getdoorman 1.0.0

package/src/rules/deployment/index.js

@@ -0,0 +1,2050 @@
+const CI_EXTENSIONS = ['.yml', '.yaml'];
+const CI_PATHS = ['.github/workflows', '.gitlab-ci', '.circleci', 'Jenkinsfile', '.travis'];
+
+function isCIFile(f) {
+  return CI_EXTENSIONS.some(ext => f.endsWith(ext)) &&
+    CI_PATHS.some(p => f.includes(p));
+}
+
+function isTestFile(f) {
+  const lower = f.toLowerCase();
+  return lower.includes('.test.') || lower.includes('.spec.') ||
+    lower.includes('__tests__') || lower.includes('/test/') ||
+    lower.includes('/tests/');
+}
+
+const rules = [
+  // DEPLOY-001: No CI/CD pipeline found
+  {
+    id: 'DEPLOY-001',
+    category: 'deployment',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No CI/CD Pipeline Found',
+    check({ files }) {
+      const findings = [];
+      const ciIndicators = [
+        '.github/workflows', '.gitlab-ci.yml', '.gitlab-ci.yaml',
+        '.circleci/config.yml', 'Jenkinsfile', '.travis.yml', '.travis.yaml',
+        'bitbucket-pipelines.yml', 'azure-pipelines.yml', '.buildkite',
+      ];
+
+      const hasCIPipeline = [...files.keys()].some(f =>
+        ciIndicators.some(indicator => f.includes(indicator))
+      );
+
+      if (!hasCIPipeline) {
+        findings.push({
+          ruleId: 'DEPLOY-001', category: 'deployment', severity: 'high',
+          title: 'No CI/CD pipeline configuration detected',
+          description: 'Add a CI/CD pipeline (.github/workflows, .gitlab-ci.yml, etc.) to automate testing and deployment.',
+          file: null, line: null, fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-002: CI pipeline missing test step
+  {
+    id: 'DEPLOY-002',
+    category: 'deployment',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'CI Pipeline Missing Test Step',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const hasTestStep = content.includes('npm test') ||
+          content.includes('yarn test') ||
+          content.includes('pnpm test') ||
+          content.includes('npx jest') ||
+          content.includes('npx vitest') ||
+          content.includes('pytest') ||
+          content.includes('run: test') ||
+          /name:\s*['"]?.*test/i.test(content);
+
+        if (!hasTestStep) {
+          findings.push({
+            ruleId: 'DEPLOY-002', category: 'deployment', severity: 'high',
+            title: 'CI pipeline has no test step',
+            description: 'Add a test step to your CI pipeline to catch regressions before deployment.',
+            file: filepath, line: null, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-003: CI pipeline missing lint step
+  {
+    id: 'DEPLOY-003',
+    category: 'deployment',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'CI Pipeline Missing Lint Step',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const hasLintStep = content.includes('npm run lint') ||
+          content.includes('yarn lint') ||
+          content.includes('pnpm lint') ||
+          content.includes('npx eslint') ||
+          content.includes('eslint') ||
+          content.includes('prettier --check') ||
+          content.includes('biome check') ||
+          /name:\s*['"]?.*lint/i.test(content);
+
+        if (!hasLintStep) {
+          findings.push({
+            ruleId: 'DEPLOY-003', category: 'deployment', severity: 'medium',
+            title: 'CI pipeline has no lint step',
+            description: 'Add a linting step to your CI pipeline to enforce code quality standards.',
+            file: filepath, line: null, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-004: No branch protection (main/master pushed directly in CI)
+  {
+    id: 'DEPLOY-004',
+    category: 'deployment',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Branch Protection',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.match(/git\s+push\b/) &&
+              (line.includes('main') || line.includes('master')) &&
+              !line.includes('--tags') &&
+              !line.includes('pull_request')) {
+            findings.push({
+              ruleId: 'DEPLOY-004', category: 'deployment', severity: 'high',
+              title: 'CI config pushes directly to main/master branch',
+              description: 'Avoid pushing directly to protected branches. Use pull requests with required reviews and status checks.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-005: Secrets in CI config not using secrets manager
+  {
+    id: 'DEPLOY-005',
+    category: 'deployment',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Hardcoded Secrets in CI Config',
+    check({ files }) {
+      const findings = [];
+      const secretPatterns = [
+        /(?:password|passwd|secret|token|api_key|apikey|api-key|private_key)\s*[:=]\s*['"][^${}'"]+['"]/i,
+        /(?:AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID)\s*[:=]\s*['"](?!\$\{\{)[^'"]+['"]/i,
+      ];
+
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('#')) continue;
+
+          for (const pattern of secretPatterns) {
+            if (pattern.test(line)) {
+              findings.push({
+                ruleId: 'DEPLOY-005', category: 'deployment', severity: 'critical',
+                title: 'Possible hardcoded secret in CI configuration',
+                description: 'Use a secrets manager (${{ secrets.MY_SECRET }} in GitHub Actions, CI/CD variables in GitLab) instead of hardcoding credentials.',
+                file: filepath, line: i + 1, fix: null,
+              });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-006: No staging/preview environment
+  {
+    id: 'DEPLOY-006',
+    category: 'deployment',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Staging/Preview Environment',
+    check({ files }) {
+      const findings = [];
+      const ciFiles = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (isCIFile(filepath)) {
+          ciFiles.push({ filepath, content });
+        }
+      }
+
+      if (ciFiles.length === 0) return findings;
+
+      const hasProduction = ciFiles.some(({ content }) =>
+        content.includes('production') || content.includes('prod') ||
+        content.includes('deploy')
+      );
+
+      const hasStaging = ciFiles.some(({ content }) =>
+        content.includes('staging') || content.includes('preview') ||
+        content.includes('canary') || content.includes('pre-prod') ||
+        content.includes('preprod') || content.includes('development') ||
+        content.includes('dev-deploy')
+      );
+
+      if (hasProduction && !hasStaging) {
+        findings.push({
+          ruleId: 'DEPLOY-006', category: 'deployment', severity: 'medium',
+          title: 'No staging or preview environment detected in CI config',
+          description: 'Add a staging/preview deployment step to validate changes before production. Use preview deployments for pull requests.',
+          file: ciFiles[0].filepath, line: null, fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-007: Missing build step in deployment
+  {
+    id: 'DEPLOY-007',
+    category: 'deployment',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing Build Step in Deployment',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const hasDeploy = content.includes('deploy') || content.includes('publish') ||
+          content.includes('release');
+
+        const hasBuild = content.includes('npm run build') ||
+          content.includes('yarn build') ||
+          content.includes('pnpm build') ||
+          content.includes('docker build') ||
+          content.includes('make build') ||
+          /name:\s*['"]?.*build/i.test(content);
+
+        if (hasDeploy && !hasBuild) {
+          findings.push({
+            ruleId: 'DEPLOY-007', category: 'deployment', severity: 'high',
+            title: 'CI pipeline deploys without a build step',
+            description: 'Add a build step before deployment to compile, bundle, or containerize the application.',
+            file: filepath, line: null, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-008: No rollback strategy
+  {
+    id: 'DEPLOY-008',
+    category: 'deployment',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'No Rollback Strategy',
+    check({ files }) {
+      const findings = [];
+      const ciFiles = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (isCIFile(filepath) || filepath.endsWith('Dockerfile') || filepath.endsWith('docker-compose.yml')) {
+          ciFiles.push({ filepath, content });
+        }
+      }
+
+      if (ciFiles.length === 0) return findings;
+
+      const hasDeploy = ciFiles.some(({ content }) =>
+        content.includes('deploy') || content.includes('publish')
+      );
+
+      const hasRollback = ciFiles.some(({ content }) =>
+        content.includes('rollback') || content.includes('roll-back') ||
+        content.includes('previous') || content.includes('revert') ||
+        content.includes('--revision') || content.includes('image:') &&
+        (content.includes('${{ github.sha }}') || content.includes('${CI_COMMIT_SHA}')) ||
+        content.includes(':$TAG') || content.includes(':$VERSION') ||
+        content.includes('blue-green') || content.includes('blue_green')
+      );
+
+      if (hasDeploy && !hasRollback) {
+        findings.push({
+          ruleId: 'DEPLOY-008', category: 'deployment', severity: 'high',
+          title: 'No rollback strategy detected in deployment config',
+          description: 'Pin deployments to versioned images/artifacts (e.g., git SHA tags) and document a rollback procedure. Consider blue-green or canary deployments.',
+          file: ciFiles[0].filepath, line: null, fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-009: Deploy without health check verification
+  {
+    id: 'DEPLOY-009',
+    category: 'deployment',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Deploy Without Health Check Verification',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const hasDeploy = content.includes('deploy') || content.includes('publish');
+
+        const hasHealthCheck = content.includes('health') ||
+          content.includes('healthz') ||
+          content.includes('readiness') ||
+          content.includes('liveness') ||
+          content.includes('smoke-test') ||
+          content.includes('smoke_test') ||
+          content.includes('curl') && (content.includes('/health') || content.includes('status')) ||
+          content.includes('wait-for') || content.includes('verify');
+
+        if (hasDeploy && !hasHealthCheck) {
+          findings.push({
+            ruleId: 'DEPLOY-009', category: 'deployment', severity: 'high',
+            title: 'Deployment has no health check or smoke test verification',
+            description: 'Add a post-deploy health check or smoke test to verify the service is running correctly after deployment.',
+            file: filepath, line: null, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-010: Hardcoded production URLs in CI config
+  {
+    id: 'DEPLOY-010',
+    category: 'deployment',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Hardcoded Production URLs in CI Config',
+    check({ files }) {
+      const findings = [];
+      const urlPatterns = [
+        /https?:\/\/(?:www\.)?[a-zA-Z0-9-]+\.(?:com|io|org|net|app|dev)(?:\/[^\s'"]*)?/,
+        /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
+      ];
+      const allowedUrls = [
+        'github.com', 'gitlab.com', 'registry.npmjs.org', 'docker.io',
+        'hub.docker.com', 'ghcr.io', 'gcr.io', 'amazonaws.com/ecr',
+        'codecov.io', 'coveralls.io', 'sonarcloud.io',
+      ];
+
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isCIFile(filepath)) continue;
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('#')) continue;
+
+          for (const pattern of urlPatterns) {
+            const match = line.match(pattern);
+            if (match) {
+              const url = match[0];
+              const isAllowed = allowedUrls.some(allowed => url.includes(allowed));
+              const usesVariable = /\$\{\{/.test(line) || /\$\{/.test(line) || /\$[A-Z_]/.test(line);
+
+              if (!isAllowed && !usesVariable) {
+                findings.push({
+                  ruleId: 'DEPLOY-010', category: 'deployment', severity: 'medium',
+                  title: 'Hardcoded URL found in CI configuration',
+                  description: 'Use environment variables or CI/CD secrets for deployment URLs instead of hardcoding them. This makes it easier to manage multiple environments.',
