getdoorman 1.0.0

package/src/rules/infrastructure/index.js

@@ -0,0 +1,3048 @@
+function isDockerfile(f) { return f.endsWith('Dockerfile') || f.match(/Dockerfile\.\w+$/); }
+function isComposeFile(f) { return f.match(/docker-compose\.ya?ml$/) || f.match(/compose\.ya?ml$/); }
+function isTestFile(f) { return f.match(/\.(test|spec)\.\w+$/) || f.includes('__tests__') || f.includes('/test/'); }
+
+const SENSITIVE_PORTS = ['22', '3306', '5432', '27017'];
+const SENSITIVE_MOUNT_PATHS = ['/', '/etc', '/var/run/docker.sock', '/root', '/proc', '/sys', '/dev'];
+
+const rules = [
+  // INFRA-001: Dockerfile running as root (no USER instruction)
+  {
+    id: 'INFRA-001',
+    category: 'infrastructure',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Docker Container Runs as Root',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isDockerfile(filepath)) continue;
+        const lines = content.split('\n');
+        const hasUser = lines.some(line => line.match(/^\s*USER\s+/i));
+        if (!hasUser) {
+          findings.push({
+            ruleId: 'INFRA-001', category: 'infrastructure', severity: 'high',
+            title: 'Dockerfile has no USER instruction — container runs as root',
+            description: 'Running containers as root is a security risk. Add a USER instruction to run as a non-root user.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-002: Docker image using latest tag (not pinned)
+  {
+    id: 'INFRA-002',
+    category: 'infrastructure',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Unpinned Docker Image Tag',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isDockerfile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/^\s*FROM\s+(\S+)/i);
+          if (match) {
+            const image = match[1];
+            // Flag if using :latest explicitly or no tag at all (implicit latest)
+            if (image.endsWith(':latest') || (!image.includes(':') && !image.includes('@'))) {
+              findings.push({
+                ruleId: 'INFRA-002', category: 'infrastructure', severity: 'medium',
+                title: `Docker image "${image}" uses unpinned tag — builds are not reproducible`,
+                description: 'Pin images to a specific version or SHA digest (e.g. node:20-alpine) for reproducible builds.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-003: Docker COPY . . (copies everything including secrets)
+  {
+    id: 'INFRA-003',
+    category: 'infrastructure',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Docker COPY Copies Entire Context',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isDockerfile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*COPY\s+\.\s+\./i) || lines[i].match(/^\s*ADD\s+\.\s+\./i)) {
+            findings.push({
+              ruleId: 'INFRA-003', category: 'infrastructure', severity: 'high',
+              title: 'COPY . . copies the entire build context including potential secrets (.env, keys)',
+              description: 'Use a .dockerignore file and copy only needed files, or use multi-stage builds to avoid leaking secrets.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-004: No .dockerignore file
+  {
+    id: 'INFRA-004',
+    category: 'infrastructure',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing .dockerignore File',
+    check({ files }) {
+      const findings = [];
+      const hasDockerfile = [...files.keys()].some(f => isDockerfile(f));
+      if (!hasDockerfile) return findings;
+
+      const hasDockerignore = [...files.keys()].some(f => f.endsWith('.dockerignore'));
+      if (!hasDockerignore) {
+        findings.push({
+          ruleId: 'INFRA-004', category: 'infrastructure', severity: 'medium',
+          title: 'No .dockerignore file found — build context may include unnecessary or sensitive files',
+          description: 'Add a .dockerignore to exclude node_modules, .env, .git, and other files from the Docker build context.',
+          file: null, line: null, fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-005: Docker EXPOSE on sensitive ports
+  {
+    id: 'INFRA-005',
+    category: 'infrastructure',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Sensitive Port Exposed in Dockerfile',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isDockerfile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/^\s*EXPOSE\s+(.+)/i);
+          if (match) {
+            const ports = match[1].split(/\s+/);
+            for (const port of ports) {
+              const portNum = port.replace(/\/\w+$/, ''); // strip /tcp, /udp
+              if (SENSITIVE_PORTS.includes(portNum)) {
+                findings.push({
+                  ruleId: 'INFRA-005', category: 'infrastructure', severity: 'high',
+                  title: `Dockerfile exposes sensitive port ${portNum} (SSH, database, or admin service)`,
+                  description: 'Avoid exposing SSH (22), MySQL (3306), PostgreSQL (5432), or MongoDB (27017) ports directly. Use internal networks instead.',
+                  file: filepath, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-006: No health check in Docker Compose
+  {
+    id: 'INFRA-006',
+    category: 'infrastructure',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Health Check in Docker Compose',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isComposeFile(filepath)) continue;
+        if (!content.includes('healthcheck')) {
+          findings.push({
+            ruleId: 'INFRA-006', category: 'infrastructure', severity: 'medium',
+            title: 'Docker Compose service has no healthcheck configured',
+            description: 'Add healthcheck blocks to services so Docker can detect and restart unhealthy containers.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-007: Docker Compose volumes mounting host root or sensitive paths
+  {
+    id: 'INFRA-007',
+    category: 'infrastructure',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Sensitive Host Path Mounted in Docker Compose',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isComposeFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          for (const sensitive of SENSITIVE_MOUNT_PATHS) {
+            // Match volume mounts like "- /etc:/something" or "- /var/run/docker.sock:/var/run/docker.sock"
+            const pattern = new RegExp(`^-\\s+${sensitive.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}(:|$)`);
+            if (line.match(pattern)) {
+              findings.push({
+                ruleId: 'INFRA-007', category: 'infrastructure', severity: 'critical',
+                title: `Docker Compose mounts sensitive host path "${sensitive}" — potential host compromise`,
+                description: 'Mounting host root, /etc, /proc, or docker.sock into containers can allow container escape. Use named volumes or restrict paths.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-008: No resource limits in Docker Compose
+  {
+    id: 'INFRA-008',
+    category: 'infrastructure',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Resource Limits in Docker Compose',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isComposeFile(filepath)) continue;
+        const hasLimits = content.includes('mem_limit') ||
+          content.includes('cpus') ||
+          content.includes('memory:') ||
+          content.includes('deploy:') && content.includes('resources:');
+        if (!hasLimits) {
+          findings.push({
+            ruleId: 'INFRA-008', category: 'infrastructure', severity: 'medium',
+            title: 'Docker Compose services have no resource limits (mem_limit, cpus)',
+            description: 'Set memory and CPU limits to prevent a single container from consuming all host resources.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-009: Privileged mode in Docker Compose
+  {
+    id: 'INFRA-009',
+    category: 'infrastructure',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Privileged Mode in Docker Compose',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isComposeFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*privileged\s*:\s*true/i)) {
+            findings.push({
+              ruleId: 'INFRA-009', category: 'infrastructure', severity: 'critical',
+              title: 'Docker Compose service runs in privileged mode — full host access',
+              description: 'Privileged mode gives the container full access to the host. Use specific capabilities (cap_add) instead.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-010: No logging driver configured
+  {
+    id: 'INFRA-010',
+    category: 'infrastructure',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'No Logging Driver Configured',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (isTestFile(filepath)) continue;
+        if (!isComposeFile(filepath)) continue;
+        const hasLogging = content.includes('logging:') || content.includes('log_driver') || content.includes('log_opt');
+        if (!hasLogging) {
+          findings.push({
+            ruleId: 'INFRA-010', category: 'infrastructure', severity: 'low',
+            title: 'Docker Compose has no logging driver configured — logs may be unbounded',
+            description: 'Configure a logging driver (json-file with max-size, or a centralized driver like fluentd/awslogs) to prevent disk exhaustion.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-001: Secrets in ENV instruction
+  { id: 'INFRA-DOCKER-001', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Secrets in Dockerfile ENV Instruction',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isDockerfile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*ENV\s+/) && lines[i].match(/(?:password|secret|key|token|apikey|credential)/i)) {
+            findings.push({ ruleId: 'INFRA-DOCKER-001', category: 'infrastructure', severity: 'critical',
+              title: 'Secret in Dockerfile ENV — visible in image layers and docker inspect',
+              description: 'Pass secrets at runtime via --env-file or Docker secrets. Never bake secrets into images.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-002: curl|bash pattern
+  { id: 'INFRA-DOCKER-002', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Remote Script Execution in Dockerfile',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isDockerfile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/curl.*\|\s*(?:bash|sh)|wget.*\|\s*(?:bash|sh)/)) {
+            findings.push({ ruleId: 'INFRA-DOCKER-002', category: 'infrastructure', severity: 'critical',
+              title: 'curl|bash in Dockerfile — remote script execution without integrity check',
+              description: 'Download scripts to a file, verify the checksum, then execute. curl|bash is a supply chain attack vector.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-003: No multi-stage build
+  { id: 'INFRA-DOCKER-003', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Multi-Stage Docker Build',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isDockerfile(fp)) continue;
+        if ((c.match(/^\s*FROM\s+/gim) || []).length < 2) {
+          findings.push({ ruleId: 'INFRA-DOCKER-003', category: 'infrastructure', severity: 'medium',
+            title: 'Single-stage Dockerfile — dev dependencies included in production image',
+            description: 'Use multi-stage builds (FROM node AS build ... FROM node:alpine) to keep production images small and secure.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-004: Package cache not cleared
+  { id: 'INFRA-DOCKER-004', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Package Cache Not Cleared in Dockerfile',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isDockerfile(fp)) continue;
+        if (c.match(/apt-get install/) && !c.match(/rm -rf \/var\/cache\/apt|apt-get clean/)) {
+          findings.push({ ruleId: 'INFRA-DOCKER-004', category: 'infrastructure', severity: 'low',
+            title: 'apt-get cache not cleared — unnecessary bloat in image layers',
+            description: 'Add && rm -rf /var/cache/apt/lists/* after apt-get install to reduce image size.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-001: No resource limits
+  { id: 'INFRA-K8S-001', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Pod Without Resource Limits',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*Deployment|kind:\s*StatefulSet/) && !c.match(/\blimits\s*:/)) {
+          findings.push({ ruleId: 'INFRA-K8S-001', category: 'infrastructure', severity: 'high',
+            title: 'Kubernetes deployment without resource limits — pod can starve neighbors',
+            description: 'Set resources.requests and resources.limits for CPU and memory on all pods.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-002: No liveness/readiness probes
+  { id: 'INFRA-K8S-002', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'K8s Deployment Without Health Probes',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*Deployment/) && !c.match(/livenessProbe|readinessProbe/)) {
+          findings.push({ ruleId: 'INFRA-K8S-002', category: 'infrastructure', severity: 'high',
+            title: 'Kubernetes deployment without liveness/readiness probes',
+            description: 'Without probes K8s cannot detect unhealthy pods. Add livenessProbe and readinessProbe with /health endpoint.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-003: Secrets in ConfigMap
+  { id: 'INFRA-K8S-003', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Secrets in Kubernetes ConfigMap',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*ConfigMap/) && c.match(/(?:password|secret|token|api.key):/i)) {
+          findings.push({ ruleId: 'INFRA-K8S-003', category: 'infrastructure', severity: 'critical',
+            title: 'Secret-like values in ConfigMap — use kind: Secret or external secrets manager',
+            description: 'ConfigMaps are stored unencrypted. Use Kubernetes Secrets, or better, an external secrets manager (Vault, AWS Secrets Manager).', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-004: No pod autoscaler
+  { id: 'INFRA-K8S-004', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Horizontal Pod Autoscaler',
+    check({ files }) {
+      const hasDeployment = [...files.values()].some(c => c.match(/kind:\s*Deployment/));
+      const hasHPA = [...files.values()].some(c => c.includes('HorizontalPodAutoscaler'));
+      if (hasDeployment && !hasHPA) {
+        return [{ ruleId: 'INFRA-K8S-004', category: 'infrastructure', severity: 'medium',
+          title: 'No HorizontalPodAutoscaler configured — fixed replica count under load',
+          description: 'Add an HPA to automatically scale pods based on CPU/memory. Fixed replica counts waste resources or fail under traffic spikes.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // INFRA-CLOUD-001: SSH open to all IPs
+  { id: 'INFRA-CLOUD-001', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'SSH Port Open to Internet',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|json|ya?ml)$/)) continue;
+        if (c.match(/0\.0\.0\.0\/0|:\/0/) && c.match(/port.*22\b|from_port.*22|toPort.*22/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-001', category: 'infrastructure', severity: 'critical',
+            title: 'Security group allows SSH (port 22) from 0.0.0.0/0',
+            description: 'Restrict SSH access to specific IPs or use a bastion host. Open SSH is the leading cause of cloud server compromise.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-002: Database publicly accessible
+  { id: 'INFRA-CLOUD-002', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Database Publicly Accessible',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|json|ya?ml)$/)) continue;
+        if (c.match(/publicly_accessible\s*=\s*true|PubliclyAccessible.*true/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-002', category: 'infrastructure', severity: 'critical',
+            title: 'RDS instance configured as publicly accessible',
+            description: 'Databases must never be publicly accessible. Place in a private subnet and connect through the application layer.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-003: Hardcoded creds in Terraform
+  { id: 'INFRA-CLOUD-003', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Hardcoded Credentials in Terraform',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.tf')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:access_key|secret_key|password)\s*=\s*["'][^"'${}]+["']/)) {
+            findings.push({ ruleId: 'INFRA-CLOUD-003', category: 'infrastructure', severity: 'critical',
+              title: 'Hardcoded credential in Terraform configuration',
+              description: 'Use TF_VAR_ environment variables or a secrets manager. Never commit credentials to version control.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-004: No remote Terraform state
+  { id: 'INFRA-CLOUD-004', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No Remote Terraform State Backend',
+    check({ files }) {
+      const hasTf = [...files.keys()].some(f => f.endsWith('.tf'));
+      const hasBackend = [...files.values()].some(c => c.match(/backend\s+"(?:s3|gcs|azurerm|remote)"/));
+      if (hasTf && !hasBackend) {
+        return [{ ruleId: 'INFRA-CLOUD-004', category: 'infrastructure', severity: 'high',
+          title: 'No remote Terraform state backend — state stored locally',
+          description: 'Use S3+DynamoDB or Terraform Cloud for state. Local state cannot be shared and is lost if the machine is destroyed.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // INFRA-CLOUD-005: IAM admin policy
+  { id: 'INFRA-CLOUD-005', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'IAM Policy Grants Full Admin Access',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|json)$/)) continue;
+        if (c.match(/AdministratorAccess/) || c.match(/"Action"\s*:\s*"\*".*"Resource"\s*:\s*"\*"/s)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-005', category: 'infrastructure', severity: 'critical',
