."
+                ]
+            });
+        }
+        // 9. No resource limits
+        const noLimitsFiles = k8sFiles.filter((f) => {
+            const c = k8sContents.get(f) ?? "";
+            return /containers:/.test(c) && !/limits:/.test(c);
+        }).slice(0, 10);
+        if (noLimitsFiles.length > 0) {
+            findings.push({
+                id: "K8S_NO_RESOURCE_LIMITS",
+                title: "Kubernetes containers without resource limits detected",
+                severity: "MEDIUM",
+                files: noLimitsFiles,
+                requiredActions: [
+                    "Add resources.limits (cpu, memory) to all containers.",
+                    "Missing limits allow a single container to starve the entire node (DoS)."
+                ]
+            });
+        }
+        // 10. Default namespace
+        const defaultNsFiles = k8sFiles.filter((f) => {
+            const c = k8sContents.get(f) ?? "";
+            return /namespace:\s*default/.test(c) || (!/namespace:/.test(c) && /kind:\s*(?:Deployment|Service|Pod|StatefulSet)/.test(c));
+        }).slice(0, 10);
+        if (defaultNsFiles.length > 0) {
+            findings.push({
+                id: "K8S_DEFAULT_NAMESPACE",
+                title: "Kubernetes manifests use default namespace or have no namespace set",
+                severity: "LOW",
+                files: defaultNsFiles,
+                requiredActions: [
+                    "Create dedicated namespaces for each application/team.",
+                    "Apply RBAC and NetworkPolicies scoped to those namespaces."
+                ]
+            });
+        }
+        // 11. Latest image tag
+        const latestTagFiles = filesMatching(/:latest\b/);
+        if (latestTagFiles.length > 0) {
+            findings.push({
+                id: "K8S_LATEST_IMAGE_TAG",
+                title: "Kubernetes manifests use ':latest' image tag",
+                severity: "HIGH",
+                files: latestTagFiles,
+                requiredActions: [
+                    "Pin container images to an immutable digest (e.g. image@sha256:...).",
+                    "Never use :latest in production — it leads to unpredictable deployments."
+                ]
+            });
+        }
+        // 12. No network policy
+        const networkPolicyFiles = await fg(["**/NetworkPolicy*.yaml", "**/*network-policy*.yaml", "**/NetworkPolicy*.yml", "**/*network-policy*.yml"], { ignore: ["**/node_modules/**", "**/dist/**", "**/.git/**"] });
+        if (networkPolicyFiles.length === 0) {
+            findings.push({
+                id: "K8S_NO_NETWORK_POLICY",
+                title: "No Kubernetes NetworkPolicy found — all pod-to-pod traffic is allowed",
+                severity: "HIGH",
+                requiredActions: [
+                    "Create NetworkPolicy resources to restrict ingress and egress traffic.",
+                    "Default-deny all traffic and only allow explicitly required paths."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkKubernetes] Internal error:", err instanceof Error ? err.message : String(err));
+    }
+    return findings;
+}