chore: add 'vuln','discovery' tags to new templates

cloud/kubernetes/security-compliance/k8s-apiserver-anonymous-access.yaml

@@ -1,45 +1,45 @@
-id: k8s-apiserver-anonymous-access
-
-info:
-  name: Ensure kube-apiserver --anonymous-auth is explicitly disabled
-  author: songyaeji
-  severity: high
-  description: Checks whether kube-apiserver explicitly sets --anonymous-auth=false in its startup arguments.
-  impact: |
-    If --anonymous-auth is not explicitly disabled, anonymous unauthenticated requests might be allowed,
-    enabling unauthenticated access to cluster resources.
-  remediation: |
-    Edit the kube-apiserver manifest (e.g., /etc/kubernetes/manifests/kube-apiserver.yaml) or startup flags
-    and ensure "--anonymous-auth=false" is present in the apiserver arguments.
-  reference:
-    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
-
-variables:
-  argument: "--anonymous-auth=false"
-
-self-contained: true
-code:
-  - engine:
-      - sh
-      - bash
-    source: |
-      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
-      kubectl get pods -n kube-system -l k8s-app=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
-      kubectl get pods -n kube-system -o jsonpath="{.items[?(@.metadata.name.indexOf('kube-apiserver')>=0)].spec.containers[*].command}" 2>/dev/null || \
-      echo ""
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - 'kube-apiserver'
-      - type: word
-        words:
-          - "{{argument}}"
-        negative: true
-
-    extractors:
-      - type: dsl
-        dsl:
+id: k8s-apiserver-anonymous-access
+
+info:
+  name: Ensure kube-apiserver --anonymous-auth is explicitly disabled
+  author: songyaeji
+  severity: high
+  description: Checks whether kube-apiserver explicitly sets --anonymous-auth=false in its startup arguments.
+  impact: |
+    If --anonymous-auth is not explicitly disabled, anonymous unauthenticated requests might be allowed,
+    enabling unauthenticated access to cluster resources.
+  remediation: |
+    Edit the kube-apiserver manifest (e.g., /etc/kubernetes/manifests/kube-apiserver.yaml) or startup flags
+    and ensure "--anonymous-auth=false" is present in the apiserver arguments.
+  reference:
+    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security,vuln
+
+variables:
+  argument: "--anonymous-auth=false"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
+      kubectl get pods -n kube-system -l k8s-app=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" 2>/dev/null || \
+      kubectl get pods -n kube-system -o jsonpath="{.items[?(@.metadata.name.indexOf('kube-apiserver')>=0)].spec.containers[*].command}" 2>/dev/null || \
+      echo ""
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'kube-apiserver'
+      - type: word
+        words:
+          - "{{argument}}"
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
           - '"kube-apiserver configuration does not explicitly set " + argument + ". This may allow anonymous access."'
 # digest: 4b0a00483046022100fe7b6017299371487169b66b4e188679450b8189bdff8025e09071dafa3f436a022100c5777c8156bd0f6fc7a6ad02caf36293bc8187a4d6e1cc08c4937645ba60acb2:922c64590222798bb761d5b6d8e72950

