NordCoderd
diff --git a/‎CHANGELOG.md‎
Lines changed: 13 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 16 additions & 16 deletions b/‎README.md‎
Lines changed: 16 additions & 16 deletions
diff --git a/‎gradle.properties‎
Lines changed: 2 additions & 2 deletions b/‎gradle.properties‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/main/kotlin/dev/protsenko/securityLinter/kubernetes/NonRootContainerInspection.kt‎
Lines changed: 147 additions & 0 deletions b/‎src/main/kotlin/dev/protsenko/securityLinter/kubernetes/NonRootContainerInspection.kt‎
Lines changed: 147 additions & 0 deletions
diff --git a/‎src/main/kotlin/dev/protsenko/securityLinter/utils/YamlPath.kt‎
Lines changed: 42 additions & 0 deletions b/‎src/main/kotlin/dev/protsenko/securityLinter/utils/YamlPath.kt‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎src/main/resources/META-INF/dev.protsenko.security-linter-yaml.xml‎
Lines changed: 6 additions & 1 deletion b/‎src/main/resources/META-INF/dev.protsenko.security-linter-yaml.xml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎src/main/resources/META-INF/plugin.xml‎
Lines changed: 2 additions & 2 deletions b/‎src/main/resources/META-INF/plugin.xml‎
Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,18 @@
 <!-- Keep a Changelog guide -> https://keepachangelog.com -->
 
-# Infrastructure as Code (IaC) Security Linter Changelog
+# Cloud (IaC) Security Changelog
+
+## [2.0.0] 11-07-2025
+
+This version marks a major step in the plugin’s lifecycle.  
+In this release, I have begun implementing Kubernetes rules and completed the rebranding.
+
+### Added
+- Kubernetes: Detect non-root containers to align with the NSA Kubernetes Hardening Guide
+
+### Updated
+- Plugin name made more concise
+- New branded logo featuring the dog “Jessica”
 
 ## [1.1.8] 08-06-2025
 
 
@@ -1,46 +1,46 @@
-# Infrastructure as Code (IaC) Security Linter
+# Cloud (IaC) Security
 
 [![CI](https://github.com/NordCoderd/infrastructure-security/actions/workflows/gradle.yml/badge.svg)](https://github.com/NordCoderd/infrastructure-security/actions/workflows/gradle.yml)
 [![JetBrains Plugin Version](https://img.shields.io/jetbrains/plugin/v/dev.protsenko.security-linter)](https://plugins.jetbrains.com/plugin/25413-infrastructure-security)
 [![JetBrains Plugin Downloads](https://img.shields.io/jetbrains/plugin/d/dev.protsenko.security-linter)](https://plugins.jetbrains.com/plugin/25413-infrastructure-security)
 
 <!-- Plugin description -->
-Infrastructure as Code (IaC) Security Linter for JetBrains IDEs (e.g., IntelliJ IDEA, PyCharm, WebStorm, and more).
+Cloud (IaC) Security Linter for JetBrains IDEs (e.g., IntelliJ IDEA, PyCharm, WebStorm, and more).
 
-Scan Docker and Infrastructure as Code (IaC) files for security vulnerabilities and misconfigurations directly in your JetBrains IDE.
+Scan Docker, Kubernetes, and other Infrastructure-as-Code (IaC) files for security vulnerabilities and misconfigurations directly within your JetBrains IDE.
 
 ## Why this plugin?
 
-- Seamless integration into IDE without installing external tools.
-- Verifies your files on the fly and highlight problems earlier and that make shift left happens.
-- Quick-fixes for problems are available for some inspections that could help fix problem faster.
+- Seamless integration into the IDE without installing external tools.
+- Verifies your files on the fly and highlight problems earlier, and that make shift left happens.
+- Quick-fixes for problems are available for some inspections that could help fix problems faster.
 - Supports complicated verifications, such as tracking variables and arguments as sources of issues.
 - Pure Kotlin implementation, leveraging the power of IDEs.
-- Because I made it with love, [read about my experience creating the plugin.](https://protsenko.dev/2025/03/24/how-i-made-docker-linter-for-intellij-idea-and-other-jetbrains-ide/)
 
 ## What does the plugin offer?
 
 - **Dockerfile Analysis**: Detect security vulnerabilities and optimize Docker images with over 40 checks.
 - **Docker Compose**: Detect security vulnerabilities and misconfigurations.
+- **Kubernetes**: Detect security issues to align with the NSA Kubernetes Hardening Guide [wip].
 - **Quick Fixes**: Resolve issues faster using built-in quick fixes.
 