+                  file: filepath, line: i + 1, fix: null,
+                });
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-001: GitHub Actions not pinned to SHA
+  { id: 'DEPLOY-SEC-001', category: 'deployment', severity: 'high', confidence: 'likely', title: 'GitHub Actions Not Pinned to Commit SHA',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/uses:\s+\S+@(?:main|master|latest|v\d+)$/) && !lines[i].includes('@sha256')) {
+            findings.push({ ruleId: 'DEPLOY-SEC-001', category: 'deployment', severity: 'high',
+              title: 'GitHub Action pinned to mutable tag/branch instead of commit SHA',
+              description: 'Pin third-party actions to a full commit SHA (uses: actions/checkout@abc123...) to prevent supply chain attacks. Mutable tags can be changed by the action maintainer.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-002: pull_request_target with checkout
+  { id: 'DEPLOY-SEC-002', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'pull_request_target With Untrusted Code Checkout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.includes('pull_request_target') && c.match(/actions\/checkout/) && c.match(/ref.*head|head\.ref/)) {
+          findings.push({ ruleId: 'DEPLOY-SEC-002', category: 'deployment', severity: 'critical',
+            title: 'pull_request_target workflow checks out untrusted PR code with write permissions',
+            description: 'This is a known GitHub Actions attack vector (PWNING.md). Never checkout PR branch code in pull_request_target context.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-003: Workflow injection via PR title/body
+  { id: 'DEPLOY-SEC-003', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Workflow Injection via PR Title/Body',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.match(/\$\{\{\s*github\.event\.(?:pull_request\.|issue\.)(?:title|body|head\.ref)/) &&
+            c.match(/run:\s*\S/)) {
+          findings.push({ ruleId: 'DEPLOY-SEC-003', category: 'deployment', severity: 'critical',
+            title: 'User-controlled GitHub context value used in run: step — command injection risk',
+            description: "Don't use ${{ github.event.pull_request.title }} directly in run:. Assign to environment variable first and use that instead.", file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-004: Secrets in CI logs
+  { id: 'DEPLOY-SEC-004', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Secrets Potentially Exposed in CI Logs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/echo\s+\$\{\{.*secrets\.|print\s+\$\{\{.*secrets\./)) {
+            findings.push({ ruleId: 'DEPLOY-SEC-004', category: 'deployment', severity: 'critical',
+              title: 'Secret value echoed/printed in CI — visible in build logs',
+              description: 'Never echo secrets in CI. Use add-mask or ensure secrets are only passed as env vars to steps that need them.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-005: Long-lived cloud credentials in CI
+  { id: 'DEPLOY-SEC-005', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Long-Lived Cloud Credentials in CI',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if ((c.includes('AWS_ACCESS_KEY_ID') || c.includes('AWS_SECRET_ACCESS_KEY') || c.includes('GOOGLE_CREDENTIALS')) &&
+            !c.includes('aws-actions/configure-aws-credentials') && !c.match(/id-token.*write|oidc/i)) {
+          findings.push({ ruleId: 'DEPLOY-SEC-005', category: 'deployment', severity: 'high',
+            title: 'Using long-lived cloud credentials instead of OIDC',
+            description: 'Use GitHub Actions OIDC with aws-actions/configure-aws-credentials for short-lived tokens. Long-lived keys are a leak risk.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-REL-001: No semantic versioning
+  { id: 'DEPLOY-REL-001', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No Semantic Versioning',
+    check({ files, stack }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        if (!json.version || json.version === '1.0.0' || json.version === '0.0.1') {
+          findings.push({ ruleId: 'DEPLOY-REL-001', category: 'deployment', severity: 'low',
+            title: 'Package version not updated from default', description: 'Increment the version using semantic versioning (major.minor.patch) with each release. Use npm version commands.', fix: null });
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // DEPLOY-REL-002: No automated smoke tests post-deploy
+  { id: 'DEPLOY-REL-002', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Post-Deployment Smoke Tests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/deploy|release|production/i)) {
+          if (!c.match(/smoke|health.*check|post.deploy|after.deploy|curl.*health/i)) {
+            findings.push({ ruleId: 'DEPLOY-REL-002', category: 'deployment', severity: 'high',
+              title: 'No smoke tests after deployment', description: 'Add a post-deploy step that pings /health and runs critical path smoke tests. Catch broken deployments before users do.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-REL-003: No blue-green or canary deployment
+  { id: 'DEPLOY-REL-003', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Zero-Downtime Deployment Strategy',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/blue.green|canary|rolling.*update|traffic.*split|feature.*flag/i));
+      if (!has && [...files.values()].some(c => c.match(/deploy|release/i))) {
+        return [{ ruleId: 'DEPLOY-REL-003', category: 'deployment', severity: 'medium',
+          title: 'No blue-green, canary, or rolling deployment strategy detected',
+          description: 'Direct deployments cause downtime. Use rolling updates, blue-green, or canary deployments for zero-downtime releases.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // DEPLOY-REL-004: DB migrations not automated
+  { id: 'DEPLOY-REL-004', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Database Migrations Not Automated in Deploy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/deploy|production/i) && !c.match(/migrate|prisma.*db.*push|knex.*migrate|sequelize.*migrate/i)) {
+          const hasMigrations = [...files.keys()].some(f => f.includes('migration') || f.includes('migrate'));
+          if (hasMigrations) {
+            findings.push({ ruleId: 'DEPLOY-REL-004', category: 'deployment', severity: 'high',
+              title: 'Database migrations not automated in deployment pipeline', description: 'Add a migration step (prisma migrate deploy, knex migrate:latest) to your CI/CD pipeline before starting the new app version.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-REL-005: No rollback strategy
+  { id: 'DEPLOY-REL-005', category: 'deployment', severity: 'high', confidence: 'suggestion', title: 'No Rollback Strategy',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/rollback|revert.*deploy|previous.*version|undo.*deploy/i));
+      if (!has && [...files.values()].some(c => c.match(/deploy/i))) {
+        return [{ ruleId: 'DEPLOY-REL-005', category: 'deployment', severity: 'high',
+          title: 'No rollback strategy documented or configured', description: 'Define a rollback procedure: redeploy previous image tag, feature flags to disable, DB migration rollback plan.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // DEPLOY-ENV-001: Shared database between environments
+  { id: 'DEPLOY-ENV-001', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Shared Database Between Environments',
+    check({ files }) {
+      const findings = [];
+      const prodDbUrl = [...files.values()].some(c => c.match(/DATABASE_URL.*prod|production.*DATABASE_URL/i));
+      const hasStagingEnv = [...files.keys()].some(f => f.match(/\.env\.staging|\.env\.test/));
+      if (prodDbUrl && hasStagingEnv) {
+        const stagingContent = [...files.entries()].filter(([f]) => f.match(/\.env\.staging|\.env\.test/)).map(([, c]) => c).join('');
+        if (stagingContent.match(/DATABASE_URL.*prod|production/i)) {
+          findings.push({ ruleId: 'DEPLOY-ENV-001', category: 'deployment', severity: 'critical',
+            title: 'Staging environment may share production database', description: 'Each environment must have its own isolated database. Staging using prod DB can corrupt production data.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-ENV-002: No environment parity
+  { id: 'DEPLOY-ENV-002', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Staging Environment',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/staging|stage|preview.*env|pre.?prod/i)) ||
+        [...files.keys()].some(f => f.match(/staging|\.env\.staging/));
+      if (!has && [...files.values()].some(c => c.match(/production|prod/i))) {
+        return [{ ruleId: 'DEPLOY-ENV-002', category: 'deployment', severity: 'medium',
+          title: 'No staging environment detected — deploying directly to production',
+          description: 'Add a staging environment that mirrors production. Test deployments there before promoting to production.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // DEPLOY-ENV-003: Environment-specific code paths
+  { id: 'DEPLOY-ENV-003', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Environment-Specific Code Paths',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(js|ts)$/) || fp.includes('config') || fp.includes('test')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/if.*NODE_ENV.*===.*['"]production['"]|process\.env\.NODE_ENV.*production/) &&
+              lines[i].match(/skip|disable|bypass|mock/i)) {
+            findings.push({ ruleId: 'DEPLOY-ENV-003', category: 'deployment', severity: 'medium',
+              title: 'Business logic branching on NODE_ENV — diverging from production behavior',
+              description: 'Use feature flags or configuration instead of NODE_ENV branching in business logic. Production-only code paths are not tested in staging.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-REG-001: Docker image not scanned before push
+  { id: 'DEPLOY-REG-001', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Container Vulnerability Scan Before Push',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/docker.*push|push.*docker|ecr.*push/i)) {
+          if (!c.match(/trivy|grype|snyk.*container|docker.*scan|anchore|clair/i)) {
+            findings.push({ ruleId: 'DEPLOY-REG-001', category: 'deployment', severity: 'high',
+              title: 'Docker image pushed without vulnerability scan', description: 'Add Trivy or Grype to scan images before pushing. Container vulnerabilities are a major attack surface.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-010: CI workflow with excessive permissions
+  { id: 'DEPLOY-SEC-010', category: 'deployment', severity: 'high', confidence: 'likely', title: 'CI Workflow With Excessive Permissions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/permissions:\s*write-all|permissions:\s*\n\s+contents:\s*write/) && !c.match(/\/\/ minimal/i)) {
+          findings.push({ ruleId: 'DEPLOY-SEC-010', category: 'deployment', severity: 'high', title: 'GitHub Actions workflow with write-all permissions', description: 'Use minimal permissions: permissions: { contents: read }. write-all gives workflows ability to modify any repo resource.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-011: Artifact not signed
+  { id: 'DEPLOY-SEC-011', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Release Artifacts Not Signed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        const hasRelease = c.match(/release|publish|deploy|npm\s+publish/i);
+        const hasSigning = c.match(/gpg|cosign|sigstore|sign|checksum|sha256|SLSA/i);
+        if (hasRelease && !hasSigning) {
+          findings.push({ ruleId: 'DEPLOY-SEC-011', category: 'deployment', severity: 'medium', title: 'Release pipeline without artifact signing', description: 'Sign artifacts with GPG or Sigstore/Cosign. Signed artifacts enable consumers to verify they downloaded untampered code.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-012: Production secrets in CI environment variables (not in vault)
+  { id: 'DEPLOY-SEC-012', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Secrets Set Directly in CI (Not From Vault)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/env:|environment:/i)) {
