Add container debug evidence gates

[yZangEren]

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: container-security
Skill path: skills/cloud/container-security/

Fixes #1191.

What Was Wrong

The skill mentioned init, sidecar, and ephemeral containers as a common pitfall, but the main review flow and benchmark checklist did not force reviewers to prove which pod container arrays were checked.

That leaves a gap where a workload can look Restricted-compliant because spec.containers is hardened, while a runtime debug path or spec.ephemeralContainers entry can still introduce a privileged root debug container with added capabilities.

What This PR Fixes

This PR adds explicit ephemeral/debug-container evidence gates:

• records whether spec.containers, spec.initContainers, and spec.ephemeralContainers were evaluated;
• requires Pod Security Standards checks across regular, init, and ephemeral containers;
• adds a privileged ephemeral container failure example;
• adds runtime pods/ephemeralcontainers evidence for RBAC, admission, audit, image policy, and runtime controls;
• updates the final PSS compliance matrix to show container coverage and ephemeral debug evidence status;
• maps the new checks into the NIST 800-190 orchestrator/container countermeasure tables.

Evidence

Before:

spec:
  containers:
    - name: app
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault

A reviewer could stop after the app container and miss a debug subresource path.

After:

Also record the workload container arrays that were actually evaluated:

- `spec.containers`
- `spec.initContainers`
- `spec.ephemeralContainers`

and:

| Evidence | Pass condition | Fail condition |
|----------|----------------|----------------|
| RBAC | Only approved break-glass groups can create/update pods/ephemeralcontainers | Developers or broad service accounts can add ephemeral containers in production |

Test Cases Added/Updated

• Added vulnerable test cases (tests/vulnerable/)
• Added benign test cases (tests/benign/)
• Existing checks still pass

Validation performed:

• git diff --check
• frontmatter required-field check matching .github/workflows/lint-skills.yml
• prompt-injection pattern scan with workflow-equivalent filters
• marker checks for spec.ephemeralContainers, pods/ephemeralcontainers, debug-container evidence, privileged ephemeral debug container, CM-10a, and CM-16

Bounty Tier

• Minor ($50) - Doc update, small logic tweak, typo fix
• Moderate ($100) - New edge case coverage, FP reduction with evidence
• Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: Crypto; payment details can be provided privately after maintainer acceptance.