- [Trivy checks](https://github.com/aquasecurity/trivy-checks/tree/main) – entry point for Docker rules.

- [Hadolint](https://github.com/hadolint/hadolint) – source of additional Docker rules.

- [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) – entry point for Kubernetes rules.

- [Kubescape Rego library](https://github.com/kubescape/regolibrary) – source of Kubernetes rules.

package dev.protsenko.securityLinter.kubernetes

import com.intellij.codeInspection.LocalInspectionTool

import com.intellij.codeInspection.ProblemHighlightType

import com.intellij.codeInspection.ProblemsHolder

import com.intellij.psi.PsiElementVisitor

import dev.protsenko.securityLinter.core.HtmlProblemDescriptor

import dev.protsenko.securityLinter.core.SecurityPluginBundle

import dev.protsenko.securityLinter.kubernetes.quickfix.ReplaceValueToRuntimeDefaultQuickFix

import dev.protsenko.securityLinter.utils.YamlPath

import org.jetbrains.yaml.psi.YAMLDocument

import org.jetbrains.yaml.psi.YAMLScalar

class AppArmorOverrideInspection : LocalInspectionTool() {

override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor {

return object : BaseKubernetesVisitor() {

override fun analyze(specPrefix: String, document: YAMLDocument) {

val appArmorSearchPath = "$specPrefix$APP_ARMOR_PROFILE_TYPE"

val appArmorProfileType = YamlPath.findByYamlPath(

appArmorSearchPath,

document

) as? YAMLScalar

highlightIfProblem(appArmorProfileType)

val containers = containers(specPrefix, document)

for (container in containers) {

val appArmorProfileType = YamlPath.findByYamlPath(

appArmorSearchPath,

container

) as? YAMLScalar ?: continue

highlightIfProblem(appArmorProfileType)

}

}

//TODO: verify metadata (in docs in beta version)

private fun highlightIfProblem(appArmorProfileType: YAMLScalar?) {

if (appArmorProfileType != null && appArmorProfileType.textValue !in allowedProfiles) {

val descriptor = HtmlProblemDescriptor(

appArmorProfileType,

SecurityPluginBundle.message("kube007.documentation"),

SecurityPluginBundle.message("kube007.apparmor-disabled-or-override"),

ProblemHighlightType.ERROR, arrayOf(

ReplaceValueToRuntimeDefaultQuickFix(

SecurityPluginBundle.message("kube007.qf.fix-value"),

)

)

)

holder.registerProblem(descriptor)

}

}

}

}

}

private const val APP_ARMOR_PROFILE_TYPE = "spec.securityContext.appArmorProfile.type"

private val allowedProfiles = setOf("RuntimeDefault", "Localhost")

package dev.protsenko.securityLinter.kubernetes

import com.intellij.codeInspection.LocalInspectionTool

import com.intellij.codeInspection.ProblemHighlightType

import com.intellij.codeInspection.ProblemsHolder

import com.intellij.psi.PsiElementVisitor

import dev.protsenko.securityLinter.core.HtmlProblemDescriptor

import dev.protsenko.securityLinter.core.SecurityPluginBundle

import dev.protsenko.securityLinter.utils.YamlPath

import org.jetbrains.yaml.psi.YAMLDocument

import org.jetbrains.yaml.psi.YAMLMapping

import org.jetbrains.yaml.psi.YAMLSequence

class HostPortsInspection : LocalInspectionTool() {

override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor {

return object : BaseKubernetesVisitor() {

override fun analyze(specPrefix: String, document: YAMLDocument) {

val containers = containers(specPrefix, document)

for (container in containers) {

val ports = (YamlPath.findByYamlPath(

"ports",

container

) as? YAMLSequence) ?: continue

for (port in ports.items) {

val portMapping = port.value as? YAMLMapping ?: continue

val hostPort = portMapping.getKeyValueByKey("hostPort") ?: continue

val portValue = hostPort.valueText

//FTI: allow list and removing whole yaml node

if (portValue != "0"){

val descriptor = HtmlProblemDescriptor(

port,

SecurityPluginBundle.message("kube006.documentation"),

SecurityPluginBundle.message("kube006.host-ports"),

ProblemHighlightType.ERROR, emptyArray()

)

holder.registerProblem(descriptor)

}

}

}

}

}

}

}

class ReplaceValueToRuntimeDefaultQuickFix(@IntentionFamilyName private val message: String) : ReplaceValueWithEnumQuickFix(message) {

override val enumValue: ReplacedValueEnum = ReplacedValueEnum.RUNTIME_DEFAULT

}

TRUE("true"), FALSE("false"), ONE_THOUSAND("1000"),

RUNTIME_DEFAULT("RuntimeDefault")

<localInspection

implementationClass="dev.protsenko.securityLinter.kubernetes.HostPortsInspection"

displayName="HostPorts"

groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"

enabledByDefault="true" language="yaml"/>

<localInspection

implementationClass="dev.protsenko.securityLinter.kubernetes.AppArmorOverrideInspection"

displayName="AppArmor or SELinux override"

groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"

enabledByDefault="true" language="yaml"/>

<p>Detects AppArmor profile disabling or override</p>

<p>Letting a Pod override or turn off the default AppArmor profile weakens one of the last lines of defence between the container and the host kernel, so the Pod Security Baseline policy blocks anything except the safe defaults (RuntimeDefault, or a vetted localhost/… profile).</p>

<p>Detects using hostPorts</p>

<p>hostPort maps a container port straight onto the node’s primary IP address. Traffic reaches the pod before it traverses Kubernetes Services or most NetworkPolicy rules, so any bug in the app is now a node-level exposure, not just an in-cluster one.</p>

kube006.documentation=hostPort-opens-the-nodes-port

kube006.host-ports=HostPort opens the node's port. Remove hostPort definition and/or use Service/Ingress instead.

kube007.documentation=apparmor-disabled-or-override

kube007.apparmor-disabled-or-override=AppArmor profile disabled or overridden - container loses kernel protection. Use RuntimeDefault or remove profile type

kube007.qf.fix-value=Set value to RuntimeDefault