+            const block = lines.slice(i, i + 20).join('\n');
+            if (block.match(/PASSWORD\s*:|SECRET\s*:|API_KEY\s*:|PRIVATE_KEY\s*:/i) && !block.match(/\$\{\{|secrets\.|vault\.|aws.*secrets/i)) {
+              findings.push({ ruleId: 'DEPLOY-SEC-012', category: 'deployment', severity: 'high', title: 'Secret in CI env block without using secrets manager', description: 'Use ${{ secrets.MY_SECRET }} (GitHub) or vault references. Hardcoded secrets in workflow files are committed to the repository.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-001: No database migration strategy
+  { id: 'DEPLOY-PROC-001', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Database Migration Strategy in Deployment',
+    check({ files }) {
+      const findings = [];
+      const hasMigrations = [...files.values()].some(c => c.match(/migrate|knex.*migrate|sequelize.*migrate|prisma.*migrate|flyway|liquibase/i));
+      const hasDeployScript = [...files.values()].some(c => c.match(/deploy|release|ship/i));
+      if (hasDeployScript && !hasMigrations) {
+        findings.push({ ruleId: 'DEPLOY-PROC-001', category: 'deployment', severity: 'high', title: 'Deployment pipeline without database migration step', description: 'Add migration step before app deploy: npm run db:migrate. Deploying app before migrations causes errors if code expects new schema.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-002: Deployment without health check
+  { id: 'DEPLOY-PROC-002', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Deployment Without Post-Deploy Health Check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/deploy|kubectl.*apply|helm.*upgrade|eb.*deploy/i)) {
+          if (!c.match(/health.*check|curl.*health|wait.*healthy|readiness|smoke.*test/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-002', category: 'deployment', severity: 'high', title: 'Deployment without post-deploy health check — broken deploys go undetected', description: 'Add health check after deploy: curl -f https://api.example.com/health. Failed health checks should trigger automatic rollback.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-003: Manual approval missing for production
+  { id: 'DEPLOY-PROC-003', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Manual Approval Gate for Production Deploy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/production|prod\b/i) && c.match(/deploy|release/i)) {
+          if (!c.match(/approval|reviewers|manual.*trigger|workflow_dispatch|environment.*production/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-003', category: 'deployment', severity: 'high', title: 'Production deployment without manual approval gate', description: 'Use GitHub Environments with required reviewers or workflow_dispatch for prod deploys. Automated prod deploys from CI can deploy broken code.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-004: No staging environment
+  { id: 'DEPLOY-PROC-004', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Staging Environment in Pipeline',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/production|prod\b/i) && c.match(/deploy/i)) {
+          if (!c.match(/staging|stage\b|preview|uat|preprod/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-004', category: 'deployment', severity: 'medium', title: 'Pipeline deploys directly to production without staging environment', description: 'Add a staging environment that mirrors production. Catch environment-specific bugs before they reach production customers.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-005: No SAST in CI pipeline
+  { id: 'DEPLOY-PROC-005', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Static Application Security Testing (SAST) in CI',
+    check({ files }) {
+      const findings = [];
+      const hasSAST = [...files.values()].some(c => c.match(/semgrep|codeql|bandit|sonarqube|checkmarx|fortify|eslint.*security|tslint.*security/i));
+      if (!hasSAST) {
+        findings.push({ ruleId: 'DEPLOY-PROC-005', category: 'deployment', severity: 'high', title: 'No SAST tool in CI pipeline — security vulnerabilities not caught before deployment', description: 'Add Semgrep or CodeQL to CI. SAST tools catch injection, XSS, and other vulnerabilities automatically in pull requests.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-006: No DAST in pipeline
+  { id: 'DEPLOY-PROC-006', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Dynamic Application Security Testing (DAST)',
+    check({ files }) {
+      const findings = [];
+      const hasDAST = [...files.values()].some(c => c.match(/owasp.*zap|nuclei|burp.*suite|nikto|arachni/i));
+      if (!hasDAST) {
+        findings.push({ ruleId: 'DEPLOY-PROC-006', category: 'deployment', severity: 'medium', title: 'No DAST tool configured — runtime security vulnerabilities not tested', description: 'Add OWASP ZAP or Nuclei to your staging pipeline. DAST tests the running application and finds vulnerabilities SAST misses (auth bypasses, etc.).', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-007: No Infrastructure drift detection
+  { id: 'DEPLOY-PROC-007', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Infrastructure Drift Detection',
+    check({ files }) {
+      const findings = [];
+      const hasTerraform = [...files.keys()].some(f => f.match(/\.tf$/));
+      const hasDrift = [...files.values()].some(c => c.match(/terraform.*plan|driftctl|infracost.*plan|checkov|tfsec/i));
+      if (hasTerraform && !hasDrift) {
+        findings.push({ ruleId: 'DEPLOY-PROC-007', category: 'deployment', severity: 'medium', title: 'No Terraform drift detection in CI — manual changes go undetected', description: 'Run terraform plan in CI and alert on drift. Manual console changes create drift that causes the next terraform apply to fail unexpectedly.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-008: Feature flags not used for risky changes
+  { id: 'DEPLOY-PROC-008', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No Feature Flag System',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasFlags = ['launchdarkly-node-client-sdk', '@launchdarkly/node-server-sdk', 'unleash-client', 'flagsmith', 'posthog-node', '@growthbook/growthbook'].some(d => d in allDeps);
+      if (!hasFlags && Object.keys(allDeps).length > 30) {
+        findings.push({ ruleId: 'DEPLOY-PROC-008', category: 'deployment', severity: 'low', title: 'No feature flag system — cannot do gradual rollouts or kill-switch deployments', description: 'Add LaunchDarkly, Unleash, or Flagsmith. Feature flags enable canary releases, instant rollback without redeployment, and A/B testing.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-009: Deployment without notify/changelog
+  { id: 'DEPLOY-PROC-009', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'Deployment Without Notification',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/production|prod\b/i) && c.match(/deploy/i)) {
+          if (!c.match(/slack|teams|discord|pagerduty|webhook|notify|notification/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-009', category: 'deployment', severity: 'low', title: 'Production deployment without notifications', description: 'Send deployment notifications to Slack/Teams. Teams need to know when prod changes so they can correlate with user reports.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-010: No dependency license check in CI
+  { id: 'DEPLOY-PROC-010', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No License Compliance Check in CI',
+    check({ files }) {
+      const findings = [];
+      const hasLicenseCheck = [...files.values()].some(c => c.match(/license-checker|fossa|snyk.*license|licensee/i));
+      if (!hasLicenseCheck) {
+        findings.push({ ruleId: 'DEPLOY-PROC-010', category: 'deployment', severity: 'medium', title: 'No license compliance check in CI pipeline', description: 'Add license-checker or FOSSA to block GPL/AGPL dependencies in CI. GPL in production may require open-sourcing your application.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-011: Deployment script with --force or unsafe flags
+  { id: 'DEPLOY-PROC-011', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Deployment Using --force Flags',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp) && !fp.match(/deploy|release|Makefile/i)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/git push.*--force|kubectl.*--force|helm.*--force-upgrade|npm.*--force/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-011', category: 'deployment', severity: 'high', title: `--force flag in deployment script — bypasses safety checks`, description: 'Remove --force from deployment commands. Force operations bypass safety mechanisms and can cause irreversible damage.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-012: No automated E2E tests in staging pipeline
+  { id: 'DEPLOY-PROC-012', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Automated E2E Tests in Staging Pipeline',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasE2E = ['cypress', 'playwright', '@playwright/test', 'puppeteer', 'testcafe', 'nightwatch'].some(d => d in allDeps);
+      const hasE2EInCI = [...files.values()].some(c => c.match(/cypress|playwright|puppeteer|e2e.*test|integration.*test/i));
+      if (!hasE2E && !hasE2EInCI && Object.keys(allDeps).length > 10) {
+        findings.push({ ruleId: 'DEPLOY-PROC-012', category: 'deployment', severity: 'medium', title: 'No E2E test framework — critical user journeys not automatically tested before deploy', description: 'Add Playwright or Cypress for E2E tests. Automated E2E tests catch regressions that unit tests miss.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-013: Reusable workflow with no input validation
+  { id: 'DEPLOY-SEC-013', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Reusable Workflow Without Input Validation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/workflow_call:/i) && c.match(/inputs:/i)) {
+          if (!c.match(/required:\s*true|type:\s*string|type:\s*boolean/i)) {
+            findings.push({ ruleId: 'DEPLOY-SEC-013', category: 'deployment', severity: 'medium', title: 'Reusable GitHub Actions workflow with untyped inputs', description: 'Add type: and required: to workflow_call inputs. Untyped inputs can receive unexpected values causing security issues or failures.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-014: NPM publish without provenance
+  { id: 'DEPLOY-SEC-014', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'npm publish Without Provenance',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/npm\s+publish/i) && !c.match(/--provenance|provenance.*true/i)) {
+          findings.push({ ruleId: 'DEPLOY-SEC-014', category: 'deployment', severity: 'medium', title: 'npm publish without --provenance flag — published package not linked to source', description: 'Add --provenance flag: npm publish --provenance. Provenance links packages to their source repo via OIDC, allowing users to verify origin.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-013: No rollback tested in pipeline
+  { id: 'DEPLOY-PROC-013', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Rollback Strategy Not Automated',
+    check({ files }) {
+      const findings = [];
+      const hasRollback = [...files.values()].some(c => c.match(/rollback|roll-back|revert.*deploy|deploy.*revert|previous.*version|downgrade/i));
+      if (!hasRollback) {
+        findings.push({ ruleId: 'DEPLOY-PROC-013', category: 'deployment', severity: 'medium', title: 'No automated rollback strategy — manual recovery from failed deploys', description: 'Implement automated rollback on health check failure. Use Helm rollback, ECS revert, or Kubernetes rollout undo. Mean time to recovery depends on fast rollback.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-014: Build artifact not reused across environments
+  { id: 'DEPLOY-PROC-014', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Build Artifact Not Promoted Across Environments',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/build.*production|npm.*build.*prod/i)) {
+          if (!c.match(/artifact|promote|registry|ecr|pull.*same.*image|image.*sha/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-014', category: 'deployment', severity: 'medium', title: 'Build executed per environment instead of promoting artifacts', description: 'Build once, promote the same artifact: build → staging → production. Rebuilding per environment means staging tests a different binary than production.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-015: No dependency pinning in Dockerfile