+            title: 'IAM policy grants unrestricted admin access (Action: *, Resource: *)',
+            description: 'Apply least-privilege. Grant only the specific actions and resources this role needs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-006: RDS without encryption
+  { id: 'INFRA-CLOUD-006', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'RDS Without Encryption at Rest',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.tf')) continue;
+        if (c.match(/resource\s+"aws_db_instance"/) && !c.match(/storage_encrypted\s*=\s*true/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-006', category: 'infrastructure', severity: 'high',
+            title: 'RDS instance without storage_encrypted = true',
+            description: 'Enable encryption at rest. Required for HIPAA, PCI DSS, and SOC 2 compliance.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-007: No tfsec/checkov in CI
+  { id: 'INFRA-CLOUD-007', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No IaC Security Scanner in CI',
+    check({ files }) {
+      const hasTf = [...files.keys()].some(f => f.endsWith('.tf'));
+      if (!hasTf) return [];
+      const hasScan = [...files.values()].some(c => c.match(/tfsec|checkov|terrascan|trivy.*config/));
+      if (!hasScan) {
+        return [{ ruleId: 'INFRA-CLOUD-007', category: 'infrastructure', severity: 'medium',
+          title: 'No IaC security scanner (tfsec, checkov) in CI pipeline',
+          description: 'Add tfsec or checkov to catch Terraform misconfigurations before they reach production.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // INFRA-CLOUD-008: K8s ingress without TLS
+  { id: 'INFRA-CLOUD-008', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Ingress Without TLS',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*Ingress/) && !c.match(/\btls\b:/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-008', category: 'infrastructure', severity: 'high',
+            title: 'Kubernetes Ingress without TLS — serving HTTP in production',
+            description: "Add tls: section and use cert-manager with Let's Encrypt for automatic HTTPS.", file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-009: Kubernetes Pod running as root
+  { id: 'INFRA-K8S-009', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Pod Running as Root',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*(?:Pod|Deployment|StatefulSet|DaemonSet)/)) {
+          if (!c.match(/runAsNonRoot:\s*true|runAsUser:\s*[1-9]/) ) {
+            findings.push({ ruleId: 'INFRA-K8S-009', category: 'infrastructure', severity: 'high', title: 'Kubernetes workload may run as root — privilege escalation risk', description: 'Set securityContext.runAsNonRoot: true and runAsUser: 1000. Running as root in containers enables container escape exploits.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-010: Privileged container
+  { id: 'INFRA-K8S-010', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes Privileged Container',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/privileged:\s*true/)) {
+          findings.push({ ruleId: 'INFRA-K8S-010', category: 'infrastructure', severity: 'critical', title: 'Privileged container — has full access to host system', description: 'Remove privileged: true. Privileged containers can access all host devices and escape the container namespace. Use specific capabilities instead.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-011: hostNetwork: true
+  { id: 'INFRA-K8S-011', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Pod Using Host Network',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/hostNetwork:\s*true|hostPID:\s*true|hostIPC:\s*true/)) {
+          findings.push({ ruleId: 'INFRA-K8S-011', category: 'infrastructure', severity: 'high', title: 'Pod using hostNetwork/hostPID/hostIPC — breaks container isolation', description: 'Remove hostNetwork/hostPID/hostIPC. These settings allow the container to see host processes and network interfaces, defeating isolation.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-012: No network policy
+  { id: 'INFRA-K8S-012', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Kubernetes NetworkPolicy',
+    check({ files }) {
+      const findings = [];
+      const hasDeployment = [...files.entries()].some(([fp, c]) => fp.match(/\.(yaml|yml)$/) && c.match(/kind:\s*Deployment/));
+      const hasNetPolicy = [...files.values()].some(c => c.match(/kind:\s*NetworkPolicy/));
+      if (hasDeployment && !hasNetPolicy) {
+        findings.push({ ruleId: 'INFRA-K8S-012', category: 'infrastructure', severity: 'medium', title: 'No Kubernetes NetworkPolicy — all pods can communicate with each other', description: 'Define NetworkPolicy to restrict pod-to-pod traffic. Default deny-all ingress then allowlist required connections implements least-privilege networking.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-013: No PodDisruptionBudget
+  { id: 'INFRA-K8S-013', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No PodDisruptionBudget for Production Deployments',
+    check({ files }) {
+      const findings = [];
+      const hasDeployment = [...files.entries()].some(([fp, c]) => fp.match(/\.(yaml|yml)$/) && c.match(/kind:\s*Deployment/) && c.match(/replicas:\s*[2-9]/));
+      const hasPDB = [...files.values()].some(c => c.match(/kind:\s*PodDisruptionBudget/));
+      if (hasDeployment && !hasPDB) {
+        findings.push({ ruleId: 'INFRA-K8S-013', category: 'infrastructure', severity: 'medium', title: 'Multi-replica Deployment without PodDisruptionBudget', description: 'Add PodDisruptionBudget with minAvailable: 1. Without PDB, node maintenance can take down all replicas simultaneously.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-014: Image pull policy Always missing for mutable tags
+  { id: 'INFRA-K8S-014', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Mutable Docker Tag Without imagePullPolicy: Always',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/image:\s*\w.*:latest/) && !lines.slice(i, i + 5).join('\n').match(/imagePullPolicy:\s*Always/)) {
+            findings.push({ ruleId: 'INFRA-K8S-014', category: 'infrastructure', severity: 'medium', title: 'Using :latest tag without imagePullPolicy: Always — may run stale image', description: 'Pin to a specific tag or digest and set imagePullPolicy: Always. The :latest tag is mutable and cached nodes may run old versions.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-001: Terraform state not encrypted
+  { id: 'INFRA-TF-001', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform Remote State Not Encrypted',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/) && !fp.match(/backend\.tf/)) continue;
+        if (c.match(/backend\s+"s3"/i) && !c.match(/encrypt\s*=\s*true/)) {
+          findings.push({ ruleId: 'INFRA-TF-001', category: 'infrastructure', severity: 'high', title: 'Terraform S3 backend without encryption', description: 'Add encrypt = true to S3 backend config. Terraform state contains sensitive values including secrets and resource IDs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-002: Terraform state locking disabled
+  { id: 'INFRA-TF-002', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform State Without Locking',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/backend\s+"s3"/i) && !c.match(/dynamodb_table/)) {
+          findings.push({ ruleId: 'INFRA-TF-002', category: 'infrastructure', severity: 'high', title: 'S3 backend without DynamoDB lock table — concurrent applies will corrupt state', description: 'Add dynamodb_table = "terraform-lock" to backend config. Without locking, concurrent terraform apply commands corrupt state.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-003: Wildcard resource in IAM policy
+  { id: 'INFRA-TF-003', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'IAM Policy with Wildcard Resource',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|json)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/"Resource"\s*:\s*['"]\*['"]/i) || lines[i].match(/resource\s*=\s*['"]\*['"]/i)) {
+            findings.push({ ruleId: 'INFRA-TF-003', category: 'infrastructure', severity: 'high', title: 'IAM policy with Resource: "*" — violates least privilege', description: 'Specify exact ARNs: arn:aws:s3:::my-bucket/*. Wildcard resources grant permissions to all resources of that type.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-004: No provider version pinning
+  { id: 'INFRA-TF-004', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform Provider Without Version Constraint',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/required_providers/i) && !c.match(/version\s*=\s*["']~>|version\s*=\s*["']>=/)) {
+          findings.push({ ruleId: 'INFRA-TF-004', category: 'infrastructure', severity: 'medium', title: 'Terraform provider without version constraint — may break on provider update', description: 'Pin providers: version = "~> 5.0". Unpinned providers upgrade automatically and may introduce breaking changes.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-005: Public S3 bucket in Terraform
+  { id: 'INFRA-TF-005', category: 'infrastructure', severity: 'critical', confidence: 'likely', title: 'Terraform S3 Bucket Publicly Accessible',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/acl\s*=\s*["']public-read(?:-write)?["']/i)) {
+          findings.push({ ruleId: 'INFRA-TF-005', category: 'infrastructure', severity: 'critical', title: 'S3 bucket with public ACL — data exposed to internet', description: 'Remove public ACL and enable aws_s3_bucket_public_access_block with all options set to true.', file: fp, fix: null });
+        }
+        if (c.match(/block_public_acls\s*=\s*false|block_public_policy\s*=\s*false/i)) {
+          findings.push({ ruleId: 'INFRA-TF-005', category: 'infrastructure', severity: 'critical', title: 'S3 public access block disabled — bucket accessible from internet', description: 'Set block_public_acls, block_public_policy, ignore_public_acls, and restrict_public_buckets all to true.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-006: No VPC for database instances
+  { id: 'INFRA-TF-006', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Database Instance Without VPC',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_db_instance|aws_rds_cluster/i) && !c.match(/vpc_security_group_ids|db_subnet_group_name/i)) {
+          findings.push({ ruleId: 'INFRA-TF-006', category: 'infrastructure', severity: 'high', title: 'RDS instance without VPC configuration — may be publicly accessible', description: 'Configure vpc_security_group_ids and db_subnet_group_name. Databases must be in a private VPC subnet with restricted security groups.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-005: Docker container without read-only filesystem
+  { id: 'INFRA-DOCKER-005', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Container Without Read-Only Root Filesystem',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/) && !fp.endsWith('Dockerfile')) continue;
+        if (c.match(/kind:\s*(?:Pod|Deployment)/i) && !c.match(/readOnlyRootFilesystem:\s*true/)) {
+          findings.push({ ruleId: 'INFRA-DOCKER-005', category: 'infrastructure', severity: 'medium', title: 'Container without readOnlyRootFilesystem: true', description: 'Set securityContext.readOnlyRootFilesystem: true. Prevents attackers from writing malicious files after gaining code execution.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-006: Exposed secrets in Docker build args
+  { id: 'INFRA-DOCKER-006', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Secrets in Docker Build Args',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/docker-compose\.ya?ml/i)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/ARG\s+(?:PASSWORD|SECRET|API_KEY|TOKEN|PRIVATE)/i) || lines[i].match(/--build-arg\s+(?:PASSWORD|SECRET|API_KEY|TOKEN)/i)) {
+            findings.push({ ruleId: 'INFRA-DOCKER-006', category: 'infrastructure', severity: 'high', title: 'Secret passed as Docker build argument — embedded in image layer history', description: 'Use Docker BuildKit secrets (--mount=type=secret) or multi-stage builds. Build ARG values are visible in docker history.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-007: No HEALTHCHECK in Dockerfile
+  { id: 'INFRA-DOCKER-007', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Dockerfile Without HEALTHCHECK',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        if (!c.match(/^HEALTHCHECK\s/m)) {
+          findings.push({ ruleId: 'INFRA-DOCKER-007', category: 'infrastructure', severity: 'low', title: 'Dockerfile without HEALTHCHECK instruction', description: 'Add HEALTHCHECK CMD curl -f http://localhost:8080/health || exit 1. Docker orchestrators use healthchecks to restart unhealthy containers.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-008: Running as root in Dockerfile
+  { id: 'INFRA-DOCKER-008', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Dockerfile Runs as Root User',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        if (!c.match(/^USER\s+(?!root)/m)) {
+          findings.push({ ruleId: 'INFRA-DOCKER-008', category: 'infrastructure', severity: 'high', title: 'Dockerfile has no USER instruction — container runs as root', description: 'Add USER node or USER 1001 before CMD. Running containers as root enables privilege escalation if the app is compromised.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-009: Using ADD instead of COPY in Dockerfile
+  { id: 'INFRA-DOCKER-009', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Dockerfile Uses ADD Instead of COPY',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^ADD\s+/) && !lines[i].match(/https?:\/\//)) {
+            findings.push({ ruleId: 'INFRA-DOCKER-009', category: 'infrastructure', severity: 'low', title: 'Dockerfile uses ADD for local file — prefer COPY', description: 'Use COPY for local files. ADD auto-extracts tarballs and can fetch URLs, which is surprising and potentially dangerous.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-009: Security group allows all outbound
+  { id: 'INFRA-CLOUD-009', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Security Group Allows All Outbound Traffic',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        if (c.match(/egress|outbound/i) && c.match(/0\.0\.0\.0\/0|:\/0/) && c.match(/-1|all.*protocol|protocol.*all/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-009', category: 'infrastructure', severity: 'medium', title: 'Security group allows unrestricted outbound traffic', description: 'Restrict egress to known destinations (database, external APIs). Unlimited outbound enables data exfiltration if the instance is compromised.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-010: No CloudTrail logging
+  { id: 'INFRA-CLOUD-010', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No AWS CloudTrail Configured',
+    check({ files }) {
+      const findings = [];
+      const isAWS = [...files.keys()].some(f => f.match(/\.tf$|CloudFormation|cdk/i)) && [...files.values()].some(c => c.match(/aws_|AWS::/));
+      if (!isAWS) return findings;
+      const hasTrail = [...files.values()].some(c => c.match(/aws_cloudtrail|CloudTrail|cloudtrail/i));
+      if (!hasTrail) {
+        findings.push({ ruleId: 'INFRA-CLOUD-010', category: 'infrastructure', severity: 'high', title: 'No AWS CloudTrail detected — API calls not being logged', description: 'Enable CloudTrail in all regions. CloudTrail is required for security investigations, compliance audits, and detecting unauthorized API calls.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-011: RDS instance publicly accessible
+  { id: 'INFRA-CLOUD-011', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS Instance Publicly Accessible',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_db_instance/i) && c.match(/publicly_accessible\s*=\s*true/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-011', category: 'infrastructure', severity: 'critical', title: 'RDS database publicly accessible from internet', description: 'Set publicly_accessible = false. Databases must only be accessible from within the VPC. Use bastion hosts or VPN for admin access.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-012: EC2 without IMDSv2
+  { id: 'INFRA-CLOUD-012', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'EC2 Instance Without IMDSv2',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_instance\b/i) && !c.match(/http_tokens\s*=\s*["']required['"]/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-012', category: 'infrastructure', severity: 'high', title: 'EC2 instance without IMDSv2 enforcement — SSRF can steal instance credentials', description: 'Set metadata_options { http_tokens = "required" }. IMDSv2 prevents SSRF attacks from stealing IAM instance role credentials.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-013: No VPC Flow Logs
+  { id: 'INFRA-CLOUD-013', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'VPC Without Flow Logs',
+    check({ files }) {
+      const findings = [];
+      const hasVPC = [...files.values()].some(c => c.match(/aws_vpc\b|resource.*vpc/i));
+      const hasFlowLogs = [...files.values()].some(c => c.match(/aws_flow_log|flow_logs|FlowLog/i));
+      if (hasVPC && !hasFlowLogs) {
+        findings.push({ ruleId: 'INFRA-CLOUD-013', category: 'infrastructure', severity: 'medium', title: 'VPC without Flow Logs — network traffic not monitored', description: 'Enable VPC Flow Logs to CloudWatch or S3. Flow logs are essential for detecting network-based attacks and investigating incidents.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-014: No WAF on public-facing API
+  { id: 'INFRA-CLOUD-014', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Public API Without WAF',
+    check({ files }) {
+      const findings = [];
