Containers Endpoint Check at each Path.bcheck

metadata:
    language: v2-beta
    name: "Containers Endpoint Check at each Path"
    description: "Containers endpoints that have been exposed"
    author: "Kaustubh"
    tags: "Path", "Container Exposed"

# Path-level check
run for each:
    potential_path =
        "/Dockerrun.aws.json",
        "/v1.24/containers/json",
        "/v1.24/images/json",
        "/v1.24/version",
        "/Dockerfile",
        "/docker-compose.yml",
        "/api/v1/nodes",
        "/pods",
        "/metrics",
        "/api/v1/namespaces/kube-system/services/kubernetes-dashboard:/proxy/",
        "/ecs-agent/v1/metadata",
        "/ecs-agent/v1/tasks",
        "/computeMetadata/v1/",
        "/computeMetadata/v1/instance",
        "/computeMetadata/v1/project",
        "/metadata/instance",
        "/etc/hosts",
        "/etc/resolv.conf",
        "/etc/environment",
        "/var/log/",
        "/proc/self/cgroup",
        "/sys/fs/cgroup",
        "/etc/passwd",
        "/etc/shadow",
        "/root/.ssh/",
        "/var/lib/docker/",
        "/run/secrets/"

given path then
    if not({base.response.status_code} is "404") then
        send request called check:
            replacing path: {regex_replace({base.response.url.path}, "(.)/?$", `$1{potential_path}`)}

        if {check.response.status_code} is "200" then
            send request called garbage:
                replacing path: {regex_replace({base.response.url.path}, "(.)/?$", `$1.{random_str(10)}`)}

            if {garbage} differs from {check} then
                report issue and continue:
                    severity: info
                    confidence: firm
                    detail: `Sensitive endpoint found at {check.request.url}`
                    remediation: "Ensure your sensitive endpoints are not exposed."
            end if
        end if
    end if