iam-policy-validator 1.10.2__tar.gz → 1.10.3__tar.gz

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/.github/workflows/ci.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
@@ -48,7 +48,7 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
@@ -72,7 +72,7 @@ jobs:
     needs: [lint, test]
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
@@ -96,7 +96,7 @@ jobs:
     needs: [lint, test]
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/.github/workflows/cleanup-prereleases.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Cleanup old pre-releases
         env:

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/.github/workflows/codeql.yml

@@ -26,18 +26,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4
+        uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-extended,security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4
+        uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4
+        uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v4
         with:
           category: "/language:${{matrix.language}}"

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/.github/workflows/pre-release.yml

@@ -69,7 +69,7 @@ jobs:
           echo "✅ PR #${{ inputs.pr_number }}: $TITLE (branch: $BRANCH)"
 
       - name: Checkout PR branch
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.pr_info.outputs.branch }}
           fetch-depth: 0

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0 # Full history for changelog generation
 
@@ -147,7 +147,7 @@ jobs:
 
   #   steps:
   #     - name: Checkout code
-  #       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+  #       uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
   #     - name: Configure Git
   #       run: |

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/.github/workflows/scorecard.yml

@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           persist-credentials: false
 
@@ -57,6 +57,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
         with:
           sarif_file: results.sarif

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.10.2
+Version: 1.10.3
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/docs/check-reference.md

@@ -1136,6 +1136,30 @@ wildcard_action:
 
 **Exception:** Allowed if ALL actions are in the allowed_wildcards list (read-only operations).
 
+#### Dual Matching Strategy
+
+The check uses **two complementary matching strategies** for maximum flexibility:
+
+**1. Literal Match (Fast Path - no AWS API calls)**
+- Policy actions match config patterns exactly as strings
+- Example: Policy `"iam:Get*"` matches config `"iam:Get*"` → ✅ PASS
+- Performance benefit: No AWS API expansion needed
+
+**2. Expanded Match (Comprehensive Path - uses AWS API)**
+- Both policy actions and config patterns expand to actual AWS actions
+- Example: Policy `"iam:GetUser"` matches config `"iam:Get*"` (expanded) → ✅ PASS
+- Ensures semantic correctness
+
+**Supported Scenarios:**
+
+| Policy Action           | Config Pattern        | Match Type | Result |
+| ----------------------- | --------------------- | ---------- | ------ |
+| `iam:Get*`              | `iam:Get*`            | Literal    | ✅ Pass |
+| `iam:GetUser`           | `iam:Get*`            | Expanded   | ✅ Pass |
+| `iam:Get*, iam:List*`   | `iam:Get*, iam:List*` | Literal    | ✅ Pass |
+| `iam:Get*, iam:GetUser` | `iam:Get*`            | Literal    | ✅ Pass |
+| `iam:Delete*`           | `iam:Get*`            | None       | ❌ Fail |
+
 #### Configuration
 
 ```yaml
@@ -1143,10 +1167,17 @@ wildcard_resource:
   enabled: true
   severity: medium
   # Actions allowed with Resource: "*" (default from Python module)
+  # Supports BOTH literal matching and pattern expansion
   allowed_wildcards:
-    - "ec2:Describe*"
-    - "s3:List*"
-    - "iam:Get*"
+    # Wildcard patterns - match both literally and expanded
+    - "ec2:Describe*"    # Matches: ec2:Describe* OR ec2:DescribeInstances
+    - "s3:List*"         # Matches: s3:List* OR s3:ListBucket
+    - "iam:Get*"         # Matches: iam:Get* OR iam:GetUser
+
+    # Specific actions - match only via expansion
+    - "iam:GetUser"      # Matches: iam:GetUser only
+    - "s3:ListBucket"    # Matches: s3:ListBucket only
+
     # ... 25 patterns by default
 ```
 
@@ -1165,16 +1196,31 @@ wildcard_resource:
 **Issue:** `Statement applies to all resources (*)`
 **Severity:** `medium`
 