+      const hasAPI = [...files.values()].some(c => c.match(/aws_api_gateway|aws_lb|ApplicationLoadBalancer|ApiGateway/i));
+      const hasWAF = [...files.values()].some(c => c.match(/aws_wafv2|waf_web_acl|WafWebAcl|AWS::WAFv2/i));
+      if (hasAPI && !hasWAF) {
+        findings.push({ ruleId: 'INFRA-CLOUD-014', category: 'infrastructure', severity: 'medium', title: 'Public API Gateway/ALB without WAF — no automated threat protection', description: 'Associate WAFv2 Web ACL with API Gateway and ALB. WAF blocks SQL injection, XSS, and bot traffic before reaching your application.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-015: Lambda without VPC for DB access
+  { id: 'INFRA-CLOUD-015', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Lambda Function Accessing Database Without VPC',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_lambda_function/i) && !c.match(/vpc_config/i)) {
+          const allCode = [...files.values()].join('\n');
+          if (allCode.match(/aws_db_instance|aws_rds_cluster|aws_elasticache/i)) {
+            findings.push({ ruleId: 'INFRA-CLOUD-015', category: 'infrastructure', severity: 'medium', title: 'Lambda function without VPC config — cannot securely reach private database', description: 'Configure vpc_config with private subnet IDs to place Lambda in VPC. Required for secure RDS/ElastiCache access.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-MON-001: No alerting configured
+  { id: 'INFRA-MON-001', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Infrastructure Alerting',
+    check({ files }) {
+      const findings = [];
+      const hasAlerts = [...files.values()].some(c => c.match(/aws_cloudwatch_metric_alarm|PagerDuty|OpsGenie|Slack.*alert|AlertManager|prometheus.*alert/i));
+      const hasInfra = [...files.keys()].some(f => f.match(/\.tf$|\.(yaml|yml)$/));
+      if (hasInfra && !hasAlerts) {
+        findings.push({ ruleId: 'INFRA-MON-001', category: 'infrastructure', severity: 'medium', title: 'No infrastructure alerting configured — incidents not automatically detected', description: 'Configure CloudWatch alarms, PagerDuty, or AlertManager. Alert on: error rate, CPU, memory, disk, and latency p99.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-MON-002: No log aggregation
+  { id: 'INFRA-MON-002', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Centralized Log Aggregation',
+    check({ files }) {
+      const findings = [];
+      const hasLogs = [...files.values()].some(c => c.match(/elasticsearch|opensearch|splunk|datadog|loggly|papertrail|CloudWatch.*Logs|loki|fluentd|logstash/i));
+      const hasApp = [...files.keys()].some(f => f.endsWith('package.json'));
+      if (hasApp && !hasLogs) {
+        findings.push({ ruleId: 'INFRA-MON-002', category: 'infrastructure', severity: 'medium', title: 'No log aggregation service detected', description: 'Configure centralized logging (CloudWatch Logs, Datadog, or ELK stack). Without aggregation, debugging incidents requires SSH access to each server.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-MON-003: No infrastructure-as-code for monitoring
+  { id: 'INFRA-MON-003', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Monitoring Not Defined as Code',
+    check({ files }) {
+      const findings = [];
+      const hasTerraform = [...files.keys()].some(f => f.match(/\.tf$/));
+      const hasMonitoring = [...files.values()].some(c => c.match(/aws_cloudwatch|datadog_monitor|grafana.*dashboard|prometheus/i));
+      if (hasTerraform && !hasMonitoring) {
+        findings.push({ ruleId: 'INFRA-MON-003', category: 'infrastructure', severity: 'low', title: 'No monitoring resources in Terraform — monitoring not managed as code', description: 'Define CloudWatch dashboards and alarms in Terraform. Infrastructure-as-code for monitoring ensures monitoring survives environment rebuilds.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-NET-001: Unrestricted ICMP
+  { id: 'INFRA-NET-001', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Security Group Allows All ICMP',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        if (c.match(/protocol.*icmp|icmp.*protocol/i) && c.match(/0\.0\.0\.0\/0/) && c.match(/ingress|inbound/i)) {
+          findings.push({ ruleId: 'INFRA-NET-001', category: 'infrastructure', severity: 'low', title: 'Security group allows all ICMP from internet — enables ping sweeps', description: 'Restrict ICMP to VPC CIDR only. Unrestricted ICMP enables network mapping and can be used in amplification attacks.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-NET-002: Open all ports between services
+  { id: 'INFRA-NET-002', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Unrestricted Intra-Service Networking',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*NetworkPolicy/i) && c.match(/podSelector:\s*\{\}/i) && c.match(/namespaceSelector:\s*\{\}/i)) {
+          findings.push({ ruleId: 'INFRA-NET-002', category: 'infrastructure', severity: 'high', title: 'NetworkPolicy allows traffic from any namespace — no namespace isolation', description: 'Restrict namespaceSelector to specific namespaces. Wildcard namespace selectors allow any pod in the cluster to communicate.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-007: Sensitive Terraform output not marked sensitive
+  { id: 'INFRA-TF-007', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform Output With Sensitive Data Not Marked',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^output\s+["']\w*(password|secret|key|token)\w*["']/i)) {
+            const block = lines.slice(i, i + 10).join('\n');
+            if (!block.match(/sensitive\s*=\s*true/)) {
+              findings.push({ ruleId: 'INFRA-TF-007', category: 'infrastructure', severity: 'high', title: 'Terraform output containing secret not marked sensitive = true', description: 'Add sensitive = true to outputs containing passwords/keys. Without it, the value is shown in plaintext in terraform plan/apply output.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-015: No PodSecurityPolicy/PodSecurityAdmission
+  { id: 'INFRA-K8S-015', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No Pod Security Standards Enforced',
+    check({ files }) {
+      const findings = [];
+      const hasDeployment = [...files.entries()].some(([fp, c]) => fp.match(/\.(yaml|yml)$/) && c.match(/kind:\s*Deployment/));
+      const hasPSA = [...files.values()].some(c => c.match(/pod-security\.kubernetes\.io|PodSecurityPolicy|securityContext:/i));
+      if (hasDeployment && !hasPSA) {
+        findings.push({ ruleId: 'INFRA-K8S-015', category: 'infrastructure', severity: 'high', title: 'No Pod Security Standards/Admission controller configured', description: 'Add pod-security.kubernetes.io/enforce: restricted label to namespaces. Without PSA, pods can request any capabilities.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-016: No resource quotas on namespace
+  { id: 'INFRA-K8S-016', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Kubernetes Resource Quotas',
+    check({ files }) {
+      const findings = [];
+      const hasNamespace = [...files.values()].some(c => c.match(/kind:\s*Namespace/i));
+      const hasQuota = [...files.values()].some(c => c.match(/kind:\s*ResourceQuota/i));
+      if (hasNamespace && !hasQuota) {
+        findings.push({ ruleId: 'INFRA-K8S-016', category: 'infrastructure', severity: 'medium', title: 'Kubernetes namespace without ResourceQuota', description: 'Add ResourceQuota to limit CPU, memory, and pod count per namespace. Without quotas, one misbehaving app can starve all others.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-016: No GuardDuty / Threat Detection
+  { id: 'INFRA-CLOUD-016', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No Cloud Threat Detection Service',
+    check({ files }) {
+      const findings = [];
+      const isAWS = [...files.values()].some(c => c.match(/aws_|AWS::/));
+      const hasGuardDuty = [...files.values()].some(c => c.match(/aws_guardduty|GuardDuty|security_hub|aws_securityhub/i));
+      if (isAWS && !hasGuardDuty) {
+        findings.push({ ruleId: 'INFRA-CLOUD-016', category: 'infrastructure', severity: 'high', title: 'No AWS GuardDuty — threat detection not enabled', description: 'Enable GuardDuty in all regions. GuardDuty detects: compromised instances, unusual API calls, Bitcoin mining, data exfiltration, and more.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-017: No AWS Config rules
+  { id: 'INFRA-CLOUD-017', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No AWS Config for Compliance Monitoring',
+    check({ files }) {
+      const findings = [];
+      const isAWS = [...files.values()].some(c => c.match(/aws_|AWS::/));
+      const hasConfig = [...files.values()].some(c => c.match(/aws_config|AWS::Config|AWSConfig/i));
+      if (isAWS && !hasConfig) {
+        findings.push({ ruleId: 'INFRA-CLOUD-017', category: 'infrastructure', severity: 'medium', title: 'No AWS Config — resource compliance not continuously monitored', description: 'Enable AWS Config to track resource changes and evaluate against compliance rules. Required for SOC 2, PCI DSS, and HIPAA on AWS.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-DOCKER-010: Docker layer cache not optimized
+  { id: 'INFRA-DOCKER-010', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Dockerfile Layer Order Not Optimized for Cache',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        const lines = c.split('\n');
+        let copyIdx = -1, npmIdx = -1;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^COPY\s+\.\s+\.|^ADD\s+\.\s+\./)) copyIdx = i;
+          if (lines[i].match(/npm\s+(?:ci|install)|yarn\s+install|pnpm\s+install/)) npmIdx = i;
+        }
+        if (copyIdx >= 0 && npmIdx >= 0 && copyIdx < npmIdx) {
+          findings.push({ ruleId: 'INFRA-DOCKER-010', category: 'infrastructure', severity: 'low', title: 'COPY . before npm install — code changes invalidate dependency cache', description: 'Copy package*.json first, run npm install, then COPY . . This caches node_modules when only source code changes, speeding builds 5-10x.', file: fp, line: copyIdx + 1, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-018: No KMS encryption for secrets
+  { id: 'INFRA-CLOUD-018', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Secrets Manager Without KMS Customer-Managed Key',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_secretsmanager_secret\b/i) && !c.match(/kms_key_id/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-018', category: 'infrastructure', severity: 'high', title: 'Secrets Manager secret without KMS customer-managed key', description: 'Add kms_key_id to use a customer-managed KMS key. Without CMK, AWS uses shared keys — CMK enables access control and audit via CloudTrail.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-019: IAM role with inline policy
+  { id: 'INFRA-CLOUD-019', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'IAM Role With Inline Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_iam_role_policy\b/i) && !c.match(/aws_iam_role_policy_attachment/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-019', category: 'infrastructure', severity: 'medium', title: 'IAM role with inline policy — use managed policies for reusability', description: 'Use aws_iam_policy + aws_iam_role_policy_attachment. Inline policies cannot be reused across roles and are harder to audit.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-020: No S3 object versioning for Terraform state bucket
+  { id: 'INFRA-CLOUD-020', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform State S3 Bucket Without Versioning',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/backend\s+"s3"/i) && !c.match(/versioning.*enabled|versioning_configuration.*ENABLED/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-020', category: 'infrastructure', severity: 'high', title: 'Terraform state bucket without versioning — state corruption is unrecoverable', description: 'Enable versioning on the S3 bucket storing Terraform state. State file corruption without versioning permanently destroys infrastructure tracking.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-017: ConfigMap with sensitive data
+  { id: 'INFRA-K8S-017', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes ConfigMap Storing Secrets',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*ConfigMap/i)) {
+          if (c.match(/password|secret|api_key|token|credential/i)) {
+            findings.push({ ruleId: 'INFRA-K8S-017', category: 'infrastructure', severity: 'high', title: 'Kubernetes ConfigMap contains what appears to be secret data', description: 'Move secrets to kind: Secret (with encryption at rest) or use external secrets operator (Vault, AWS Secrets Manager). ConfigMaps are not encrypted.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-018: No resource requests (only limits)
+  { id: 'INFRA-K8S-018', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes Container Without Resource Requests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*(?:Pod|Deployment|StatefulSet)/i) && c.match(/limits:/)) {
+          if (!c.match(/requests:/)) {
+            findings.push({ ruleId: 'INFRA-K8S-018', category: 'infrastructure', severity: 'medium', title: 'Container has limits but no resource requests — scheduler cannot make optimal placement', description: 'Add resources.requests matching your typical usage. Without requests, Kubernetes cannot schedule pods efficiently and may cause node oversubscription.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-008: No module versioning
+  { id: 'INFRA-TF-008', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform Module Without Version Pin',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/source\s*=\s*["']registry\.terraform\.io|source\s*=\s*["']\w+\//i)) {
+            if (!lines.slice(i, i + 5).join('\n').match(/version\s*=/)) {
+              findings.push({ ruleId: 'INFRA-TF-008', category: 'infrastructure', severity: 'medium', title: 'Terraform module without version constraint — automatically uses latest', description: 'Pin module versions: version = "~> 3.0". Unpinned modules break infrastructure on their next release.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-MON-004: No log retention for compliance
+  { id: 'INFRA-MON-004', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Logs Without Compliance Retention Period',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        if (c.match(/log_group|LogGroup|cloudwatch.*log/i) && !c.match(/retention.*days.*(?:30|60|90|180|365|730|1827|3653)|RetentionInDays/i)) {
+          findings.push({ ruleId: 'INFRA-MON-004', category: 'infrastructure', severity: 'medium', title: 'Log group without retention policy for compliance', description: 'Set retention: PCI DSS requires 1 year, HIPAA 6 years, SOC 2 typically 90 days. Infinite retention is expensive; too short fails compliance audits.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-CLOUD-021: Lambda without dead letter queue
+  { id: 'INFRA-CLOUD-021', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Lambda Without Dead Letter Queue',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|serverless\.ya?ml|sam\.ya?ml/i)) continue;
+        if (c.match(/aws_lambda_function|Lambda\s*:/i)) {
+          if (!c.match(/dead_letter_config|DeadLetterConfig|dlq|dead.*letter/i)) {
+            findings.push({ ruleId: 'INFRA-CLOUD-021', category: 'infrastructure', severity: 'medium', title: 'Lambda function without Dead Letter Queue — failed invocations lost silently', description: 'Configure dead_letter_config with an SQS queue or SNS topic. Without DLQ, failed async Lambda invocations are lost without alerting.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-NET-003: No DNS TTL optimization
+  { id: 'INFRA-NET-003', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'DNS Records With High TTL (Slow Failover)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        const match = c.match(/ttl\s*=\s*(\d+)/i);
+        if (match && parseInt(match[1]) > 300 && c.match(/A\s*record|CNAME|failover|health.*check/i)) {
+          findings.push({ ruleId: 'INFRA-NET-003', category: 'infrastructure', severity: 'low', title: `DNS TTL of ${match[1]}s — slow failover during outages`, description: 'Set TTL to 60s for DNS records used with health checks or failover. High TTL means users cache the old IP for minutes during incidents.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-K8S-019: No startup probe for slow-starting containers
+  { id: 'INFRA-K8S-019', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Startup Probe for Slow-Starting Container',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/initialDelaySeconds:\s*([6-9]\d|[1-9]\d\d)/) && !c.match(/startupProbe:/)) {
+          findings.push({ ruleId: 'INFRA-K8S-019', category: 'infrastructure', severity: 'medium', title: 'Long initialDelaySeconds without startup probe', description: 'Use startupProbe instead of initialDelaySeconds for slow-starting apps. startupProbe delays other probes until app is ready without fixed delay.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-022: CloudFront without WAF
+  { id: 'INFRA-CLOUD-022', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'CloudFront Distribution Without WAF',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_cloudfront_distribution/i) && !c.match(/web_acl_id|waf_web_acl/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-022', category: 'infrastructure', severity: 'medium', title: 'CloudFront distribution without WAF Web ACL', description: 'Associate WAFv2 with CloudFront. WAF at the edge blocks attacks before they reach your origin, reducing origin load and improving protection.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-023: RDS backup retention too short
+  { id: 'INFRA-CLOUD-023', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'RDS Backup Retention Too Short',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const match = c.match(/backup_retention_period\s*=\s*(\d+)/i);
