deltarq-scan 0.1.0

package/src/output/terminal.js

@@ -0,0 +1,218 @@
+/**
+ * Terminal Reporter — Rich chalk-based terminal output
+ * Renders the branded DELTARQ scan report with colors, tables, and icons
+ */
+
+import chalk from 'chalk';
+import Table from 'cli-table3';
+import { getRule, SEVERITY_ORDER } from '../rules/index.js';
+import { getComplianceGapCount, estimateRemediationEffort } from '../engine/aggregator.js';
+
+// Color scheme
+const COLORS = {
+  brand: chalk.hex('#6C5CE7'),        // DELTARQ purple
+  brandBold: chalk.hex('#6C5CE7').bold,
+  critical: chalk.red.bold,
+  high: chalk.hex('#FF6B35').bold,     // Orange
+  medium: chalk.yellow.bold,
+  drift: chalk.blue.bold,
+  pass: chalk.green.bold,
+  dim: chalk.dim,
+  white: chalk.white,
+  whiteBold: chalk.white.bold,
+  score: {
+    excellent: chalk.green.bold,
+    acceptable: chalk.green,
+    atRisk: chalk.yellow.bold,
+    vulnerable: chalk.hex('#FF6B35').bold,
+    critical: chalk.red.bold,
+  },
+};
+
+const SEVERITY_ICONS = {
+  CRITICAL: '🔴',
+  HIGH: '🟠',
+  MEDIUM: '🟡',
+  DRIFT: '🔵',
+};
+
+const SEVERITY_COLORS = {
+  CRITICAL: COLORS.critical,
+  HIGH: COLORS.high,
+  MEDIUM: COLORS.medium,
+  DRIFT: COLORS.drift,
+};
+
+/**
+ * Print the branded header banner
+ */
+export function printBanner(targetDir) {
+  const line = COLORS.brand('─'.repeat(56));
+  console.log();
+  console.log(line);
+  console.log(COLORS.brandBold('   DELTARQ Security Scanner') + COLORS.dim(' v0.1.0'));
+  console.log(COLORS.dim(`   Scanning: ${targetDir}`));
+  console.log(line);
+  console.log();
+}
+
+/**
+ * Print a scan phase result line
+ * @param {string} label - Phase description
+ * @param {string} result - Result text
+ * @param {'ok'|'warning'|'error'|'skip'} status - Result status
+ */
+export function printScanPhase(label, result, status = 'ok') {
+  const icons = {
+    ok: chalk.green('✓'),
+    warning: chalk.yellow('⚠'),
+    error: chalk.red('✗'),
+    skip: chalk.dim('○'),
+  };
+
+  const icon = icons[status] || icons.ok;
+  const labelPadded = label.padEnd(35);
+  const resultColor = status === 'error' ? COLORS.critical :
+                      status === 'warning' ? COLORS.medium :
+                      status === 'skip' ? COLORS.dim :
+                      COLORS.pass;
+
+  console.log(`   ${icon} ${COLORS.white(labelPadded)} ${resultColor(result)}`);
+}
+
+/**
+ * Print the full scan report
+ */
+export function printReport(findings, scoreResult, projectInfo) {
+  const line = COLORS.brand('─'.repeat(56));
+  const failedFindings = findings.filter(f => !f.passed);
+
+  // Deduplicate by rule ID for display
+  const seenRules = new Set();
+  const uniqueFindings = [];
+  for (const f of failedFindings) {
+    if (!seenRules.has(f.rule)) {
+      seenRules.add(f.rule);
+      uniqueFindings.push(f);
+    }
+  }
+
+  // Sort by severity
+  uniqueFindings.sort((a, b) => {
+    return SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity);
+  });
+
+  console.log();
+  console.log(line);
+
+  // Score display
+  const scoreColor = getScoreColor(scoreResult.score);
+  console.log(
+    `   YOUR SECURITY SCORE: ${scoreColor(`${scoreResult.score}/100`)}   ` +
+    `[${scoreColor(`${scoreResult.grade} — ${scoreResult.label}`)}]`
+  );
