Show HN: Sis v1.0.0 – Static security scanner for rule engines and policy layers
1 point | 1 hour ago | 0 comments | github.com
GitHub: [https://github.com/gopinath2866/sis-rules-engine](https://github.com/gopinath2866/sis-rules-engine)

I built *SIS (Security Inspection System)* to catch security issues in rule-based and policy-driven systems before they reach production.

While auditing systems using things like OPA/Rego, IAM policies, and custom RBAC logic, I kept seeing the same class of problems: overly permissive rules, missing deny paths, wildcard conditions, and logic that looked correct but created security risk.

SIS is a *static analyzer* (Go CLI) that lets you:

* Define security rules in YAML / JSON
* Scan policy and configuration files
* Catch common misconfigurations deterministically (no runtime access)

Key characteristics:

* Static analysis only (no credentials, no runtime hooks)
* Extensible rule engine
* Designed for CI/CD or pre-deployment checks
* Explicitly scoped (not a vuln scanner, not runtime monitoring)

This is the *v1.0.0 stable release* — semver starts here, with documented guarantees and non-guarantees.

I’d especially appreciate feedback from people working with:

* OPA / Rego
* Cloud IAM (AWS / GCP / Azure)
* Custom RBAC / ABAC systems
* Policy-as-code pipelines

I’m also offering a *free static audit* for a small number of teams using SIS, if you want real-world feedback.

Happy to answer technical questions or discuss design tradeoffs.
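As an added illustration of the class of check the post describes (overly permissive wildcards and missing deny paths), here is a small Go scanner that statically inspects an AWS IAM policy document. It is example code written for this page, not SIS's own code, and the `Scan`/`hasStar` functions and the `Sample` policy are constructed assumptions rather than the project's rule format.

```go
package main

import "encoding/json"

// Minimal AWS IAM statement; Action and Resource may be a string or a list.
type Statement struct {
	Effect           string
	Action, Resource json.RawMessage
}

// hasStar reports whether a string-or-list field contains the bare wildcard "*".
func hasStar(raw json.RawMessage) bool {
	var vals []string
	if json.Unmarshal(raw, &vals) != nil { // not a list, so decode a bare string
		var one string
		_ = json.Unmarshal(raw, &one)
		vals = []string{one}
	}
	for _, v := range vals {
		if v == "*" {
			return true
		}
	}
	return false
}

// Scan runs two purely static checks over an IAM policy document: it returns
// the indexes of Allow statements whose Action or Resource is "*", and whether
// the policy contains any explicit Deny statement (absence = missing deny path).
func Scan(doc []byte) (wildcardAllows []int, hasDeny bool, err error) {
	var p struct{ Statement []Statement }
	if err = json.Unmarshal(doc, &p); err != nil {
		return nil, false, err
	}
	for i, s := range p.Statement {
		switch {
		case s.Effect == "Deny":
			hasDeny = true
		case s.Effect == "Allow" && (hasStar(s.Action) || hasStar(s.Resource)):
			wildcardAllows = append(wildcardAllows, i)
		}
	}
	return wildcardAllows, hasDeny, nil
}

// Sample is a constructed policy (not from the project): one tightly scoped
// Allow, one Allow with Resource "*", and no Deny statement.
const Sample = `{"Version":"2012-10-17","Statement":[
{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::app-bucket/*"},
{"Effect":"Allow","Action":["iam:*","sts:AssumeRole"],"Resource":"*"}]}`
```

Running `Scan([]byte(Sample))` reports statement 1 as a wildcard Allow and no deny path; the same check runs in CI against policy files with no cloud credentials involved.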