-✅ **PASS: Wildcard with allowed read-only actions**
+✅ **PASS: Wildcard actions with literal match (fast path)**
+```json
+{
+  "Statement": [{
+    "Effect": "Allow",
+    "Action": ["iam:Get*", "iam:List*"],  // Wildcard actions
+    "Resource": "*"  // OK - matches config literally
+  }]
+}
+```
+**Config:** `allowed_wildcards: ["iam:Get*", "iam:List*"]`
+**Match:** Literal string match (no AWS API call needed)
+
+✅ **PASS: Specific actions with expanded match**
 ```json
 {
   "Statement": [{
     "Effect": "Allow",
-    "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],  // All allowed
-    "Resource": "*"  // OK for describe actions
+    "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],  // Specific actions
+    "Resource": "*"  // OK - all match when config expands
   }]
 }
 ```
+**Config:** `allowed_wildcards: ["ec2:Describe*"]`
+**Match:** Config expands to include these specific actions
 
 ✅ **PASS: Specific resource**
 ```json
@@ -1187,15 +1233,7 @@ wildcard_resource:
 }
 ```
 
-**Customize allowed wildcards:**
-```yaml
-wildcard_resource:
-  allowed_wildcards:
-    - "cloudwatch:Describe*"
-    - "cloudwatch:Get*"
-    - "cloudwatch:List*"
-    # Only these patterns allowed with Resource: "*"
-```
+**Performance Tip:** Use exact patterns in both policy and config for fastest validation (literal match path).
 
 ---
 

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/examples/configs/full-reference-config.yaml

@@ -567,19 +567,68 @@ wildcard_action:
 # Check for wildcard resources (Resource: "*")
 # Flags statements that apply to all resources
 # Exception: Allowed if ALL actions are in allowed_wildcards list
+#
+# ⚡ DUAL MATCHING STRATEGY:
+# The check uses two complementary matching strategies to maximize flexibility:
+#
+# 1. LITERAL MATCH (Fast Path - no AWS API calls):
+#    - Policy actions match config patterns exactly as strings
+#    - Example:
+#        Config:  allowed_wildcards: ["iam:Get*", "iam:List*"]
+#        Policy:  Action: ["iam:Get*", "iam:List*"], Resource: "*"
+#        Result:  ✅ PASS (literal string match: "iam:Get*" == "iam:Get*")
+#
+# 2. EXPANDED MATCH (Comprehensive Path - uses AWS API):
+#    - Both policy actions and config patterns expand to actual AWS actions
+#    - Example:
+#        Config:  allowed_wildcards: ["iam:Get*"]
+#                 → expands to ["iam:GetUser", "iam:GetRole", "iam:GetPolicy", ...]
+#        Policy:  Action: ["iam:GetUser"], Resource: "*"
+#        Result:  ✅ PASS (iam:GetUser is in expanded list)
+#
+# SUPPORTED SCENARIOS:
+#   ┌─────────────────────────┬────────────────────────┬────────────┬────────────┐
+#   │ Policy Action           │ Config Pattern         │ Match Type │ Result     │
+#   ├─────────────────────────┼────────────────────────┼────────────┼────────────┤
+#   │ iam:Get*                │ iam:Get*               │ Literal    │ ✅ Pass    │
+#   │ iam:GetUser             │ iam:Get*               │ Expanded   │ ✅ Pass    │
+#   │ iam:Get*, iam:List*     │ iam:Get*, iam:List*    │ Literal    │ ✅ Pass    │
+#   │ iam:Get*, iam:GetUser   │ iam:Get*               │ Literal    │ ✅ Pass    │
+#   │ iam:Delete*             │ iam:Get*               │ None       │ ❌ Fail    │
+#   └─────────────────────────┴────────────────────────┴────────────┴────────────┘
+#
+# PERFORMANCE TIP:
+#   - Literal matching is faster (no AWS API expansion)
+#   - Use exact patterns in both policy and config for best performance
+#
 wildcard_resource:
   enabled: true
   severity: medium # Security issue: medium severity
   description: "Checks for wildcard resources (*)"
 