+  console.log(line);
+  console.log();
+
+  // Findings
+  if (uniqueFindings.length === 0) {
+    console.log(COLORS.pass('   ✓ No security issues detected! Your project looks solid.'));
+    console.log();
+  } else {
+    for (const finding of uniqueFindings) {
+      const icon = SEVERITY_ICONS[finding.severity] || '⚪';
+      const sevColor = SEVERITY_COLORS[finding.severity] || COLORS.dim;
+      const rule = getRule(finding.rule);
+      const ruleName = rule ? rule.name : finding.rule;
+      const ruleDesc = rule ? rule.description : finding.detail;
+
+      console.log(
+        `   ${icon} ${sevColor(finding.severity.padEnd(10))} ${COLORS.whiteBold(finding.rule)}  ${COLORS.white(ruleName)}`
+      );
+      console.log(
+        `   ${' '.repeat(3)} ${' '.repeat(10)} ${COLORS.dim('→')} ${COLORS.dim(ruleDesc)}`
+      );
+      console.log();
+    }
+  }
+
+  // Footer stats
+  console.log(line);
+  const gapCount = getComplianceGapCount(findings);
+  const effort = estimateRemediationEffort(findings);
+
+  const readyIcon = scoreResult.enterpriseReady ? COLORS.pass('✓') : COLORS.critical('✗');
+  const readyLabel = scoreResult.enterpriseReady
+    ? COLORS.pass('Ready')
+    : COLORS.critical('Not Ready');
+
+  console.log(`   ENTERPRISE READINESS: ${readyIcon} ${readyLabel}`);
+  console.log(`   SOC 2 Gap Count: ${COLORS.whiteBold(String(gapCount) + ' controls failing')}`);
+  console.log(`   Estimated remediation effort: ${COLORS.whiteBold(effort)}`);
+  console.log(line);
+  console.log();
+}
+
+/**
+ * Print the summary table (alternative compact view)
+ */
+export function printSummaryTable(findings) {
+  const failedFindings = findings.filter(f => !f.passed);
+  const seenRules = new Set();
+  const unique = [];
+  for (const f of failedFindings) {
+    if (!seenRules.has(f.rule)) {
+      seenRules.add(f.rule);
+      unique.push(f);
+    }
+  }
+
+  if (unique.length === 0) return;
+
+  const table = new Table({
+    head: [
+      chalk.white.bold('Severity'),
+      chalk.white.bold('Rule'),
+      chalk.white.bold('Issue'),
+      chalk.white.bold('Status'),
+    ],
+    colWidths: [12, 12, 40, 10],
+    style: {
+      head: [],
+      border: ['dim'],
+    },
+    chars: {
+      'top': '─', 'top-mid': '┬', 'top-left': '┌', 'top-right': '┐',
+      'bottom': '─', 'bottom-mid': '┴', 'bottom-left': '└', 'bottom-right': '┘',
+      'left': '│', 'left-mid': '├', 'mid': '─', 'mid-mid': '┼',
+      'right': '│', 'right-mid': '┤', 'middle': '│',
+    },
+  });
+
+  for (const f of unique) {
+    const rule = getRule(f.rule);
+    const sevColor = SEVERITY_COLORS[f.severity] || COLORS.dim;
+    const icon = SEVERITY_ICONS[f.severity] || '⚪';
+
+    table.push([
+      `${icon} ${sevColor(f.severity)}`,
+      COLORS.whiteBold(f.rule),
+      COLORS.white(rule ? rule.name : f.detail),
+      COLORS.critical('FAIL'),
+    ]);
+  }
+
+  console.log(table.toString());
+  console.log();
+}
+
+/**
+ * Get the color function for a score value
+ */
+function getScoreColor(score) {
+  if (score >= 90) return COLORS.score.excellent;
+  if (score >= 80) return COLORS.score.acceptable;
+  if (score >= 60) return COLORS.score.atRisk;
+  if (score >= 40) return COLORS.score.vulnerable;
+  return COLORS.score.critical;
+}

