### Context
As agentic workloads increasingly run in containerized environments, detecting attempts to break isolation (e.g., mounting sensitive host paths, capability probing) becomes critical.

### Proposal
Extend the scanning ruleset to include:
1. Capability Probing: Detection of commands like `capsh --print`, `cat /proc/self/status` (checking for CapEff).
2. Mount Inspection: Patterns looking for `mount | grep docker`, `ls -la /var/run/docker.sock`.
3. Kernel Version Checks: Excessive checking of `uname -a` combined with exploit search queries.

This would enhance the scanner's utility for defending against rogue agents attempting lateral movement.
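One way the three proposed rule groups could be expressed, as an added example that is not part of the original issue or the scanner's own code. The rule names, the per-session list-of-strings input, the `web_search:` event prefix and the threshold for "excessive" are assumptions, and the sample sessions are constructed.

```python
import re

# Hypothetical rule table built from the command examples in the proposal.
RULES = {
    "capability_probing": [
        re.compile(r"\bcapsh\s+--print\b"),
        re.compile(r"/proc/(?:self|\d+)/status\b"),  # file where CapEff is read
    ],
    "mount_inspection": [
        re.compile(r"\bmount\b.*\|\s*grep\s+.*docker"),
        re.compile(r"/var/run/docker\.sock\b"),
    ],
}
UNAME = re.compile(r"\buname\s+-a\b")
EXPLOIT_QUERY = re.compile(r"\bexploit\b", re.IGNORECASE)
UNAME_THRESHOLD = 2  # assumption: what counts as "excessive" within one session


def scan_session(events):
    """Return sorted (event_index, category) findings for one agent session."""
    findings, uname_hits, query_hits = [], [], []
    for i, event in enumerate(events):
        for category, patterns in RULES.items():
            if any(p.search(event) for p in patterns):
                findings.append((i, category))
        if UNAME.search(event):
            uname_hits.append(i)
        if EXPLOIT_QUERY.search(event):
            query_hits.append(i)
    # Correlation rule: a single `uname -a` is routine, so flag it only when it
    # repeats and the same session also contains an exploit search query.
    if len(uname_hits) >= UNAME_THRESHOLD and query_hits:
        findings += [(i, "kernel_version_check") for i in uname_hits + query_hits]
    return sorted(findings)


# Constructed sample sessions (not real logs).
SUSPICIOUS_SESSION = [
    "ls -la /workspace", "capsh --print", "cat /proc/self/status",
    "mount | grep docker", "ls -la /var/run/docker.sock",
    "uname -a", "uname -a", "web_search: kernel exploit for this uname output",
]
BENIGN_SESSION = ["uname -a", "pip install requests", "mount --help"]

if __name__ == "__main__":
    for idx, cat in scan_session(SUSPICIOUS_SESSION):
        print(f"{cat}: {SUSPICIOUS_SESSION[idx]}")
```

Keeping the kernel-version rule as a session-level correlation rather than a per-command match avoids alerting on the routine `uname -a` in the benign session.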