cloud/kubernetes/security-compliance/k8s-apiserver-token-auth-file.yaml

@@ -1,43 +1,43 @@
-id: k8s-apiserver-token-auth-file
-
-info:
-  name: Detect kube-apiserver --token-auth-file usage
-  author: songyaeji
-  severity: high
-  description: Detects whether kube-apiserver includes the --token-auth-file startup argument.
-  impact: |
-    If the API server is started with --token-auth-file, static token file authentication may be allowed, which can enable long-lived or poorly managed tokens and weaken cluster authentication posture.
-  remediation: |
-    Remove the --token-auth-file argument from the kube-apiserver startup flags (e.g., edit
-    /etc/kubernetes/manifests/kube-apiserver.yaml) or ensure any tokens in that file are rotated
-    and managed securely. Prefer dynamic, short-lived service account tokens and RBAC.
-  reference:
-    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
-
-variables:
-  argument: "--token-auth-file"
-
-self-contained: true
-code:
-  - engine:
-      - sh
-      - bash
-    source: |
-      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - 'kube-apiserver'
-
-      - type: word
-        words:
-          - "{{argument}}"
-
-    extractors:
-      - type: dsl
-        dsl:
+id: k8s-apiserver-token-auth-file
+
+info:
+  name: Detect kube-apiserver --token-auth-file usage
+  author: songyaeji
+  severity: high
+  description: Detects whether kube-apiserver includes the --token-auth-file startup argument.
+  impact: |
+    If the API server is started with --token-auth-file, static token file authentication may be allowed, which can enable long-lived or poorly managed tokens and weaken cluster authentication posture.
+  remediation: |
+    Remove the --token-auth-file argument from the kube-apiserver startup flags (e.g., edit
+    /etc/kubernetes/manifests/kube-apiserver.yaml) or ensure any tokens in that file are rotated
+    and managed securely. Prefer dynamic, short-lived service account tokens and RBAC.
+  reference:
+    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security,vuln
+
+variables:
+  argument: "--token-auth-file"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'kube-apiserver'
+
+      - type: word
+        words:
+          - "{{argument}}"
+
+    extractors:
+      - type: dsl
+        dsl:
           - '"kube-apiserver is configured with " + argument + ". Review and remove if unnecessary."'
 # digest: 4a0a004730450220570c31f832b4f552d4a3638204241b460d3ed793f5873d3f76e1c5962c20c626022100f2ae478f1ab12d1a905c0a34a802a6edd1605a4d6b38e12096e68fb5dbe1c5f3:922c64590222798bb761d5b6d8e72950

http/cves/2021/CVE-2021-30116.yaml

@@ -27,7 +27,7 @@ info:
     vendor: kaseya
     product: virtual_system_administrator
     shodan-query: http.favicon.hash:-1445519482
-  tags: cve,cve2021,kaseya,virtual_system_administrator,kev,vkev
+  tags: cve,cve2021,kaseya,virtual_system_administrator,kev,vkev,vuln
 
 flow: |
   http(1)

http/cves/2022/CVE-2022-48323.yaml

@@ -24,7 +24,7 @@ info:
     max-request: 2
     vendor: sunlogin
     product: sunflower
-  tags: cve,cve2022,sunflower,rce,vkev
+  tags: cve,cve2022,sunflower,rce,vkev,vuln
 
 http:
   - raw:

http/cves/2023/CVE-2023-3519.yaml

@@ -25,7 +25,7 @@ info:
       - title="netscaler aaa"
       - title="citrix gateway" || title:"netscaler gateway"
     shodan-query: http.title:"citrix gateway" || title:"netscaler gateway"
-  tags: cve,cve2025,citrix,saml,rce,kev,passive,vkev
+  tags: cve,cve2025,citrix,saml,rce,kev,passive,vkev,vuln
 
 http:
   - raw:

http/cves/2023/CVE-2023-6655.yaml

@@ -22,7 +22,7 @@ info:
     vendor: hrp2000
     product: e-hr
     fofa-query: title="人力资源信息管理系统"
-  tags: cve,cve2023,hjsoft,management-system,sqli,vkev
+  tags: cve,cve2023,hjsoft,management-system,sqli,vkev,vuln
 
 flow: http(1) && http(2)
 

http/cves/2024/CVE-2024-13979.yaml

@@ -25,7 +25,7 @@ info:
     verified: false
     max-request: 1
     fofa-query: "圣乔ERP系统"
-  tags: cve,cve2024,erp,sqli,vkev
+  tags: cve,cve2024,erp,sqli,vkev,vuln
 
 http:
   - raw:

http/cves/2025/CVE-2025-11750.yaml

@@ -17,7 +17,7 @@ info:
     product: dify
     shodan-query: http.favicon.hash:"97378986"
     fofa-query: icon_hash="97378986"
-  tags: cve,cve2025,langgenius,dify,user-enum
+  tags: cve,cve2025,langgenius,dify,user-enum,vuln
 
 variables:
   fake_email: "{{to_lower(rand_text_alphanumeric(16))}}@{{to_lower(rand_text_alphanumeric(16))}}.com"