package/src/output/uploader.js

@@ -0,0 +1,122 @@
+/**
+ * Uploader — Handles anonymous scan data upload to DELTARQ dashboard
+ * Includes consent prompt and transparent preview before any data leaves
+ */
+
+import readline from 'readline';
+import chalk from 'chalk';
+import { validateNoSecrets } from '../engine/anonymizer.js';
+
+const DELTARQ_API_URL = process.env.DELTARQ_API_URL || 'https://deltarq-scan.vercel.app/v1/scans';
+const DELTARQ_DASHBOARD_URL = process.env.DELTARQ_DASHBOARD_URL || 'https://deltarq-scan.vercel.app';
+
+/**
+ * Prompt the user for consent and upload anonymous scan results
+ * @param {Object} anonymousPayload - The anonymized scan JSON
+ * @param {{ noUpload: boolean }} options - CLI options
+ * @returns {Promise<{ uploaded: boolean, reportUrl?: string }>}
+ */
+export async function uploadWithConsent(anonymousPayload, options = {}) {
+  if (options.noUpload) {
+    return { uploaded: false };
+  }
+
+  console.log();
+  console.log(chalk.hex('#6C5CE7').bold('  Would you like to see your full report on the DELTARQ dashboard?'));
+  console.log(chalk.dim('  (No sensitive data is uploaded — only boolean pass/fail metadata)'));
+  console.log();
+
+  // Show preview of what will be uploaded
+  if (options.verbose) {
+    console.log(chalk.dim('  Preview of upload payload:'));
+    console.log(chalk.dim('  ' + JSON.stringify(anonymousPayload, null, 2).split('\n').join('\n  ')));
+    console.log();
+  }
+
+  const consent = await askYesNo('  [Y/n]: ');
+
+  if (!consent) {
+    console.log();
+    console.log(chalk.dim('  Skipped upload. Your scan results are only on this machine.'));
+    return { uploaded: false };
+  }
+
+  // Safety check before upload
+  try {
+    validateNoSecrets(anonymousPayload);
+  } catch (err) {
+    console.log();
+    console.log(chalk.red.bold(`  ✗ ${err.message}`));
+    return { uploaded: false, error: err.message };
+  }
+
+  // Perform the upload
+  console.log();
+  process.stdout.write(chalk.dim('  Uploading anonymous scan metadata...  '));
+
+  try {
+    const response = await fetch(DELTARQ_API_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'User-Agent': `deltarq-scan/${anonymousPayload.scanner_version}`,
+      },
+      body: JSON.stringify(anonymousPayload),
+    });
+
+    if (!response.ok) {
+      // Non-critical failure — the scan still ran successfully
+      console.log(chalk.yellow('⚠ Upload failed (non-critical)'));
+      console.log(chalk.dim(`  Server responded with status ${response.status}`));
+      return { uploaded: false };
+    }
+
+    const result = await response.json();
+    const reportUrl = result.report_url || `${DELTARQ_DASHBOARD_URL}/report/${anonymousPayload.scan_id}`;
+
+    console.log(chalk.green('✓ Done'));
+    console.log();
+    console.log(chalk.white('  Your report is live at:'));
+    console.log(chalk.hex('#6C5CE7').bold(`  ${reportUrl}`));
+    console.log();
+    console.log(chalk.white('  Book a 20-min call to fix these gaps with a DELTARQ engineer:'));
+    console.log(chalk.hex('#6C5CE7').bold('  → https://calendar.app.google/ExhxfcYvbV5PKMs36'));
+    console.log();
+
+    return { uploaded: true, reportUrl };
+
+  } catch (err) {
+    // Network error — API might be down or no internet
+    console.log(chalk.yellow('⚠ Upload failed'));
+    console.log(chalk.dim(`  ${err.message}`));
+    console.log(chalk.dim('  Your scan results are still available locally.'));
+    console.log();
+
+    // Still show the CTA
+    console.log(chalk.white('  Book a 20-min call to fix these gaps with a DELTARQ engineer:'));
+    console.log(chalk.hex('#6C5CE7').bold('  → https://calendar.app.google/ExhxfcYvbV5PKMs36'));
+    console.log();
+
+    return { uploaded: false };
+  }
+}
+
+/**
+ * Ask a yes/no question in the terminal
+ * @param {string} prompt - The prompt text
+ * @returns {Promise<boolean>}
+ */
+function askYesNo(prompt) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+
+    rl.question(prompt, (answer) => {
+      rl.close();
+      const normalized = answer.trim().toLowerCase();
+      resolve(normalized === '' || normalized === 'y' || normalized === 'yes');
+    });
+  });
+}

