iam-policy-validator 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl

{iam_policy_validator-1.1.0.dist-info → iam_policy_validator-1.1.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.1.0
+Version: 1.1.1
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -197,7 +197,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.12'
 
       - name: Install uv
         uses: astral-sh/setup-uv@v3

{iam_policy_validator-1.1.0.dist-info → iam_policy_validator-1.1.1.dist-info}/RECORD

@@ -1,38 +1,44 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=YOIURWR5ocuvaQTQgwFi1XjHm_ifJDzicMOQSJZqmZc,206
-iam_validator/checks/__init__.py,sha256=q-_rIYGZJMjsiHK-R_3CbSUCBVGN5e137LPNDnMRZmw,841
+iam_validator/__version__.py,sha256=xEe2pX5CjvpoW3wJ6rXXULgJzJ3B6BM7RqL5dElKRA4,206
+iam_validator/checks/__init__.py,sha256=eKTPgiZ1i3zvyP6OdKgLx9s3u69onITMYifmJPJwZgM,968
 iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
-iam_validator/checks/action_validation.py,sha256=KbUw1SV-2nN-HtLlj3zrE6sdd0z8iAF0ubqz35Vwb7c,6921
+iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
+iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
 iam_validator/checks/condition_key_validation.py,sha256=bc4LQ8IRKyt0RquaQvQvVjmeJnuOUAFRL8xdduLPa_U,2661
 iam_validator/checks/policy_size.py,sha256=4cvZiWRJXGuvYo8PRcdD1Py_ZL8Xw0lOJfXTs6EX-_I,5753
 iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
-iam_validator/checks/security_best_practices.py,sha256=OCAtbsO9HEK97DVPPnm-hJDQtf-ATlnwa1LLshweZDk,32045
+iam_validator/checks/security_best_practices.py,sha256=-gqxtcx_cUV1ZnyZ8Flydwan1vxb-RmnanWoIlU6YyY,21711
 iam_validator/checks/sid_uniqueness.py,sha256=7S8RtVJgYPTKgr7gSEmxgT0oIGkSoXN6iu0ALHbcSfw,5015
-iam_validator/commands/__init__.py,sha256=zuhECuz-1Us5hBNAJtdMae8LaYn1eNeoYPBmQPMwI94,357
+iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
+iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=_kQRGRJDQ0TLHymZbucXmKOfZJ_OUsf5p0blLfP54EY,8883
+iam_validator/checks/utils/wildcard_expansion.py,sha256=L6AWrLRacqXqk9k-5ZmXv5HyoAyz98cg5AlTvzH2tTI,3158
+iam_validator/commands/__init__.py,sha256=lF0fSUukLSxTAvhjg-0P79YMseYwihIr_tmQYbfNgcY,425
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
+iam_validator/commands/cache.py,sha256=1E-irKF3e2CFUEG9s1z64hIKLVSYFQ-L92ld6L3za5g,14368
 iam_validator/commands/post_to_pr.py,sha256=hl_K-XlELYN-ArjMdgQqysvIE-26yf9XdrMl4ToDwG0,2148
 iam_validator/commands/validate.py,sha256=R295cOTly8n7zL1jfvbh9RuCgiM5edBqbf6YMn_4G9A,14013
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
-iam_validator/core/access_analyzer_report.py,sha256=iTIFKul6zQZd2qBg8V6zaDNPMKF8D_XDSX6pJwXFVYY,24791
-iam_validator/core/aws_fetcher.py,sha256=fUCIMItIWmrbgsoVCz_9Oe5k3SjuXBlNBVwQ60IWwns,25492
+iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
+iam_validator/core/aws_fetcher.py,sha256=P7fYX1Q1TICuTOlGaqH97U3m8B0bqGE9jP7cxfmny8k,27418
 iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
-iam_validator/core/check_registry.py,sha256=wXg4Yw5LJ-rAVLiPUIJOtw8Y49Q1PY00Zbu37LzyjHY,15477
-iam_validator/core/cli.py,sha256=5UHsHS8o7Fkag4d6MNaaqjCFSGu8evCIbtpa81591lE,3831
-iam_validator/core/config_loader.py,sha256=6Px_JEzk8WU6g8KXaSLme3x8qZXT9oppxUVXYyDkboY,16425
-iam_validator/core/defaults.py,sha256=JzuDYNQGERDtX9S8E5grr4KZmooSephJW8KRplT34L8,10956
+iam_validator/core/check_registry.py,sha256=wxqaF2t_3lWgT6x7_PnnZ8XGjHKUxUk72UlmdYBLFyo,15679
+iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
+iam_validator/core/config_loader.py,sha256=Pq2rd6LJtEZET0ZeW4hEZS2ZRLC5gNRsKbtLyIsT21I,16516
+iam_validator/core/defaults.py,sha256=sPQJUMyjv4yalGCuyQhlY42rDc_-BZLq6qS0GgoP4mc,11893
 iam_validator/core/models.py,sha256=rWIZnD-I81Sg4asgOhnB10FWJC5mxQ2JO9bdS0sHb4Q,10772
-iam_validator/core/policy_checks.py,sha256=xK5CntsEKVDgN27uIdQ92jCL97t7eBqOk0SChWU9cgw,23872
+iam_validator/core/policy_checks.py,sha256=vIzRkqf5k1BB0elry5a4E2SRBlp6Vz3jPqrav29k3PM,24842
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
 iam_validator/core/pr_commenter.py,sha256=TOhVXKTFcRHQ9EVuShXQcKXn9aNjB1mU6FnR2jvltmw,10581
-iam_validator/core/report.py,sha256=aRM1mYlDjkPmQrUZtcq2akbviLPVTSa8q_mH7XyuuK4,32897
+iam_validator/core/report.py,sha256=wPkLvsIej-AaW5FlqntvUuHuEMvyi2iBI6NQF496gCM,33064
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
 iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
 iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
-iam_validator/core/formatters/enhanced.py,sha256=6hRiATRpH6Osqf_y6C58VN48L47AXYP3Dm9R90VMGs8,16432
+iam_validator/core/formatters/enhanced.py,sha256=k_DwzhGTARUKMv4bjkaCrpI6ypT10z9LcSk8gKlyDIM,16547
 iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
 iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
@@ -40,8 +46,8 @@ iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkS
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.1.0.dist-info/METADATA,sha256=a_cegBs1dAS4y_ByXskcvgXY3CNsqC-7frERfdQR27k,25144
-iam_policy_validator-1.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.1.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.1.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.1.0.dist-info/RECORD,,
+iam_policy_validator-1.1.1.dist-info/METADATA,sha256=tliAMa89Y5CSxbEy0PCV_IXr-FSn07I91AKl44QpoJQ,25144
+iam_policy_validator-1.1.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.1.1.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.1.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.1.1.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.0.4"
+__version__ = "1.1.1"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/__init__.py