+        if (match && parseInt(match[1]) < 7) {
+          findings.push({ ruleId: 'INFRA-CLOUD-023', category: 'infrastructure', severity: 'medium', title: `RDS backup retention ${match[1]} days — too short for compliance`, description: 'Set backup_retention_period = 7 (minimum). PCI DSS requires 90 days, HIPAA requires 6 years for audit logs. Increase retention for compliance.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-024: No deletion protection on production database
+  { id: 'INFRA-CLOUD-024', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Production Database Without Deletion Protection',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_db_instance\b/i) && !c.match(/deletion_protection\s*=\s*true/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-024', category: 'infrastructure', severity: 'high', title: 'RDS instance without deletion_protection = true', description: 'Set deletion_protection = true for production databases. This prevents accidental terraform destroy from permanently deleting your production database.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-DOCKER-011: Dockerfile using latest base image
+  { id: 'INFRA-DOCKER-011', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Dockerfile Uses :latest Base Image Tag',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^FROM\s+\w[^@\n]*:latest/i)) {
+            findings.push({ ruleId: 'INFRA-DOCKER-011', category: 'infrastructure', severity: 'medium', title: 'Dockerfile FROM uses :latest tag — non-reproducible builds', description: 'Pin to a specific version: FROM node:20.11.0-alpine3.19. :latest changes silently and can break builds or introduce vulnerabilities.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-TF-009: terraform.tfvars with secrets committed
+  { id: 'INFRA-TF-009', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Terraform Variables File With Secrets',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.tfvars') && !fp.endsWith('.tfvars.json')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/password\s*=\s*["'].{4,}|secret\s*=\s*["'].{4,}|api_key\s*=\s*["'].{4,}/i)) {
+            findings.push({ ruleId: 'INFRA-TF-009', category: 'infrastructure', severity: 'critical', title: 'Terraform .tfvars file contains secret values — should not be committed to git', description: 'Add *.tfvars to .gitignore. Use Vault, SSM Parameter Store, or AWS Secrets Manager for secret values. Reference with data.aws_secretsmanager_secret.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-NET-004: Security group ingress from 0.0.0.0 on database port
+  { id: 'INFRA-NET-004', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Database Port Open to Internet',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/from_port\s*=\s*(?:5432|3306|27017|1433|6379|9200)/) && lines.slice(i, i + 10).join('\n').match(/0\.0\.0\.0\/0/)) {
+            findings.push({ ruleId: 'INFRA-NET-004', category: 'infrastructure', severity: 'critical', title: 'Database port open to 0.0.0.0/0 — database accessible from internet', description: 'Restrict database security group ingress to application security group only. Databases must never be publicly accessible.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-025: No encryption at rest for EBS volumes
+  { id: 'INFRA-CLOUD-025', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'EBS Volume Without Encryption at Rest',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_ebs_volume\b|aws_instance\b/i) && !c.match(/encrypted\s*=\s*true/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-025', category: 'infrastructure', severity: 'high', title: 'EBS volume without encryption at rest', description: 'Set encrypted = true for all EBS volumes. Required for HIPAA, PCI DSS. Enable account-level EBS encryption default in AWS settings.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // INFRA-TF-010: No tagging strategy
+  { id: 'INFRA-TF-010', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'No Resource Tagging Strategy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_instance\b|aws_db_instance\b|aws_s3_bucket\b/i)) {
+          if (!c.match(/tags\s*=\s*\{|default_tags|common_tags/i)) {
+            findings.push({ ruleId: 'INFRA-TF-010', category: 'infrastructure', severity: 'low', title: 'AWS resources without consistent tags — cost allocation impossible', description: 'Add tags: Environment, Team, Service, CostCenter. Tags enable cost allocation by team/service and are required for billing analysis.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-K8S-020: No anti-affinity rules for HA
+  { id: 'INFRA-K8S-020', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Pod Anti-Affinity for High Availability',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*Deployment/i) && c.match(/replicas:\s*[2-9]/)) {
+          if (!c.match(/podAntiAffinity|pod.*anti.*affinity/i)) {
+            findings.push({ ruleId: 'INFRA-K8S-020', category: 'infrastructure', severity: 'medium', title: 'Multi-replica Deployment without pod anti-affinity — all pods may land on same node', description: 'Add podAntiAffinity to spread replicas across nodes. Without it, Kubernetes may place all pods on one node, negating HA.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-026: Route53 without health check failover
+  { id: 'INFRA-CLOUD-026', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Route53 Without Health Check Based Failover',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_route53_record/i) && !c.match(/health_check_id|failover|FAILOVER/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-026', category: 'infrastructure', severity: 'medium', title: 'Route53 record without health check failover', description: 'Add Route53 health checks with failover routing. Without health checks, DNS continues directing traffic to failed endpoints.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-027: No SES sending limit monitoring
+  { id: 'INFRA-CLOUD-027', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'SES Without Bounce/Complaint Rate Monitoring',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasSES = allCode.match(/aws.*ses|ses.*send|sendEmail|SESClient/i);
+      const hasMonitor = allCode.match(/bounce.*rate|complaint.*rate|ses.*reputation|ses.*notification/i);
+      if (hasSES && !hasMonitor) {
+        findings.push({ ruleId: 'INFRA-CLOUD-027', category: 'infrastructure', severity: 'medium', title: 'AWS SES without bounce/complaint rate monitoring', description: 'Monitor SES bounce rate (<5%) and complaint rate (<0.1%). AWS suspends sending if rates exceed thresholds, potentially killing all email functionality.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-MON-005: No capacity planning
+  { id: 'INFRA-MON-005', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Disk Space Monitoring',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasDiskMonitor = allCode.match(/disk.*alert|disk.*alarm|diskSpace|node_disk|disk.*usage.*alarm/i);
+      const hasInfra = [...files.keys()].some(f => f.match(/\.tf$/));
+      if (hasInfra && !hasDiskMonitor) {
+        findings.push({ ruleId: 'INFRA-MON-005', category: 'infrastructure', severity: 'medium', title: 'No disk space alerting — disk full causes silent failures', description: 'Alert when disk usage > 80%. Full disks cause databases, log systems, and applications to fail silently or with cryptic errors.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-NET-005: No DDoS protection
+  { id: 'INFRA-NET-005', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No DDoS Protection Service',
+    check({ files }) {
+      const findings = [];
+      const isAWS = [...files.values()].some(c => c.match(/aws_|AWS::/));
+      const hasShield = [...files.values()].some(c => c.match(/aws_shield|Shield.*Advanced|cloudflare|akamai.*ddos/i));
+      if (isAWS && !hasShield) {
+        findings.push({ ruleId: 'INFRA-NET-005', category: 'infrastructure', severity: 'high', title: 'No AWS Shield or DDoS protection configured', description: 'Enable AWS Shield Standard (free) for basic DDoS protection. For critical infrastructure, AWS Shield Advanced provides enhanced protection and DDoS cost protection.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-K8S-021: No Pod Security Standards enforcement
+  { id: 'INFRA-K8S-021', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No Pod Security Standards Labels on Namespaces',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.yaml$|\.yml$/)) continue;
+        if (c.match(/kind:\s*Namespace/)) {
+          if (!c.match(/pod-security\.kubernetes\.io\/(enforce|audit|warn)/)) {
+            findings.push({ ruleId: 'INFRA-K8S-021', category: 'infrastructure', severity: 'high', title: 'Kubernetes Namespace without Pod Security Standards labels', description: 'Add pod-security.kubernetes.io/enforce: restricted label to namespaces. Without PSS enforcement, pods can run as root or with privileged access, violating least-privilege.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-K8S-022: Service account with auto-mounted token
+  { id: 'INFRA-K8S-022', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes ServiceAccount Token Auto-Mounted',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.yaml$|\.yml$/)) continue;
+        if (c.match(/kind:\s*Pod|kind:\s*Deployment/)) {
+          if (!c.match(/automountServiceAccountToken:\s*false/)) {
+            findings.push({ ruleId: 'INFRA-K8S-022', category: 'infrastructure', severity: 'medium', title: 'Pod does not disable automatic ServiceAccount token mounting', description: 'Set automountServiceAccountToken: false if the pod does not need Kubernetes API access. Auto-mounted tokens can be stolen if the pod is compromised and used to access the cluster.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-TF-011: No remote state locking
+  { id: 'INFRA-TF-011', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform Remote State Without Locking',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/backend\s+"s3"/) && !c.match(/dynamodb_table|lock_table/i)) {
+          findings.push({ ruleId: 'INFRA-TF-011', category: 'infrastructure', severity: 'high', title: 'Terraform S3 backend without DynamoDB state locking', description: 'Add dynamodb_table to S3 backend config. Without state locking, concurrent terraform applies corrupt the state file, causing phantom resource creation and deletion.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-028: Lambda without concurrency limits
+  { id: 'INFRA-CLOUD-028', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Lambda Without Reserved or Provisioned Concurrency Limits',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|serverless\.yml|\.yaml$/) ) continue;
+        if (c.match(/aws_lambda_function|handler:.*\.handler/i)) {
+          if (!c.match(/reserved_concurrent_executions|provisioned_concurrent_executions|reservedConcurrency/i)) {
+            findings.push({ ruleId: 'INFRA-CLOUD-028', category: 'infrastructure', severity: 'medium', title: 'Lambda without concurrency limit — single function can exhaust account concurrency', description: 'Set reserved_concurrent_executions on Lambda functions. Without limits, a traffic spike or runaway loop on one function can consume all 1,000 account-level concurrent executions.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-029: No S3 bucket public access block
+  { id: 'INFRA-CLOUD-029', category: 'infrastructure', severity: 'critical', confidence: 'likely', title: 'S3 Bucket Without Public Access Block',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const buckets = c.match(/resource\s+"aws_s3_bucket"\s+"\w+"/g) || [];
+        if (buckets.length > 0) {
+          const hasBlock = c.match(/aws_s3_bucket_public_access_block|block_public_acls\s*=\s*true/i);
+          if (!hasBlock) {
+            findings.push({ ruleId: 'INFRA-CLOUD-029', category: 'infrastructure', severity: 'critical', title: 'S3 bucket defined without public access block configuration', description: 'Add aws_s3_bucket_public_access_block with all options set to true. Without this, S3 ACLs or policies can accidentally make buckets public, exposing data.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-030: RDS without automated backups
+  { id: 'INFRA-CLOUD-030', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'RDS Instance With Automated Backup Disabled',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_db_instance|aws_rds_cluster/i)) {
+          if (c.match(/backup_retention_period\s*=\s*0/)) {
+            findings.push({ ruleId: 'INFRA-CLOUD-030', category: 'infrastructure', severity: 'high', title: 'RDS automated backups disabled (backup_retention_period = 0)', description: 'Set backup_retention_period to at least 7 days. Disabling automated backups means data loss in case of corruption or accidental deletion with no recovery path.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-MON-006: No alerting on Lambda error rate
+  { id: 'INFRA-MON-006', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Lambda Functions Without Error Rate Alarms',
+    check({ files }) {
+      const findings = [];
+      const hasLambda = [...files.values()].some(c => c.match(/aws_lambda_function/i));
+      const hasAlarm = [...files.values()].some(c => c.match(/aws_cloudwatch_metric_alarm.*Lambda.*Errors|metric_name.*Errors.*aws.*lambda/i));
+      if (hasLambda && !hasAlarm) {
+        findings.push({ ruleId: 'INFRA-MON-006', category: 'infrastructure', severity: 'medium', title: 'Lambda functions without CloudWatch error alarms', description: 'Create CloudWatch alarms for Lambda Errors metric. Without alarms, Lambda failures are invisible until users complain. Alarm on error rate > 1% for 5 minutes.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-031: No VPC endpoint for S3/DynamoDB
+  { id: 'INFRA-CLOUD-031', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No VPC Endpoint for AWS Services (S3/DynamoDB)',
+    check({ files }) {
+      const findings = [];
+      const hasVPC = [...files.values()].some(c => c.match(/aws_vpc\s+|resource.*aws_vpc/i));
+      const hasS3OrDynamo = [...files.values()].some(c => c.match(/aws_s3_bucket|aws_dynamodb_table/i));
+      const hasEndpoint = [...files.values()].some(c => c.match(/aws_vpc_endpoint/i));
+      if (hasVPC && hasS3OrDynamo && !hasEndpoint) {
+        findings.push({ ruleId: 'INFRA-CLOUD-031', category: 'infrastructure', severity: 'medium', title: 'VPC resources accessing S3/DynamoDB without VPC endpoints', description: 'Add VPC endpoints for S3 and DynamoDB. Without endpoints, traffic routes through the public internet, incurring NAT Gateway data processing costs and increasing attack surface.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-NET-006: Security group allows unrestricted database port
+  { id: 'INFRA-NET-006', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Security Group Exposes Database Port Publicly',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/from_port\s*=\s*(5432|3306|1433|27017|6379|5984)\b/)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (ctx.match(/cidr_blocks\s*=\s*\[["']0\.0\.0\.0\/0["']\]/)) {
+              findings.push({ ruleId: 'INFRA-NET-006', category: 'infrastructure', severity: 'critical', title: 'Database port (Postgres/MySQL/Redis/MongoDB) exposed to 0.0.0.0/0', description: 'Restrict database security group ingress to application security group only. Publicly exposed database ports are scanned and attacked within minutes of exposure.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-K8S-023: Container with writable root filesystem
+  { id: 'INFRA-K8S-023', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Container Without readOnlyRootFilesystem',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.yaml$|\.yml$/)) continue;
+        if (c.match(/kind:\s*(Pod|Deployment|StatefulSet|DaemonSet)/) && c.match(/containers:/) && !c.match(/readOnlyRootFilesystem:\s*true/)) {
+          findings.push({ ruleId: 'INFRA-K8S-023', category: 'infrastructure', severity: 'medium', title: 'Kubernetes container without readOnlyRootFilesystem: true', description: 'Set securityContext.readOnlyRootFilesystem: true. A writable filesystem allows attackers to drop malware or modify application binaries after gaining initial access.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-032: EC2 instance store used for persistent data
+  { id: 'INFRA-CLOUD-032', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'EC2 Instance Store Used for Persistent Data',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_instance.*instance_type\s*=.*\w+\.(i\d|d\d|h\d)/i)) {
+          const hasEBS = c.match(/ebs_block_device|root_block_device/i);
+          if (!hasEBS) {
+            findings.push({ ruleId: 'INFRA-CLOUD-032', category: 'infrastructure', severity: 'high', title: 'Storage-optimized EC2 instance without explicit EBS volume — data lost on stop/terminate', description: 'Use EBS volumes for persistent data, not instance store. Instance store volumes are ephemeral and all data is permanently lost when the instance stops or fails.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-TF-012: Terraform output with sensitive = false for secrets
+  { id: 'INFRA-TF-012', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Sensitive Value in Terraform Output Without sensitive = true',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/output\s+"\w*(password|secret|key|token|credential)\w*"/i)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (!ctx.match(/sensitive\s*=\s*true/)) {
+              findings.push({ ruleId: 'INFRA-TF-012', category: 'infrastructure', severity: 'high', title: 'Terraform output for secret/password without sensitive = true', description: 'Mark outputs containing secrets with sensitive = true. Without this, the value is printed in plain text in terraform apply output and stored unredacted in state.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-MON-007: No CloudWatch dashboard