-## What problems could find that plugin?
+## What problems can the plugin detect?
 
-You could find more information about detected problems:
+You can find more information about detected problems:
 
-- [Documentation](https://protsenko.dev/infrastructure-security)
-- In IDE popup messages with problem. Problem messages have a link to dedicated article in the documentation.
+- [Documentation site](https://protsenko.dev/infrastructure-security)
+- [Exciting story about creating the plugin](https://protsenko.dev/2025/03/24/how-i-made-docker-linter-for-intellij-idea-and-other-jetbrains-ide/)
+- In-IDE pop-up messages describing each issue, each of which links to a dedicated article in the documentation
 
 ## Planned features
 
-- **Extended support for Dockerfile and docker-compose files**
-- **Kubernetes Files**: Analyzing Kubernetes YAML files to comply with best practices and security standards.
+- **Kubernetes**: Implementing rules to align with the NSA Kubernetes Hardening Guide.
 - **and more**: Expanding support for other IaC tools and formats to comprehensively protect and optimize your infrastructure configurations.
 
-Detailed list of planned features are available on [GitHub issues](https://github.com/NordCoderd/infrastructure-security/labels/enhancement)
-
 ## Thanks
+
 - My mother, who supported me every step of the way and who is no longer with us.
-- [Trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) for good source of rules.
+- [Trivy-checks](https://github.com/aquasecurity/trivy-checks/tree/main) for a good source of rules.
 - [Hadolint](https://github.com/hadolint/hadolint) for yet another docker rule set.
+- [Kubescape regorules](https://github.com/kubescape/regolibrary) for a good source of Kubernetes rules.
 <!-- Plugin description end -->
@@ -1,7 +1,7 @@
 pluginGroup = dev.protsenko.securityLinter
-pluginName = Infrastructure as Code (IaC) Security Linter
+pluginName = Cloud (IaC) Security
 pluginRepositoryUrl = https://github.com/NordCoderd/infrastructure-security
-pluginVersion = 1.1.8
+pluginVersion = 2.0.0
 
 # Supported build number ranges and IntelliJ Platform versions -> https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 pluginSinceBuild = 231
 
