# v10.0.0 — infrastructure scanning: Dockerfile, Terraform, Kubernetes

## [10.0.0] - 2026-04-21
Caspian graduates from "code scanner" to "code + infrastructure scanner" — and earns its major-version bump.
The major-version marker reflects a new scanning domain. Everything Caspian did before is preserved and improved; we added a parallel surface (Dockerfile, Terraform/HCL, Kubernetes YAML) that's as thorough as the existing 9.x code rules.
### Added — Infrastructure-as-code

- Dockerfile rules (`DOCKER001`–`DOCKER008`): `:latest` / unpinned base images, missing non-root `USER`, secrets baked into `ENV`/`ARG`/`RUN`, `ADD` from a URL, `curl | sh`, package install without `--no-install-recommends` / pinned versions, `HEALTHCHECK NONE`. Fires on `Dockerfile`, `Containerfile`, `*.dockerfile`.
- Terraform / HCL rules (`TF001`–`TF010`): `0.0.0.0/0` ingress, public S3 ACLs / missing public-access blocks, wildcard IAM `Action`/`Resource` (HCL lowercase and JSON forms), `publicly_accessible = true` RDS, missing at-rest encryption on S3 / EBS / RDS, hardcoded `master_password`, disabled CloudTrail, `AdministratorAccess` attached to task/function roles, HTTP-without-HTTPS-redirect load balancers, KMS `kms:*` granted to the account root. Fires on `.tf`, `.tfvars`, `.hcl`.
- Kubernetes manifest rules (`K8S001`–`K8S008`): `privileged: true`, `hostNetwork`/`hostPID`/`hostIPC: true`, `runAsUser: 0` / `allowPrivilegeEscalation: true`, `hostPath` volumes, dangerous Linux capabilities (`SYS_ADMIN`, `NET_ADMIN`, `SYS_PTRACE`, `BPF`), wildcard RBAC verbs / resources, `LoadBalancer` without `loadBalancerSourceRanges`. Fires on `*.yaml`/`*.yml`; excludes GitHub Actions workflows and `docker-compose.yaml`.
### Added — Quality gate

- Vulnerable-corpus regression suite (`src/__tests__/vulnerableCorpus.test.ts` + `src/__tests__/fixtures/vulnerable-corpus/`). A small synthetic fixture tree containing intentional vulnerabilities across every rule family. Each fixture has a minimum set of rule codes it MUST detect; any rule that stops firing breaks the build. Ratchet-style (new detections are fine; removed detections fail). No external repo downloads, CI-viable.
- Caught two real regressions during development: the `JWT002` regex rejected string-literal secrets; the `TF003` regex missed HCL's lowercase `actions`/`resources`. Both fixed in the same commit that added the test.
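As an added example (not Caspian's own code), the TypeScript below implements four of the Dockerfile rule classes listed above as a minimal checker and then applies a ratchet check in the style of the vulnerable-corpus suite: a constructed fixture carries the rule codes it must trigger, and the check reports any that stopped firing. The `EX-*` rule ids, the function names and the fixture are constructed for this example and are not Caspian's `DOCKER00x` rules or corpus.

```typescript
// Added example, not Caspian's code. Rule ids ("EX-*") are hypothetical, not DOCKER00x.
type Finding = { rule: string; line: number };
// Fold "\" continuations so a multi-line RUN is checked as one instruction.
function instructions(src: string): { line: number; text: string }[] {
  const out: { line: number; text: string }[] = [];
  let buf = "", start = 0;
  src.split("\n").forEach((raw, i) => {
    const t = raw.trim();
    if (!t || t.startsWith("#")) return;            // skip blanks and comments
    if (!buf) start = i + 1;                         // 1-based line of the instruction
    if (t.endsWith("\\")) { buf += t.slice(0, -1) + " "; return; }
    out.push({ line: start, text: buf + t });
    buf = "";
  });
  return out;
}

// Unpinned base image: ":latest" or no tag at all; a digest pin is accepted.
function unpinnedBase(text: string): boolean {
  const m = /^FROM\s+(?:--platform=\S+\s+)?(\S+)/i.exec(text);
  if (!m || m[1] === "scratch" || m[1].includes("@sha256:")) return false;
  const tag = m[1].split("/").pop()!.split(":")[1]; // last path segment skips registry:port
  return tag === undefined || tag === "latest";
}
export function scanDockerfile(src: string): Finding[] {
  const ins = instructions(src), out: Finding[] = [];
  for (const { line, text } of ins) {
    if (unpinnedBase(text)) out.push({ rule: "EX-BASE-UNPINNED", line });
    if (/^RUN\b.*\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b/i.test(text))
      out.push({ rule: "EX-PIPE-TO-SHELL", line });
    if (/^(ENV|ARG)\s+\w*(PASSWORD|SECRET|TOKEN|API_KEY)\w*(=|\s+)\S/i.test(text))
      out.push({ rule: "EX-SECRET-IN-ENV", line });
  }
  // File-level rule: nothing switches away from root before the image ships.
  if (!ins.some(i => /^USER\s+(?!root\b)\S/i.test(i.text)))
    out.push({ rule: "EX-RUNS-AS-ROOT", line: 0 });
  return out;
}
// Ratchet check in the style of the vulnerable-corpus suite: every rule code a
// fixture MUST detect still fires; extra detections pass, removed ones fail.
export function ratchetMissing(found: Finding[], mustDetect: string[]): string[] {
  const seen = new Set(found.map(f => f.rule));
  return mustDetect.filter(r => !seen.has(r));
}

// Constructed vulnerable fixture (not from Caspian's corpus) and its detection floor.
export const FIXTURE = ["FROM node:latest", "ENV API_TOKEN=example-not-real",
  "RUN curl -fsSL https://example.invalid/install.sh \\", "    | sh"].join("\n");
export const FIXTURE_MUST_DETECT = ["EX-BASE-UNPINNED", "EX-SECRET-IN-ENV", "EX-PIPE-TO-SHELL", "EX-RUNS-AS-ROOT"];
```

Running `ratchetMissing(scanDockerfile(FIXTURE), FIXTURE_MUST_DETECT)` returns an empty list while all four rules fire; deleting or breaking any one of them makes it return that rule's id, which is the failure the build gate keys on.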
### Changed — CLI / file walker

- The CLI now scans `*.yaml`, `*.yml`, `*.tf`, `*.tfvars`, `*.hcl` by default, and special-cases the filenames `Dockerfile`, `Containerfile`, `dockerfile`. Rules use `filePatterns.include` to scope per file type, so Dockerfile rules don't fire on `.tf`, etc.
- New `resolveLanguage()` helper maps filename + extension to Caspian's `languageId` for downstream file-gated rules.
### Stats

- Rule totals: 270+ → 295+. Test suite: 880 → 961 (+81). Two new test suites (`vulnerableCorpus`, plus the 26 new rules contribute to `redosGuard`).
- Lint clean, compile clean, self-scan strict-mode clean.
### Upgrade notes

- No setting changes. No rule renames. Old code rules fire identically; new IaC rules only activate on matching file types.
- Users who keep `caspianSecurity.enabledLanguages` locked to code-only languages won't see IaC findings inside VS Code — the CLI still scans them in CI.