+  { id: 'DEPLOY-PROC-015', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Dockerfile Installs Unpinned System Packages',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/apt-get install|apk add|yum install/i) && !lines[i].match(/=\d|--no-install-recommends.*[=\d]/)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-015', category: 'deployment', severity: 'medium', title: 'System package installed without version pinning — non-reproducible builds', description: 'Pin package versions: apt-get install curl=7.88.1. Unpinned packages produce different images on each build, making rollback unreliable.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-016: No GitOps for K8s deployments
+  { id: 'DEPLOY-PROC-016', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'Kubernetes Without GitOps',
+    check({ files }) {
+      const findings = [];
+      const hasK8s = [...files.values()].some(c => c.match(/kind:\s*Deployment|kubectl.*apply/i));
+      const hasGitOps = [...files.values()].some(c => c.match(/argocd|flux\b|gitops|FluxCD|ArgoCD/i));
+      if (hasK8s && !hasGitOps) {
+        findings.push({ ruleId: 'DEPLOY-PROC-016', category: 'deployment', severity: 'low', title: 'Kubernetes without GitOps (ArgoCD/Flux) — cluster state not version controlled', description: 'Use ArgoCD or FluxCD for declarative GitOps deployments. kubectl apply in CI is fragile; GitOps ensures cluster state matches git.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-PROC-017: No dependabot/renovate for CI dependencies
+  { id: 'DEPLOY-PROC-017', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'GitHub Actions Not Auto-Updated',
+    check({ files }) {
+      const findings = [];
+      const hasDependabot = [...files.keys()].some(f => f.match(/dependabot\.ya?ml|renovate\.json/));
+      const hasActions = [...files.keys()].some(f => f.match(/\.github\/workflows/));
+      if (hasActions && !hasDependabot) {
+        findings.push({ ruleId: 'DEPLOY-PROC-017', category: 'deployment', severity: 'medium', title: 'No Dependabot/Renovate for GitHub Actions — action vulnerabilities not auto-patched', description: 'Add .github/dependabot.yml with package-ecosystem: github-actions. GitHub Actions have CVEs too and need automated updates.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPLOY-SEC-006: Untrusted input in GitHub Actions run step
+  { id: 'DEPLOY-SEC-006', category: 'deployment', severity: 'high', confidence: 'likely', title: 'GitHub Actions run Step With Untrusted Input',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/run:\s/) && lines.slice(i, i + 5).join('\n').match(/\$\{\{\s*(?:github\.event\.|inputs\.|env\.|matrix\.)/)) {
+            findings.push({ ruleId: 'DEPLOY-SEC-006', category: 'deployment', severity: 'high', title: 'GitHub Actions run step with expression from external context', description: 'Assign to env var first: env: TITLE: ${{ github.event.pull_request.title }}. Then use $TITLE in run:. Direct interpolation in run: enables script injection.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-018: No canary deployment strategy
+  { id: 'DEPLOY-PROC-018', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No Canary or Progressive Delivery',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasCanary = allCode.match(/canary|blue.*green|progressive.*delivery|flagger|argo.*rollouts|weighted.*traffic/i);
+      if (!hasCanary) {
+        findings.push({ ruleId: 'DEPLOY-PROC-018', category: 'deployment', severity: 'low', title: 'No canary deployment or progressive delivery strategy', description: 'Use canary releases or blue-green deployments. Roll out to 5% of traffic first, validate, then increase. Reduces blast radius of bad deploys.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-019: No semantic-release or conventional commits
+  { id: 'DEPLOY-PROC-019', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No Conventional Commit Messages',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasConventional = ['semantic-release', '@commitlint/cli', 'commitizen', 'standard-version', 'release-please'].some(d => d in allDeps);
+      if (!hasConventional) {
+        findings.push({ ruleId: 'DEPLOY-PROC-019', category: 'deployment', severity: 'low', title: 'No commit message convention enforced', description: 'Add commitlint + semantic-release. Conventional commits enable auto-generated changelogs and semantic versioning based on commit messages.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-020: No infrastructure cost estimation in CI
+  { id: 'DEPLOY-PROC-020', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No Infrastructure Cost Estimation in PRs',
+    check({ files }) {
+      const findings = [];
+      const hasTerraform = [...files.keys()].some(f => f.match(/\.tf$/));
+      const hasCostEstimate = [...files.values()].some(c => c.match(/infracost|cost.*estimate|terraform.*cost/i));
+      if (hasTerraform && !hasCostEstimate) {
+        findings.push({ ruleId: 'DEPLOY-PROC-020', category: 'deployment', severity: 'low', title: 'Terraform without Infracost — no cost visibility in pull requests', description: 'Add Infracost to CI to show cost changes in PRs. Prevents accidental addition of expensive resources (NAT Gateway, data transfer) without review.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-021: Build without reproducibility
+  { id: 'DEPLOY-PROC-021', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Non-Reproducible Builds',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        if (c.match(/apt-get install|apk add/i) && !c.match(/apt-get install.*=\d|apk add.*=\d/i)) {
+          findings.push({ ruleId: 'DEPLOY-PROC-021', category: 'deployment', severity: 'medium', title: 'Dockerfile installs unpinned system packages — builds not reproducible', description: 'Pin all apt/apk packages with exact versions. Unpinned packages produce different binaries on each build, making rollback verification unreliable.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-SEC-007: GitHub Actions workflow with excessive permissions
+  { id: 'DEPLOY-SEC-007', category: 'deployment', severity: 'high', confidence: 'likely', title: 'GitHub Actions Workflow with Top-Level write-all Permissions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/permissions:\s*write-all/) || (c.match(/permissions:/) && c.match(/:\s*write-all/))) {
+          findings.push({ ruleId: 'DEPLOY-SEC-007', category: 'deployment', severity: 'high', title: 'Workflow has write-all permissions — follows least-privilege principle', description: 'Specify minimum required permissions per job. write-all grants the workflow token access to modify all repository resources, increasing blast radius of a compromised step.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-022: No security scanning in PR checks
+  { id: 'DEPLOY-PROC-022', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Pull Request Workflow Without Security Scanning Step',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (!c.match(/pull_request:|on:.*pull_request/)) continue;
+        const hasSecurity = c.match(/trivy|snyk|grype|codeql|semgrep|checkov|trufflehog|gitleaks|bandit|gosec|npm audit|yarn audit/i);
+        if (!hasSecurity) {
+          findings.push({ ruleId: 'DEPLOY-PROC-022', category: 'deployment', severity: 'high', title: 'PR workflow missing security scanner — vulnerabilities not caught before merge', description: 'Add Trivy, Snyk, or CodeQL to PR checks. Security scanning on every PR catches vulnerabilities before they reach main branch and prevents regression.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-023: Container image not scanned before deployment
+  { id: 'DEPLOY-PROC-023', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Container Image Deployed Without Vulnerability Scan',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (!c.match(/docker.*build|docker.*push|Build.*image|build.*container/i)) continue;
+        const hasScan = c.match(/trivy.*image|grype|snyk.*container|docker.*scout|aqua.*scanner|anchore/i);
+        if (!hasScan) {
+          findings.push({ ruleId: 'DEPLOY-PROC-023', category: 'deployment', severity: 'high', title: 'Docker image built and pushed without vulnerability scanning', description: 'Add Trivy or Grype image scan before pushing. Container images accumulate OS package vulnerabilities. Scanning before push prevents deploying images with known CVEs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-024: Deployment without blue-green strategy
+  { id: 'DEPLOY-PROC-024', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Zero-Downtime Deployment Strategy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (!c.match(/deploy|release|production/i)) continue;
+        const hasZeroDowntime = c.match(/blue.?green|canary|rolling.*update|traffic.*shifting|weighted.*routing|deployment.*strategy/i);
+        if (!hasZeroDowntime) {
+          findings.push({ ruleId: 'DEPLOY-PROC-024', category: 'deployment', severity: 'medium', title: 'Deployment pipeline without zero-downtime strategy', description: 'Implement blue-green or rolling deployments. Direct cutover deployments cause downtime. Blue-green allows instant rollback; rolling updates maintain availability during deployment.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-025: Missing artifact attestation
+  { id: 'DEPLOY-PROC-025', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Build Artifacts Without SLSA Provenance Attestation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (!c.match(/npm.*publish|docker.*push|release.*artifact/i)) continue;
+        const hasAttestation = c.match(/slsa-github-generator|attest-build-provenance|cosign.*sign|in-toto/i);
+        if (!hasAttestation) {
+          findings.push({ ruleId: 'DEPLOY-PROC-025', category: 'deployment', severity: 'medium', title: 'Published artifact without provenance attestation (SLSA)', description: 'Add SLSA provenance using slsa-github-generator or GitHub attest-build-provenance action. Provenance attestation allows consumers to verify build integrity and origin.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-026: Using latest Docker base image tag in production
+  { id: 'DEPLOY-PROC-026', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Production Dockerfile Uses :latest Tag',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^FROM\s+\S+:latest\s*$|^FROM\s+\S+\s*$/) && !lines[i].match(/^FROM\s+\S+:\d|alpine|slim|AS\s+/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-026', category: 'deployment', severity: 'high', title: 'Dockerfile FROM uses :latest — non-deterministic builds', description: 'Pin base image to a specific digest (FROM node:20.11.0-alpine3.19@sha256:...). The :latest tag changes over time, causing builds to fail unexpectedly when the base image is updated.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-SEC-008: Secrets accessible to all workflow jobs
+  { id: 'DEPLOY-SEC-008', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Repository Secrets Exposed to Untrusted Workflow Steps',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/secrets\.\w+/) && !lines[i].match(/\/\/|#/)) {
+            const ctx = lines.slice(Math.max(0, i - 20), i).join('\n');
+            if (ctx.match(/uses:.*[^/]+\/[^@]+@\s*$|uses:.*[^/]+\/[^@]+$/) && !ctx.match(/@v\d|@[a-f0-9]{40}/)) {
+              findings.push({ ruleId: 'DEPLOY-SEC-008', category: 'deployment', severity: 'high', title: 'Secret passed to Action using unpinned version — supply chain risk', description: 'Pin all Actions to a full commit SHA before passing secrets. Unpinned Actions can be updated maliciously to exfiltrate secrets.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-027: No dependency review in PRs
+  { id: 'DEPLOY-PROC-027', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Dependency Review Action on Pull Requests',
+    check({ files }) {
+      const findings = [];
+      const hasDependencyReview = [...files.values()].some(c => c.match(/dependency-review-action|actions\/dependency-review/i));
+      const hasPRWorkflow = [...files.values()].some(c => c.match(/on:.*pull_request|on:.*\n\s+pull_request/));
+      if (hasPRWorkflow && !hasDependencyReview) {