@@ -0,0 +1,147 @@
+package dev.protsenko.securityLinter.kubernetes
+
+import com.intellij.codeInspection.LocalInspectionTool
+import com.intellij.codeInspection.ProblemHighlightType
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiElement
+import com.intellij.psi.PsiElementVisitor
+import com.intellij.psi.PsiFile
+import dev.protsenko.securityLinter.core.HtmlProblemDescriptor
+import dev.protsenko.securityLinter.core.SecurityPluginBundle
+import dev.protsenko.securityLinter.utils.YamlPath
+import org.jetbrains.yaml.YAMLUtil
+import org.jetbrains.yaml.psi.YAMLFile
+import org.jetbrains.yaml.psi.YAMLMapping
+import org.jetbrains.yaml.psi.YAMLScalar
+import org.jetbrains.yaml.psi.YAMLSequence
+
+class NonRootContainerInspection : LocalInspectionTool() {
+
+    override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor {
+        return object : PsiElementVisitor() {
+            override fun visitFile(file: PsiFile) {
+                if (file !is YAMLFile) return
+
+                val documents = file.documents
+
+                for (document in documents) {
+                    val kind = YAMLUtil.getQualifiedKeyInDocument(document, listOf("kind")) ?: return
+                    val kindValue = kind.valueText
+                    if (kindValue !in supportedKinds) return
+
+                    val specPrefix = evaluateSpecPrefix(kindValue)
+
+                    val isRunAsNonRoot = YamlPath.findByYamlPath("${specPrefix}spec.$RUN_AS_NON_ROOT", document)
+                    val isAllowedRunAsNonRoot = !highlightIfValueNotTrue(isRunAsNonRoot, holder)
+
+                    val isRunAsUser = YamlPath.findByYamlPath("${specPrefix}spec.$RUN_AS_USER", document)
+                    val isRunAsGroup = YamlPath.findByYamlPath("${specPrefix}spec.$RUN_AS_GROUP", document)
+                    highlightIfValueZero(isRunAsUser, holder)
+                    highlightIfValueZero(isRunAsGroup, holder)
+
+                    // container level
+                    var allContainersAreNonRoot = true
+
+                    for (containerType in containerTypes) {
+                        val containers =
+                            YamlPath.findByYamlPath("${specPrefix}$containerType", document) as? YAMLSequence ?: continue
+
+                        for (containerItem in containers.items) {
+                            val containerYaml = containerItem.value as? YAMLMapping ?: continue
+
+                            val isRunAsUser =
+                                YamlPath.findByYamlPath(RUN_AS_USER, containerYaml)
+
+                            val isRunAsGroup =
+                                YamlPath.findByYamlPath(RUN_AS_GROUP, containerYaml)
+
+                            highlightIfValueZero(isRunAsUser, holder)
+                            highlightIfValueZero(isRunAsGroup, holder)
+
+                            val isRunAsNonRootContainer =
+                                YamlPath.findByYamlPath(RUN_AS_NON_ROOT, containerYaml)
+
+                            //The container fields may be undefined/nil if the
+                            // pod-level spec.securityContext.runAsNonRoot is set to true.
+
+                            // global and container level isn't set
+                            if (isRunAsNonRoot == null && isRunAsNonRootContainer == null){
+                                allContainersAreNonRoot = false
+                            }
+
+                            val isRestrictedValue = highlightIfValueNotTrue(isRunAsNonRootContainer, holder)
+                            if (isRestrictedValue) {
+                                allContainersAreNonRoot = false
+                            }
+                        }
+                    }
+
+                    if (isRunAsNonRoot == null && !allContainersAreNonRoot) {
+                        val descriptor = HtmlProblemDescriptor(
+                            kind,
+                            SecurityPluginBundle.message("kube001.documentation"),
+                            SecurityPluginBundle.message("kube001.non-root-containers"),
+                            ProblemHighlightType.ERROR, emptyArray()
+                        )
+
+                        holder.registerProblem(descriptor)
+                    }
+                }
+
+                super.visitFile(file)
+            }
+        }
+    }
+
+    private fun evaluateSpecPrefix(kind: String): String {
+        if (kind == "Pod") return ""
+        if (kind == "CronJob") return "spec.jobTemplate.spec.template."
+        if (kind in specInTemplateKindTypes) return "spec.template."
+        return ""
+    }
+
+    private fun highlightIfValueNotTrue(element: PsiElement?, holder: ProblemsHolder): Boolean {
+        if (element !is YAMLScalar) return false
