Merge pull request #13648 from matejsmycka/discovery-vuln-distinc

[BULK EDIT] Implement asset-discovery and vulnerability detection distinction
2026-01-31 15:53:33 +08:00 · 2025-10-24 19:21:52 +05:30
parent 0c1f290d14 59aae880af
commit 0474fff656
9730 changed files with 15169 additions and 15168 deletions
--- a/cloud/enum/aws-app-enum.yaml
+++ b/cloud/enum/aws-app-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: cloud,enum,cloud-enum,aws
+  tags: cloud,enum,cloud-enum,aws,discovery

 self-contained: true

--- a/cloud/enum/aws-s3-bucket-enum.yaml
+++ b/cloud/enum/aws-s3-bucket-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: cloud,enum,cloud-enum,aws
+  tags: cloud,enum,cloud-enum,aws,discovery

 self-contained: true

--- a/cloud/enum/azure-db-enum.yaml
+++ b/cloud/enum/azure-db-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: cloud,enum,cloud-enum,azure,dns
+  tags: cloud,enum,cloud-enum,azure,dns,discovery

 self-contained: true

--- a/cloud/enum/azure-vm-cloud-enum.yaml
+++ b/cloud/enum/azure-vm-cloud-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: cloud,cloud-enum,azure,fuzz,enum,dns
+  tags: cloud,cloud-enum,azure,fuzz,enum,dns,discovery

 self-contained: true

--- a/cloud/enum/azure-website-enum.yaml
+++ b/cloud/enum/azure-website-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: cloud,enum,azure
+  tags: cloud,enum,azure,discovery

 self-contained: true

--- a/cloud/enum/gcp-app-engine-enum.yaml
+++ b/cloud/enum/gcp-app-engine-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: enum,cloud,cloud-enum,gcp
+  tags: enum,cloud,cloud-enum,gcp,discovery

 self-contained: true

--- a/cloud/enum/gcp-bucket-enum.yaml
+++ b/cloud/enum/gcp-bucket-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: cloud,enum,cloud-enum,gcp
+  tags: cloud,enum,cloud-enum,gcp,discovery

 self-contained: true

--- a/cloud/enum/gcp-firebase-app-enum.yaml
+++ b/cloud/enum/gcp-firebase-app-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: enum,cloud,cloud-enum,gcp
+  tags: enum,cloud,cloud-enum,gcp,discovery

 self-contained: true

--- a/cloud/enum/gcp-firebase-rtdb-enum.yaml
+++ b/cloud/enum/gcp-firebase-rtdb-enum.yaml
@@ -9,7 +9,7 @@ info:
  metadata:
    verified: true
    max-request: 1
-  tags: enum,cloud,cloud-enum,gcp
+  tags: enum,cloud,cloud-enum,gcp,discovery

 self-contained: true

--- a/cloud/gcp/dns/gcloud-dns-dangling-records.yaml
+++ b/cloud/gcp/dns/gcloud-dns-dangling-records.yaml
@@ -12,7 +12,7 @@ info:
    Regularly audit your DNS records and associated IP addresses. Remove any DNS records that point to IP addresses no longer reserved under your Google Cloud account.
  reference:
    - https://cloud.google.com/dns/docs
-  tags: cloud,devops,gcp,gcloud,dns,gcp-cloud-config
+  tags: cloud,devops,gcp,gcloud,dns,gcp-cloud-config,discovery

 flow: |
  code(1)
--- a/cloud/gcp/dns/gcloud-dns-dnssec-unenabled.yaml
+++ b/cloud/gcp/dns/gcloud-dns-dnssec-unenabled.yaml
@@ -12,7 +12,7 @@ info:
    Enable DNSSEC for each Google Cloud DNS managed zone through the Google Cloud Console or using the `gcloud dns managed-zones update` command with the `--dnssec-state=on` flag.
  reference:
    - https://cloud.google.com/dns/docs/dnssec
-  tags: cloud,devops,gcp,gcloud,dns,gcp-cloud-config
+  tags: cloud,devops,gcp,gcloud,dns,gcp-cloud-config,discovery

 flow: |
  code(1)
--- a/cloud/gcp/dns/gcloud-dnssec-keysigning-rsasha1.yaml
+++ b/cloud/gcp/dns/gcloud-dnssec-keysigning-rsasha1.yaml
@@ -12,7 +12,7 @@ info:
    Update the DNSSEC configuration for each DNS managed zone to use more secure algorithms like RSASHA256 or ECDSAP256SHA256 for the Key-Signing Key (KSK).
  reference:
    - https://cloud.google.com/dns/docs/dnssec-config
-  tags: cloud,devops,gcp,gcloud,dns,dnssec,gcp-cloud-config
+  tags: cloud,devops,gcp,gcloud,dns,dnssec,gcp-cloud-config,discovery

 flow: |
  code(1)
--- a/cloud/gcp/dns/gcloud-dnssec-zonesigning-rsasha1.yaml
+++ b/cloud/gcp/dns/gcloud-dnssec-zonesigning-rsasha1.yaml
@@ -12,7 +12,7 @@ info:
    Update the DNSSEC configuration to use a stronger, more secure signing algorithm like RSASHA256 or ECDSAP256SHA256 for your DNS managed zones.
  reference:
    - https://cloud.google.com/dns/docs/dnssec-configuring
-  tags: cloud,devops,gcp,gcloud,dns,dnssec,gcp-cloud-config
+  tags: cloud,devops,gcp,gcloud,dns,dnssec,gcp-cloud-config,discovery