+        findings.push({ ruleId: 'DEPLOY-PROC-027', category: 'deployment', severity: 'medium', title: 'PRs not scanned for vulnerable dependency additions', description: 'Add actions/dependency-review-action to PR workflows. This action blocks PRs that add dependencies with known vulnerabilities or incompatible licenses.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-028: No infrastructure drift detection
+  { id: 'DEPLOY-PROC-028', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Infrastructure Drift Detection in CI',
+    check({ files }) {
+      const findings = [];
+      const hasTerraform = [...files.keys()].some(f => f.endsWith('.tf'));
+      const hasDriftCheck = [...files.values()].some(c => c.match(/terraform.*plan.*detailed|drift.*detect|driftctl|infracost.*diff/i));
+      if (hasTerraform && !hasDriftCheck) {
+        findings.push({ ruleId: 'DEPLOY-PROC-028', category: 'deployment', severity: 'medium', title: 'Terraform used without drift detection in CI', description: 'Run terraform plan in CI to detect drift between code and real infrastructure. Undetected drift causes "works in code, broken in prod" failures during deployments.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-029: No secrets rotation automation
+  { id: 'DEPLOY-PROC-029', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Automated Secrets Rotation',
+    check({ files }) {
+      const findings = [];
+      const hasSecrets = [...files.values()].some(c => c.match(/SecretsManager|getSecretValue|vault.*read|AWS_SECRET/i));
+      const hasRotation = [...files.values()].some(c => c.match(/rotate.*secret|secret.*rotation|RotationLambda|rotateSecret/i));
+      if (hasSecrets && !hasRotation) {
+        findings.push({ ruleId: 'DEPLOY-PROC-029', category: 'deployment', severity: 'medium', title: 'Secrets Manager used without rotation configuration', description: 'Enable automatic secret rotation in AWS Secrets Manager. Long-lived credentials increase the blast radius of a credential leak. Rotate secrets at least every 90 days.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-030: No performance regression testing in CI
+  { id: 'DEPLOY-PROC-030', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Performance Regression Tests in CI Pipeline',
+    check({ files }) {
+      const findings = [];
+      const hasCICD = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci/));
+      const hasPerfTest = [...files.values()].some(c => c.match(/k6|artillery|ab\s+-n|wrk\s+-t|loadtest|lighthouse.*ci|perf.*budget/i));
+      if (hasCICD && !hasPerfTest) {
+        findings.push({ ruleId: 'DEPLOY-PROC-030', category: 'deployment', severity: 'medium', title: 'No performance tests in CI — regressions not caught before deployment', description: 'Add Lighthouse CI or k6 to your pipeline. Without performance tests, slow query additions, bundle size increases, and memory leaks reach production undetected.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-031: No DB migration safety checks
+  { id: 'DEPLOY-PROC-031', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Database Migration Without Safety Checks',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/migration\.|migrations\//i)) continue;
+        if (c.match(/DROP\s+COLUMN|DROP\s+TABLE|ALTER.*DROP|TRUNCATE/i)) {
+          if (!c.match(/IF\s+EXISTS|reversible|down\s*\(\s*\)|async\s+down/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-031', category: 'deployment', severity: 'high', title: 'Destructive migration without reversible down() method', description: 'Always implement the down() method for destructive migrations. Without a reversal path, a failed deployment with a DROP statement requires manual database recovery.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-032: CI pipeline without caching
+  { id: 'DEPLOY-PROC-032', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'CI Pipeline Without Dependency Caching',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        if (c.match(/npm install|npm ci|yarn install|pnpm install/i)) {
+          if (!c.match(/cache:|actions\/cache|restore-keys|key:.*node_modules/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-032', category: 'deployment', severity: 'low', title: 'CI installs dependencies without caching — slow and costly pipeline', description: 'Add dependency caching to CI workflows. Caching node_modules reduces pipeline time by 60-80% and cuts CI costs proportionally.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-033: Using curl | sh pattern in CI
+  { id: 'DEPLOY-PROC-033', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Downloading and Executing Scripts via curl | sh',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp) && !fp.match(/Makefile|\.sh$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/curl.*\|\s*(?:sudo\s+)?(?:ba)?sh|wget.*\|\s*(?:sudo\s+)?(?:ba)?sh/i)) {
+            findings.push({ ruleId: 'DEPLOY-PROC-033', category: 'deployment', severity: 'critical', title: 'curl | sh pattern in CI — arbitrary remote code execution', description: 'Never pipe curl output directly to sh. Download and verify the checksum before executing. Compromised servers or MITM attacks can inject malicious code into the piped script.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-034: No branch protection rules
+  { id: 'DEPLOY-PROC-034', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Branch Protection Rules for Main Branch',
+    check({ files }) {
+      const findings = [];
+      const hasBranchProtection = [...files.keys()].some(f => f.match(/branch.*protection|CODEOWNERS/i)) || [...files.values()].some(c => c.match(/required_status_checks|required_pull_request_reviews|enforce_admins/i));
+      const hasCI = [...files.keys()].some(f => f.match(/\.github\/workflows/));
+      if (hasCI && !hasBranchProtection) {
+        findings.push({ ruleId: 'DEPLOY-PROC-034', category: 'deployment', severity: 'high', title: 'No branch protection rules — direct push to main possible', description: 'Enable branch protection on main/master: require PR reviews, passing status checks, and no direct pushes. Unprotected main branches allow unreviewed code to bypass CI/CD gates.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-SEC-009: Environment variables logged in CI output
+  { id: 'DEPLOY-SEC-009', category: 'deployment', severity: 'high', confidence: 'likely', title: 'CI Step That May Print Environment Variables',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isCIFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/printenv|env\s*>|set\s*>|echo\s+\$[A-Z_]+/i) && !lines[i].match(/#/)) {
+            findings.push({ ruleId: 'DEPLOY-SEC-009', category: 'deployment', severity: 'high', title: 'CI step printing environment variables — secrets exposed in build logs', description: 'Remove printenv and bare echo $VAR from CI steps. CI build logs are often accessible to all team members and sometimes stored publicly. Printing env vars exposes secrets.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-035: Missing CODEOWNERS file
+  { id: 'DEPLOY-PROC-035', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No CODEOWNERS File Defined',
+    check({ files }) {
+      const findings = [];
+      const hasCodeOwners = [...files.keys()].some(f => f.match(/CODEOWNERS/));
+      const hasGitHubDir = [...files.keys()].some(f => f.match(/\.github\//));
+      if (hasGitHubDir && !hasCodeOwners) {
+        findings.push({ ruleId: 'DEPLOY-PROC-035', category: 'deployment', severity: 'low', title: 'No CODEOWNERS file — critical paths have no mandatory reviewer', description: 'Add a CODEOWNERS file to require review from domain experts for critical paths (auth, payments, migrations). Without it, changes to critical areas can be merged without appropriate review.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPLOY-PROC-036: No semantic versioning enforced
+  { id: 'DEPLOY-PROC-036', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No Semantic Version Tagging in Release Process',
+    check({ files }) {
+      const findings = [];
+      const hasRelease = [...files.values()].some(c => c.match(/release|publish|npm.*publish/i));
+      const hasSemver = [...files.values()].some(c => c.match(/semantic-release|standard-version|release-please|changesets|release.*v\d+\.\d+\.\d+/i));
+      if (hasRelease && !hasSemver) {
+        findings.push({ ruleId: 'DEPLOY-PROC-036', category: 'deployment', severity: 'low', title: 'Release process without automated semantic versioning', description: 'Use semantic-release, release-please, or changesets for automated versioning. Manual versioning leads to inconsistent release numbers and missing changelog entries.', fix: null });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// DEPLOY-037: Missing readiness probe
+rules.push({
+  id: 'DEPLOY-037', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Kubernetes Deployment without readinessProbe',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*(?:Deployment|StatefulSet)/) && c.match(/containers:/) && !c.match(/readinessProbe:/)) {
+        findings.push({ ruleId: 'DEPLOY-037', category: 'deployment', severity: 'high', title: 'K8s Deployment without readinessProbe — traffic sent before app is ready', description: 'Without a readinessProbe, Kubernetes routes traffic to pods before they finish startup. Add a readinessProbe to ensure traffic only flows to healthy pods.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-038: No rolling update strategy
+rules.push({
+  id: 'DEPLOY-038', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Kubernetes Deployment without rolling update strategy',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*Deployment/) && !c.match(/strategy:/)) {
+        findings.push({ ruleId: 'DEPLOY-038', category: 'deployment', severity: 'high', title: 'Deployment without rolling update strategy — deploys may cause downtime', description: 'Add strategy: type: RollingUpdate with maxUnavailable: 0 to ensure zero-downtime deployments. Without a strategy, Kubernetes may delete all old pods before new ones are ready.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-039: Docker image using :latest tag
+rules.push({
+  id: 'DEPLOY-039', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Docker image with :latest tag — non-deterministic deployments',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile|\.ya?ml$/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*#/.test(lines[i])) continue;
+        if (/(?:image:|FROM\s+)\S+:latest\b/.test(lines[i])) {
+          findings.push({ ruleId: 'DEPLOY-039', category: 'deployment', severity: 'high', title: 'Docker image uses :latest tag — unpredictable what version is deployed', description: 'Using :latest makes deployments non-reproducible. Pin to a specific version or SHA digest: image: nginx:1.25.3 or image: nginx@sha256:...', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-040: No non-root user in Dockerfile
+rules.push({
+  id: 'DEPLOY-040', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Dockerfile without USER instruction — container runs as root',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile/i)) continue;
+      if (!c.match(/^USER\s+(?!root)/m)) {
+        findings.push({ ruleId: 'DEPLOY-040', category: 'deployment', severity: 'high', title: 'Dockerfile without non-root USER — container runs as root', description: 'Add USER node (or appropriate non-root user) to Dockerfile. Running as root in a container is a security risk if the container is compromised.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-041: No secrets rotation policy
+rules.push({
+  id: 'DEPLOY-041', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No secrets rotation configuration found',
+  check({ files }) {
+    const findings = [];
+    const hasSecrets = [...files.values()].some(c => /secretsmanager|vault|AWS_SECRET|SECRET_ARN/i.test(c));
+    const hasRotation = [...files.values()].some(c => /rotation|rotate.*secret|secret.*rotation|RotationRules/i.test(c));
+    if (hasSecrets && !hasRotation) {
+      findings.push({ ruleId: 'DEPLOY-041', category: 'deployment', severity: 'medium', title: 'Secrets manager used without rotation policy — static secrets', description: 'Enable automatic secret rotation in AWS Secrets Manager or HashiCorp Vault. Static secrets that never rotate are a persistent risk if compromised.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-042: Missing resource quotas