package/src/rules/data.js

@@ -0,0 +1,24 @@
+/**
+ * Data & Database security rules
+ * Checks database configuration for encryption, access, and resilience
+ */
+
+export const DB_001 = {
+  id: 'DB-001',
+  name: 'Postgres No SSL + Public Endpoint',
+  severity: 'CRITICAL',
+  category: 'Data',
+  description: 'Your DB connection is unencrypted on a public-reachable host. MITM attack can dump your entire user table in transit.',
+  remediation: 'Enable sslmode=require in your DATABASE_URL and ensure the host is not publicly accessible.',
+  sopLink: 'https://www.postgresql.org/docs/current/ssl-tcp.html',
+};
+
+export const DB_002 = {
+  id: 'DB-002',
+  name: 'Connection Pool — No Max Limit',
+  severity: 'MEDIUM',
+  category: 'Data',
+  description: 'Unbounded connection pools under load = DB crash. Also a common DoS attack vector.',
+  remediation: 'Set a pool.max or pool.size limit in your database configuration (recommended: 10-20 for small apps).',
+  sopLink: 'https://node-postgres.com/apis/pool',
+};

package/src/rules/git.js

@@ -0,0 +1,14 @@
+/**
+ * Git Configuration & Secret Exposure rules
+ * Checks for gitignore configuration and git history leaks
+ */
+
+export const GIT_001 = {
+  id: 'GIT-001',
+  name: 'Git Secret & Config Exposure',
+  severity: 'MEDIUM',
+  category: 'Git Configuration',
+  description: 'Secrets or sensitive files are tracked in git or not excluded in .gitignore, exposing credentials in repository history.',
+  remediation: 'Add .env and credential files to .gitignore and purge any existing secrets from git history using git-filter-repo.',
+  sopLink: 'https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning',
+};

package/src/rules/identity.js

@@ -0,0 +1,34 @@
+/**
+ * Identity & Access Management rules
+ * Checks IAM policies and credential management
+ */
+
+export const IAM_001 = {
+  id: 'IAM-001',
+  name: 'Wildcard IAM Policy',
+  severity: 'CRITICAL',
+  category: 'Identity',
+  description: 'Your IAM policy grants God-mode access. Any compromised Lambda = full account takeover.',
+  remediation: 'Apply least-privilege IAM policies. Replace "Action": "*" with specific service actions.',
+  sopLink: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege',
+};
+
+export const IAM_002 = {
+  id: 'IAM-002',
+  name: 'Hardcoded Cloud/API Secrets',
+  severity: 'HIGH',
+  category: 'Identity',
+  description: 'Hardcoded API tokens or cloud keys with no rotation = one git leak away from a massive breach or financial loss.',
+  remediation: 'Use IAM roles, environment-based credentials, or secret managers (like AWS Secrets Manager or Vault) instead of hardcoding keys.',
+  sopLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html',
+};
+
+export const IAM_003 = {
+  id: 'IAM-003',
+  name: 'No MFA on Root Account',
+  severity: 'MEDIUM',
+  category: 'Identity',
+  description: 'Your AWS root account has no MFA. This is the master key to your entire infrastructure.',
+  remediation: 'Enable MFA on the AWS root account immediately.',
+  sopLink: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa',
+};

