getdoorman 1.0.0

package/src/rules/compliance/frameworks.js

@@ -0,0 +1,507 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java', '.cs', '.php'].some(e => f.endsWith(e)); }
+
+const rules = [
+  // === NIST 800-53 / Cybersecurity Framework Rules ===
+
+  {
+    id: 'COMP-NIST-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Access Control Policy',
+    check({ files }) {
+      const findings = [];
+      const accessControlPattern = /(?:rbac|role[_\-.]?based|acl|access[_\-.]?control|permission[_\-.]?model|policy[_\-.]?engine|authorize|checkPermission|requireRole|can(?:Access|Read|Write|Delete)|guard|protect)/i;
+      const hasAuth = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:endpoint|route|api|handler|controller|app|server)/i.test(c));
+      if (!hasAuth) return findings;
+      const hasAccessControl = [...files.entries()].some(([f, c]) => isSourceFile(f) && accessControlPattern.test(c));
+      if (!hasAccessControl) {
+        findings.push({
+          ruleId: 'COMP-NIST-001', category: 'compliance', severity: 'high',
+          title: 'No RBAC/ACL/permission model detected',
+          description: 'NIST 800-53 AC-1 requires an access control policy and procedures. Implement role-based access control (RBAC), access control lists (ACLs), or a permission model to enforce least privilege.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing Multi-Factor Authentication',
+    check({ files }) {
+      const findings = [];
+      const authPattern = /(?:login|signin|sign[_\-.]?in|authenticate|auth[_\-.]?handler|passport|auth0|cognito|firebase[_\-.]?auth)/i;
+      const mfaPattern = /(?:mfa|multi[_\-.]?factor|two[_\-.]?factor|2fa|totp|otp|authenticator[_\-.]?app|sms[_\-.]?verif|second[_\-.]?factor|u2f|webauthn|fido)/i;
+      const hasAuth = [...files.entries()].some(([f, c]) => isSourceFile(f) && authPattern.test(c));
+      if (!hasAuth) return findings;
+      const hasMfa = [...files.entries()].some(([f, c]) => isSourceFile(f) && mfaPattern.test(c));
+      if (!hasMfa) {
+        findings.push({
+          ruleId: 'COMP-NIST-002', category: 'compliance', severity: 'high',
+          title: 'Authentication without multi-factor authentication support',
+          description: 'NIST 800-53 IA-2 requires multi-factor authentication for privileged and network access. Implement MFA/2FA using TOTP, WebAuthn, or SMS verification.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Continuous Monitoring',
+    check({ files }) {
+      const findings = [];
+      const monitoringPattern = /(?:monitoring|health[_\-.]?check|alerting|prometheus|grafana|datadog|newrelic|cloudwatch|sentry|pagerduty|opsgenie|status[_\-.]?page|uptime|heartbeat)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasMonitoring = [...files.entries()].some(([f, c]) => monitoringPattern.test(c) || f.match(/monitor|health|alert/i));
+      if (!hasMonitoring) {
+        findings.push({
+          ruleId: 'COMP-NIST-003', category: 'compliance', severity: 'medium',
+          title: 'No continuous monitoring or health checks detected',
+          description: 'NIST 800-53 CA-7 requires continuous monitoring of information systems. Implement health checks, alerting, and monitoring using tools like Prometheus, Datadog, or CloudWatch.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-004',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Incident Response Plan',
+    check({ files }) {
+      const findings = [];
+      const incidentPattern = /(?:incident[_\-.]?response|incident[_\-.]?plan|security[_\-.]?incident|breach[_\-.]?notification|playbook|escalation[_\-.]?procedure|runbook|on[_\-.]?call|incident[_\-.]?management)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasIncident = [...files.entries()].some(([f, c]) => incidentPattern.test(c) || f.match(/incident|playbook|runbook/i));
+      if (!hasIncident) {
+        findings.push({
+          ruleId: 'COMP-NIST-004', category: 'compliance', severity: 'medium',
+          title: 'No incident response plan or playbook references',
+          description: 'NIST 800-53 IR-1 requires an incident response policy and plan. Document and reference incident response procedures, escalation paths, and playbooks.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-005',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Configuration Management',