+  { id: 'INFRA-MON-007', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'No CloudWatch Dashboard for Production Resources',
+    check({ files }) {
+      const findings = [];
+      const hasAWSResources = [...files.values()].some(c => c.match(/aws_lambda_function|aws_rds_instance|aws_ecs_service/i));
+      const hasDashboard = [...files.values()].some(c => c.match(/aws_cloudwatch_dashboard|CloudWatch.*Dashboard|grafana/i));
+      if (hasAWSResources && !hasDashboard) {
+        findings.push({ ruleId: 'INFRA-MON-007', category: 'infrastructure', severity: 'low', title: 'No CloudWatch dashboard configured for production resources', description: 'Create CloudWatch dashboards for key metrics (request rate, error rate, latency, CPU, memory). Dashboards reduce MTTR by providing instant visibility into system health.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-033: IAM role with AdministratorAccess
+  { id: 'INFRA-CLOUD-033', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'IAM Role with AdministratorAccess Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|\.json$|\.yaml$|\.yml$/)) continue;
+        if (c.match(/AdministratorAccess|arn:aws:iam::aws:policy\/AdministratorAccess/)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-033', category: 'infrastructure', severity: 'critical', title: 'IAM role attached to AdministratorAccess managed policy', description: 'Replace AdministratorAccess with minimum required permissions. AdministratorAccess grants full AWS account control — a compromised role can delete all resources, exfiltrate all data.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-NET-007: No private subnet for databases
+  { id: 'INFRA-NET-007', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Database Resources Not in Private Subnet',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_db_instance|aws_rds_cluster|aws_elasticache_cluster/i)) {
+          if (!c.match(/db_subnet_group|subnet.*private|private.*subnet/i)) {
+            findings.push({ ruleId: 'INFRA-NET-007', category: 'infrastructure', severity: 'high', title: 'Database resource without explicit private subnet group', description: 'Create a dedicated DB subnet group using private subnets. Databases should never be placed in public subnets. Use private subnets that route through NAT for outbound, not inbound.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-K8S-024: Kubernetes RBAC with wildcard verbs
+  { id: 'INFRA-K8S-024', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes RBAC Role With Wildcard Verbs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.yaml$|\.yml$/)) continue;
+        if (c.match(/kind:\s*(Role|ClusterRole)/) && c.match(/verbs:\s*\n\s*-\s*['"*]["']/)) {
+          findings.push({ ruleId: 'INFRA-K8S-024', category: 'infrastructure', severity: 'high', title: 'Kubernetes Role with wildcard (*) verbs — overly permissive', description: 'Specify minimum required verbs (get, list, watch, create, update, patch, delete). Wildcard verbs grant all operations including delete, enabling privilege escalation or data destruction.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-034: SQS queue without encryption at rest
+  { id: 'INFRA-CLOUD-034', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'SQS Queue Without Encryption at Rest',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_sqs_queue/i) && !c.match(/kms_master_key_id|sqs_managed_sse_enabled\s*=\s*true/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-034', category: 'infrastructure', severity: 'medium', title: 'SQS queue without SSE encryption', description: 'Enable SQS Server-Side Encryption with SQS-managed keys (sqs_managed_sse_enabled = true) or a KMS key. Encrypted queues protect sensitive message data at rest.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-TF-013: No Terraform module source versioning
+  { id: 'INFRA-TF-013', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform Module Source Without Version Constraint',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/source\s*=\s*["'](?!\.\/|\.\.\/|\bterraform\b)/)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 8)).join('\n');
+            if (!ctx.match(/version\s*=/)) {
+              findings.push({ ruleId: 'INFRA-TF-013', category: 'infrastructure', severity: 'medium', title: 'Terraform module without version pin — breaking changes on next apply', description: 'Add version = "~> X.Y" to all module blocks. Unpinned modules pull the latest version on each terraform init, which may introduce breaking changes silently.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-035: AWS account without budget alerts
+  { id: 'INFRA-CLOUD-035', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No AWS Budget Alert Configured',
+    check({ files }) {
+      const findings = [];
+      const hasAWSResources = [...files.values()].some(c => c.match(/aws_lambda|aws_rds|aws_ecs|aws_ec2/i));
+      const hasBudget = [...files.values()].some(c => c.match(/aws_budgets_budget|cost.*alert|billing.*alarm|CostAnomaly/i));
+      if (hasAWSResources && !hasBudget) {
+        findings.push({ ruleId: 'INFRA-CLOUD-035', category: 'infrastructure', severity: 'medium', title: 'AWS resources provisioned without budget alerts', description: 'Create AWS Budgets with email/SNS alerts. Without cost alerts, runaway Lambda loops, DDoS attacks, or misconfigured resources can generate unbounded costs before discovery.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // INFRA-NET-008: No TLS termination at load balancer
+  { id: 'INFRA-NET-008', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Load Balancer Without HTTPS Listener',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_lb_listener|aws_alb_listener/i)) {
+          const hasHTTPS = c.match(/protocol\s*=\s*["']HTTPS["']|port\s*=\s*["']443["']/i);
+          const hasHTTP = c.match(/protocol\s*=\s*["']HTTP["']|port\s*=\s*["']80["']/i);
+          if (hasHTTP && !hasHTTPS) {
+            findings.push({ ruleId: 'INFRA-NET-008', category: 'infrastructure', severity: 'high', title: 'Load balancer with only HTTP listener — no HTTPS termination', description: 'Add an HTTPS listener with an ACM certificate. HTTP traffic is unencrypted and can be intercepted. Redirect all HTTP traffic to HTTPS (status 301).', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-CLOUD-036: Lambda with excessive timeout
+  { id: 'INFRA-CLOUD-036', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Lambda Function With Maximum Timeout Setting',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|serverless\.yml|serverless\.yaml$/)) continue;
+        if (c.match(/timeout\s*=\s*900|timeout\s*:\s*900/i)) {
+          findings.push({ ruleId: 'INFRA-CLOUD-036', category: 'infrastructure', severity: 'low', title: 'Lambda timeout set to maximum (15 minutes) — runaway functions waste money', description: 'Set Lambda timeout to 2x the expected maximum execution time. Maximum timeouts mask bugs, increase blast radius of infinite loops, and delay failure detection by 15 minutes.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // INFRA-K8S-025: Kubernetes Ingress without TLS
+  { id: 'INFRA-K8S-025', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Ingress Without TLS Configuration',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.yaml$|\.yml$/)) continue;
+        if (c.match(/kind:\s*Ingress/) && c.match(/host:|rules:/) && !c.match(/tls:|cert-manager/i)) {
+          findings.push({ ruleId: 'INFRA-K8S-025', category: 'infrastructure', severity: 'high', title: 'Kubernetes Ingress without TLS — traffic served over HTTP', description: 'Add tls: section with cert-manager annotation. HTTP-only Ingress exposes all traffic including authentication tokens in plaintext. Use cert-manager for automatic TLS certificate management.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// INFRA-K8S-026: No resource limits in K8s deployment
+rules.push({
+  id: 'INFRA-K8S-026', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes container without CPU/memory resource limits',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*(?:Deployment|StatefulSet|DaemonSet)/) && c.match(/containers:/) && !c.match(/resources:\s*\n\s+limits:/)) {
+        findings.push({ ruleId: 'INFRA-K8S-026', category: 'infrastructure', severity: 'high', title: 'K8s container without resource limits — noisy neighbor risk', description: 'Without resource limits, a container can consume all node CPU/memory, starving other pods. Add resources.limits.cpu and resources.limits.memory.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-027: No liveness probe
+rules.push({
+  id: 'INFRA-K8S-027', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment without liveness probe',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*(?:Deployment|StatefulSet)/) && c.match(/containers:/) && !c.match(/livenessProbe:/)) {
+        findings.push({ ruleId: 'INFRA-K8S-027', category: 'infrastructure', severity: 'medium', title: 'K8s Deployment without livenessProbe — stuck pods not restarted', description: 'Without a liveness probe, Kubernetes cannot detect when a container is deadlocked. Add a livenessProbe to trigger automatic restart.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-028: Privileged container
+rules.push({
+  id: 'INFRA-K8S-028', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes container running as privileged',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/privileged\s*:\s*true/)) {
+        findings.push({ ruleId: 'INFRA-K8S-028', category: 'infrastructure', severity: 'critical', title: 'Privileged K8s container — full host access, container escape possible', description: 'Privileged containers have root access to the host node. A compromised privileged container can escape to the host. Remove privileged: true and use specific capabilities instead.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-029: hostNetwork: true
+rules.push({
+  id: 'INFRA-K8S-029', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes pod using hostNetwork: true',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/hostNetwork\s*:\s*true/)) {
+        findings.push({ ruleId: 'INFRA-K8S-029', category: 'infrastructure', severity: 'high', title: 'K8s pod with hostNetwork:true — bypasses network isolation', description: 'hostNetwork: true gives the pod access to the host network namespace, bypassing Kubernetes network policies and exposing host services. Use Service resources instead.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-030: Root filesystem not read-only
+rules.push({
+  id: 'INFRA-K8S-030', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes container without readOnlyRootFilesystem',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*(?:Deployment|StatefulSet|DaemonSet)/) && c.match(/securityContext:/) && !c.match(/readOnlyRootFilesystem\s*:\s*true/)) {
+        findings.push({ ruleId: 'INFRA-K8S-030', category: 'infrastructure', severity: 'medium', title: 'Container without readOnlyRootFilesystem — attacker can modify container filesystem', description: 'Set securityContext.readOnlyRootFilesystem: true to prevent attackers from writing malicious files to the container. Mount specific writable volumes only where needed.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-031: Missing network policy
+rules.push({
+  id: 'INFRA-K8S-031', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Kubernetes NetworkPolicy defined — all pod-to-pod traffic allowed',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.keys()].some(f => f.match(/\.ya?ml$/) && [...files.get(f)].join && /kind:\s*Deployment/.test(files.get(f)));
+    const hasNetPol = [...files.values()].some(c => /kind:\s*NetworkPolicy/.test(c));
+    if (hasDeployment && !hasNetPol) {
+      findings.push({ ruleId: 'INFRA-K8S-031', category: 'infrastructure', severity: 'medium', title: 'No NetworkPolicy — all pods can communicate without restriction', description: 'Without NetworkPolicies, any compromised pod can reach any other pod or service. Define ingress/egress NetworkPolicies to enforce least-privilege network access.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-026: Docker Compose no restart policy
+rules.push({
+  id: 'INFRA-DC-026', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose service without restart policy',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/docker-compose.*\.ya?ml$/i)) continue;
+      if (c.match(/services:/) && !c.match(/restart\s*:/)) {
+        findings.push({ ruleId: 'INFRA-DC-026', category: 'infrastructure', severity: 'medium', title: 'Docker Compose service without restart policy — won\'t recover from crashes', description: 'Without restart: unless-stopped or always, crashed services stay down. Add restart: unless-stopped to all production services.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-027: Secrets in Docker Compose environment
+rules.push({
+  id: 'INFRA-DC-027', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Hardcoded secret in Docker Compose environment section',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/docker-compose.*\.ya?ml$/i) && !fp.match(/compose\.ya?ml$/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:PASSWORD|SECRET|KEY|TOKEN|API_KEY)\s*:\s*[^${\s][^\s]{3,}/i.test(lines[i]) && !/\$\{/.test(lines[i])) {
+          findings.push({ ruleId: 'INFRA-DC-027', category: 'infrastructure', severity: 'critical', title: 'Hardcoded secret in docker-compose.yml environment section', description: 'Secrets committed to docker-compose files are exposed to anyone with repo access. Use ${VARIABLE} references with a .env file, or Docker secrets.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-028: Docker Compose port bound to 0.0.0.0
+rules.push({
+  id: 'INFRA-DC-028', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose port bound to all interfaces (0.0.0.0)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/docker-compose.*\.ya?ml$/i) && !fp.match(/compose\.ya?ml$/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/["']?0\.0\.0\.0:\d+:\d+["']?/.test(lines[i])) {
+          findings.push({ ruleId: 'INFRA-DC-028', category: 'infrastructure', severity: 'medium', title: 'Port bound to 0.0.0.0 — accessible from any network interface', description: 'Binding ports to 0.0.0.0 exposes services to all network interfaces including public ones. Bind to 127.0.0.1 for local-only services: "127.0.0.1:3000:3000".', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-026: No S3 versioning
+rules.push({
+  id: 'INFRA-TF-026', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform S3 bucket without versioning enabled',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_s3_bucket["']/) && !c.match(/versioning\s*\{[^}]*enabled\s*=\s*true/)) {
+        findings.push({ ruleId: 'INFRA-TF-026', category: 'infrastructure', severity: 'medium', title: 'S3 bucket without versioning — no protection against accidental deletion', description: 'Enable S3 versioning to protect against accidental overwrites and deletions. Add versioning { enabled = true } to your aws_s3_bucket resource.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-027: No CloudTrail
+rules.push({
+  id: 'INFRA-TF-027', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No AWS CloudTrail configured in Terraform',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const hasCloudTrail = [...files.values()].some(c => /aws_cloudtrail|cloudtrail/i.test(c));
+    if (hasTF && !hasCloudTrail) {
+      findings.push({ ruleId: 'INFRA-TF-027', category: 'infrastructure', severity: 'high', title: 'No CloudTrail — API calls not audited, incident response blind', description: 'CloudTrail provides an audit log of all AWS API calls. Without it, security incidents cannot be investigated. Enable CloudTrail with log file validation.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-028: Open security group (0.0.0.0/0 ingress)
+rules.push({
+  id: 'INFRA-TF-028', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Terraform security group with unrestricted ingress (0.0.0.0/0)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/cidr_blocks\s*=\s*\[\s*["']0\.0\.0\.0\/0["']/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 5), i).join('\n');
+          if (/ingress/.test(ctx)) {
+            findings.push({ ruleId: 'INFRA-TF-028', category: 'infrastructure', severity: 'critical', title: 'Security group allows ingress from any IP (0.0.0.0/0)', description: 'Opening a security group to the entire internet exposes services to port scanning and exploitation. Restrict ingress to specific IP ranges or VPC CIDRs.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-029: No GuardDuty
+rules.push({
+  id: 'INFRA-TF-029', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No AWS GuardDuty configured',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const hasGuardDuty = [...files.values()].some(c => /aws_guardduty|guardduty/i.test(c));
+    if (hasTF && !hasGuardDuty) {
+      findings.push({ ruleId: 'INFRA-TF-029', category: 'infrastructure', severity: 'medium', title: 'No GuardDuty — no threat detection for malicious activity', description: 'AWS GuardDuty continuously monitors for malicious activity and anomalous behavior. Enable it to detect compromised credentials, crypto mining, and data exfiltration.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-030: RDS not encrypted at rest
+rules.push({
+  id: 'INFRA-TF-030', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform RDS instance without storage encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_db_instance["']/) && !c.match(/storage_encrypted\s*=\s*true/)) {