package/src/rules/index.js

@@ -0,0 +1,53 @@
+/**
+ * Rule Registry — Central index of all scan rules
+ * Import and re-export all rules for the scanner engine
+ */
+
+import { INFRA_001, INFRA_002, INFRA_003, INFRA_004 } from './infrastructure.js';
+import { IAM_001, IAM_002, IAM_003 } from './identity.js';
+import { DB_001, DB_002 } from './data.js';
+import { LOG_001 } from './logging.js';
+import { GIT_001 } from './git.js';
+
+/**
+ * All registered rules, indexed by ID
+ */
+export const RULES = {
+  'INFRA-001': INFRA_001,
+  'INFRA-002': INFRA_002,
+  'INFRA-003': INFRA_003,
+  'INFRA-004': INFRA_004,
+  'IAM-001': IAM_001,
+  'IAM-002': IAM_002,
+  'IAM-003': IAM_003,
+  'DB-001': DB_001,
+  'DB-002': DB_002,
+  'LOG-001': LOG_001,
+  'GIT-001': GIT_001,
+};
+
+/**
+ * Get all rules as an array
+ */
+export function getAllRules() {
+  return Object.values(RULES);
+}
+
+/**
+ * Get a rule by its ID
+ */
+export function getRule(id) {
+  return RULES[id] || null;
+}
+
+/**
+ * Get rules filtered by severity
+ */
+export function getRulesBySeverity(severity) {
+  return getAllRules().filter(r => r.severity === severity);
+}
+
+/**
+ * Severity levels in order of priority
+ */
+export const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'DRIFT'];

package/src/rules/infrastructure.js

@@ -0,0 +1,44 @@
+/**
+ * Infrastructure security rules
+ * Checks Docker and container configuration for security gaps
+ */
+
+export const INFRA_001 = {
+  id: 'INFRA-001',
+  name: 'Docker Running as Root',
+  severity: 'CRITICAL',
+  category: 'Infrastructure',
+  description: 'Your containers run as root. Container escape = full host compromise.',
+  remediation: 'Add a USER directive in your Dockerfile to run as a non-root user.',
+  sopLink: 'https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user',
+};
+
+export const INFRA_002 = {
+  id: 'INFRA-002',
+  name: 'Database Port Exposed to All Interfaces',
+  severity: 'HIGH',
+  category: 'Infrastructure',
+  description: 'Your Postgres port is exposed to the open internet via Docker. Shodan already knows about hosts like yours.',
+  remediation: 'Bind database ports to 127.0.0.1 only (e.g., "127.0.0.1:5432:5432").',
+  sopLink: 'https://docs.docker.com/compose/networking/',
+};
+
+export const INFRA_003 = {
+  id: 'INFRA-003',
+  name: 'Missing Lockfile (Supply Chain)',
+  severity: 'HIGH',
+  category: 'Infrastructure',
+  description: 'No package-lock.json or yarn.lock found. This violates SOC 2 requirements for deterministic, reproducible builds and leaves you vulnerable to dependency hijacking.',
+  remediation: 'Generate and commit a lockfile using your package manager (e.g., run npm install).',
+  sopLink: 'https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json',
+};
+
+export const INFRA_004 = {
+  id: 'INFRA-004',
+  name: 'Insecure CI/CD Pipeline',
+  severity: 'CRITICAL',
+  category: 'Infrastructure',
+  description: 'Your GitHub Actions workflow uses dangerous triggers (like pull_request_target). Malicious PRs could steal your repository secrets or tamper with your releases.',
+  remediation: 'Remove the pull_request_target trigger, or carefully gate access using environment protection rules.',
+  sopLink: 'https://securitylab.github.com/research/github-actions-preventing-pwn-requests/',
+};

package/src/rules/logging.js

@@ -0,0 +1,14 @@
+/**
+ * Logging & Audit Trail rules
+ * Checks for structured logging and audit capabilities
+ */
+
+export const LOG_001 = {
+  id: 'LOG-001',
+  name: 'No Structured Audit Trail',
+  severity: 'HIGH',
+  category: 'Logging',
+  description: 'You have no audit trail. If you\'re breached, you won\'t know who accessed what or when. SOC 2 Type II requires this.',
+  remediation: 'Implement structured logging with a library like Winston, Pino, or Morgan for access/auth events.',
+  sopLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html',
+};

