@indicated/vibeguard 1.5.2 → 1.7.0

package/src/scanner/rules/definitions.ts

@@ -354,6 +354,175 @@ export const securityRules: SecurityRule[] = [
     fix: 'Always specify allowed algorithms explicitly and never include "none"',
   },
 
+  // CRITICAL (Free tier) - New rules
+  {
+    id: 'insecure-randomness',
+    name: 'Insecure Randomness for Security',
+    description: 'Using Math.random() or random module for security-sensitive operations (tokens, IDs, passwords) is predictable',
+    severity: 'critical',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: Math.random() used for token/key/secret/session/id generation
+      /(?:token|key|secret|session|nonce|salt|otp|password|uuid|id)\s*(?:=|:)\s*(?:.*)?Math\.random\s*\(/i,
+      /Math\.random\s*\(\s*\)\.toString\s*\(\s*(?:16|36)\s*\)/,
+      // Python: random module for security
+      /(?:token|key|secret|session|nonce|salt|otp|password)\s*=\s*.*random\.(?:random|randint|choice|randrange|getrandbits)\s*\(/i,
+    ],
+    fix: 'Use crypto.randomBytes()/crypto.randomUUID() in Node.js or secrets module in Python',
+  },
+  {
+    id: 'weak-cryptography',
+    name: 'Weak Cryptographic Algorithm',
+    description: 'MD5 and SHA1 are cryptographically broken and should not be used for security purposes',
+    severity: 'critical',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: crypto.createHash with weak algo
+      /crypto\.createHash\s*\(\s*['"`](?:md5|sha1|md4|ripemd160)['"`]\s*\)/i,
+      // Python: hashlib with weak algo
+      /hashlib\.(?:md5|sha1|new\s*\(\s*['"`](?:md5|sha1)['"`])\s*\(/,
+      // Direct MD5/SHA1 imports in Python
+      /from\s+hashlib\s+import\s+(?:md5|sha1)/,
+    ],
+    fix: 'Use SHA-256+ for hashing, bcrypt/scrypt/argon2 for passwords. Replace MD5/SHA1 with stronger alternatives',
+  },
+  {
+    id: 'nosql-injection',
+    name: 'NoSQL Injection Vulnerability',
+    description: 'User input passed directly to NoSQL queries can allow query manipulation via operators like $gt, $ne',
+    severity: 'critical',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // MongoDB find/update with req.body directly
+      /\.(?:find|findOne|findOneAndUpdate|updateOne|updateMany|deleteOne|deleteMany)\s*\(\s*(?:req\.body|req\.query|req\.params)/,
+      // MongoDB where clause with user input
+      /\$where\s*:\s*(?:req\.|params\.|query\.|body\.)/,
+      // Direct user input in MongoDB query object
+      /\.(?:find|findOne)\s*\(\s*\{[^}]*:\s*(?:req\.body|req\.query|req\.params)\s*\./,
+    ],
+    fix: 'Sanitize user input with mongo-sanitize, validate types explicitly, never pass req.body directly to queries',
+  },
+
+  // HIGH (Free tier) - New rules
+  {
+    id: 'disabled-tls-verification',
+    name: 'TLS Certificate Verification Disabled',
+    description: 'Disabling SSL/TLS certificate verification makes connections vulnerable to man-in-the-middle attacks',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Node.js
+      /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"`]0['"`]/,
+      /rejectUnauthorized\s*:\s*false/,
+      // Python requests
+      /requests\.(?:get|post|put|delete|patch|head)\s*\([^)]*verify\s*=\s*False/,
+      // Python urllib3
+      /urllib3\.disable_warnings/,
+      /ssl\._create_unverified_context/,
+      // Generic SSL verification disable
+      /VERIFY_SSL\s*[=:]\s*(?:false|False|0)/i,
+    ],
+    fix: 'Never disable TLS certificate verification in production. Use proper certificates instead',
+  },