http/cves/2025/CVE-2025-34038.yaml

@@ -19,7 +19,7 @@ info:
   metadata:
     max-request: 1
     fofa-query: app="泛微-协同办公OA"
-  tags: cve,cve2025,ecology,sqli,vkev
+  tags: cve,cve2025,ecology,sqli,vkev,vuln
 
 http:
   - method: GET

http/cves/2025/CVE-2025-53771.yaml

@@ -27,7 +27,7 @@ info:
     verified: true
     max-request: 1
     shodan-query: http.component:"sharepoint"
-  tags: cve,cve2025,sharepoint,auth-bypass,microsoft,toolshell,vkev
+  tags: cve,cve2025,sharepoint,auth-bypass,microsoft,toolshell,vkev,vuln
 
 variables:
   dataset_gadget_b64: 'AAEAAAD/////AQAAAAAAAAAMAgAAAE5TeXN0ZW0uRGF0YSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAABNTeXN0ZW0uRGF0YS5EYXRhU2V0AgAAAAlYbWxTY2hlbWELWG1sRGlmZkdyYW0BAQIAAAAGAwAAAKEKPHhzOnNjaGVtYSB4bWxucz0iIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOm1zZGF0YT0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp4bWwtbXNkYXRhIiBpZD0ic29tZWRhdGFzZXQiPg0KICAgICAgICAgICAgICAgIDx4czplbGVtZW50IG5hbWU9InNvbWVkYXRhc2V0IiBtc2RhdGE6SXNEYXRhU2V0PSJ0cnVlIiBtc2RhdGE6VXNlQ3VycmVudExvY2FsZT0idHJ1ZSI+DQogICAgICAgICAgICAgICAgICAgIDx4czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgIDx4czpjaG9pY2UgbWluT2NjdXJzPSIwIiBtYXhPY2N1cnM9InVuYm91bmRlZCI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPHhzOmVsZW1lbnQgbmFtZT0iaGVoZSI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx4czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx4czpzZXF1ZW5jZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8eHM6ZWxlbWVudCBuYW1lPSJwd24iIG1zZGF0YTpEYXRhVHlwZT0iU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxW1tTeXN0ZW0uRGF0YS5TZXJ2aWNlcy5JbnRlcm5hbC5FeHBhbmRlZFdyYXBwZXJgMltbU3lzdGVtLldlYi5VSS5Mb3NGb3JtYXR0ZXIsIFN5c3RlbS5XZWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iMDNmNWY3ZjExZDUwYTNhXSxbU3lzdGVtLldpbmRvd3MuRGF0YS5PYmplY3REYXRhUHJvdmlkZXIsIFByZXNlbnRhdGlvbkZyYW1ld29yaywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzVdXSwgU3lzdGVtLkRhdGEuU2VydmljZXMsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0iIHR5cGU9InhzOmFueVR5cGUiIG1pbk9jY3Vycz0iMCIvPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC94czpzZXF1ZW5jZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC94czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3hzOmVsZW1lbnQ+DQogICAgICAgICAgICAgICAgICAgICAgICA8L3hzOmNob2ljZT4NCiAgICAgICAgICAgICAgICAgICAgPC94czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICA8L3hzOmVsZW1lbnQ+DQogICAgICAgICAgICA8L3hzOnNjaGVtYT4GBAAAAMtHPGRpZmZncjpkaWZmZ3JhbSB4bWxuczptc2RhdGE9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206eG1sLW1zZGF0YSIgeG1sbnM6ZGlmZmdyPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOnhtbC1kaWZmZ3JhbS12MSI+DQogICAgICAgICAgICAgICAgPHNvbWVkYXRhc2V0Pg0KICAgICAgICAgICAgICAgICAgICA8aGVoZSBkaWZmZ3I6aWQ9IlRhYmxlIiBtc2RhdGE6cm93T3JkZXI9IjAiIGRpZmZncjpoYXNDaGFuZ2VzPSJpbnNlcnRlZCI+DQogICAgICAgICAgICAgICAgICAgICAgICA8cHduIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxFeHBhbmRlZFdyYXBwZXJPZkxvc0Zvcm1hdHRlck9iamVjdERhdGFQcm92aWRlciB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiA+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxFeHBhbmRlZEVsZW1lbnQvPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8UHJvamVjdGVkUHJvcGVydHkwPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPE1ldGhvZE5hbWU+RGVzZXJpYWxpemU8L01ldGhvZE5hbWU+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8TWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8YW55VHlwZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4c2k6dHlwZT0ieHNkOnN0cmluZyI+SEFYPC9hbnlUeXBlPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9NZXRob2RQYXJhbWV0ZXJzPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPE9iamVjdEluc3RhbmNlIHhzaTp0eXBlPSJMb3NGb3JtYXR0ZXIiPjwvT2JqZWN0SW5zdGFuY2U+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvUHJvamVjdGVkUHJvcGVydHkwPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvRXhwYW5kZWRXcmFwcGVyT2ZMb3NGb3JtYXR0ZXJPYmplY3REYXRhUHJvdmlkZXI+DQogICAgICAgICAgICAgICAgICAgICAgICA8L3B3bj4NCiAgICAgICAgICAgICAgICAgICAgPC9oZWhlPg0KICAgICAgICAgICAgICAgIDwvc29tZWRhdGFzZXQ+DQogICAgICAgICAgICA8L2RpZmZncjpkaWZmZ3JhbT4L'