+    check({ files }) {
+      const findings = [];
+      const configMgmtPattern = /(?:config[_\-.]?validat|config[_\-.]?schema|joi|zod|yup|ajv|json[_\-.]?schema|env[_\-.]?validat|config[_\-.]?check|baseline[_\-.]?config|hardening)/i;
+      const hasConfig = [...files.entries()].some(([f, c]) =>
+        isSourceFile(f) && /(?:config|settings|environment|env)/i.test(f)
+      );
+      if (!hasConfig) return findings;
+      const hasValidation = [...files.entries()].some(([f, c]) => isSourceFile(f) && configMgmtPattern.test(c));
+      if (!hasValidation) {
+        findings.push({
+          ruleId: 'COMP-NIST-005', category: 'compliance', severity: 'medium',
+          title: 'Configuration files without validation or schema enforcement',
+          description: 'NIST 800-53 CM-1 requires configuration management policies. Validate configuration values using schemas (Joi, Zod, JSON Schema) to prevent misconfigurations.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-006',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing System Integrity',
+    check({ files }) {
+      const findings = [];
+      const integrityPattern = /(?:integrity|checksum|hmac|digital[_\-.]?signature|code[_\-.]?signing|hash[_\-.]?verif|subresource[_\-.]?integrity|sri|tamper[_\-.]?detect|file[_\-.]?integrity)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasIntegrity = [...files.entries()].some(([f, c]) => isSourceFile(f) && integrityPattern.test(c));
+      if (!hasIntegrity) {
+        findings.push({
+          ruleId: 'COMP-NIST-006', category: 'compliance', severity: 'medium',
+          title: 'No integrity checking mechanisms detected',
+          description: 'NIST 800-53 SI-7 requires software and information integrity verification. Implement checksums, HMAC verification, code signing, or subresource integrity (SRI) checks.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-007',
+    category: 'compliance',
+    severity: 'low',
+    confidence: 'likely',
+    title: 'No Personnel Security',
+    check({ files }) {
+      const findings = [];
+      const personnelPattern = /(?:offboard|deprovisio|access[_\-.]?review|employee[_\-.]?term|revoke[_\-.]?access|disable[_\-.]?account|personnel[_\-.]?security|background[_\-.]?check|clearance)/i;
+      const hasUserMgmt = [...files.entries()].some(([f, c]) =>
+        isSourceFile(f) && /(?:user[_\-.]?management|admin|employee|staff|personnel)/i.test(c)
+      );
+      if (!hasUserMgmt) return findings;
+      const hasPersonnel = [...files.entries()].some(([f, c]) => personnelPattern.test(c));
+      if (!hasPersonnel) {
+        findings.push({
+          ruleId: 'COMP-NIST-007', category: 'compliance', severity: 'low',
+          title: 'No employee access review or offboarding process',
+          description: 'NIST 800-53 PS-4 requires personnel termination procedures including revoking access. Implement access review and offboarding automation for departing employees.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-008',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Media Protection',
+    check({ files }) {
+      const findings = [];
+      const mediaPattern = /(?:disk[_\-.]?encrypt|volume[_\-.]?encrypt|luks|bitlocker|filevault|secure[_\-.]?delet|wipe|shred|degauss|media[_\-.]?sanitiz|data[_\-.]?destruct)/i;
+      const infraPattern = /(?:terraform|ansible|cloudformation|kubernetes|docker|infrastructure|deploy)/i;
+      const hasInfra = [...files.entries()].some(([f, c]) => infraPattern.test(f) || infraPattern.test(c));
+      if (!hasInfra) return findings;
+      const hasMediaProtection = [...files.entries()].some(([f, c]) => mediaPattern.test(c));
+      if (!hasMediaProtection) {
+        findings.push({
+          ruleId: 'COMP-NIST-008', category: 'compliance', severity: 'medium',
+          title: 'No disk encryption or secure deletion references',
+          description: 'NIST 800-53 MP-4/MP-6 requires media protection including encryption of storage media and secure sanitization. Configure disk encryption and implement secure data deletion.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-009',
+    category: 'compliance',