+  {
+    id: 'unsafe-regex-construction',
+    name: 'Unsafe Regex from User Input',
+    description: 'Constructing RegExp from user input can cause ReDoS (Regular Expression Denial of Service)',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript'],
+    patterns: [
+      /new\s+RegExp\s*\(\s*(?:req\.(?:body|query|params)|params\.|query\.|body\.)/,
+      /new\s+RegExp\s*\(\s*(?:searchTerm|userInput|input|pattern|filter|search|term|keyword)/i,
+    ],
+    fix: 'Escape user input before using in RegExp, or use a fixed set of allowed patterns',
+  },
+  {
+    id: 'postmessage-no-origin',
+    name: 'postMessage Without Origin Validation',
+    description: 'Listening to postMessage events without checking origin accepts messages from any domain',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript'],
+    patterns: [
+      // addEventListener for message without origin check nearby
+      /addEventListener\s*\(\s*['"`]message['"`]\s*,\s*(?:function|\([^)]*\)\s*=>|\w+\s*=>)\s*\{(?![^}]{0,200}(?:origin|source))/,
+      /\.on\s*\(\s*['"`]message['"`]\s*,\s*(?:function|\([^)]*\)\s*=>)\s*\{(?![^}]{0,200}(?:origin|source))/,
+    ],
+    fix: 'Always validate event.origin against a whitelist of trusted domains',
+  },
+  {
+    id: 'hardcoded-db-credentials',
+    name: 'Hardcoded Database Connection String',
+    description: 'Database connection strings with embedded credentials can be extracted from source code',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // MongoDB connection string with credentials
+      /['"`]mongodb(?:\+srv)?:\/\/[^:]+:[^@]+@[^'"`]+['"`]/,
+      // PostgreSQL connection string with credentials
+      /['"`]postgres(?:ql)?:\/\/[^:]+:[^@]+@[^'"`]+['"`]/,
+      // MySQL connection string with credentials
+      /['"`]mysql:\/\/[^:]+:[^@]+@[^'"`]+['"`]/,
+      // Redis with password
+      /['"`]redis:\/\/[^:]*:[^@]+@[^'"`]+['"`]/,
+    ],
+    fix: 'Use environment variables for database connection strings. Never embed credentials in code',
+  },
+  {
+    id: 'ssti-vulnerability',
+    name: 'Server-Side Template Injection (SSTI)',
+    description: 'Rendering user-supplied template strings can lead to remote code execution',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Python: render_template_string with user input
+      /render_template_string\s*\(\s*(?:request\.|req\.|data\[)/,
+      // Python: Jinja2 Template from user input
+      /Template\s*\(\s*(?:request\.|req\.|data\[|user_input)/,
+      // JS: ejs/pug render with user-controlled template
+      /(?:ejs|pug)\.render\s*\(\s*(?:req\.(?:body|query|params)|body\.|params\.)/,
+      // Generic template rendering with user input
+      /\.render(?:String)?\s*\(\s*(?:req\.body|req\.query|req\.params)\./,
+    ],
+    fix: 'Never render user-supplied template strings. Use pre-defined templates with variable substitution only',
+  },
+
+  // MEDIUM (Free tier) - New rules
+  {
+    id: 'insecure-websocket',
+    name: 'Insecure WebSocket Connection (ws://)',
+    description: 'Unencrypted WebSocket connections can be intercepted, similar to HTTP vs HTTPS',
+    severity: 'medium',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      /['"`]ws:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"`]+['"`]/,
+      /WebSocket\s*\(\s*['"`]ws:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)/,
+    ],
+    fix: 'Use wss:// for encrypted WebSocket connections',
+  },
+  {
+    id: 'timing-attack',
+    name: 'Timing Attack on Secret Comparison',