package/src/scanner/awsScanner.js

@@ -0,0 +1,138 @@
+/**
+ * AWS Scanner — Checks AWS IAM configuration for security issues
+ * Uses locally configured ~/.aws/credentials (read-only)
+ * 
+ * Day 1-2: Local file checks only
+ * Day 3: AWS SDK integration for live API checks (MFA, CloudTrail, IAM drift)
+ */
+
+import path from 'path';
+import os from 'os';
+import { readFileSafe, findFiles } from '../utils/fileUtils.js';
+
+/**
+ * Run AWS-related security scans
+ * @param {string} targetDir - The project root directory
+ * @returns {Promise<{ findings: Array, awsConfigured: boolean }>}
+ */
+export async function runAwsScanner(targetDir) {
+  const findings = [];
+
+  // Check if AWS credentials exist locally
+  const awsDir = path.join(os.homedir(), '.aws');
+  const credentialsFile = readFileSafe(path.join(awsDir, 'credentials'));
+  const configFile = readFileSafe(path.join(awsDir, 'config'));
+
+  const awsConfigured = !!(credentialsFile || configFile);
+
+  // IAM-001: Scan for wildcard IAM policies in the project
+  const policyFindings = await scanIAMPolicies(targetDir);
+  findings.push(...policyFindings);
+
+  // --- Day 3: AWS SDK Live Checks (stubbed for now) ---
+  // IAM-003: MFA on root account
+  // DRIFT-001: New IAM users without MFA
+  // DRIFT-002: CloudTrail status
+
+  if (awsConfigured) {
+    // Placeholder for live AWS API checks
+    // These will use AWS SDK v3 when integrated
+    /*
+    try {
+      const mfaFinding = await checkRootMFA();
+      if (mfaFinding) findings.push(mfaFinding);
+      
+      const driftFindings = await checkIAMDrift();
+      findings.push(...driftFindings);
+      
+      const trailFinding = await checkCloudTrail();
+      if (trailFinding) findings.push(trailFinding);
+    } catch (err) {
+      // AWS API call failed — permissions might be insufficient
+    }
+    */
+  }
+
+  return { findings, awsConfigured };
+}
+
+/**
+ * Scan project files for IAM policy documents with overly permissive rules
+ */
+async function scanIAMPolicies(targetDir) {
+  const findings = [];
+
+  // Look for IAM policy JSON files
+  const policyFiles = await findFiles(targetDir, [
+    '**/*policy*.json',
+    '**/*iam*.json',
+    '**/trust-policy*.json',
+    '**/role*.json',
+    '**/*permissions*.json',
+    '**/serverless.yml',
+    '**/serverless.yaml',
+    '**/template.yml',
+    '**/template.yaml',
+    '**/sam.yml',
+    '**/sam.yaml',
+  ]);
+
+  for (const policyFile of policyFiles) {
+    const content = readFileSafe(policyFile);
+    if (!content) continue;
+
+    const relPath = path.relative(targetDir, policyFile);
+
+    // Check JSON policy files
+    if (policyFile.endsWith('.json')) {
+      try {
+        const policy = JSON.parse(content);
+        const statements = policy.Statement || (policy.PolicyDocument && policy.PolicyDocument.Statement) || [];
+
+        for (const stmt of statements) {
+          const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
+          const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
+
+          const hasWildcardAction = actions.some(a => a === '*');
+          const hasWildcardResource = resources.some(r => r === '*');
+
+          if (hasWildcardAction && hasWildcardResource && stmt.Effect === 'Allow') {
+            findings.push({
+              rule: 'IAM-001',
+              severity: 'CRITICAL',
+              passed: false,
+              detail: `Wildcard IAM policy (Action:* + Resource:*) found in ${relPath}`,
+              file: relPath,
+            });
+            break; // One finding per file is enough
+          }
+        }
+      } catch {
+        // Not valid JSON or unexpected structure
+      }
+    }
+
+    // Check YAML serverless/SAM templates for wildcard policies
+    if (policyFile.endsWith('.yml') || policyFile.endsWith('.yaml')) {
+      if (content.includes('"*"') || content.includes("'*'")) {
+        // Rough check — look for Action: "*" and Resource: "*" patterns
+        const hasWildcardAction = content.includes('Action') && 
+                                  (content.includes("'*'") || content.includes('"*"'));
+        const hasWildcardResource = content.includes('Resource') && 
+                                    (content.includes("'*'") || content.includes('"*"'));
+
+        if (hasWildcardAction && hasWildcardResource) {
+          findings.push({
+            rule: 'IAM-001',
+            severity: 'CRITICAL',
+            passed: false,
+            detail: `Wildcard IAM policy detected in ${relPath} (serverless/SAM template)`,
+            file: relPath,
+          });
+        }
+      }
+    }
+  }
+
+  return findings;
+}