+    severity: 'low',
+    confidence: 'likely',
+    title: 'No Physical Security Reference',
+    check({ files }) {
+      const findings = [];
+      const physicalPattern = /(?:physical[_\-.]?access|badge|keycard|biometric[_\-.]?access|datacenter|data[_\-.]?center|server[_\-.]?room|colo(?:cation)?|facility[_\-.]?security|cctv|surveillance)/i;
+      const infraPattern = /(?:terraform|ansible|cloudformation|kubernetes|infrastructure)/i;
+      const hasInfra = [...files.entries()].some(([f, c]) => infraPattern.test(f) || infraPattern.test(c));
+      if (!hasInfra) return findings;
+      const hasPhysical = [...files.entries()].some(([f, c]) => physicalPattern.test(c));
+      if (!hasPhysical) {
+        findings.push({
+          ruleId: 'COMP-NIST-009', category: 'compliance', severity: 'low',
+          title: 'No physical access controls in infrastructure code',
+          description: 'NIST 800-53 PE-1 requires physical security policies. Reference physical access controls, datacenter security, or cloud provider physical security certifications in infrastructure documentation.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-010',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Contingency Planning',
+    check({ files }) {
+      const findings = [];
+      const contingencyPattern = /(?:failover|redundan|disaster[_\-.]?recovery|dr[_\-.]?plan|business[_\-.]?continuity|bcp|backup[_\-.]?strateg|high[_\-.]?availability|ha[_\-.]?cluster|multi[_\-.]?az|multi[_\-.]?region|replica)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler|database)/i.test(c));
+      if (!hasApp) return findings;
+      const hasContingency = [...files.entries()].some(([f, c]) => contingencyPattern.test(c) || f.match(/disaster|recovery|backup|continuity/i));
+      if (!hasContingency) {
+        findings.push({
+          ruleId: 'COMP-NIST-010', category: 'compliance', severity: 'medium',
+          title: 'No failover, redundancy, or disaster recovery references',
+          description: 'NIST 800-53 CP-1 requires contingency planning. Implement failover mechanisms, redundancy, and disaster recovery procedures to ensure system availability.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-011',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Risk Assessment',
+    check({ files }) {
+      const findings = [];
+      const riskPattern = /(?:risk[_\-.]?assessment|threat[_\-.]?model|vulnerability[_\-.]?assessment|security[_\-.]?audit|pentest|penetration[_\-.]?test|risk[_\-.]?analysis|stride|dread|attack[_\-.]?surface)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasRisk = [...files.entries()].some(([f, c]) => riskPattern.test(c) || f.match(/threat|risk[_\-.]?assess/i));
+      if (!hasRisk) {
+        findings.push({
+          ruleId: 'COMP-NIST-011', category: 'compliance', severity: 'medium',
+          title: 'No risk assessment or threat model references',
+          description: 'NIST 800-53 RA-3 requires risk assessments. Document threat models, conduct vulnerability assessments, and reference risk analysis processes (e.g., STRIDE, DREAD).',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-NIST-012',
+    category: 'compliance',
+    severity: 'low',
+    confidence: 'likely',
+    title: 'Missing Security Training Reference',
+    check({ files }) {
+      const findings = [];
+      const trainingPattern = /(?:security[_\-.]?(?:training|awareness|education)|phishing[_\-.]?(?:training|simulation)|secure[_\-.]?coding[_\-.]?training|awareness[_\-.]?program|training[_\-.]?complet|onboarding[_\-.]?security)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasTraining = [...files.entries()].some(([f, c]) => trainingPattern.test(c));
+      if (!hasTraining) {
+        findings.push({
+          ruleId: 'COMP-NIST-012', category: 'compliance', severity: 'low',
+          title: 'No security awareness or training references',
+          description: 'NIST 800-53 AT-1 requires security awareness and training policies. Reference security training programs, awareness campaigns, or secure coding guidelines.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // === ISO 27001 Rules ===
+
+  {
+    id: 'COMP-ISO27001-001',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Information Security Policy',