+    description: 'Using === to compare secrets allows timing attacks that can leak token values byte by byte',
+    severity: 'medium',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: direct comparison of tokens/secrets
+      /(?:token|secret|apiKey|api_key|password|hash|signature|hmac|digest)\s*(?:===|!==)\s*(?:req\.|body\.|params\.|query\.|expected|stored|saved)/i,
+      /(?:req\.|body\.|params\.|query\.)\w*(?:token|secret|key|password|hash|signature)\s*(?:===|!==)/i,
+    ],
+    fix: 'Use crypto.timingSafeEqual() in Node.js or hmac.compare_digest() in Python for constant-time comparison',
+  },
+
   // LOW (Free tier)
   {
     id: 'verbose-errors',
@@ -691,6 +860,319 @@ export const securityRules: SecurityRule[] = [
     ],
     fix: 'Configure session with secure options: { cookie: { secure: true, httpOnly: true, sameSite: "strict" } }',
   },
+
+  // --- Flask ---
+  {
+    id: 'flask-secret-key-exposed',
+    name: 'Flask SECRET_KEY Hardcoded',
+    description: 'Hardcoded Flask SECRET_KEY can be used to forge session cookies and CSRF tokens',
+    severity: 'critical',
+    tier: 'pro',
+    languages: ['python'],
+    patterns: [
+      /app\.secret_key\s*=\s*['"`][^'"`]{8,}['"`]/,
+      /SECRET_KEY\s*=\s*['"`][^'"`]{8,}['"`](?!.*(?:os\.environ|os\.getenv|env\())/,
+    ],
+    fix: 'Load SECRET_KEY from environment variable: app.secret_key = os.environ.get("SECRET_KEY")',
+  },
+
+  // --- Prisma ---
+  {
+    id: 'prisma-raw-query',
+    name: 'Prisma Raw Query with User Input',
+    description: 'Raw SQL in Prisma with template literals can lead to SQL injection',
+    severity: 'high',
+    tier: 'pro',
+    languages: ['javascript', 'typescript'],
+    patterns: [
+      /\$queryRaw\s*`[^`]*\$\{/,
+      /\$executeRaw\s*`[^`]*\$\{/,
+      /\$queryRawUnsafe\s*\(/,
+      /\$executeRawUnsafe\s*\(/,
+    ],
+    fix: 'Use Prisma.$queryRaw with Prisma.sql tagged template or parameterized queries',
+  },
+
+  // --- Electron ---
+  {
+    id: 'electron-insecure-config',
+    name: 'Electron Insecure Configuration',
+    description: 'Insecure Electron settings can allow remote code execution via web content',
+    severity: 'high',
+    tier: 'pro',
+    languages: ['javascript', 'typescript'],
+    patterns: [
+      /nodeIntegration\s*:\s*true/,
+      /contextIsolation\s*:\s*false/,
+      /webSecurity\s*:\s*false/,
+      /allowRunningInsecureContent\s*:\s*true/,
+    ],
+    fix: 'Keep nodeIntegration: false, contextIsolation: true, webSecurity: true in BrowserWindow options',
+  },
+
+  // --- GraphQL ---
+  {
+    id: 'graphql-introspection-enabled',
+    name: 'GraphQL Introspection Enabled',
+    description: 'GraphQL introspection exposes your entire API schema, aiding attackers in discovering endpoints',
+    severity: 'medium',
+    tier: 'pro',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      /introspection\s*:\s*true/,
+      // Apollo server without explicitly disabling introspection in production
+      /new\s+ApolloServer\s*\(\s*\{(?![^}]*introspection\s*:\s*false)/,
+    ],
+    fix: 'Disable introspection in production: introspection: process.env.NODE_ENV !== "production"',
+  },
+
+  // --- Python-specific ---
+  {
+    id: 'python-assert-security',
+    name: 'Python Assert for Security Check',
+    description: 'Assert statements are stripped with -O flag, making security checks ineffective in optimized mode',
+    severity: 'medium',
+    tier: 'pro',
+    languages: ['python'],