   # Allowed wildcard patterns for actions that can be used with Resource: "*"
+  # Supports BOTH literal matching and pattern expansion via AWS API
+  #
   # Defaults are loaded from Python (iam_validator/core/config/wildcards.py)
   # Override here to customize. Default includes describe/get/list patterns for:
   #   - autoscaling, cloudwatch, dynamodb, ec2, elb, iam, kms, lambda
   #   - logs, rds, route53, s3 (safe operations only), sqs, apigateway
+  #
+  # Examples:
   # allowed_wildcards:
-  #   - "ec2:Describe*"
-  #   - "s3:List*"
+  #   # Option 1: Specific wildcard patterns (will match both literally and expanded)
+  #   - "ec2:Describe*"     # Matches: ec2:Describe* (literal) OR ec2:DescribeInstances (expanded)
+  #   - "s3:List*"          # Matches: s3:List* (literal) OR s3:ListBucket (expanded)
+  #   - "iam:Get*"          # Matches: iam:Get* (literal) OR iam:GetUser (expanded)
+  #
+  #   # Option 2: Specific actions (will only match via expansion)
+  #   - "iam:GetUser"       # Only matches: iam:GetUser
+  #   - "s3:ListBucket"     # Only matches: s3:ListBucket
+  #
+  #   # Option 3: Mix both approaches
+  #   - "ec2:Describe*"     # Wildcard pattern
+  #   - "iam:GetUser"       # Specific action
+  #   - "s3:List*"          # Wildcard pattern
 
   # Customize validation messages (optional)
   message: "Statement applies to all resources (*)"

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.10.2"
+__version__ = "1.10.3"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/iam_validator/checks/wildcard_resource.py

@@ -39,22 +39,44 @@ class WildcardResourceCheck(PolicyCheck):
             # to all matching AWS actions using the AWS API, then checking if the policy's
             # actions are in that expanded list. This ensures only validated AWS actions
             # are allowed with Resource: "*".
+            allowed_wildcards_config = config.config.get("allowed_wildcards", [])
             allowed_wildcards_expanded = await self._get_expanded_allowed_wildcards(config, fetcher)
 
             # Check if ALL actions (excluding full wildcard "*") are in the expanded list
             non_wildcard_actions = [a for a in actions if a != "*"]
 
-            if allowed_wildcards_expanded and non_wildcard_actions:
-                # Check if all actions are in the expanded allowed list (exact match)
-                all_actions_allowed = all(
-                    action in allowed_wildcards_expanded for action in non_wildcard_actions
+            if (allowed_wildcards_config or allowed_wildcards_expanded) and non_wildcard_actions:
+                # Strategy 1: Check literal pattern match (fast path)
+                # If policy action matches config pattern literally, allow it
+                # Example: Policy has "iam:Get*", config has "iam:Get*" -> match
+                all_actions_allowed_literal = all(
+                    action in allowed_wildcards_config for action in non_wildcard_actions
                 )
 
-                # If all actions are in the expanded list, skip the wildcard resource warning
-                if all_actions_allowed:
-                    # All actions are safe, Resource: "*" is acceptable
+                if all_actions_allowed_literal:
+                    # All actions match literally, Resource: "*" is acceptable
                     return issues
 
+                # Strategy 2: Check expanded pattern match (comprehensive path)
+                # Expand both policy actions and config patterns, then compare
+                # Example: Policy has "iam:Get*" -> ["iam:GetUser", ...],
+                #          config has "iam:Get*" -> ["iam:GetUser", ...] -> all match
+                if allowed_wildcards_expanded:
+                    expanded_statement_actions = await expand_wildcard_actions(
+                        non_wildcard_actions, fetcher
+                    )
+
+                    # Check if all expanded actions are in the expanded allowed list (exact match)
+                    all_actions_allowed_expanded = all(
+                        action in allowed_wildcards_expanded
+                        for action in expanded_statement_actions
+                    )
+
+                    # If all actions are in the expanded list, skip the wildcard resource warning
+                    if all_actions_allowed_expanded:
+                        # All actions are safe, Resource: "*" is acceptable
+                        return issues
+
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
             message = config.config.get(
                 "message", 'Statement applies to all resources `"*"` (wildcard resource).'