http/cves/2025/CVE-2025-55748.yaml

@@ -25,7 +25,7 @@ info:
     verified: true
     max-request: 1
     fofa-query: app="XWIKI-Platform"
-  tags: cve,cve2025,xwiki,lfi
+  tags: cve,cve2025,xwiki,lfi,vuln
 
 http:
   - method: GET

http/cves/2025/CVE-2025-57808.yaml

@@ -18,7 +18,7 @@ info:
     verified: true
     max-request: 1
     shodan-query: http.title:"ESPHome"
-  tags: cve,cve2025,auth-bypass,esphome
+  tags: cve,cve2025,auth-bypass,esphome,vuln
 
 http:
   - method: GET

http/exposed-panels/ictbroadcast-panel.yaml

@@ -12,7 +12,7 @@ info:
     verified: true
     max-request: 1
     shodan-query: http.favicon.hash:-60395993
-  tags: panel,ictbroadcast,login
+  tags: panel,ictbroadcast,login,discovery
 
 http:
   - method: GET

http/exposures/configs/nextjs-vite-public-env.yaml

@@ -12,7 +12,7 @@ info:
     - https://supabase.com/docs/guides/api#api-keys
   metadata:
     verified: true
-  tags: exposure,env,nextjs,vite,supabase
+  tags: exposure,env,nextjs,vite,supabase,vuln
 
 http:
   - method: GET

http/misconfiguration/innovatrics-smartface-panel.yaml

@@ -11,7 +11,7 @@ info:
   metadata:
     max-request: 1
     shodan-query: http.favicon.hash:-1410437493
-  tags: panel,smartface,login,detect
+  tags: panel,smartface,login,detect,vuln
 
 flow: http(1) && http(2)
 

http/takeovers/redirect-pizza-takeover.yaml

@@ -11,7 +11,7 @@ info:
     max-request: 1
     shodan-query: html:"redirect.pizza"
     fofa-query: body="redirect.pizza"
-  tags: takeover,redirect-pizza
+  tags: takeover,redirect-pizza,vuln
 
 http:
   - method: GET

http/technologies/backdrop-cms-detect.yaml

@@ -10,7 +10,7 @@ info:
     max-request: 1
     verified: true
     shodan-query: html:"Backdrop CMS"
-  tags: tech,backdrop,cms,detect
+  tags: tech,backdrop,cms,detect,discovery
 
 http:
   - method: GET

http/technologies/enigma-nms-detect.yaml

@@ -10,7 +10,7 @@ info:
     verified: true
     max-request: 1
     shodan-query: 'http.title:"ENIGMA NMS"'
-  tags: tech,enigma,nms,detection
+  tags: tech,enigma,nms,detection,discovery
 
 http:
   - method: GET

javascript/udp/misconfiguration/mdns-enum.yaml

@@ -9,7 +9,7 @@ info:
   metadata:
     verified: true
     shodan-query: port:5353
-  tags: dns,udp,mdns,enum,js
+  tags: dns,udp,mdns,enum,js,enum
 
 javascript:
   - pre-condition: |