+    patterns: [
+      /assert\s+(?:request\.user|current_user|user)\.(?:is_admin|is_authenticated|is_staff|is_superuser|has_perm)/,
+      /assert\s+(?:is_authenticated|is_authorized|has_permission|check_permission)\s*\(/,
+    ],
+    fix: 'Use if/raise instead of assert for security checks: if not user.is_admin: raise PermissionError()',
+  },
+  {
+    id: 'unsafe-tempfile',
+    name: 'Unsafe Temporary File Creation',
+    description: 'tempfile.mktemp() is vulnerable to race conditions (TOCTOU). An attacker can create a file at the path between creation and use',
+    severity: 'medium',
+    tier: 'pro',
+    languages: ['python'],
+    patterns: [
+      /tempfile\.mktemp\s*\(/,
+    ],
+    fix: 'Use tempfile.mkstemp() or tempfile.NamedTemporaryFile() instead',
+  },
+
+  // --- Mass Assignment ---
+  {
+    id: 'mass-assignment',
+    name: 'Mass Assignment / Over-posting Vulnerability',
+    description: 'Passing user input directly to ORM create/update allows attackers to set unintended fields (e.g., isAdmin)',
+    severity: 'medium',
+    tier: 'pro',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Sequelize/Mongoose/Prisma create with req.body
+      /\.create\s*\(\s*(?:req\.body|request\.data|request\.POST)\s*\)/,
+      /\.update\s*\(\s*(?:req\.body|request\.data|request\.POST)\s*\)/,
+      // Spread into create/update (also risky)
+      /\.create\s*\(\s*\{\s*\.\.\.(?:req\.body|request\.data)\s*\}/,
+      /\.update\s*\(\s*\{\s*\.\.\.(?:req\.body|request\.data)\s*\}/,
+    ],
+    fix: 'Explicitly whitelist allowed fields instead of passing user input directly to ORM operations',
+  },
+
+  // --- File Upload ---
+  {
+    id: 'unvalidated-file-upload',
+    name: 'Unvalidated File Upload',
+    description: 'Accepting file uploads without type/size validation can lead to arbitrary file upload attacks',
+    severity: 'high',
+    tier: 'pro',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Multer without file filter or limits
+      /multer\s*\(\s*\{\s*(?:dest|storage)\s*:[^}]*\}\s*\)(?![^;]*(?:fileFilter|limits))/,
+      // Express file upload without checks
+      /upload\.(?:single|array|fields)\s*\([^)]*\)\s*(?:,|\))\s*(?:async\s*)?\([^)]*\)\s*(?:=>|\{)(?![^}]{0,300}(?:mimetype|type|size|extension|ext))/,
+    ],
+    fix: 'Validate file type (MIME type), size, and extension. Store uploads outside the webroot',
+  },
+
+  // --- Log Injection ---
+  {
+    id: 'log-injection',
+    name: 'Log Injection / CRLF Injection',
+    description: 'User input written directly to logs can forge log entries or inject malicious content',
+    severity: 'medium',
+    tier: 'pro',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Logger with user input that could contain newlines
+      /(?:logger|log)\.(?:info|warn|error|debug)\s*\(\s*(?:`[^`]*\$\{(?:req\.|body\.|params\.|query\.)|['"][^'"]*['"\s]*\+\s*(?:req\.|body\.|params\.|query\.))/,
+      /(?:console|logging)\.(?:log|info|warn|error|debug)\s*\(\s*f?['"`][^'"`]*\{(?:request\.|req\.)/,
+    ],
+    fix: 'Sanitize user input before logging: strip newlines, control characters, and limit length',
+  },
+
+  // ============================================
+  // NEW RULES - Security Gaps Backlog
+  // ============================================
+
+  // --- JWT Hardening ---
+  {
+    id: 'jwt-missing-exp',
+    name: 'JWT Token Without Expiration',
+    description: 'JWT tokens signed without an expiration claim can be used indefinitely if compromised',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: jwt.sign() without expiresIn option