+        findings.push({ ruleId: 'INFRA-TF-030', category: 'infrastructure', severity: 'high', title: 'RDS instance without storage_encrypted=true — data at rest unprotected', description: 'Enable RDS encryption at rest: storage_encrypted = true. AWS KMS encrypts the underlying storage, snapshots, and replicas.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-032: Container running as root
+rules.push({
+  id: 'INFRA-K8S-032', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes container may run as root (no runAsNonRoot)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*(?:Deployment|StatefulSet|DaemonSet)/) && c.match(/containers:/) && !c.match(/runAsNonRoot\s*:\s*true|runAsUser\s*:\s*[1-9]/)) {
+        findings.push({ ruleId: 'INFRA-K8S-032', category: 'infrastructure', severity: 'high', title: 'K8s container without runAsNonRoot — may execute as UID 0', description: 'Set securityContext.runAsNonRoot: true to prevent containers from running as root. A root container has elevated privileges if it escapes to the host.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-033: Sensitive hostPath mount
+rules.push({
+  id: 'INFRA-K8S-033', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes pod mounts sensitive host path',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/hostPath:/) && c.match(/path:\s*(?:\/etc|\/var\/run\/docker\.sock|\/proc|\/sys|\/root)/)) {
+        findings.push({ ruleId: 'INFRA-K8S-033', category: 'infrastructure', severity: 'critical', title: 'Pod mounts sensitive host path (/etc, /proc, docker.sock) — container escape risk', description: 'Mounting /etc, docker.sock, /proc or /sys gives container access to host credentials and container runtime. Remove sensitive hostPath mounts.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-031: EKS cluster public endpoint access
+rules.push({
+  id: 'INFRA-TF-031', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'EKS cluster Kubernetes API publicly accessible',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_eks_cluster["']/) && c.match(/endpoint_public_access\s*=\s*true/) && !c.match(/public_access_cidrs/)) {
+        findings.push({ ruleId: 'INFRA-TF-031', category: 'infrastructure', severity: 'high', title: 'EKS cluster API endpoint publicly accessible without IP restriction', description: 'Restrict public EKS endpoint access with public_access_cidrs to known IPs, or disable public access and use a VPN/bastion.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-029: Docker Compose missing health check
+rules.push({
+  id: 'INFRA-DC-029', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose service without healthcheck',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/docker-compose.*\.ya?ml$/i) && !fp.match(/compose\.ya?ml$/i)) continue;
+      if (c.match(/services:/) && !c.match(/healthcheck:/)) {
+        findings.push({ ruleId: 'INFRA-DC-029', category: 'infrastructure', severity: 'medium', title: 'Docker Compose without healthcheck — container marked healthy before ready', description: 'Without healthcheck, Docker marks containers healthy immediately. Add healthcheck with test, interval, timeout, and retries to ensure services are truly ready.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA additional rules
+
+// INFRA-TF-032: No WAF configured
+rules.push({
+  id: 'INFRA-TF-032', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No WAF (Web Application Firewall) configured',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const hasALB = [...files.values()].some(c => /aws_alb|aws_lb\b|aws_cloudfront/i.test(c));
+    const hasWAF = [...files.values()].some(c => /aws_waf|aws_wafv2|waf_regional/i.test(c));
+    if (hasTF && hasALB && !hasWAF) {
+      findings.push({ ruleId: 'INFRA-TF-032', category: 'infrastructure', severity: 'high', title: 'Load balancer without WAF — no protection against OWASP Top 10', description: 'Attach AWS WAFv2 to your ALB or CloudFront distribution to block OWASP Top 10 attacks and malicious bots.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-034: No pod security policy/admission controller
+rules.push({
+  id: 'INFRA-K8S-034', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No Pod Security Standards or Admission Controller configured',
+  check({ files }) {
+    const findings = [];
+    const hasK8s = [...files.keys()].some(f => f.match(/\.ya?ml$/) && /kind:\s*Deployment/.test(files.get(f)));
+    const hasPSP = [...files.values()].some(c => /PodSecurityPolicy|PodSecurity|OPA|Kyverno|admission.*webhook/i.test(c));
+    if (hasK8s && !hasPSP) {
+      findings.push({ ruleId: 'INFRA-K8S-034', category: 'infrastructure', severity: 'high', title: 'No Pod Security Standards admission controller — privileged pods can be deployed', description: 'Configure Kubernetes Pod Security Standards (Restricted profile) or an OPA/Kyverno policy to prevent privileged containers from being scheduled.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-033: ELB access logs disabled
+rules.push({
+  id: 'INFRA-TF-033', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform ELB/ALB without access logging',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_(?:alb|lb)\b/) && !c.match(/access_logs\s*\{[^}]*enabled\s*=\s*true/)) {
+        findings.push({ ruleId: 'INFRA-TF-033', category: 'infrastructure', severity: 'medium', title: 'ALB without access logs — no HTTP request audit trail', description: 'Enable ALB access logs to S3 for security auditing and incident investigation. Set access_logs { bucket = ... enabled = true }.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-034: ECR image scanning disabled
+rules.push({
+  id: 'INFRA-TF-034', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform ECR repository without image scanning',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_ecr_repository/) && !c.match(/scan_on_push\s*=\s*true/)) {
+        findings.push({ ruleId: 'INFRA-TF-034', category: 'infrastructure', severity: 'medium', title: 'ECR repository without scan_on_push — container vulnerabilities not detected', description: 'Enable scan_on_push = true in aws_ecr_repository to automatically scan images for CVEs on each push.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-035: Missing pod anti-affinity for HA
+rules.push({
+  id: 'INFRA-K8S-035', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment without pod anti-affinity — all pods may schedule on same node',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*Deployment/) && !c.match(/affinity:|podAntiAffinity:/)) {
+        const replicas = c.match(/replicas:\s*(\d+)/);
+        if (replicas && parseInt(replicas[1]) > 1) {
+          findings.push({ ruleId: 'INFRA-K8S-035', category: 'infrastructure', severity: 'medium', title: `Deployment with ${replicas[1]} replicas but no anti-affinity — single node failure takes all pods`, description: 'Add podAntiAffinity to spread replicas across nodes. Without it, all pods may schedule on the same node, making a node failure a full service outage.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-035: VPC without VPC Flow Logs
+rules.push({
+  id: 'INFRA-TF-035', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'AWS VPC without flow logs enabled',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_vpc["']/) && !c.match(/aws_flow_log|vpc_flow_log/)) {
+        findings.push({ ruleId: 'INFRA-TF-035', category: 'infrastructure', severity: 'medium', title: 'VPC without flow logs — network traffic not audited', description: 'Enable VPC Flow Logs to capture network traffic for security analysis and incident response. Store in S3 or CloudWatch.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-036: RDS not in private subnet
+rules.push({
+  id: 'INFRA-TF-036', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS instance publicly accessible',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_db_instance["']/) && c.match(/publicly_accessible\s*=\s*true/)) {
+        findings.push({ ruleId: 'INFRA-TF-036', category: 'infrastructure', severity: 'critical', title: 'RDS instance publicly accessible — database exposed to internet', description: 'Set publicly_accessible = false and place the RDS instance in a private subnet. Never expose database endpoints directly to the internet.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-030: docker-compose with root user
+rules.push({
+  id: 'INFRA-DC-030', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose service without user directive — runs as root',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/docker-compose.*\.ya?ml$/i) && !fp.match(/compose\.ya?ml$/i)) continue;
+      if (c.match(/services:/) && !c.match(/user\s*:/)) {
+        findings.push({ ruleId: 'INFRA-DC-030', category: 'infrastructure', severity: 'medium', title: 'Docker Compose services without user directive — containers run as root', description: 'Add user: "1000:1000" (or appropriate non-root UID) to Docker Compose service definitions to prevent root container execution.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-036: Missing image pull policy for immutable tags
+rules.push({
+  id: 'INFRA-K8S-036', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'K8s container with mutable image tag and no imagePullPolicy: Always',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*(?:Deployment|StatefulSet)/) && !c.match(/imagePullPolicy:\s*Always/)) {
+        findings.push({ ruleId: 'INFRA-K8S-036', category: 'infrastructure', severity: 'low', title: 'No imagePullPolicy: Always — stale image may be used on pod restart', description: 'If using mutable image tags, set imagePullPolicy: Always to ensure the latest image is pulled on each pod creation. For immutable tags (SHA), IfNotPresent is fine.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-037: No MFA delete on S3 bucket
+rules.push({
+  id: 'INFRA-TF-037', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'S3 bucket without MFA delete protection',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_s3_bucket["']/) && !c.match(/mfa_delete\s*=\s*["']Enabled["']/)) {
+        findings.push({ ruleId: 'INFRA-TF-037', category: 'infrastructure', severity: 'medium', title: 'S3 bucket without MFA delete — versioned objects can be deleted without MFA', description: 'Enable MFA delete on S3 buckets with critical data to require multi-factor authentication for permanent deletions. Protects against credential compromise.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA additional rules
+
+// INFRA-TF-038: CloudFront without HTTPS only
+rules.push({
+  id: 'INFRA-TF-038', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'CloudFront distribution allowing HTTP (not HTTPS-only)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_cloudfront_distribution/) && !c.match(/viewer_protocol_policy\s*=\s*["']https-only["']/)) {
+        findings.push({ ruleId: 'INFRA-TF-038', category: 'infrastructure', severity: 'high', title: 'CloudFront viewer protocol policy not set to https-only', description: 'Set viewer_protocol_policy = "https-only" or "redirect-to-https" to force TLS for all CloudFront traffic.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-037: ConfigMap used for secrets
+rules.push({
+  id: 'INFRA-K8S-037', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes ConfigMap storing secret values',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*ConfigMap/) && c.match(/(?:password|secret|token|key|api_key)\s*:/i)) {
+        findings.push({ ruleId: 'INFRA-K8S-037', category: 'infrastructure', severity: 'critical', title: 'Secrets stored in ConfigMap — use Kubernetes Secret or external secrets manager', description: 'ConfigMaps are not encrypted at rest. Use Kubernetes Secrets with encryption at rest, or an external secrets manager like AWS Secrets Manager.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-039: IAM role with wildcard permissions
+rules.push({
+  id: 'INFRA-TF-039', category: 'infrastructure', severity: 'critical', confidence: 'likely', title: 'IAM role with wildcard action (*) permissions',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$|\.json$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*[#;]/.test(lines[i])) continue;
+        if (/["']Action["']\s*:\s*["']\*["']|actions\s*=\s*\[\s*["']\*["']/.test(lines[i])) {
+          findings.push({ ruleId: 'INFRA-TF-039', category: 'infrastructure', severity: 'critical', title: 'IAM policy with Action: "*" — wildcard grants all permissions', description: 'Wildcard IAM actions violate least-privilege principles. Grant only the specific actions required: ["s3:GetObject", "s3:PutObject"].', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-040: AWS account root user access key
+rules.push({
+  id: 'INFRA-TF-040', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'AWS root account access key configured',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_iam_access_key/) && !c.match(/user\s*=/)) {
+        findings.push({ ruleId: 'INFRA-TF-040', category: 'infrastructure', severity: 'critical', title: 'IAM access key without user — may be root account key', description: 'Delete root account access keys. Create IAM users or roles with minimum necessary permissions. Root account keys cannot be restricted by IAM policies.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-038: Service type NodePort in production
+rules.push({
+  id: 'INFRA-K8S-038', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes Service with type: NodePort — direct node exposure',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$/)) continue;
+      if (c.match(/kind:\s*Service/) && c.match(/type:\s*NodePort/)) {
+        findings.push({ ruleId: 'INFRA-K8S-038', category: 'infrastructure', severity: 'medium', title: 'NodePort service exposes ports directly on all nodes', description: 'NodePort exposes the service on a port on every cluster node. Use LoadBalancer or Ingress instead for production traffic to control access properly.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-041: Unencrypted EKS secrets
+rules.push({
+  id: 'INFRA-TF-041', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'EKS cluster without envelope encryption for Kubernetes secrets',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_eks_cluster["']/) && !c.match(/encryption_config|resources.*secrets/i)) {
+        findings.push({ ruleId: 'INFRA-TF-041', category: 'infrastructure', severity: 'high', title: 'EKS cluster without secrets encryption — Kubernetes secrets stored unencrypted in etcd', description: 'Enable envelope encryption for EKS Kubernetes secrets using AWS KMS. Without it, secrets are stored unencrypted in etcd.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-042: RDS deletion protection disabled
+rules.push({
+  id: 'INFRA-TF-042', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'RDS without deletion protection enabled',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_db_instance["']/) && !c.match(/deletion_protection\s*=\s*true/)) {
+        findings.push({ ruleId: 'INFRA-TF-042', category: 'infrastructure', severity: 'high', title: 'RDS without deletion_protection — database can be deleted accidentally', description: 'Set deletion_protection = true on production RDS instances to prevent accidental deletion. This requires it to be explicitly disabled before the instance can be destroyed.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-031: Docker Compose using host network mode
+rules.push({
+  id: 'INFRA-DC-031', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Docker Compose service using host network mode',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/docker-compose.*\.ya?ml$/i) && !fp.match(/compose\.ya?ml$/i)) continue;
+      if (c.match(/network_mode:\s*["']?host["']?/)) {
+        findings.push({ ruleId: 'INFRA-DC-031', category: 'infrastructure', severity: 'high', title: 'Docker service with network_mode: host — bypasses container network isolation', description: 'host network mode removes all network isolation between the container and host. Use bridge networking with explicit port mappings instead.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-039: Missing PodDisruptionBudget
+rules.push({
+  id: 'INFRA-K8S-039', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment without PodDisruptionBudget',
+  check({ files }) {
+    const findings = [];
+    const deployFiles = [];
+    const pdbFiles = new Set();
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c)) deployFiles.push(fp);
+      if (/kind:\s*PodDisruptionBudget/.test(c)) pdbFiles.add(fp.replace(/\/[^/]+$/, ''));
+    }
+    for (const fp of deployFiles) {
+      const dir = fp.replace(/\/[^/]+$/, '');
+      if (!pdbFiles.has(dir)) findings.push({ ruleId: 'INFRA-K8S-039', category: 'infrastructure', severity: 'medium', title: 'No PodDisruptionBudget for Deployment — pods may all be evicted during node drain', description: 'Create a PodDisruptionBudget to ensure minimum pod availability during voluntary disruptions.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-040: Container with all capabilities
+rules.push({
+  id: 'INFRA-K8S-040', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes container with all capabilities added',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (!/kind:\s*(?:Deployment|Pod|DaemonSet|StatefulSet)/.test(c)) continue;
+      if (/capabilities:[\s\S]{0,100}add:\s*[\s\S]{0,50}ALL/.test(c)) findings.push({ ruleId: 'INFRA-K8S-040', category: 'infrastructure', severity: 'critical', title: 'Container with ALL capabilities added — grants root-like privileges', description: 'Drop all capabilities and only add the specific ones required by the container.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-041: Kubernetes secret in plaintext ConfigMap
+rules.push({
+  id: 'INFRA-K8S-041', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Database credentials stored in Kubernetes ConfigMap',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (!/kind:\s*ConfigMap/.test(c)) continue;