+    check({ files }) {
+      const findings = [];
+      const policyPattern = /(?:security[_\-.]?policy|infosec[_\-.]?policy|information[_\-.]?security[_\-.]?policy|isms|iso[_\-.]?27001|security[_\-.]?governance|security[_\-.]?standard)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasPolicy = [...files.entries()].some(([f, c]) => policyPattern.test(c) || f.match(/security[_\-.]?policy/i));
+      if (!hasPolicy) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-001', category: 'compliance', severity: 'medium',
+          title: 'No information security policy document reference',
+          description: 'ISO 27001 A.5.1 requires an information security policy approved by management. Reference your organization\'s security policy in the codebase or documentation.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-002',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Asset Inventory',
+    check({ files }) {
+      const findings = [];
+      const assetPattern = /(?:asset[_\-.]?(?:inventory|register|tracking|catalog|management)|cmdb|configuration[_\-.]?management[_\-.]?database|service[_\-.]?catalog|resource[_\-.]?inventory)/i;
+      const hasInfra = [...files.entries()].some(([f, c]) =>
+        /(?:terraform|ansible|cloudformation|kubernetes|docker|infrastructure|deploy)/i.test(f) ||
+        /(?:terraform|ansible|cloudformation|kubernetes|docker)/i.test(c)
+      );
+      if (!hasInfra) return findings;
+      const hasAsset = [...files.entries()].some(([f, c]) => assetPattern.test(c) || f.match(/asset|inventory|cmdb/i));
+      if (!hasAsset) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-002', category: 'compliance', severity: 'medium',
+          title: 'No asset tracking or inventory management detected',
+          description: 'ISO 27001 A.8.1 requires identification and inventory of information assets. Maintain an asset inventory or CMDB to track systems, services, and data stores.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Access Control Review',
+    check({ files }) {
+      const findings = [];
+      const reviewPattern = /(?:access[_\-.]?review|periodic[_\-.]?review|recertif|access[_\-.]?audit|permission[_\-.]?review|entitlement[_\-.]?review|quarterly[_\-.]?review|annual[_\-.]?review|user[_\-.]?access[_\-.]?review)/i;
+      const hasAuth = [...files.entries()].some(([f, c]) =>
+        isSourceFile(f) && /(?:auth|login|permission|role|user[_\-.]?management)/i.test(c)
+      );
+      if (!hasAuth) return findings;
+      const hasReview = [...files.entries()].some(([f, c]) => reviewPattern.test(c));
+      if (!hasReview) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-003', category: 'compliance', severity: 'medium',
+          title: 'No periodic access review process detected',
+          description: 'ISO 27001 A.9.2.5 requires regular review of user access rights. Implement periodic access recertification reviews to ensure access remains appropriate.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-004',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Cryptographic Controls',
+    check({ files }) {
+      const findings = [];
+      const cryptoPolicyPattern = /(?:crypto(?:graphic)?[_\-.]?policy|key[_\-.]?management|key[_\-.]?rotation|kms|key[_\-.]?vault|certificate[_\-.]?management|pki|key[_\-.]?lifecycle|crypto[_\-.]?standard)/i;
+      const hasCrypto = [...files.entries()].some(([f, c]) =>
+        isSourceFile(f) && /(?:encrypt|decrypt|cipher|hash|sign|verify|crypto|tls|ssl)/i.test(c)
+      );
+      if (!hasCrypto) return findings;
+      const hasCryptoPolicy = [...files.entries()].some(([f, c]) => cryptoPolicyPattern.test(c));
+      if (!hasCryptoPolicy) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-004', category: 'compliance', severity: 'medium',
+          title: 'Cryptographic operations without key management policy',
+          description: 'ISO 27001 A.10.1 requires a cryptographic controls policy including key management. Implement key rotation, use KMS/Key Vault, and document cryptographic standards.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-005',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Supplier Security',
+    check({ files }) {
+      const findings = [];