+      /jwt\.sign\s*\(\s*(?:\{[^}]*\}|\w+)\s*,\s*(?:[^,)]+)\s*\)(?!\s*;?\s*\/\/\s*has\s*exp)/,
+      // JS: jwt.sign with options object but no expiresIn
+      /jwt\.sign\s*\(\s*(?:\{[^}]*\}|\w+)\s*,\s*[^,)]+\s*,\s*\{(?![^}]*expiresIn)[^}]*\}\s*\)/,
+    ],
+    fix: 'Always set an expiration: jwt.sign(payload, secret, { expiresIn: "1h" }) or include exp claim in payload',
+  },
+  {
+    id: 'jwt-weak-secret',
+    name: 'JWT Signed with Weak/Short Secret',
+    description: 'JWT signing with a short hardcoded secret makes tokens easy to brute-force',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: jwt.sign with short string literal secret (< 16 chars)
+      /jwt\.sign\s*\([^,]+,\s*['"`][^'"`]{1,15}['"`]/,
+      // JS: jwt.verify with short string literal secret
+      /jwt\.verify\s*\([^,]+,\s*['"`][^'"`]{1,15}['"`]/,
+    ],
+    fix: 'Use a strong secret (32+ characters) from environment variables: jwt.sign(payload, process.env.JWT_SECRET)',
+  },
+
+  // --- Security Headers ---
+  {
+    id: 'missing-security-headers',
+    name: 'Express App Without Security Headers',
+    description: 'Express apps without security headers (CSP, HSTS, X-Frame-Options) are vulnerable to various attacks',
+    severity: 'medium',
+    tier: 'free',
+    languages: ['javascript', 'typescript'],
+    patterns: [
+      // Express app created without helmet or manual header setup in same file
+      /const\s+\w+\s*=\s*express\s*\(\s*\)(?![^]*(?:helmet|Content-Security-Policy|X-Frame-Options|Strict-Transport-Security))/,
+    ],
+    fix: 'Use helmet middleware: app.use(helmet()) or set security headers manually (CSP, HSTS, X-Frame-Options)',
+  },
+  {
+    id: 'csp-unsafe-inline',
+    name: 'CSP Allows unsafe-inline or unsafe-eval',
+    description: 'Content Security Policy with unsafe-inline or unsafe-eval defeats the purpose of CSP and allows XSS',
+    severity: 'medium',
+    tier: 'pro',
+    languages: ['javascript', 'typescript'],
+    patterns: [
+      /Content-Security-Policy[^'"]*['"`][^'"`]*unsafe-inline[^'"`]*['"`]/,
+      /Content-Security-Policy[^'"]*['"`][^'"`]*unsafe-eval[^'"`]*['"`]/,
+      /contentSecurityPolicy[^}]*['"`][^'"`]*unsafe-inline[^'"`]*['"`]/,
+      /contentSecurityPolicy[^}]*['"`][^'"`]*unsafe-eval[^'"`]*['"`]/,
+    ],
+    fix: 'Remove unsafe-inline/unsafe-eval from CSP. Use nonces or hashes for inline scripts instead',
+  },
+
+  // --- CORS with Credentials ---
+  {
+    id: 'cors-credentials-wildcard',
+    name: 'CORS Wildcard Origin with Credentials',
+    description: 'Allowing all origins with credentials enabled lets any site make authenticated requests on behalf of users',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Express: cors({ origin: '*', credentials: true }) or cors({ origin: true, credentials: true })
+      /cors\s*\(\s*\{[^}]*origin\s*:\s*(?:['"`]\*['"`]|true)[^}]*credentials\s*:\s*true[^}]*\}/,
+      /cors\s*\(\s*\{[^}]*credentials\s*:\s*true[^}]*origin\s*:\s*(?:['"`]\*['"`]|true)[^}]*\}/,
+    ],
+    fix: 'Specify allowed origins explicitly instead of using wildcard when credentials are enabled',
+  },
+
+  // --- Password Hashing ---
+  {
+    id: 'password-hash-weak',
+    name: 'Weak Password Hashing Algorithm',
+    description: 'Using MD5, SHA1, or raw SHA256 without salt/KDF for passwords allows fast brute-force attacks',
+    severity: 'high',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: crypto.createHash with password variable