+        val isRunAsNonRoot = element.textValue.toBooleanStrictOrNull()
+
+        if (isRunAsNonRoot != true) {
+            val descriptor = HtmlProblemDescriptor(
+                element,
+                SecurityPluginBundle.message("kube001.documentation"),
+                SecurityPluginBundle.message("kube001.non-root-containers"),
+                ProblemHighlightType.ERROR, emptyArray()
+            )
+
+            holder.registerProblem(descriptor)
+            return true
+        }
+        return false
+    }
+
+    // Running as Non-root user (v1.23+)
+    private fun highlightIfValueZero(element: PsiElement?, holder: ProblemsHolder) {
+        if (element !is YAMLScalar) return
+        val isRunAsUser = element.textValue.toIntOrNull() ?: return
+
+        if (isRunAsUser == 0) {
+            val descriptor = HtmlProblemDescriptor(
+                element,
+                SecurityPluginBundle.message("kube001.documentation"),
+                SecurityPluginBundle.message("kube001.non-root-containers"),
+                ProblemHighlightType.ERROR, emptyArray()
+            )
+
+            holder.registerProblem(descriptor)
+        }
+    }
+
+}
+
+private val specInTemplateKindTypes = setOf("Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job")
+private val supportedKinds = specInTemplateKindTypes + setOf("Pod", "CronJob")
+
+private val containerTypes = listOf("spec.containers", "spec.initContainers", "spec.ephemeralContainers")
+
+private const val RUN_AS_NON_ROOT = "securityContext.runAsNonRoot"
+private const val RUN_AS_USER = "securityContext.runAsUser"
+private const val RUN_AS_GROUP = "securityContext.runAsGroup"
@@ -0,0 +1,42 @@
+package dev.protsenko.securityLinter.utils
+
+import com.intellij.psi.PsiElement
+import org.jetbrains.yaml.psi.YAMLDocument
+import org.jetbrains.yaml.psi.YAMLMapping
+import org.jetbrains.yaml.psi.YAMLSequence
+
+object YamlPath {
+
+    fun findByYamlPath(path: String, document: YAMLDocument): PsiElement? {
+        val matchedElement: YAMLMapping = document.children[0] as? YAMLMapping ?: return null
+
+        return findByYamlPath(path, matchedElement)
+    }
+
+    fun findByYamlPath(path: String, matchedElement: YAMLMapping): PsiElement? {
+        val searchTokens = path.split(".")
+        var startElement: PsiElement? = matchedElement
+
+        var countMatches = 0
+
+        for (token in searchTokens) {
+            if (token.endsWith("]")) {
+                val yamlKey = token.substringBefore("[")
+                val sequence =
+                    (startElement as? YAMLMapping)?.getKeyValueByKey(yamlKey)?.value as? YAMLSequence ?: break
+                val index = token.substringAfter("[").substringBefore("]").toIntOrNull() ?: break
+
+                startElement = sequence.items.getOrNull(index)?.value as? YAMLMapping
+                countMatches++
+            } else {
+                startElement = (startElement as? YAMLMapping)?.getKeyValueByKey(token)?.value ?: break
+                countMatches++
+            }
+        }
+
+        if (countMatches == searchTokens.size) {
+            return startElement
+        }
+        return null
+    }
+}
@@ -12,8 +12,13 @@
     <extensions defaultExtensionNs="com.intellij">
         <localInspection
                 implementationClass="dev.protsenko.securityLinter.docker_compose.DockerComposeInspection"
-                displayName="Docker Compose best practices"
+                displayName="Docker Compose Best Practices"
                 groupPathKey="common.group-key" groupKey="common.docker-compose-group-key"
                 enabledByDefault="true" language="yaml"/>
+        <localInspection
+                implementationClass="dev.protsenko.securityLinter.kubernetes.NonRootContainerInspection"
+                displayName="Non Root Containers"
+                groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"
+                enabledByDefault="true" language="yaml"/>
     </extensions>
 </idea-plugin>
@@ -5,10 +5,10 @@
 
     <!-- Public plugin name should be written in Title Case.
          Guidelines: https://plugins.jetbrains.com/docs/marketplace/plugin-overview-page.html#plugin-name -->
-    <name>Infrastructure as Code (IaC) Security Linter</name>
+    <name>Cloud (IaC) Security</name>
 
     <!-- A displayed Vendor name or Organization ID displayed on the Plugins Page. -->
-    <vendor email="tech@protsenko.dev" url="https://protsenko.dev">Dmitrii Protsenko</vendor>
+    <vendor email="tech@protsenko.dev" url="https://protsenko.dev">Dmitry Protsenko</vendor>
 
     <!-- Product and plugin compatibility requirements.
          Read more: https://plugins.jetbrains.com/docs/intellij/plugin-compatibility.html -->