+      if (/(?:password|secret|key|token)\s*:\s*\S+/i.test(c) && !/secretKeyRef|valueFrom/.test(c)) findings.push({ ruleId: 'INFRA-K8S-041', category: 'infrastructure', severity: 'high', title: 'Secret-looking data in ConfigMap — use Kubernetes Secret instead', description: 'Move sensitive values (passwords, keys, tokens) to Kubernetes Secrets or an external secrets manager.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-043: AWS Lambda function without VPC configuration
+rules.push({
+  id: 'INFRA-TF-043', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform Lambda function without VPC configuration',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_lambda_function"/.test(c) && !/vpc_config/.test(c)) findings.push({ ruleId: 'INFRA-TF-043', category: 'infrastructure', severity: 'medium', title: 'Lambda function without VPC configuration — publicly accessible', description: 'Place Lambda functions in a VPC with private subnets if they access internal resources.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-044: S3 bucket with public access allowed
+rules.push({
+  id: 'INFRA-TF-044', category: 'infrastructure', severity: 'critical', confidence: 'likely', title: 'Terraform S3 bucket without block public access settings',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_s3_bucket"\s+"[^"]+"/.test(c) && !/aws_s3_bucket_public_access_block/.test(c)) findings.push({ ruleId: 'INFRA-TF-044', category: 'infrastructure', severity: 'critical', title: 'S3 bucket without public access block — may be publicly readable', description: 'Add aws_s3_bucket_public_access_block with all four block settings enabled.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-045: Terraform backend without encryption
+rules.push({
+  id: 'INFRA-TF-045', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform S3 backend without encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/backend\s+"s3"/.test(c) && !/encrypt\s*=\s*true/.test(c)) findings.push({ ruleId: 'INFRA-TF-045', category: 'infrastructure', severity: 'high', title: 'Terraform S3 backend without encrypt = true', description: 'Enable encryption for S3 backend state files: encrypt = true.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-046: EC2 instance with public IP
+rules.push({
+  id: 'INFRA-TF-046', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform EC2 instance with associate_public_ip_address = true',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_instance"/.test(c) && /associate_public_ip_address\s*=\s*true/.test(c)) findings.push({ ruleId: 'INFRA-TF-046', category: 'infrastructure', severity: 'high', title: 'EC2 instance with public IP — expose attack surface', description: 'Use a private subnet and NAT gateway. Only place EC2 instances in public subnets if they serve as load balancers.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-DC-032: Docker Compose missing resource limits
+rules.push({
+  id: 'INFRA-DC-032', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose service without memory/CPU limits',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.includes('docker-compose') && !fp.includes('compose.')) continue;
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/^\s+\w+:$/m.test(c) && !/memory:|cpus:|resources:/.test(c)) findings.push({ ruleId: 'INFRA-DC-032', category: 'infrastructure', severity: 'medium', title: 'Docker Compose service without resource limits — container may consume all host resources', description: 'Add memory and CPU limits under deploy.resources.limits in Docker Compose files.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-042: Kubernetes cluster with deprecated API versions
+rules.push({
+  id: 'INFRA-K8S-042', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes manifest using deprecated API version',
+  check({ files }) {
+    const findings = [];
+    const deprecated = [
+      { pattern: /apiVersion:\s*extensions\/v1beta1/, msg: 'extensions/v1beta1 is removed in K8s 1.16+' },
+      { pattern: /apiVersion:\s*apps\/v1beta[12]/, msg: 'apps/v1beta1/2 is removed in K8s 1.16+' },
+      { pattern: /apiVersion:\s*networking\.k8s\.io\/v1beta1/, msg: 'networking.k8s.io/v1beta1 is removed in K8s 1.22+' },
+    ];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      for (const { pattern, msg } of deprecated) {
+        if (pattern.test(c)) findings.push({ ruleId: 'INFRA-K8S-042', category: 'infrastructure', severity: 'medium', title: `Deprecated Kubernetes API: ${msg}`, description: 'Update manifests to use current API versions.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-047: Missing AWS WAF association with ALB
+rules.push({
+  id: 'INFRA-TF-047', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform ALB without WAF web ACL association',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_alb"\s+"[^"]+"/.test(c) && !/aws_wafv2_web_acl_association|aws_waf_web_acl/.test(c)) findings.push({ ruleId: 'INFRA-TF-047', category: 'infrastructure', severity: 'high', title: 'Application Load Balancer without WAF — vulnerable to common web attacks', description: 'Associate an AWS WAF web ACL with your ALB to protect against common attack patterns.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-043: Missing namespace for Kubernetes resources
+rules.push({
+  id: 'INFRA-K8S-043', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes resource deployed to default namespace',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (!/kind:\s*(?:Deployment|Service|Pod|StatefulSet)/.test(c)) continue;
+      if (/namespace:\s*default/.test(c) || (!/namespace:/.test(c) && /kind:\s*Deployment/.test(c))) findings.push({ ruleId: 'INFRA-K8S-043', category: 'infrastructure', severity: 'medium', title: 'Kubernetes resource in default namespace — no isolation', description: 'Deploy workloads to dedicated namespaces for better isolation and access control.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-048: Missing SNS topic encryption
+rules.push({
+  id: 'INFRA-TF-048', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform SNS topic without KMS encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_sns_topic"/.test(c) && !/kms_master_key_id/.test(c)) findings.push({ ruleId: 'INFRA-TF-048', category: 'infrastructure', severity: 'medium', title: 'SNS topic without KMS encryption — messages stored unencrypted', description: 'Configure kms_master_key_id on aws_sns_topic to encrypt messages at rest.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-049: DynamoDB without point-in-time recovery
+rules.push({
+  id: 'INFRA-TF-049', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform DynamoDB table without point-in-time recovery',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_dynamodb_table"/.test(c) && !/point_in_time_recovery/.test(c)) findings.push({ ruleId: 'INFRA-TF-049', category: 'infrastructure', severity: 'high', title: 'DynamoDB table without point-in-time recovery — cannot recover from accidental deletes', description: 'Enable point_in_time_recovery { enabled = true } on DynamoDB tables.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-K8S-044: Service account with cluster-admin role
+rules.push({
+  id: 'INFRA-K8S-044', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes service account bound to cluster-admin role',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*ClusterRoleBinding/.test(c) && /cluster-admin/.test(c) && !/system:masters/.test(c)) findings.push({ ruleId: 'INFRA-K8S-044', category: 'infrastructure', severity: 'critical', title: 'Service account with cluster-admin role — full cluster access', description: 'Follow least privilege — create a Role with only the permissions required.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-050: RDS without automated backups
+rules.push({
+  id: 'INFRA-TF-050', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform RDS instance with backup_retention_period = 0',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_db_instance"/.test(c) && /backup_retention_period\s*=\s*0/.test(c)) findings.push({ ruleId: 'INFRA-TF-050', category: 'infrastructure', severity: 'high', title: 'RDS backup retention set to 0 — no automated backups', description: 'Set backup_retention_period to at least 7 days to enable automated RDS backups.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-051: Security group with unrestricted egress
+rules.push({
+  id: 'INFRA-TF-051', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform security group with unrestricted outbound (0.0.0.0/0)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_security_group"/.test(c) && /egress[\s\S]{0,200}cidr_blocks\s*=\s*\["0\.0\.0\.0\/0"\]/.test(c)) findings.push({ ruleId: 'INFRA-TF-051', category: 'infrastructure', severity: 'medium', title: 'Security group with unrestricted outbound access — enables data exfiltration', description: 'Restrict egress to specific CIDR ranges and ports required by the service.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-052: Missing Terraform provider version constraint
+rules.push({
+  id: 'INFRA-TF-052', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Terraform provider without version constraint',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/required_providers\s*\{/.test(c) && !/version\s*=\s*"/.test(c)) findings.push({ ruleId: 'INFRA-TF-052', category: 'infrastructure', severity: 'medium', title: 'Terraform provider without version pin — unexpected breaking changes', description: 'Specify version constraints for all required providers: version = "~> 4.0".', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-TF-053: ElastiCache Redis without auth token
+rules.push({
+  id: 'INFRA-TF-053', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform ElastiCache Redis without auth token',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_elasticache_replication_group"/.test(c) && !/auth_token/.test(c)) findings.push({ ruleId: 'INFRA-TF-053', category: 'infrastructure', severity: 'high', title: 'ElastiCache Redis without auth token — unauthenticated access possible', description: 'Set auth_token on aws_elasticache_replication_group to require password authentication.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-054: Kubernetes pod without network policy
+rules.push({
+  id: 'INFRA-054', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes namespace without NetworkPolicy',
+  check({ files }) {
+    const findings = [];
+    const hasK8s = [...files.keys()].some(fp => (fp.endsWith('.yaml') || fp.endsWith('.yml')) && files.get(fp).includes('kind: Deployment'));
+    const hasNetPol = [...files.values()].some(c => /kind:\s*NetworkPolicy/.test(c));
+    if (hasK8s && !hasNetPol) findings.push({ ruleId: 'INFRA-054', category: 'infrastructure', severity: 'high', title: 'Kubernetes cluster without NetworkPolicy — unrestricted pod-to-pod traffic', description: 'Define NetworkPolicy resources to restrict pod communication. By default, all pods can communicate with each other.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-055: Kubernetes secret not encrypted at rest
+rules.push({
+  id: 'INFRA-055', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Secret in plain YAML',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Secret/.test(c) && /data:/.test(c) && !/sops|sealed-secrets|external-secrets|vault/.test(c)) findings.push({ ruleId: 'INFRA-055', category: 'infrastructure', severity: 'high', title: 'Kubernetes Secret stored as plain base64 in YAML — not encrypted', description: 'Use sealed-secrets, SOPS, or external-secrets-operator to encrypt secrets at rest.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-056: No pod disruption budget
+rules.push({
+  id: 'INFRA-056', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes Deployment without PodDisruptionBudget',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.values()].some(c => /kind:\s*Deployment/.test(c));
+    const hasPDB = [...files.values()].some(c => /kind:\s*PodDisruptionBudget/.test(c));
+    if (hasDeployment && !hasPDB) findings.push({ ruleId: 'INFRA-056', category: 'infrastructure', severity: 'medium', title: 'No PodDisruptionBudget — voluntary disruptions may take all pods offline', description: 'Add PodDisruptionBudget with minAvailable or maxUnavailable to ensure availability during node maintenance.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-057: Kubernetes container running as privileged
+rules.push({
+  id: 'INFRA-057', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes privileged container',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/privileged:\s*true/.test(c)) findings.push({ ruleId: 'INFRA-057', category: 'infrastructure', severity: 'critical', title: 'Container running in privileged mode — full host access', description: 'Remove privileged: true. Privileged containers can access all host devices and escape containment.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-058: Kubernetes hostNetwork enabled
+rules.push({
+  id: 'INFRA-058', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes pod with hostNetwork',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/hostNetwork:\s*true/.test(c)) findings.push({ ruleId: 'INFRA-058', category: 'infrastructure', severity: 'high', title: 'Pod uses host network namespace — bypasses network isolation', description: 'Remove hostNetwork: true unless absolutely necessary. Host networking breaks pod isolation.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-059: Kubernetes hostPID enabled
+rules.push({
+  id: 'INFRA-059', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes pod with hostPID',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/hostPID:\s*true/.test(c)) findings.push({ ruleId: 'INFRA-059', category: 'infrastructure', severity: 'high', title: 'Pod uses host PID namespace — can see and signal host processes', description: 'Remove hostPID: true. Sharing the host PID namespace allows containers to view all host processes.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-060: No Kubernetes RBAC
+rules.push({
+  id: 'INFRA-060', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No Kubernetes RBAC configuration',
+  check({ files }) {
+    const findings = [];
+    const hasK8s = [...files.keys()].some(fp => (fp.endsWith('.yaml') || fp.endsWith('.yml')) && /kind:\s*(?:Deployment|Pod)/.test(files.get(fp)));
+    const hasRBAC = [...files.values()].some(c => /kind:\s*(?:Role|ClusterRole|RoleBinding|ClusterRoleBinding|ServiceAccount)/.test(c));
+    if (hasK8s && !hasRBAC) findings.push({ ruleId: 'INFRA-060', category: 'infrastructure', severity: 'high', title: 'No RBAC resources defined — pods may use default service account', description: 'Define ServiceAccounts, Roles, and RoleBindings to enforce least-privilege access in the cluster.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-061: Kubernetes default namespace usage
+rules.push({
+  id: 'INFRA-061', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes resource in default namespace',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*(?:Deployment|Service|Pod|StatefulSet)/.test(c) && (/namespace:\s*default/.test(c) || (!/namespace:/.test(c) && /kind:\s*(?:Deployment|Service|Pod|StatefulSet)/.test(c)))) findings.push({ ruleId: 'INFRA-061', category: 'infrastructure', severity: 'medium', title: 'Resource deployed to default namespace — use dedicated namespaces', description: 'Create dedicated namespaces per application/team for better isolation and RBAC scoping.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-062: No Kubernetes Ingress TLS
+rules.push({
+  id: 'INFRA-062', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes Ingress without TLS',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Ingress/.test(c) && !/tls:/.test(c)) findings.push({ ruleId: 'INFRA-062', category: 'infrastructure', severity: 'high', title: 'Ingress without TLS termination — traffic served over HTTP', description: 'Add TLS configuration with a valid certificate. Use cert-manager for automatic certificate provisioning.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-063: Cloud storage bucket without encryption
+rules.push({
+  id: 'INFRA-063', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Cloud storage without server-side encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_s3_bucket"/.test(c) && !/server_side_encryption_configuration|aws_s3_bucket_server_side_encryption/.test(c)) findings.push({ ruleId: 'INFRA-063', category: 'infrastructure', severity: 'high', title: 'S3 bucket without server-side encryption configuration', description: 'Enable server-side encryption (SSE-S3 or SSE-KMS) on all S3 buckets.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-064: Cloud storage bucket public access
+rules.push({
+  id: 'INFRA-064', category: 'infrastructure', severity: 'critical', confidence: 'likely', title: 'Cloud storage with public access enabled',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_s3_bucket"/.test(c) && /acl\s*=\s*"public-read/.test(c)) findings.push({ ruleId: 'INFRA-064', category: 'infrastructure', severity: 'critical', title: 'S3 bucket with public-read ACL — data exposure risk', description: 'Remove public-read ACL. Use CloudFront or presigned URLs for controlled access.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-065: No VPC flow logs
+rules.push({
+  id: 'INFRA-065', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'VPC without flow logs enabled',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_vpc"/.test(c) && !/aws_flow_log/.test(c)) findings.push({ ruleId: 'INFRA-065', category: 'infrastructure', severity: 'medium', title: 'VPC without flow logs — no network traffic visibility', description: 'Enable VPC flow logs for security monitoring and troubleshooting network connectivity.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-066: Database publicly accessible
+rules.push({