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/iam_validator/core/config/defaults.py

@@ -344,13 +344,41 @@ DEFAULT_CONFIG = {
     # Check for wildcard resources (Resource: "*")
     # Flags statements that apply to all resources
     # Exception: Allowed if ALL actions are in allowed_wildcards list
+    #
+    # DUAL MATCHING STRATEGY:
+    # The check uses two complementary matching strategies for maximum flexibility:
+    #
+    # 1. LITERAL MATCH (Fast Path - no AWS API calls):
+    #    Policy actions match config patterns exactly as strings
+    #    Example: Policy "iam:Get*" matches config "iam:Get*" → PASS
+    #
+    # 2. EXPANDED MATCH (Comprehensive Path - uses AWS API):
+    #    Both policy actions and config patterns expand to actual AWS actions
+    #    Example: Policy "iam:GetUser" matches config "iam:Get*" (expanded) → PASS
+    #
+    # SUPPORTED SCENARIOS:
+    #   Policy Action         Config Pattern        Match Type   Result
+    #   iam:Get*              iam:Get*              Literal      ✅ Pass
+    #   iam:GetUser           iam:Get*              Expanded     ✅ Pass
+    #   iam:Get*, iam:List*   iam:Get*, iam:List*   Literal      ✅ Pass
+    #   iam:Get*, iam:GetUser iam:Get*              Literal      ✅ Pass
+    #   iam:Delete*           iam:Get*              None         ❌ Fail
+    #
+    # PERFORMANCE TIP: Literal matching is faster (no AWS API expansion)
     "wildcard_resource": {
         "enabled": True,
         "severity": "medium",  # Security issue
         "description": "Checks for wildcard resources (*)",
         # Allowed wildcard patterns for actions that can be used with Resource: "*"
+        # Supports BOTH literal matching and pattern expansion via AWS API
+        #
         # Default: 25 read-only patterns (Describe*, List*, Get*)
         # See: iam_validator/core/config/wildcards.py
+        #
+        # Examples:
+        #   ["ec2:Describe*"]  # Matches: ec2:Describe* (literal) OR ec2:DescribeInstances (expanded)
+        #   ["iam:GetUser"]    # Matches: iam:GetUser only
+        #   ["s3:List*"]       # Matches: s3:List* (literal) OR s3:ListBucket (expanded)
         "allowed_wildcards": list(DEFAULT_ALLOWED_WILDCARDS),
         "message": "Statement applies to all resources (*)",
         "suggestion": "Replace wildcard with specific resource ARNs",

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "iam-policy-validator"
-version = "1.10.2"
+version = "1.10.3"
 description = "Validate AWS IAM policies for correctness and security using AWS Service Reference API"
 readme = "README.md"
 requires-python = ">=3.10"

{iam_policy_validator-1.10.2 → iam_policy_validator-1.10.3}/tests/test_wildcard_resource_check.py

@@ -347,3 +347,138 @@ class TestWildcardResourceCheck:
 