+rules.push({
+  id: 'DEPLOY-042', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Kubernetes namespace without ResourceQuota',
+  check({ files }) {
+    const findings = [];
+    const hasNamespace = [...files.keys()].some(f => f.match(/\.ya?ml$/) && /kind:\s*Namespace/.test(files.get(f)));
+    const hasQuota = [...files.values()].some(c => /kind:\s*ResourceQuota/.test(c));
+    if (hasNamespace && !hasQuota) {
+      findings.push({ ruleId: 'DEPLOY-042', category: 'deployment', severity: 'medium', title: 'Kubernetes namespace without ResourceQuota — no CPU/memory limit per namespace', description: 'Without ResourceQuotas, a single namespace can consume all cluster resources. Add ResourceQuota to cap CPU, memory, and pod count per namespace.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-043: No canary or blue/green strategy
+rules.push({
+  id: 'DEPLOY-043', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No progressive delivery strategy (canary/blue-green)',
+  check({ files }) {
+    const findings = [];
+    const hasCriticalService = [...files.values()].some(c => /payment|checkout|auth|order/i.test(c) && /kind:\s*Deployment/.test(c));
+    const hasProgressive = [...files.values()].some(c => /canary|blue.*green|argo.*rollout|flagger|spinnaker|progressive/i.test(c));
+    if (hasCriticalService && !hasProgressive) {
+      findings.push({ ruleId: 'DEPLOY-043', category: 'deployment', severity: 'medium', title: 'Critical service deployed without canary or blue/green strategy', description: 'For critical services (payments, auth), use Argo Rollouts or Flagger to gradually shift traffic to new versions, enabling instant rollback on metrics degradation.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-044: Missing backup verification in CI
+rules.push({
+  id: 'DEPLOY-044', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No database backup verification step in CI/CD pipeline',
+  check({ files }) {
+    const findings = [];
+    const hasMigration = [...files.values()].some(c => /migrate|migration|schema.*change/i.test(c));
+    const hasBackupCheck = [...files.values()].some(c => /backup.*verif|restore.*test|verify.*backup|backup.*test/i.test(c));
+    if (hasMigration && !hasBackupCheck) {
+      findings.push({ ruleId: 'DEPLOY-044', category: 'deployment', severity: 'medium', title: 'Migrations deployed without backup verification step', description: 'Before running irreversible schema migrations, verify a recent backup exists and is restorable. Add a backup check step before migration stages.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-045: Dockerfile with no HEALTHCHECK
+rules.push({
+  id: 'DEPLOY-045', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Dockerfile without HEALTHCHECK instruction',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile/i)) continue;
+      if (!c.match(/^HEALTHCHECK\s/m)) {
+        findings.push({ ruleId: 'DEPLOY-045', category: 'deployment', severity: 'medium', title: 'Dockerfile without HEALTHCHECK — Docker cannot detect unhealthy containers', description: 'Add HEALTHCHECK instruction to enable Docker to detect and restart unhealthy containers: HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost/health || exit 1', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-046: No multi-stage Docker build
+rules.push({
+  id: 'DEPLOY-046', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'Single-stage Dockerfile — production image includes build tools',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile/i)) continue;
+      const fromCount = (c.match(/^FROM\s+/gm) || []).length;
+      if (fromCount === 1 && /npm\s+install|yarn\s+install|RUN.*build/i.test(c)) {
+        findings.push({ ruleId: 'DEPLOY-046', category: 'deployment', severity: 'low', title: 'Single-stage Dockerfile — dev dependencies included in production image', description: 'Use multi-stage builds: FROM node:18 AS builder / RUN npm ci / FROM node:18-alpine / COPY --from=builder. This reduces image size and attack surface.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-047: No .dockerignore file
+rules.push({
+  id: 'DEPLOY-047', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Dockerfile present without .dockerignore — sensitive files may be copied',
+  check({ files }) {
+    const findings = [];
+    const hasDockerfile = [...files.keys()].some(f => f.match(/Dockerfile/i));
+    const hasDockerignore = [...files.keys()].some(f => f.match(/\.dockerignore$/));
+    if (hasDockerfile && !hasDockerignore) {
+      findings.push({ ruleId: 'DEPLOY-047', category: 'deployment', severity: 'medium', title: 'No .dockerignore file — .env, node_modules, and secrets may be copied into image', description: 'Create a .dockerignore file to exclude .env files, node_modules, .git, and other sensitive/unnecessary files from Docker build context.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-048: Missing PodDisruptionBudget
+rules.push({
+  id: 'DEPLOY-048', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No PodDisruptionBudget for critical services',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.values()].some(c => /kind:\s*Deployment/.test(c));
+    const hasPDB = [...files.values()].some(c => /kind:\s*PodDisruptionBudget/.test(c));
+    if (hasDeployment && !hasPDB) {
+      findings.push({ ruleId: 'DEPLOY-048', category: 'deployment', severity: 'medium', title: 'No PodDisruptionBudget — node maintenance can take down all pods simultaneously', description: 'Add a PodDisruptionBudget with minAvailable: 1 to ensure at least one pod stays running during node maintenance and voluntary disruptions.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-049: Helm chart without resource limits
+rules.push({
+  id: 'DEPLOY-049', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Helm values without resource limits defined',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/values.*\.ya?ml$|Chart\.ya?ml$/i)) continue;
+      if (c.match(/resources:/) && !c.match(/limits:/)) {
+        findings.push({ ruleId: 'DEPLOY-049', category: 'deployment', severity: 'high', title: 'Helm values.yaml has resources section without limits', description: 'Define resources.limits.cpu and resources.limits.memory in Helm values to prevent containers from consuming unlimited cluster resources.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-050: No environment-specific config separation
+rules.push({
+  id: 'DEPLOY-050', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No environment-specific configuration separation',
+  check({ files }) {
+    const findings = [];
+    const hasConfig = [...files.values()].some(c => /NODE_ENV.*production|DATABASE_URL|API_URL/i.test(c));
+    const hasEnvSep = [...files.keys()].some(f => f.match(/\.env\.(?:production|staging|development)|config.*prod.*\.js|environments\/prod/i));
+    if (hasConfig && !hasEnvSep) {
+      findings.push({ ruleId: 'DEPLOY-050', category: 'deployment', severity: 'medium', title: 'No environment-specific config files — production and dev settings mixed', description: 'Separate configuration by environment using .env.production, .env.staging, and .env.development files. Load the appropriate file based on NODE_ENV.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-051: Missing Terraform state locking
+rules.push({
+  id: 'DEPLOY-051', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Terraform without remote state locking',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/terraform\s*\{/) && c.match(/backend\s*["']/) && !c.match(/dynamodb_table|lockFilePath|lock/i)) {
+        findings.push({ ruleId: 'DEPLOY-051', category: 'deployment', severity: 'high', title: 'Terraform backend without state locking — concurrent applies cause state corruption', description: 'Configure state locking using DynamoDB (for S3 backend) to prevent concurrent terraform applies from corrupting state.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-052: No automated rollback on deployment failure
+rules.push({
+  id: 'DEPLOY-052', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'CI/CD pipeline without automated rollback on failure',
+  check({ files }) {
+    const findings = [];
+    const hasDeployStep = [...files.values()].some(c => /deploy|kubectl.*apply|helm.*upgrade|serverless.*deploy/i.test(c));
+    const hasRollback = [...files.values()].some(c => /rollback|helm.*rollback|kubectl.*rollout.*undo|revert.*deploy/i.test(c));
+    if (hasDeployStep && !hasRollback) {
+      findings.push({ ruleId: 'DEPLOY-052', category: 'deployment', severity: 'medium', title: 'Deployment pipeline without rollback step — manual intervention required on failure', description: 'Add an automated rollback step to your CI/CD pipeline: kubectl rollout undo or helm rollback. Automatic rollback minimizes time-to-recovery on bad deploys.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-053 through DEPLOY-072: Additional deployment rules
+
+// DEPLOY-053: No container registry vulnerability scanning in CI
+rules.push({
+  id: 'DEPLOY-053', category: 'deployment', severity: 'high', confidence: 'likely', title: 'CI/CD pipeline without container image vulnerability scan',
+  check({ files }) {
+    const findings = [];
+    const hasCIFile = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci|\.circleci|Jenkinsfile/i));
+    const hasScan = [...files.values()].some(c => /trivy|grype|snyk.*container|clair|anchore|dockle/i.test(c));
+    const hasDocker = [...files.keys()].some(f => f.match(/Dockerfile/i));
+    if (hasCIFile && hasDocker && !hasScan) {
+      findings.push({ ruleId: 'DEPLOY-053', category: 'deployment', severity: 'high', title: 'Docker image built without vulnerability scan in CI', description: 'Add Trivy or Grype to scan container images for CVEs before pushing to registry: trivy image myapp:latest', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-054: Missing terraform plan before apply
+rules.push({
+  id: 'DEPLOY-054', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Terraform apply in CI without prior plan review',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/) || !fp.match(/\.github|\.gitlab|ci\//i)) continue;
+      if (c.match(/terraform.*apply/) && !c.match(/terraform.*plan/)) {
+        findings.push({ ruleId: 'DEPLOY-054', category: 'deployment', severity: 'high', title: 'terraform apply without plan step — no review of infrastructure changes', description: 'Always run terraform plan before terraform apply and require approval for the plan output. Blindly applying can cause unexpected infrastructure changes.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-055: Environment variables hardcoded in CI config
+rules.push({
+  id: 'DEPLOY-055', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Hardcoded secret in CI/CD configuration file',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/) || !fp.match(/\.github|\.gitlab|jenkins|circleci/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*#/.test(lines[i])) continue;
+        if (/(?:PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)\s*:\s*[A-Za-z0-9+/=_\-]{10,}/i.test(lines[i]) && !/\$\{|\$\(|\$secrets|\${{/i.test(lines[i])) {
+          findings.push({ ruleId: 'DEPLOY-055', category: 'deployment', severity: 'critical', title: 'Hardcoded secret in CI configuration', description: 'Store secrets in CI/CD secrets management (GitHub Secrets, GitLab CI Variables) and reference them as ${{ secrets.MY_SECRET }} or $MY_SECRET.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-056: No dependency caching in CI
+rules.push({
+  id: 'DEPLOY-056', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'CI pipeline without dependency caching — slow builds',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/) || !fp.match(/\.github\/workflows|\.gitlab-ci|\.circleci/i)) continue;
+      if (c.match(/npm\s+ci|yarn\s+install|pip\s+install/) && !c.match(/cache:/)) {
+        findings.push({ ruleId: 'DEPLOY-056', category: 'deployment', severity: 'low', title: 'CI builds dependencies without caching — slow pipeline', description: 'Cache node_modules or pip packages in CI to speed up builds: use actions/cache@v3 (GitHub Actions) or cache: npm key in GitLab CI.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-057: Docker build without BuildKit
+rules.push({