+  id: 'INFRA-066', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS instance publicly accessible',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_db_instance"/.test(c) && /publicly_accessible\s*=\s*true/.test(c)) findings.push({ ruleId: 'INFRA-066', category: 'infrastructure', severity: 'critical', title: 'RDS database publicly accessible from the internet', description: 'Set publicly_accessible = false. Place databases in private subnets with no internet gateway.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-067: No CloudTrail logging
+rules.push({
+  id: 'INFRA-067', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No CloudTrail audit logging configured',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(fp => fp.endsWith('.tf'));
+    const hasCloudTrail = [...files.values()].some(c => /aws_cloudtrail/.test(c));
+    if (hasTF && !hasCloudTrail) findings.push({ ruleId: 'INFRA-067', category: 'infrastructure', severity: 'high', title: 'No CloudTrail configured — API calls not audited', description: 'Enable CloudTrail for all regions to log API activity for security auditing and compliance.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-068: Security group with 0.0.0.0/0 SSH
+rules.push({
+  id: 'INFRA-068', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'SSH open to the world',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/from_port\s*=\s*22/.test(c) && /cidr_blocks\s*=\s*\["0\.0\.0\.0\/0"\]/.test(c)) findings.push({ ruleId: 'INFRA-068', category: 'infrastructure', severity: 'critical', title: 'SSH port 22 open to 0.0.0.0/0 — brute force target', description: 'Restrict SSH access to specific IP ranges or use SSM Session Manager instead.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-069: No WAF on ALB
+rules.push({
+  id: 'INFRA-069', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Application Load Balancer without WAF',
+  check({ files }) {
+    const findings = [];
+    const hasALB = [...files.values()].some(c => /resource\s+"aws_lb"/.test(c) || /resource\s+"aws_alb"/.test(c));
+    const hasWAF = [...files.values()].some(c => /aws_wafv2_web_acl_association/.test(c));
+    if (hasALB && !hasWAF) findings.push({ ruleId: 'INFRA-069', category: 'infrastructure', severity: 'medium', title: 'ALB without WAF — no L7 attack protection', description: 'Attach a WAFv2 Web ACL to the ALB to protect against SQL injection, XSS, and other L7 attacks.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-070: No monitoring/alerting configured
+rules.push({
+  id: 'INFRA-070', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No monitoring or alerting configuration',
+  check({ files }) {
+    const findings = [];
+    const hasInfra = [...files.keys()].some(fp => fp.endsWith('.tf') || fp.endsWith('docker-compose.yml'));
+    const hasMonitoring = [...files.keys()].some(fp => /prometheus|grafana|datadog|newrelic|cloudwatch|pagerduty|opsgenie/i.test(fp));
+    const hasMonitoringContent = [...files.values()].some(c => /aws_cloudwatch_metric_alarm|prometheus|grafana|datadog|newrelic/i.test(c));
+    if (hasInfra && !hasMonitoring && !hasMonitoringContent) findings.push({ ruleId: 'INFRA-070', category: 'infrastructure', severity: 'medium', title: 'No monitoring or alerting configuration detected', description: 'Set up monitoring (Prometheus/Grafana, Datadog, CloudWatch) with alerts for key infrastructure metrics.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-071: Docker compose without restart policy
+rules.push({
+  id: 'INFRA-071', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose service without restart policy',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!/docker-compose\.ya?ml$|compose\.ya?ml$/.test(fp)) continue;
+      if (/services:/.test(c) && !/restart:/.test(c)) findings.push({ ruleId: 'INFRA-071', category: 'infrastructure', severity: 'medium', title: 'Docker Compose service without restart policy — no auto-recovery', description: 'Add restart: unless-stopped or restart: always to ensure services recover from crashes.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-072: Docker compose without memory limits
+rules.push({
+  id: 'INFRA-072', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose without memory limits',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!/docker-compose\.ya?ml$|compose\.ya?ml$/.test(fp)) continue;
+      if (/services:/.test(c) && !/mem_limit|memory:|deploy:/.test(c)) findings.push({ ruleId: 'INFRA-072', category: 'infrastructure', severity: 'medium', title: 'Docker Compose services without memory limits — OOM risk to host', description: 'Set memory limits using deploy.resources.limits.memory or mem_limit to prevent a single service from exhausting host memory.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-073: No health check in Docker Compose
+rules.push({
+  id: 'INFRA-073', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Docker Compose without healthcheck',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!/docker-compose\.ya?ml$|compose\.ya?ml$/.test(fp)) continue;
+      if (/services:/.test(c) && !/healthcheck:/.test(c)) findings.push({ ruleId: 'INFRA-073', category: 'infrastructure', severity: 'medium', title: 'Docker Compose service without healthcheck — no liveness detection', description: 'Add healthcheck with test, interval, and timeout to detect unhealthy containers.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-074: Kubernetes pod without liveness probe
+rules.push({
+  id: 'INFRA-074', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Kubernetes container without livenessProbe',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c) && !/livenessProbe:/.test(c)) findings.push({ ruleId: 'INFRA-074', category: 'infrastructure', severity: 'high', title: 'Kubernetes Deployment without livenessProbe — hung containers not restarted', description: 'Add livenessProbe to containers so Kubernetes restarts pods that become unresponsive.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-075: Kubernetes automountServiceAccountToken
+rules.push({
+  id: 'INFRA-075', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes pod with automounted service account token',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*(?:Deployment|Pod)/.test(c) && !/automountServiceAccountToken:\s*false/.test(c) && /kind:\s*(?:Deployment|Pod)/.test(c)) findings.push({ ruleId: 'INFRA-075', category: 'infrastructure', severity: 'medium', title: 'Service account token auto-mounted — unnecessary API access', description: 'Set automountServiceAccountToken: false unless the pod needs to call the Kubernetes API.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-076: No container image pull policy
+rules.push({
+  id: 'INFRA-076', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Kubernetes container without imagePullPolicy',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c) && !/imagePullPolicy:/.test(c)) findings.push({ ruleId: 'INFRA-076', category: 'infrastructure', severity: 'low', title: 'No imagePullPolicy set — may use cached stale images', description: 'Set imagePullPolicy: Always for production deployments to ensure the latest image is pulled.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-077: Terraform state stored locally
+rules.push({
+  id: 'INFRA-077', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Terraform state stored locally',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(fp => fp.endsWith('.tf'));
+    const hasRemoteBackend = [...files.values()].some(c => /backend\s+"(?:s3|gcs|azurerm|consul|remote)"/.test(c));
+    if (hasTF && !hasRemoteBackend) findings.push({ ruleId: 'INFRA-077', category: 'infrastructure', severity: 'high', title: 'Terraform state stored locally — no team collaboration or locking', description: 'Configure a remote backend (S3, GCS, etc.) with state locking for safe team collaboration.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-078: No DDoS protection
+rules.push({
+  id: 'INFRA-078', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No DDoS protection configured',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(fp => fp.endsWith('.tf'));
+    const hasDDoS = [...files.values()].some(c => /aws_shield|cloudflare|aws_wafv2/.test(c));
+    if (hasTF && !hasDDoS) findings.push({ ruleId: 'INFRA-078', category: 'infrastructure', severity: 'medium', title: 'No DDoS protection configured — exposed to volumetric attacks', description: 'Enable AWS Shield Advanced, Cloudflare, or WAFv2 rate-limiting rules for DDoS protection.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-079: Docker socket mounted
+rules.push({
+  id: 'INFRA-079', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Docker socket mounted in container',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!/docker-compose\.ya?ml$|compose\.ya?ml$/.test(fp) && !fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/\/var\/run\/docker\.sock/.test(c)) findings.push({ ruleId: 'INFRA-079', category: 'infrastructure', severity: 'critical', title: 'Docker socket mounted — container can control host Docker daemon', description: 'Mounting docker.sock gives the container full root access to the host. Use rootless Docker or a Docker proxy with ACLs.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-080: No backup configuration
+rules.push({
+  id: 'INFRA-080', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'No database backup configuration',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_db_instance"/.test(c) && /backup_retention_period\s*=\s*0/.test(c)) findings.push({ ruleId: 'INFRA-080', category: 'infrastructure', severity: 'high', title: 'RDS backup retention set to 0 — no automated backups', description: 'Set backup_retention_period to at least 7 days for production databases.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-081: Unencrypted RDS
+rules.push({
+  id: 'INFRA-081', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'RDS instance without encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_db_instance"/.test(c) && !/storage_encrypted\s*=\s*true/.test(c)) findings.push({ ruleId: 'INFRA-081', category: 'infrastructure', severity: 'high', title: 'RDS instance without storage encryption at rest', description: 'Set storage_encrypted = true. Encryption at rest is a basic security requirement for databases.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-082: No access logging on load balancer
+rules.push({
+  id: 'INFRA-082', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Load balancer without access logging',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_lb"/.test(c) && !/access_logs/.test(c)) findings.push({ ruleId: 'INFRA-082', category: 'infrastructure', severity: 'medium', title: 'ALB without access logging — no request audit trail', description: 'Enable access logs on the load balancer for security analysis and debugging.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-083: Kubernetes container with writable root filesystem
+rules.push({
+  id: 'INFRA-083', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes container with writable root filesystem',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c) && !/readOnlyRootFilesystem:\s*true/.test(c)) findings.push({ ruleId: 'INFRA-083', category: 'infrastructure', severity: 'medium', title: 'Container root filesystem writable — malware can write to disk', description: 'Set readOnlyRootFilesystem: true in securityContext and use emptyDir for writable paths.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-084: No node affinity/anti-affinity rules
+rules.push({
+  id: 'INFRA-084', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Kubernetes Deployment without affinity rules',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c) && /replicas:\s*[2-9]/.test(c) && !/affinity:/.test(c)) findings.push({ ruleId: 'INFRA-084', category: 'infrastructure', severity: 'low', title: 'Multi-replica Deployment without pod anti-affinity — single node failure risk', description: 'Add podAntiAffinity to spread replicas across nodes for high availability.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-085: No Kubernetes HPA
+rules.push({
+  id: 'INFRA-085', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Kubernetes Deployment without HorizontalPodAutoscaler',
+  check({ files }) {
+    const findings = [];
+    const hasDeployment = [...files.values()].some(c => /kind:\s*Deployment/.test(c));
+    const hasHPA = [...files.values()].some(c => /kind:\s*HorizontalPodAutoscaler/.test(c));
+    if (hasDeployment && !hasHPA) findings.push({ ruleId: 'INFRA-085', category: 'infrastructure', severity: 'low', title: 'No HPA configured — manual scaling only', description: 'Add HorizontalPodAutoscaler to automatically scale pods based on CPU/memory utilization.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-086: Nginx config without rate limiting
+rules.push({
+  id: 'INFRA-086', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Nginx without rate limiting',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.includes('nginx') || (!fp.endsWith('.conf') && !fp.endsWith('.cfg'))) continue;
+      if (/server\s*\{/.test(c) && !/limit_req_zone|limit_req\s/.test(c)) findings.push({ ruleId: 'INFRA-086', category: 'infrastructure', severity: 'medium', title: 'Nginx config without rate limiting — vulnerable to abuse', description: 'Add limit_req_zone and limit_req directives to protect against request floods.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-087: Nginx SSL/TLS misconfiguration
+rules.push({
+  id: 'INFRA-087', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'Nginx with weak SSL/TLS configuration',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.includes('nginx') || !fp.endsWith('.conf')) continue;
+      if (/ssl_protocols/.test(c) && /TLSv1(?:\s|;)|SSLv3/.test(c)) findings.push({ ruleId: 'INFRA-087', category: 'infrastructure', severity: 'high', title: 'Nginx allows TLSv1.0/SSLv3 — vulnerable to POODLE/BEAST', description: 'Set ssl_protocols TLSv1.2 TLSv1.3; to disable insecure protocol versions.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-088: No log rotation configured
+rules.push({
+  id: 'INFRA-088', category: 'infrastructure', severity: 'low', confidence: 'suggestion', title: 'Docker logging without log rotation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!/docker-compose\.ya?ml$|compose\.ya?ml$/.test(fp)) continue;
+      if (/services:/.test(c) && !/logging:|max-size/.test(c)) findings.push({ ruleId: 'INFRA-088', category: 'infrastructure', severity: 'low', title: 'Docker containers without log rotation — disk fill risk', description: 'Configure logging driver with max-size and max-file options to prevent disk exhaustion.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-089: No container security scanning
+rules.push({
+  id: 'INFRA-089', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No container image scanning configured',
+  check({ files }) {
+    const findings = [];
+    const hasDocker = [...files.keys()].some(fp => fp.endsWith('Dockerfile'));
+    const hasScanning = [...files.values()].some(c => /trivy|snyk\s+container|docker\s+scout|grype|clair|anchore/i.test(c));
+    if (hasDocker && !hasScanning) findings.push({ ruleId: 'INFRA-089', category: 'infrastructure', severity: 'medium', title: 'No container image vulnerability scanning in CI', description: 'Add Trivy, Snyk Container, or Docker Scout to CI pipeline to detect known CVEs in container images.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-090: Kubernetes capability not dropped
+rules.push({
+  id: 'INFRA-090', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'Kubernetes container without dropping capabilities',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.yaml') && !fp.endsWith('.yml')) continue;
+      if (/kind:\s*Deployment/.test(c) && /securityContext:/.test(c) && !/drop:/.test(c)) findings.push({ ruleId: 'INFRA-090', category: 'infrastructure', severity: 'medium', title: 'Container capabilities not dropped — excessive Linux privileges', description: 'Add capabilities: { drop: ["ALL"] } and only add back specific capabilities that are required.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-091: No Terraform plan in CI
+rules.push({
+  id: 'INFRA-091', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'No Terraform plan step in CI/CD',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(fp => fp.endsWith('.tf'));
+    const hasTFPlan = [...files.values()].some(c => /terraform\s+plan|tf\s+plan|tfplan/.test(c));
+    if (hasTF && !hasTFPlan) findings.push({ ruleId: 'INFRA-091', category: 'infrastructure', severity: 'medium', title: 'No terraform plan in CI — changes applied without review', description: 'Add terraform plan to CI pipeline and require plan output review before apply.', fix: null });
+    return findings;
+  },
+});
+
+// INFRA-092: EBS volume unencrypted
+rules.push({
+  id: 'INFRA-092', category: 'infrastructure', severity: 'high', confidence: 'likely', title: 'EBS volume without encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_ebs_volume"/.test(c) && !/encrypted\s*=\s*true/.test(c)) findings.push({ ruleId: 'INFRA-092', category: 'infrastructure', severity: 'high', title: 'EBS volume without encryption — data at rest exposed', description: 'Set encrypted = true on all EBS volumes. Enable default encryption in account settings.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// INFRA-093: No multi-AZ for RDS
+rules.push({
+  id: 'INFRA-093', category: 'infrastructure', severity: 'medium', confidence: 'likely', title: 'RDS instance without Multi-AZ',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_db_instance"/.test(c) && !/multi_az\s*=\s*true/.test(c)) findings.push({ ruleId: 'INFRA-093', category: 'infrastructure', severity: 'medium', title: 'RDS without Multi-AZ — single point of failure', description: 'Set multi_az = true for production databases to enable automatic failover.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});