@@ -5,6 +5,7 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
+from iam_validator.checks.action_resource_constraint import ActionResourceConstraintCheck
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
@@ -14,6 +15,7 @@ from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
 
 __all__ = [
     "ActionConditionEnforcementCheck",
+    "ActionResourceConstraintCheck",
     "ActionValidationCheck",
     "ConditionKeyValidationCheck",
     "PolicySizeCheck",

iam_validator/checks/action_resource_constraint.py

@@ -0,0 +1,151 @@
+"""Action resource constraint check - validates resource constraints for actions.
+
+This check ensures that:
+- Actions WITHOUT required resource types (empty or missing Resources field in AWS API)
+  MUST use Resource: "*" because they are account-level operations
+
+Examples of actions without required resources:
+- s3:ListAllMyBuckets (lists all buckets in account)
+- iam:ListRoles (lists all roles in account)
+- ec2:DescribeInstances (describes instances across all regions)
+
+These actions cannot target specific resources because they operate at the account level.
+"""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ActionResourceConstraintCheck(PolicyCheck):
+    """Validates resource constraints based on action requirements.
+    This check ensures that actions without required resource types use Resource: "*".
+
+    Examples of such actions include s3:ListAllMyBuckets, iam:ListRoles, etc.
+    """
+
+    @property
+    def check_id(self) -> str:
+        return "action_resource_constraint"
+
+    @property
+    def description(self) -> str:
+        return "Validates that actions without required resource types use Resource: '*'"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute action resource constraint validation on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        # Get actions and resources from statement
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        # Skip if no actions or wildcard action
+        if not actions or "*" in actions:
+            return issues
+
+        # Skip if already using wildcard resource (this is correct for these actions)
+        if "*" in resources:
+            return issues
+
+        # Check each action for resource requirements
+        actions_without_required_resources = []
+
+        for action in actions:
+            # Skip wildcard actions
+            if "*" in action:
+                continue
+
+            try:
+                # Parse action to get service and action name
+                service_prefix, action_name = fetcher.parse_action(action)
+
+                # Fetch service detail to check resource requirements
+                service_detail = await fetcher.fetch_service_by_name(service_prefix)
+
+                # Check if action exists
+                if action_name not in service_detail.actions:
+                    # Action doesn't exist - skip (will be caught by action_validation_check)
+                    continue
+
+                action_detail = service_detail.actions[action_name]
+
+                # Check if action has NO required resources (empty or missing Resources field)
+                has_no_required_resources = (
+                    not action_detail.resources or len(action_detail.resources) == 0
+                )
+
+                if has_no_required_resources:
+                    actions_without_required_resources.append(action)
+
+            except ValueError:
+                # Invalid action format - skip (will be caught by action_validation_check)
+                continue
+            except Exception:
+                # Service not found or other error - skip
+                continue
+
+        # If we found actions without required resources, report the issue
+        if actions_without_required_resources:
+            # Get a sample of the resources to show in error message
+            resource_sample = resources[:3] if len(resources) > 3 else resources
+            resource_display = ", ".join(f'"{r}"' for r in resource_sample)
+            if len(resources) > 3:
+                resource_display += f", ... ({len(resources) - 3} more)"
+
+            # Format action list
+            action_list = ", ".join(f'"{a}"' for a in actions_without_required_resources)
+
+            # Determine message based on how many actions are affected
+            if len(actions_without_required_resources) == 1:
+                message = (
+                    f"Action {action_list} does not operate on specific resources "
+                    f'and requires Resource: "*"'
+                )
+                suggestion = (
+                    f"Action {action_list} is an account-level operation that cannot target "
+                    'specific resources. Move this action to a separate statement with Resource: "*", '
+                    "and keep resource-specific actions in another statement with their specific ARNs"
+                )
+            else:
+                message = (
+                    f"Actions {action_list} do not operate on specific resources "
+                    f'and require Resource: "*"'
+                )
+                suggestion = (
+                    "These actions are account-level operations that cannot target "
+                    'specific resources. Move these actions to a dedicated statement with Resource: "*", '
+                    "and keep resource-specific actions in separate statements with their specific ARNs"
+                )
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement_sid,
+                    statement_index=statement_idx,
+                    issue_type="invalid_resource_constraint",
+                    message=message,
+                    action=action_list,
+                    resource=resource_display,
+                    suggestion=suggestion,
+                    line_number=line_number,
+                )
+            )
+
+        return issues

iam_validator/checks/action_validation.py

@@ -1,73 +1,22 @@
-"""Action validation check - validates IAM actions against AWS service definitions."""
+"""Action validation check - validates IAM actions against AWS service definitions.
 
-import re
-from functools import lru_cache
-from re import Pattern
+This check ensures that all actions specified in IAM policies are valid actions
+defined by AWS services. It helps identify typos or deprecated actions that may
+lead to unintended access permissions.
+
+This check is not necessary when using Access Analyzer, as it performs similar
+validations. However, it can be useful in environments where Access Analyzer is
+not available or for pre-deployment policy validation to catch errors early.
+"""
 
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
 
-# Global cache for compiled wildcard patterns
-@lru_cache(maxsize=512)
-def _compile_wildcard_pattern(pattern: str) -> Pattern[str]:
-    """Compile and cache wildcard patterns for O(1) reuse.
-
-    Args:
-        pattern: Wildcard pattern (e.g., "s3:Get*")
-
-    Returns:
-        Compiled regex pattern
-
-    Performance:
-        20-30x speedup by avoiding repeated pattern compilation
-    """
-    regex_pattern = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
-    return re.compile(regex_pattern, re.IGNORECASE)
-
-
 class ActionValidationCheck(PolicyCheck):
     """Validates that IAM actions exist in AWS services."""
 
-    # Default allowlist for safe wildcard patterns (read-only operations)
-    # Note: s3:Get* is intentionally excluded as reading S3 data can be sensitive
-    # Using frozenset for O(1) lookup performance
-    DEFAULT_ALLOWED_WILDCARDS = frozenset(
-        {
-            "s3:List*",
-            "s3:Describe*",
-            "ec2:Describe*",
-            "iam:Get*",
-            "iam:List*",
-            "rds:Describe*",
-            "lambda:Get*",
-            "lambda:List*",
-            "dynamodb:Describe*",
-            "cloudwatch:Describe*",
-            "cloudwatch:Get*",
-            "cloudwatch:List*",
-            "logs:Describe*",
-            "logs:Get*",
-            "logs:Filter*",
-            "kms:Describe*",
-            "kms:Get*",
-            "kms:List*",
-            "sns:Get*",
-            "sns:List*",
-            "sqs:Get*",
-            "sqs:List*",
-            "elasticloadbalancing:Describe*",
-            "autoscaling:Describe*",
-            "cloudformation:Describe*",
-            "cloudformation:Get*",
-            "cloudformation:List*",
-            "route53:Get*",
-            "route53:List*",
-            "apigateway:GET",
-        }
-    )
-
     @property
     def check_id(self) -> str:
         return "action_validation"
@@ -80,41 +29,6 @@ class ActionValidationCheck(PolicyCheck):
     def default_severity(self) -> str:
         return "error"
 