+      /crypto\.createHash\s*\(\s*['"`](?:md5|sha1|sha256)['"`]\s*\)\.update\s*\(\s*(?:password|passwd|pass|pwd)/i,
+      // Generic: hash(password) without bcrypt/scrypt/argon2
+      /(?:md5|sha1|sha256)\s*\(\s*(?:password|passwd|pass|pwd)\s*\)/i,
+    ],
+    fix: 'Use bcrypt, scrypt, or argon2 for password hashing: await bcrypt.hash(password, 12)',
+  },
+  {
+    id: 'password-plaintext-storage',
+    name: 'Password Stored Without Hashing',
+    description: 'Storing passwords directly in the database without hashing exposes all users if the database is compromised',
+    severity: 'critical',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // ORM create/insert with password from request body directly
+      /\.create\s*\(\s*\{[^}]*password\s*:\s*(?:req\.body\.password|request\.(?:data|POST)\[?['"`]?password)/,
+      /\.insert\s*\(\s*\{[^}]*password\s*:\s*(?:req\.body\.password|request\.(?:data|POST)\[?['"`]?password)/,
+      // Direct DB insert with password field from user input
+      /\.(?:insertOne|save)\s*\(\s*\{[^}]*password\s*:\s*(?:req\.body|data|body)\.password/,
+    ],
+    fix: 'Always hash passwords before storage: const hashed = await bcrypt.hash(req.body.password, 12)',
+  },
+
+  // --- Zip Slip ---
+  {
+    id: 'zip-slip',
+    name: 'Archive Extraction Without Path Validation (Zip Slip)',
+    description: 'Extracting archives without validating file paths allows attackers to write files outside the target directory',
+    severity: 'high',
+    tier: 'pro',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // JS: extract/unzip without path validation
+      /\.extract\s*\(\s*(?:req\.|body\.|params\.|query\.|upload|file|input)/,
+      /tar\.(?:x|extract)\s*\(\s*\{[^}]*(?:file|cwd)\s*:[^}]*(?:req\.|body\.|params\.|upload|input)/,
+      /unzipper\.Extract\s*\(/,
+      /adm-zip.*extractAllTo\s*\(/,
+    ],
+    fix: 'Validate extracted file paths: ensure path.resolve(dest, entry) starts with path.resolve(dest)',
+  },
+
+  // --- HTTP Client Timeout ---
+  {
+    id: 'http-client-no-timeout',
+    name: 'HTTP Client Without Timeout',
+    description: 'Outbound HTTP requests without a timeout can hang indefinitely, causing resource exhaustion',
+    severity: 'medium',
+    tier: 'free',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // Python: requests without timeout
+      /requests\.(?:get|post|put|delete|patch|head)\s*\([^)]*\)(?<![^)]*timeout)/,
+    ],
+    fix: 'Always set a timeout: requests.get(url, timeout=10) or use AbortController with fetch',
+  },
+
+  // --- S3 Public Access ---
+  {
+    id: 's3-public-read',
+    name: 'S3 Bucket with Public Access',
+    description: 'S3 bucket policies granting public access can expose sensitive data to the internet',
+    severity: 'high',
+    tier: 'pro',
+    languages: ['javascript', 'typescript', 'python'],
+    patterns: [
+      // S3 ACL set to public-read
+      /ACL\s*:\s*['"`]public-read(?:-write)?['"`]/,
+      /acl\s*=\s*['"`]public-read(?:-write)?['"`]/,
+      // S3 policy with Principal: *
+      /Principal['"`:]\s*['"`]\*['"`][\s\S]{0,200}s3:(?:GetObject|\*)/,
+      // Public bucket configuration
+      /BlockPublicAcls\s*:\s*false/,
+      /BlockPublicPolicy\s*:\s*false/,
+    ],
+    fix: 'Remove public access. Use BlockPublicAccess, restrict bucket policies to specific IAM roles/accounts',
+  },
 ];
 
 export function getRuleById(id: string): SecurityRule | undefined {