+      const supplierPattern = /(?:vendor[_\-.]?(?:security|assessment|review|audit)|supplier[_\-.]?(?:security|assessment|review)|third[_\-.]?party[_\-.]?(?:security|risk|assessment)|supply[_\-.]?chain[_\-.]?security|sbom|software[_\-.]?bill)/i;
+      const hasThirdParty = [...files.entries()].some(([f, c]) =>
+        isSourceFile(f) && /(?:vendor|supplier|third[_\-.]?party|external[_\-.]?(?:api|service))/i.test(c)
+      );
+      if (!hasThirdParty) return findings;
+      const hasSupplierSecurity = [...files.entries()].some(([f, c]) => supplierPattern.test(c) || f.match(/vendor[_\-.]?security|sbom/i));
+      if (!hasSupplierSecurity) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-005', category: 'compliance', severity: 'medium',
+          title: 'No vendor/supplier security assessment process',
+          description: 'ISO 27001 A.15.1 requires information security in supplier relationships. Conduct vendor security assessments, maintain SBOMs, and document supplier security requirements.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-006',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Incident Management',
+    check({ files }) {
+      const findings = [];
+      const incidentMgmtPattern = /(?:incident[_\-.]?classif|incident[_\-.]?categor|incident[_\-.]?escalat|severity[_\-.]?level|priority[_\-.]?matrix|triage|incident[_\-.]?workflow|sev[_\-.]?[0-4]|p[0-4][_\-.]?incident)/i;
+      const hasIncident = [...files.entries()].some(([f, c]) =>
+        isSourceFile(f) && /(?:incident|alert|error[_\-.]?handler|exception)/i.test(c)
+      );
+      if (!hasIncident) return findings;
+      const hasIncidentMgmt = [...files.entries()].some(([f, c]) => incidentMgmtPattern.test(c));
+      if (!hasIncidentMgmt) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-006', category: 'compliance', severity: 'medium',
+          title: 'No incident classification or escalation process',
+          description: 'ISO 27001 A.16.1 requires incident management procedures including classification and escalation. Define severity levels, triage procedures, and escalation paths.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-007',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Business Continuity',
+    check({ files }) {
+      const findings = [];
+      const bcpPattern = /(?:business[_\-.]?continuity|bcp|continuity[_\-.]?plan|disaster[_\-.]?recovery|dr[_\-.]?plan|failover|high[_\-.]?availability|rpo|rto|recovery[_\-.]?time|recovery[_\-.]?point)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler|database)/i.test(c));
+      if (!hasApp) return findings;
+      const hasBcp = [...files.entries()].some(([f, c]) => bcpPattern.test(c) || f.match(/continuity|disaster|recovery/i));
+      if (!hasBcp) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-007', category: 'compliance', severity: 'medium',
+          title: 'No business continuity plan (BCP) reference',
+          description: 'ISO 27001 A.17.1 requires business continuity planning. Document BCP procedures, define RPO/RTO targets, and implement disaster recovery mechanisms.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-ISO27001-008',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Compliance Audit',
+    check({ files }) {
+      const findings = [];
+      const auditPattern = /(?:compliance[_\-.]?audit|audit[_\-.]?schedule|internal[_\-.]?audit|external[_\-.]?audit|compliance[_\-.]?review|compliance[_\-.]?check|audit[_\-.]?program|audit[_\-.]?plan|sox[_\-.]?audit|pci[_\-.]?audit|iso[_\-.]?audit)/i;
+      const hasApp = [...files.entries()].some(([f, c]) => isSourceFile(f) && /(?:server|app|service|handler)/i.test(c));
+      if (!hasApp) return findings;
+      const hasAudit = [...files.entries()].some(([f, c]) => auditPattern.test(c) || f.match(/audit[_\-.]?(?:plan|schedule)/i));
+      if (!hasAudit) {
+        findings.push({
+          ruleId: 'COMP-ISO27001-008', category: 'compliance', severity: 'medium',
+          title: 'No compliance audit schedule or review process',
+          description: 'ISO 27001 A.18.2 requires compliance reviews and internal audits. Establish an audit schedule, conduct periodic compliance reviews, and document findings.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;