-    def _is_allowed_wildcard(
-        self, action: str, allowed_wildcards: frozenset[str] | list[str] | set[str]
-    ) -> bool:
-        """Check if a wildcard action matches the allowlist.
-
-        Args:
-            action: The action to check (e.g., "s3:Get*")
-            allowed_wildcards: Set or list of allowed wildcard patterns
-
-        Returns:
-            True if the action matches any pattern in the allowlist
-
-        Note:
-            Exact matches use O(1) set lookup for performance.
-            Pattern matches (wildcards in allowlist) require O(n) iteration.
-        """
-        # Fast O(1) exact match using set membership
-        if action in allowed_wildcards:
-            return True
-
-        # Pattern match - check if action matches any pattern in allowlist
-        # This is needed when allowlist contains wildcards like "s3:*"
-        # Uses cached compiled patterns for 20-30x speedup
-        for pattern in allowed_wildcards:
-            # Skip exact matches (already checked above)
-            if "*" not in pattern:
-                continue
-
-            # Use cached compiled pattern
-            compiled = _compile_wildcard_pattern(pattern)
-            if compiled.match(action):
-                return True
-
-        return False
-
     async def execute(
         self,
         statement: Statement,
@@ -122,7 +36,11 @@ class ActionValidationCheck(PolicyCheck):
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
     ) -> list[ValidationIssue]:
-        """Execute action validation on a statement."""
+        """Execute action validation on a statement.
+
+        This check ONLY validates that actions exist in AWS service definitions.
+        Wildcard security checks are handled by security_best_practices_check.
+        """
         issues = []
 
         # Get actions from statement
@@ -130,28 +48,13 @@ class ActionValidationCheck(PolicyCheck):
         statement_sid = statement.sid
         line_number = statement.line_number
 
-        # Get allowed wildcards from config, or use defaults
-        allowed_wildcards_raw = config.config.get(
-            "allowed_wildcards", self.DEFAULT_ALLOWED_WILDCARDS
-        )
-
-        # Convert list to frozenset for O(1) lookups (if from config)
-        # DEFAULT_ALLOWED_WILDCARDS is already a frozenset
-        if isinstance(allowed_wildcards_raw, list):
-            allowed_wildcards = frozenset(allowed_wildcards_raw)
-        else:
-            allowed_wildcards = allowed_wildcards_raw
-
-        # Check if wildcard warnings are disabled entirely
-        disable_wildcard_warnings = config.config.get("disable_wildcard_warnings", False)
-
         for action in actions:
-            # Wildcard-only actions are handled by security checks
-            if action == "*":
+            # Skip wildcard actions - they're handled by security_best_practices_check
+            if action == "*" or "*" in action:
                 continue
 
-            # Validate the action
-            is_valid, error_msg, is_wildcard = await fetcher.validate_action(action)
+            # Validate the action exists in AWS
+            is_valid, error_msg, _is_wildcard = await fetcher.validate_action(action)
 
             if not is_valid:
                 issues.append(
@@ -165,28 +68,5 @@ class ActionValidationCheck(PolicyCheck):
                         line_number=line_number,
                     )
                 )
-            elif is_wildcard:
-                # Check if this wildcard is in the allowlist
-                if self._is_allowed_wildcard(action, allowed_wildcards):
-                    # Wildcard is allowed, skip warning
-                    continue
-
-                # Wildcard actions are security concerns (unless disabled)
-                # Note: This uses "info" severity by default because the security_best_practices
-                # check provides more comprehensive wildcard analysis with proper security severities.
-                # This is mainly informational - the action IS valid, just uses a wildcard.
-                if not disable_wildcard_warnings:
-                    issues.append(
-                        ValidationIssue(
-                            severity="info",  # Changed from "warning" - this is just informational
-                            statement_sid=statement_sid,
-                            statement_index=statement_idx,
-                            issue_type="wildcard_action",
-                            message=f"Action uses wildcard: {action}",
-                            action=action,
-                            suggestion="Consider using specific actions instead of wildcards for better security",
-                            line_number=line_number,
-                        )
-                    )
 
         return issues