mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-04 03:45:08 -07:00
1e47b6547e
modules/recon/terraform-state-exposure.yaml flags an exposed terraform state file on the terraform_version key paired with a state structure key, then extracts the version. the structure key keeps a document that merely mentions terraform_version from matching.

modules/recon/kubeconfig-exposure.yaml flags an exposed kubeconfig on the kind: Config marker paired with a cluster or credential key, then extracts the cluster api endpoint. it catches an exec auth kubeconfig with no embedded key since the cluster block alone is a leak.

modules/recon/docker-compose-exposure.yaml flags an exposed compose file on the services key paired with a service definition key, then extracts the first image reference to surface the stack and its versions.

each module pairs a unique marker with a structure key and rejects an html body, so a page that only names the marker is not a leak.

internal/modules/infra_config_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a bare terraform_version mention, a bare kind: Config mention, a bare services key, an html page carrying the markers, a plain 200 body and a 404, none of which may match.

verify: go test ./internal/modules, each marker, structure gate, guard and extractor proven to bite (break -> red, restore -> green).
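The marker-plus-structure-key gate, the html guard and the extractor described above, written out as a stand-alone Go check (an added example, not code from the sif repository or its yaml modules). The structure keys chosen for each format (`resources`/`outputs` for state, `clusters`/`users` for kubeconfig, an indented `image`/`build` for compose) and the rule names are this example's assumptions; a defender can run it over bodies fetched from their own hosts to confirm which near misses stay quiet.

```go
package main

import (
	"fmt"
	"regexp"
)
// rule is this example's own shape for the gate: a unique marker, a structure
// key that must accompany it, and an extractor for the value worth surfacing.
type rule struct {
	name      string
	marker    *regexp.Regexp
	structure *regexp.Regexp
	extract   *regexp.Regexp
}
// Any HTML skeleton tag rejects the body: a web page quoting a marker is not a leak.
var htmlGuard = regexp.MustCompile(`(?i)<\s*(!doctype|html|head|body)\b`)
// The structure and extractor keys are assumptions about each file format,
// not the keys the sif modules use.
var rules = []rule{
	{"terraform-state", regexp.MustCompile(`terraform_version`),
		regexp.MustCompile(`"(resources|outputs|lineage|serial)"\s*:`),
		regexp.MustCompile(`"terraform_version"\s*:\s*"([^"]+)"`)},
	{"kubeconfig", regexp.MustCompile(`(?m)^kind:\s*Config\b`),
		regexp.MustCompile(`(?m)^(clusters|users):`),
		regexp.MustCompile(`server:\s*(\S+)`)},
	{"docker-compose", regexp.MustCompile(`(?m)^services:`),
		regexp.MustCompile(`(?m)^\s+(image|build):`),
		regexp.MustCompile(`image:\s*(\S+)`)},
}

// Classify returns the matching rule name and extracted value, or "" and "" for a
// non-200 status, an HTML body, or a body carrying a marker without its structure key.
func Classify(status int, body string) (string, string) {
	if status != 200 || htmlGuard.MatchString(body) {
		return "", ""
	}
	for _, r := range rules {
		if !r.marker.MatchString(body) || !r.structure.MatchString(body) {
			continue // marker alone is a mention, not a leak
		}
		if m := r.extract.FindStringSubmatch(body); m != nil {
			return r.name, m[1]
		}
		return r.name, ""
	}
	return "", ""
}

func main() {
	// Constructed sample: a minimal terraform state body.
	fmt.Println(Classify(200, `{"terraform_version":"1.6.2","serial":3,"resources":[]}`))
}
```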