GitHub: [https://github.com/gopinath2866/sis-rules-engine](https://github.com/gopinath2866/sis-rules-engine)
I built *SIS (Security Inspection System)* to catch security issues in rule-based and policy-driven systems before they reach production.
While auditing systems using things like OPA/Rego, IAM policies, and custom RBAC logic, I kept seeing the same class of problems: overly permissive rules, missing deny paths, wildcard conditions, and logic that looked correct but created security risk.
SIS is a *static analyzer* (Go CLI) that lets you:
* Define security rules in YAML / JSON
* Scan policy and configuration files
* Catch common misconfigurations deterministically (no runtime access)
Key characteristics:
* Static analysis only (no credentials, no runtime hooks)
* Extensible rule engine
* Designed for CI/CD or pre-deployment checks
* Explicitly scoped (not a vuln scanner, not runtime monitoring)
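Added example, not part of the original post or of the SIS code base: a minimal Go sketch of the kind of deterministic, file-only check described above, run against an IAM-style policy document. The `Policy`/`Statement` shape, the rule names (`WILDCARD_ACTION`, `WILDCARD_RESOURCE_NO_CONDITION`, `NO_DENY_PATH`) and the sample document are all constructed for illustration; SIS's real rule format and checks are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Policy mirrors a simplified IAM-style policy document. This is an assumed
// schema for the example, not SIS's own rule or policy model.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Statement keeps Action/Resource as raw JSON because IAM allows either a
// single string or an array of strings in those fields.
type Statement struct {
	Sid       string          `json:"Sid,omitempty"`
	Effect    string          `json:"Effect"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
	Condition map[string]any  `json:"Condition,omitempty"`
}

// Finding is one rule hit: the rule id, the offending statement, and why.
type Finding struct {
	Rule string
	Sid  string
	Msg  string
}

// asList normalises a string-or-array JSON value into a slice of strings.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // missing or malformed field yields an empty list
	return many
}

// wildcardAction is true for "*" or a service-wide "svc:*" action.
func wildcardAction(vals []string) bool {
	for _, v := range vals {
		if v == "*" || strings.HasSuffix(v, ":*") {
			return true
		}
	}
	return false
}

// starResource is true only for the bare "*" resource.
func starResource(vals []string) bool {
	for _, v := range vals {
		if v == "*" {
			return true
		}
	}
	return false
}

// Scan applies three static checks to a policy document and returns every
// hit. It reads only the bytes it is given: no credentials, no live calls.
func Scan(doc []byte) ([]Finding, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var out []Finding
	sawDeny := false
	for _, s := range p.Statement {
		if s.Effect == "Deny" {
			sawDeny = true
			continue
		}
		if wildcardAction(asList(s.Action)) {
			out = append(out, Finding{"WILDCARD_ACTION", s.Sid, "Allow statement grants a wildcard action"})
		}
		// A "*" resource is sometimes unavoidable (list-style APIs), so only
		// flag it when nothing constrains it.
		if starResource(asList(s.Resource)) && len(s.Condition) == 0 {
			out = append(out, Finding{"WILDCARD_RESOURCE_NO_CONDITION", s.Sid, "Allow on resource \"*\" with no Condition block"})
		}
	}
	if !sawDeny {
		out = append(out, Finding{"NO_DENY_PATH", "", "policy has no explicit Deny statement"})
	}
	return out, nil
}

// samplePolicy is a constructed document: one over-broad statement, one
// conditioned "*" resource that should pass, and no Deny path.
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ListBuckets", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}`

func main() {
	doc := []byte(samplePolicy)
	if len(os.Args) > 1 { // optionally scan a policy file given on the command line
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		doc = b
	}
	findings, err := Scan(doc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-32s %-12s %s\n", f.Rule, f.Sid, f.Msg)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit so a CI step fails on findings
	}
}
```

The exit code is the piece that makes a check like this usable as a pre-deployment gate: the scan is pure, repeatable and needs nothing but the file, so the same input always produces the same verdict.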
This is the *v1.0.0 stable release* — semver starts here, with documented guarantees and non-guarantees.
I’d especially appreciate feedback from people working with:
* OPA / Rego
* Cloud IAM (AWS / GCP / Azure)
* Custom RBAC / ABAC systems
* Policy-as-code pipelines
I’m also offering a *free static audit* for a small number of teams using SIS, if you want real-world feedback.
Happy to answer technical questions or discuss design tradeoffs.