         # ARN with wildcard pattern is not the same as Resource: "*"
         assert len(issues) == 0
+
+    @pytest.mark.asyncio
+    async def test_wildcard_actions_in_policy_with_allowed_wildcards(self, check, fetcher):
+        """Test that wildcard actions in policy match against allowed_wildcards config.
+
+        This is a regression test for the bug where policy actions like "iam:Get*"
+        were not being expanded before comparison with the expanded allowed_wildcards list.
+
+        Config: allowed_wildcards: ["iam:Get*", "iam:List*"]
+        Policy: Action: ["iam:Get*", "iam:List*"], Resource: "*"
+        Expected: No issues (wildcards should be allowed)
+        """
+        config = CheckConfig(
+            check_id="wildcard_resource",
+            enabled=True,
+            config={"allowed_wildcards": ["iam:Get*", "iam:List*"]},
+        )
+
+        statement = Statement(
+            Sid="GeneralReadOnly",
+            Effect="Allow",
+            Action=["iam:Get*", "iam:List*"],
+            Resource=["*"],
+        )
+
+        issues = await check.execute(statement, 0, fetcher, config)
+
+        # Both wildcard actions should be allowed because they match the allowed patterns
+        assert len(issues) == 0
+
+    @pytest.mark.asyncio
+    async def test_wildcard_actions_partial_match_with_allowed_wildcards(self, check, fetcher):
+        """Test that only partially matching wildcard actions are flagged.
+
+        Config: allowed_wildcards: ["iam:Get*"]
+        Policy: Action: ["iam:Get*", "iam:Delete*"], Resource: "*"
+        Expected: Issue flagged (iam:Delete* is not in allowed list)
+        """
+        config = CheckConfig(
+            check_id="wildcard_resource",
+            enabled=True,
+            config={"allowed_wildcards": ["iam:Get*"]},
+        )
+
+        statement = Statement(
+            Effect="Allow",
+            Action=["iam:Get*", "iam:Delete*"],
+            Resource=["*"],
+        )
+
+        issues = await check.execute(statement, 0, fetcher, config)
+
+        # iam:Delete* doesn't match iam:Get*, so should be flagged
+        assert len(issues) == 1
+
+    @pytest.mark.asyncio
+    async def test_literal_match_without_expansion(self, check, fetcher):
+        """Test literal pattern matching (fast path) without AWS API expansion.
+
+        When policy actions exactly match config patterns (literal string match),
+        the check should pass without needing to expand via AWS API.
+
+        Config: allowed_wildcards: ["iam:Get*"]
+        Policy: Action: ["iam:Get*"], Resource: "*"
+        Expected: No issues (literal match: "iam:Get*" == "iam:Get*")
+        """
+        config = CheckConfig(
+            check_id="wildcard_resource",
+            enabled=True,
+            config={"allowed_wildcards": ["iam:Get*"]},
+        )
+
+        statement = Statement(
+            Effect="Allow",
+            Action=["iam:Get*"],
+            Resource=["*"],
+        )
+
+        issues = await check.execute(statement, 0, fetcher, config)
+
+        # Should pass via literal match (fast path)
+        assert len(issues) == 0
+
+    @pytest.mark.asyncio
+    async def test_specific_action_with_wildcard_config_expansion(self, check, fetcher):
+        """Test specific actions matched against wildcard config (expansion path).
+
+        When policy has specific actions and config has wildcards, the config
+        should expand to match the specific actions.
+
+        Config: allowed_wildcards: ["iam:Get*"] -> expands to ["iam:GetUser", "iam:GetRole", ...]
+        Policy: Action: ["iam:GetUser"], Resource: "*"
+        Expected: No issues (iam:GetUser is in expanded list)
+        """
+        config = CheckConfig(
+            check_id="wildcard_resource",
+            enabled=True,
+            config={"allowed_wildcards": ["iam:Get*"]},
+        )
+
+        statement = Statement(
+            Effect="Allow",
+            Action=["iam:GetUser"],
+            Resource=["*"],
+        )
+
+        issues = await check.execute(statement, 0, fetcher, config)
+
+        # Should pass via expansion match
+        assert len(issues) == 0
+
+    @pytest.mark.asyncio
+    async def test_mixed_literal_and_expanded_match(self, check, fetcher):
+        """Test mix of literal and expanded actions.
+
+        Policy: Action: ["iam:Get*", "iam:GetUser"], Resource: "*"
+        Config: allowed_wildcards: ["iam:Get*"]
+        Expected: No issues (iam:Get* matches literally, iam:GetUser matches via expansion)
+        """
+        config = CheckConfig(
+            check_id="wildcard_resource",
+            enabled=True,
+            config={"allowed_wildcards": ["iam:Get*"]},
+        )
+
+        statement = Statement(
+            Effect="Allow",
+            Action=["iam:Get*", "iam:GetUser"],
+            Resource=["*"],
+        )
+
+        issues = await check.execute(statement, 0, fetcher, config)
+
+        # Should pass: iam:Get* matches literally, triggers fast path
+        assert len(issues) == 0