 flow: |
  code(1)
--- a/cloud/kubernetes/security-compliance/k8s-apiserver-anonymous-access.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-apiserver-anonymous-access.yaml
@@ -1,45 +1,45 @@
-id: k8s-apiserver-anonymous-access
-
-info:
-  name: Ensure kube-apiserver --anonymous-auth is explicitly disabled
-  author: songyaeji
-  severity: high
-  description: Checks whether kube-apiserver explicitly sets --anonymous-auth=false in its startup arguments.
-  impact: |
-    If --anonymous-auth is not explicitly disabled, anonymous unauthenticated requests might be allowed,
-    enabling unauthenticated access to cluster resources.
-  remediation: |
-    Edit the kube-apiserver manifest (e.g., /etc/kubernetes/manifests/kube-apiserver.yaml) or startup flags
-    and ensure "--anonymous-auth=false" is present in the apiserver arguments.
-  reference:
-    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
-
-variables:
-  argument: "--anonymous-auth=false"
-
-self-contained: true
-code:
-  - engine:
-      - sh
-      - bash
-    source: |
-      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
-      kubectl get pods -n kube-system -l k8s-app=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
-      kubectl get pods -n kube-system -o jsonpath="{.items[?(@.metadata.name.indexOf('kube-apiserver')>=0)].spec.containers[*].command}" 2>/dev/null || \
-      echo ""
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - 'kube-apiserver'
-      - type: word
-        words:
-          - "{{argument}}"
-        negative: true
-
-    extractors:
-      - type: dsl
-        dsl:
+id: k8s-apiserver-anonymous-access
+
+info:
+  name: Ensure kube-apiserver --anonymous-auth is explicitly disabled
+  author: songyaeji
+  severity: high
+  description: Checks whether kube-apiserver explicitly sets --anonymous-auth=false in its startup arguments.
+  impact: |
+    If --anonymous-auth is not explicitly disabled, anonymous unauthenticated requests might be allowed,
+    enabling unauthenticated access to cluster resources.
+  remediation: |
+    Edit the kube-apiserver manifest (e.g., /etc/kubernetes/manifests/kube-apiserver.yaml) or startup flags
+    and ensure "--anonymous-auth=false" is present in the apiserver arguments.
+  reference:
+    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
+
+variables:
+  argument: "--anonymous-auth=false"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
+      kubectl get pods -n kube-system -l k8s-app=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
+      kubectl get pods -n kube-system -o jsonpath="{.items[?(@.metadata.name.indexOf('kube-apiserver')>=0)].spec.containers[*].command}" 2>/dev/null || \
+      echo ""
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'kube-apiserver'
+      - type: word
+        words:
+          - "{{argument}}"
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
          - '"kube-apiserver configuration does not explicitly set " + argument + ". This may allow anonymous access."'
 # digest: 490a004630440220400b5c65f92d20c1e43c6fd1832b52f91802eec0b70ab33eb9fb354f0a6d22d102200af5a11e626932f53faab18840f6ede44a22390a9525461c393917ef94c10310:922c64590222798bb761d5b6d8e72950
--- a/cloud/kubernetes/security-compliance/k8s-apiserver-token-auth-file.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-apiserver-token-auth-file.yaml
@@ -1,43 +1,43 @@
-id: k8s-apiserver-token-auth-file
-
-info:
-  name: Detect kube-apiserver --token-auth-file usage
-  author: songyaeji
-  severity: high
-  description: Detects whether kube-apiserver includes the --token-auth-file startup argument.
-  impact: |
-    If the API server is started with --token-auth-file, static token file authentication may be allowed, which can enable long-lived or poorly managed tokens and weaken cluster authentication posture.
-  remediation: |
-    Remove the --token-auth-file argument from the kube-apiserver startup flags (e.g., edit
-    /etc/kubernetes/manifests/kube-apiserver.yaml) or ensure any tokens in that file are rotated
-    and managed securely. Prefer dynamic, short-lived service account tokens and RBAC.
-  reference:
-    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
-
-variables:
-  argument: "--token-auth-file"
-
-self-contained: true
-code:
-  - engine:
-      - sh
-      - bash
-    source: |
-      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - 'kube-apiserver'
-
-      - type: word
-        words:
-          - "{{argument}}"
-
-    extractors:
-      - type: dsl
-        dsl:
+id: k8s-apiserver-token-auth-file
+
+info:
+  name: Detect kube-apiserver --token-auth-file usage
+  author: songyaeji
+  severity: high
+  description: Detects whether kube-apiserver includes the --token-auth-file startup argument.
+  impact: |
+    If the API server is started with --token-auth-file, static token file authentication may be allowed, which can enable long-lived or poorly managed tokens and weaken cluster authentication posture.
+  remediation: |
+    Remove the --token-auth-file argument from the kube-apiserver startup flags (e.g., edit
+    /etc/kubernetes/manifests/kube-apiserver.yaml) or ensure any tokens in that file are rotated
+    and managed securely. Prefer dynamic, short-lived service account tokens and RBAC.
+  reference:
+    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
+
+variables:
+  argument: "--token-auth-file"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'kube-apiserver'
+
+      - type: word
+        words:
+          - "{{argument}}"
+
+    extractors:
+      - type: dsl
+        dsl:
          - '"kube-apiserver is configured with " + argument + ". Review and remove if unnecessary."'
 # digest: 4a0a004730450220737e6128e9ff73a79b9b129d67e1148aaa730c68bb86d1c658e4306efcaf23bd022100ab19022ce7f606c83065496afdb5d6ed7666bbb6928e8fd580a0825345496fc1:922c64590222798bb761d5b6d8e72950