+  id: 'DEPLOY-057', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'Docker build without BuildKit — slower builds',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$|Makefile/)) continue;
+      if (c.match(/docker\s+build\b/) && !c.match(/DOCKER_BUILDKIT=1|buildx\s+build/)) {
+        findings.push({ ruleId: 'DEPLOY-057', category: 'deployment', severity: 'low', title: 'Docker build without BuildKit — use DOCKER_BUILDKIT=1 for faster builds', description: 'BuildKit provides better caching, parallel builds, and security for build secrets. Enable with: DOCKER_BUILDKIT=1 docker build or use docker buildx build.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-058: No image tag immutability in ECR
+rules.push({
+  id: 'DEPLOY-058', category: 'deployment', severity: 'high', confidence: 'likely', title: 'ECR repository without image tag immutability',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_ecr_repository/) && !c.match(/image_tag_mutability\s*=\s*["']IMMUTABLE["']/)) {
+        findings.push({ ruleId: 'DEPLOY-058', category: 'deployment', severity: 'high', title: 'ECR without IMMUTABLE tag — existing image tags can be overwritten', description: 'Set image_tag_mutability = "IMMUTABLE" to prevent overwriting deployed image tags. Mutable tags can lead to deploying different code than expected.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-059: Missing artifact integrity check
+rules.push({
+  id: 'DEPLOY-059', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No artifact integrity verification in deployment pipeline',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.values()].some(c => /deploy.*stage|kubectl.*apply|helm.*upgrade/i.test(c));
+    const hasSignatureCheck = [...files.values()].some(c => /cosign|sigstore|sha256sum|checksum|verify.*sig|signature.*verify/i.test(c));
+    if (hasDeployment && !hasSignatureCheck) {
+      findings.push({ ruleId: 'DEPLOY-059', category: 'deployment', severity: 'medium', title: 'Deployment without artifact integrity verification', description: 'Sign artifacts with Cosign or verify SHA checksums to ensure what you deploy matches what was built. Prevents supply chain attacks on deployment artifacts.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-060: No minimum replica count for services
+rules.push({
+  id: 'DEPLOY-060', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment with replicas: 1 — single point of failure',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*Deployment/) && c.match(/replicas:\s*1\b/)) {
+        findings.push({ ruleId: 'DEPLOY-060', category: 'deployment', severity: 'medium', title: 'Deployment with replicas: 1 — pod failure causes full service outage', description: 'Set replicas: 2 or more for any service that requires availability. A single replica means any pod restart (update, node failure, OOM kill) causes downtime.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-061 through DEPLOY-075
+
+// DEPLOY-061: No monitoring/alerting configured
+rules.push({
+  id: 'DEPLOY-061', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No monitoring or alerting configuration found',
+  check({ files }) {
+    const findings = [];
+    const hasProductionConfig = [...files.values()].some(c => /NODE_ENV.*production|app\.listen/i.test(c));
+    const hasMonitoring = [...files.values()].some(c => /cloudwatch|datadog|newrelic|prometheus|grafana|pagerduty|opsgenie|sentry|rollbar|honeybadger/i.test(c));
+    if (hasProductionConfig && !hasMonitoring) {
+      findings.push({ ruleId: 'DEPLOY-061', category: 'deployment', severity: 'high', title: 'Production service without monitoring — outages go undetected', description: 'Configure monitoring and alerting (CloudWatch, Datadog, Sentry) to detect errors, high latency, and availability issues in production.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-062: No log aggregation
+rules.push({
+  id: 'DEPLOY-062', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No log aggregation service configured',
+  check({ files }) {
+    const findings = [];
+    const hasApp = [...files.values()].some(c => /express|fastify|koa/i.test(c));
+    const hasLogAgg = [...files.values()].some(c => /elasticsearch|kibana|logstash|splunk|sumologic|cloudwatch.*logs|fluentd|loki|papertrail/i.test(c));
+    if (hasApp && !hasLogAgg) {
+      findings.push({ ruleId: 'DEPLOY-062', category: 'deployment', severity: 'medium', title: 'No centralized log aggregation — logs only on individual pods/instances', description: 'Configure log aggregation (CloudWatch, ELK, Loki) to collect logs from all instances centrally. Otherwise logs are lost when pods restart.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-063: Missing node version in .nvmrc
+rules.push({
+  id: 'DEPLOY-063', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No .nvmrc or .node-version file — inconsistent Node.js version',
+  check({ files }) {
+    const findings = [];
+    const hasNodeProject = [...files.keys()].some(f => f.match(/package\.json$/));
+    const hasNvmrc = [...files.keys()].some(f => f.match(/\.nvmrc$|\.node-version$/));
+    if (hasNodeProject && !hasNvmrc) {
+      findings.push({ ruleId: 'DEPLOY-063', category: 'deployment', severity: 'low', title: 'No .nvmrc — Node.js version inconsistent across developer machines', description: 'Create an .nvmrc file with the required Node.js version to ensure consistent environments: echo "18.19.0" > .nvmrc', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-064: Terraform without module versioning
+rules.push({
+  id: 'DEPLOY-064', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Terraform module without pinned version',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*#/.test(lines[i])) continue;
+        if (/source\s*=\s*["'].*github\.com.*\/\//.test(lines[i])) {
+          const ctx = lines.slice(i, Math.min(lines.length, i + 5)).join('\n');
+          if (!/version\s*=\s*["'][0-9]|ref=/.test(ctx) && !ctx.match(/\?ref=/)) {
+            findings.push({ ruleId: 'DEPLOY-064', category: 'deployment', severity: 'medium', title: 'Terraform module without pinned version/ref — breaking changes auto-applied', description: 'Pin Terraform module versions: source = "module?ref=v1.2.3". Without pinning, changes to the module are automatically pulled on next init.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-065: No disaster recovery plan
+rules.push({
+  id: 'DEPLOY-065', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No disaster recovery or backup strategy found',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const hasDR = [...files.values()].some(c => /backup|aws_db_instance.*backup|snapshot|cross_region_replica|RTO|RPO|disaster.*recovery/i.test(c));
+    if (hasTF && !hasDR) {
+      findings.push({ ruleId: 'DEPLOY-065', category: 'deployment', severity: 'medium', title: 'No backup or disaster recovery configuration found in Terraform', description: 'Configure automated backups for databases, define RTO and RPO targets, and document disaster recovery procedures. Enable automated snapshots on RDS and S3 versioning.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-066: Missing readiness in startup probe
+rules.push({
+  id: 'DEPLOY-066', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Kubernetes container without startup probe for slow-starting apps',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*Deployment/) && c.match(/livenessProbe:/) && !c.match(/startupProbe:/)) {
+        findings.push({ ruleId: 'DEPLOY-066', category: 'deployment', severity: 'medium', title: 'Deployment with livenessProbe but no startupProbe — slow apps killed prematurely', description: 'Add a startupProbe for applications that take more than 30 seconds to initialize. Without it, the livenessProbe may kill the pod before it finishes starting.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-067: No tagging strategy for cloud resources
+rules.push({
+  id: 'DEPLOY-067', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'Terraform resources without cost allocation tags',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_/) && !c.match(/tags\s*=\s*\{/)) {
+        findings.push({ ruleId: 'DEPLOY-067', category: 'deployment', severity: 'low', title: 'AWS resources without tags — no cost allocation or resource management', description: 'Tag all AWS resources with environment, team, and cost-center tags for cost allocation and operational management: tags = { Environment = "production", Team = "platform" }', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-068: Missing Kubernetes HorizontalPodAutoscaler
+rules.push({
+  id: 'DEPLOY-068', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment without HorizontalPodAutoscaler',
+  check({ files }) {
+    const findings = [];
+    const deployFiles = [];
+    const hpaFiles = new Set();
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c)) deployFiles.push(fp);
+      if (/kind:\s*HorizontalPodAutoscaler/.test(c)) hpaFiles.add(fp.replace(/\/[^/]+$/, ''));
+    }
+    for (const fp of deployFiles) {
+      const dir = fp.replace(/\/[^/]+$/, '');
+      if (!hpaFiles.has(dir)) findings.push({ ruleId: 'DEPLOY-068', category: 'deployment', severity: 'medium', title: 'Kubernetes Deployment without HorizontalPodAutoscaler — no auto-scaling', description: 'Create an HPA to automatically scale pods based on CPU/memory metrics.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-069: Dockerfile not using multi-stage build
+rules.push({
+  id: 'DEPLOY-069', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Dockerfile without multi-stage build — large final image',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('Dockerfile') && !fp.endsWith('.dockerfile')) continue;
+      const fromCount = (c.match(/^FROM\s/gm) || []).length;
+      if (fromCount === 1 && /npm install|yarn install/.test(c)) findings.push({ ruleId: 'DEPLOY-069', category: 'deployment', severity: 'medium', title: 'Single-stage Dockerfile includes build tools in final image — increases attack surface and image size', description: 'Use multi-stage builds: one stage for building, another for the final minimal runtime image.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-070: CI/CD pipeline without linting step
+rules.push({
+  id: 'DEPLOY-070', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'CI/CD pipeline without linting step',
+  check({ files }) {
+    const findings = [];
+    const ciFiles = [...files.keys()].filter(f => f.includes('.github/workflows') || f.includes('.gitlab-ci') || f.includes('Jenkinsfile') || f.includes('circleci'));
+    for (const fp of ciFiles) {
+      const c = files.get(fp) || '';
+      if (!/lint|eslint|tslint|prettier/.test(c)) findings.push({ ruleId: 'DEPLOY-070', category: 'deployment', severity: 'low', title: 'CI pipeline without linting — code quality issues may reach production', description: 'Add a lint step to your CI pipeline to catch code quality issues before deployment.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-071: No security scanning in CI pipeline
+rules.push({
+  id: 'DEPLOY-071', category: 'deployment', severity: 'high', confidence: 'likely', title: 'CI/CD pipeline without security scanning',
+  check({ files }) {
+    const findings = [];
+    const ciFiles = [...files.keys()].filter(f => f.includes('.github/workflows') || f.includes('.gitlab-ci') || f.includes('Jenkinsfile'));
+    for (const fp of ciFiles) {
+      const c = files.get(fp) || '';
+      if (!/trivy|snyk|grype|clair|anchore|owasp|security.scan|npm.audit|semgrep/i.test(c)) findings.push({ ruleId: 'DEPLOY-071', category: 'deployment', severity: 'high', title: 'CI pipeline without security scanning — vulnerabilities not caught before deployment', description: 'Add security scanning (Trivy, Snyk, OWASP) to your CI pipeline.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-072: Missing deployment rollback documentation
+rules.push({
+  id: 'DEPLOY-072', category: 'deployment', severity: 'medium', confidence: 'suggestion', title: 'No rollback strategy in deployment configuration',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c) && !/rollback|revisionHistoryLimit/.test(c)) findings.push({ ruleId: 'DEPLOY-072', category: 'deployment', severity: 'medium', title: 'Kubernetes Deployment without revisionHistoryLimit — rollback history not preserved', description: 'Set revisionHistoryLimit in Deployment spec to retain rollback history.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-073: Missing container image tag pinning (SHA digest)
