feat(checks): Add checks to detect suspicious Kubernetes URL annotations

[simar7]

Annotations in Kubernetes are widely used across many different resources. As seen in aquasecurity/trivy-checks#374 they can be misused.

We can write a check that checks all resources and their annotations for suspicious and unexpected values. As a part of this check, we can also improve the regex (or take a different approach) as was done here.

[nikpivkin]

@simar7 Any examples of what suspicious annotations might look like?

[simar7]

@simar7 Any examples of what suspicious annotations might look like?

@nikpivkin I actually missed an important detail, we should start off with annotations like auth_url or any other url* type annotation first as they're straightforward to define being URLs. If they are no URLs we should flag them.

So something like [-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*) taken off of here.

[nikpivkin]

The ingress-nginx repository uses a fairly simple regular expression.

[nikpivkin]

Can we add checks for all annotations as the issue says? I have seen that some annotations allow characters that might be considered suspicious in some cases, such as line breaks.

[simar7]

Can we add checks for all annotations as the issue says? I have seen that some annotations allow characters that might be considered suspicious in some cases, such as line breaks.

Sure, but what else would you consider suspicious? With URLs it's easy to determine but with plain text annotation fields, detection of something like injection comes to mind.

[simar7]

The ingress-nginx repository uses a fairly simple regular expression.

Yes I saw it, I'm not sure why it's this simplified. Then again it maybe enough to cover all cases.