+rules.push({
+  id: 'DEPLOY-073', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Container image referenced by tag rather than digest',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml') && !fp.endsWith('Dockerfile') && !fp.endsWith('.dockerfile')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/image:\s*\S+:\S+/.test(lines[i]) && !/@sha256:/.test(lines[i]) && !/latest/.test(lines[i])) continue;
+        if (/image:\s*\S+:latest/.test(lines[i])) findings.push({ ruleId: 'DEPLOY-073', category: 'deployment', severity: 'medium', title: 'Container image using :latest tag — not reproducible', description: 'Pin container images to specific tags or SHA digests for reproducible deployments.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-074: No post-deployment smoke tests
+rules.push({
+  id: 'DEPLOY-074', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'CI/CD pipeline without post-deployment smoke tests',
+  check({ files }) {
+    const findings = [];
+    const ciFiles = [...files.keys()].filter(f => f.includes('.github/workflows') || f.includes('.gitlab-ci'));
+    for (const fp of ciFiles) {
+      const c = files.get(fp) || '';
+      if (!/smoke.test|post.deploy|healthcheck|curl.*health|wget.*health/i.test(c)) findings.push({ ruleId: 'DEPLOY-074', category: 'deployment', severity: 'medium', title: 'No post-deployment smoke test — deployment failures not detected automatically', description: 'Add smoke tests after deployment to verify the application is responding correctly.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-075: Helm chart without resource requests
+rules.push({
+  id: 'DEPLOY-075', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Helm chart values without resource requests defined',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (!fp.includes('helm') && !fp.includes('chart') && !fp.includes('values')) continue;
+      if (/replicaCount|image:|service:/.test(c) && !/resources:|requests:|cpu:|memory:/.test(c)) findings.push({ ruleId: 'DEPLOY-075', category: 'deployment', severity: 'high', title: 'Helm chart without resource requests — pods may be over/under-provisioned', description: 'Define resource requests and limits in Helm chart values for predictable scheduling.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-076: Docker COPY with too-broad glob
+rules.push({
+  id: 'DEPLOY-076', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Dockerfile COPY . . without .dockerignore — copies unnecessary files',
+  check({ files }) {
+    const findings = [];
+    const hasDockerignore = [...files.keys()].some(f => f.endsWith('.dockerignore'));
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('Dockerfile') && !fp.endsWith('.dockerfile')) continue;
+      if (/^COPY\s+\.\s+\./m.test(c) && !hasDockerignore) findings.push({ ruleId: 'DEPLOY-076', category: 'deployment', severity: 'medium', title: 'Dockerfile COPY . . without .dockerignore — includes .git, node_modules, secrets', description: 'Create a .dockerignore file to exclude unnecessary files from the Docker build context.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-077: Missing environment-specific configuration management
+rules.push({
+  id: 'DEPLOY-077', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No environment configuration management strategy',
+  check({ files }) {
+    const findings = [];
+    const hasEnvConfig = [...files.keys()].some(f => /\.env\.(?:production|staging|development)|config\.(?:prod|staging)/.test(f)) || [...files.values()].some(c => /NODE_ENV.*production|process\.env\.NODE_ENV/.test(c));
+    if (!hasEnvConfig) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPLOY-077', category: 'deployment', severity: 'medium', title: 'No environment-specific configuration strategy found', description: 'Use environment variables or per-environment config files to manage configuration across deployments.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-078: Missing container registry authentication in CI
+rules.push({
+  id: 'DEPLOY-078', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Container registry credentials not using CI secrets',
+  check({ files }) {
+    const findings = [];
+    const ciFiles = [...files.keys()].filter(f => f.includes('.github/workflows') || f.includes('.gitlab-ci'));
+    for (const fp of ciFiles) {
+      const c = files.get(fp) || '';
+      if (/docker.login|docker.push|ecr|gcr|registry/i.test(c) && /password:|DOCKER_PASSWORD|REGISTRY_PASSWORD/i.test(c) && !/secrets\.|vault\.\$\{/i.test(c)) {
+        findings.push({ ruleId: 'DEPLOY-078', category: 'deployment', severity: 'high', title: 'Container registry credentials may be hardcoded in CI config', description: 'Store registry credentials in CI/CD secrets variables, not hardcoded in pipeline configuration.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-079: Missing Kubernetes NetworkPolicy
+rules.push({
+  id: 'DEPLOY-079', category: 'deployment', severity: 'high', confidence: 'likely', title: 'No Kubernetes NetworkPolicy — all pods can communicate freely',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.values()].some(c => /kind:\s*Deployment/.test(c));
+    const hasNetPolicy = [...files.values()].some(c => /kind:\s*NetworkPolicy/.test(c));
+    if (hasDeployment && !hasNetPolicy) {
+      const deployFile = [...files.keys()].find(f => (f.endsWith('.yaml') || f.endsWith('.yml')) && /Deployment/.test(files.get(f) || ''));
+      if (deployFile) findings.push({ ruleId: 'DEPLOY-079', category: 'deployment', severity: 'high', title: 'No Kubernetes NetworkPolicy found — unrestricted pod-to-pod communication', description: 'Define NetworkPolicies to restrict ingress/egress between pods following least-privilege networking.', file: deployFile, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-080: No CHANGELOG or release notes
+rules.push({
+  id: 'DEPLOY-080', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No CHANGELOG file — release history not documented',
+  check({ files }) {
+    const findings = [];
+    const hasChangelog = [...files.keys()].some(f => /CHANGELOG|CHANGES|HISTORY|RELEASES/i.test(f));
+    if (!hasChangelog) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPLOY-080', category: 'deployment', severity: 'low', title: 'No CHANGELOG file — changes between releases not documented', description: 'Maintain a CHANGELOG.md using Keep a Changelog format to document changes for each release.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-081: GitHub Actions without pinned action versions
+rules.push({
+  id: 'DEPLOY-081', category: 'deployment', severity: 'high', confidence: 'likely', title: 'GitHub Actions using mutable version tags instead of SHA',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.includes('.github/workflows')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/uses:\s*\w+\/\w+@v\d/.test(lines[i]) && !/@[0-9a-f]{40}/.test(lines[i])) {
+          findings.push({ ruleId: 'DEPLOY-081', category: 'deployment', severity: 'high', title: 'GitHub Action using mutable tag — supply chain attack risk', description: 'Pin GitHub Actions to full commit SHAs (e.g. actions/checkout@abc123...) to prevent supply chain attacks.', file: fp, line: i + 1, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-082: Missing Kubernetes resource quotas on namespace
+rules.push({
+  id: 'DEPLOY-082', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'No Kubernetes ResourceQuota on namespace',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.values()].some(c => /kind:\s*Deployment/.test(c));
+    const hasResourceQuota = [...files.values()].some(c => /kind:\s*ResourceQuota/.test(c));
+    if (hasDeployment && !hasResourceQuota) {
+      const deployFile = [...files.keys()].find(f => (f.endsWith('.yaml') || f.endsWith('.yml')) && /Deployment/.test(files.get(f) || ''));
+      if (deployFile) findings.push({ ruleId: 'DEPLOY-082', category: 'deployment', severity: 'medium', title: 'No ResourceQuota defined — namespace can consume unlimited cluster resources', description: 'Define ResourceQuotas per namespace to prevent resource starvation across workloads.', file: deployFile, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-083: Missing pre-deployment database migration check
+rules.push({
+  id: 'DEPLOY-083', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Deployment without pre-migration step for database changes',
+  check({ files }) {
+    const findings = [];
+    const hasMigrations = [...files.keys()].some(f => /migration|migrate/.test(f));
+    if (!hasMigrations) return findings;
+    const ciFiles = [...files.keys()].filter(f => f.includes('.github/workflows') || f.includes('.gitlab-ci'));
+    for (const fp of ciFiles) {
+      const c = files.get(fp) || '';
+      if (!/migrate|migration/.test(c)) findings.push({ ruleId: 'DEPLOY-083', category: 'deployment', severity: 'high', title: 'CI/CD pipeline does not run database migrations before deployment', description: 'Run database migrations as part of your deployment pipeline before updating application pods.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-084: Missing Kubernetes liveness vs readiness probe distinction
+rules.push({
+  id: 'DEPLOY-084', category: 'deployment', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment with same endpoint for liveness and readiness',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (!/kind:\s*Deployment/.test(c)) continue;
+      const lMatch = c.match(/livenessProbe:[\s\S]{0,200}path:\s*(\S+)/);
+      const rMatch = c.match(/readinessProbe:[\s\S]{0,200}path:\s*(\S+)/);
+      if (lMatch && rMatch && lMatch[1] === rMatch[1]) findings.push({ ruleId: 'DEPLOY-084', category: 'deployment', severity: 'medium', title: 'Liveness and readiness probes use same endpoint — liveness should check process, readiness checks dependencies', description: 'Use different endpoints: liveness checks if the process is alive, readiness checks if it can serve traffic.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-085: Missing image vulnerability scanning in CI
+rules.push({
+  id: 'DEPLOY-085', category: 'deployment', severity: 'high', confidence: 'likely', title: 'CI pipeline builds Docker image without vulnerability scan',
+  check({ files }) {
+    const findings = [];
+    const ciFiles = [...files.keys()].filter(f => f.includes('.github/workflows') || f.includes('.gitlab-ci'));
+    for (const fp of ciFiles) {
+      const c = files.get(fp) || '';
+      if (/docker.build|docker build/i.test(c) && !/trivy|grype|anchore|clair|snyk container/i.test(c)) findings.push({ ruleId: 'DEPLOY-085', category: 'deployment', severity: 'high', title: 'Docker image built in CI without vulnerability scan', description: 'Add Trivy or Grype scanning after docker build to detect vulnerabilities before pushing.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-086: No automated dependency updates configured
+rules.push({
+  id: 'DEPLOY-086', category: 'deployment', severity: 'low', confidence: 'suggestion', title: 'No automated dependency update configuration (Dependabot/Renovate)',
+  check({ files }) {
+    const findings = [];
+    const hasDependabot = [...files.keys()].some(f => f.includes('.github/dependabot.yml') || f.includes('renovate.json'));
+    if (!hasDependabot) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPLOY-086', category: 'deployment', severity: 'low', title: 'No Dependabot or Renovate configuration — dependencies not automatically updated', description: 'Add .github/dependabot.yml or renovate.json to automate dependency update PRs.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPLOY-087: Missing Kubernetes PodSecurityContext
+rules.push({
+  id: 'DEPLOY-087', category: 'deployment', severity: 'high', confidence: 'likely', title: 'Kubernetes Pod without securityContext settings',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*(?:Deployment|Pod|StatefulSet)/.test(c) && !/securityContext/.test(c)) findings.push({ ruleId: 'DEPLOY-087', category: 'deployment', severity: 'high', title: 'Kubernetes Pod without securityContext — runs with default insecure settings', description: 'Add securityContext to pods: set runAsNonRoot: true, readOnlyRootFilesystem: true.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});