chore: clean up repo and add .gitignore

Author: RkSinghDeo

.github/workflows/test.yml

@@ -0,0 +1,21 @@
+name: test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.10"
+    - name: Install dependencies
+      run: pip install .[dev]
+    - name: Run tests
+      run: pytest

.gitignore

@@ -0,0 +1,16 @@
+# Python
+__pycache__/
+*.pyc
+
+# Env & dependencies
+.venv/
+*.egg-info/
+.env
+
+# IDE
+.vscode/
+.idea/
+
+# OS
+.DS_Store
+Thumbs.db

README.md

@@ -0,0 +1,50 @@
+# devolv-validator
+
+**devolv-validator** is a Python CLI tool that statically validates AWS IAM policies (JSON or YAML) for risky patterns such as wildcards, privilege escalation risks, and bad practices.
+
+## 🚀 Features
+
+- 🚩 Detects wildcards in `Action` and `Resource`
+- 🔐 Flags `iam:PassRole` on wildcard `Resource`
+- 📂 Supports both JSON and YAML formats
+- ⚙️ Clean CLI built with Typer
+- ✅ Ready for CI with GitHub Actions
+
+## 📦 Installation
+
+```bash
+pip install devolv-validator
+```
+
+## 🛠 Usage
+
+```bash
+devolv-validator validate path/to/policy.json
+```
+
+## 📁 Example
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "*",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+This policy will be flagged with high-severity warnings.
+
+## 🧪 Run Tests
+
+```bash
+pytest
+```
+
+## 🧰 About
+
+This is part of the [devolv](https://github.com/devolvdev) OSS DevOps toolkit.

devolv/__init__.py

@@ -0,0 +1,8 @@
+import typer
+from devolv.iam.validator.cli import app as validate_app
+
+app = typer.Typer(help="Devolv CLI - Modular DevOps Toolkit")
+app.add_typer(validate_app, name="validate")
+
+if __name__ == "__main__":
+    app()

devolv/cli.py

@@ -0,0 +1,17 @@
+import typer
+from devolv.iam.validator.core import validate_policy_file
+
+app = typer.Typer(help="IAM Validator CLI")
+
+@app.command("file")
+def validate_file(path: str):
+    """
+    Validate an AWS IAM policy file (JSON or YAML).
+    """
+    findings = validate_policy_file(path)
+    if not findings:
+        typer.secho("✅ Policy is valid and passed all checks.", fg=typer.colors.GREEN)
+    else:
+        for finding in findings:
+            typer.secho(f"❌ {finding['level'].upper()}: {finding['message']}", fg=typer.colors.RED)
+        raise typer.Exit(code=1)

devolv/iam/__init__.py

@@ -0,0 +1,23 @@
+import json
+import yaml
+from pathlib import Path
+from devolv.iam.validator.rules import RULES
+
+def load_policy(path: str):
+    with open(path, "r") as f:
+        if path.endswith((".yaml", ".yml")):
+            return yaml.safe_load(f)
+        return json.load(f)
+
+def validate_policy_file(path: str):
+    data = load_policy(path)
+    findings = []
+    for rule in RULES:
+        result = rule["check"](data)
+        if result:
+            findings.append({
+                "id": rule["id"],
+                "level": rule["level"],
+                "message": result
+            })
+    return findings

devolv/iam/validator/__init__.py

@@ -0,0 +1,39 @@
+def check_wildcard_actions(policy):
+    statements = policy.get("Statement", [])
+    if not isinstance(statements, list):
+        statements = [statements]
+    for stmt in statements:
+        actions = stmt.get("Action", [])
+        if isinstance(actions, str):
+            actions = [actions]
+        if any(a == "*" or a.endswith(":*") for a in actions):
+            return "Policy uses wildcard in Action, which is overly permissive."
+    return None
+
+def check_passrole_wildcard(policy):
+    statements = policy.get("Statement", [])
+    if not isinstance(statements, list):
+        statements = [statements]
+    for stmt in statements:
+        actions = stmt.get("Action", [])
+        resources = stmt.get("Resource", [])
+        if isinstance(actions, str): actions = [actions]
+        if isinstance(resources, str): resources = [resources]
+        if "iam:PassRole" in actions and "*" in resources:
+            return "iam:PassRole with wildcard resource can lead to privilege escalation."
+    return None
+
+RULES = [
+    {
+        "id": "IAM001",
+        "level": "high",
+        "description": "Wildcard in action",
+        "check": check_wildcard_actions
+    },
+    {
+        "id": "IAM002",
+        "level": "high",
+        "description": "PassRole with wildcard",
+        "check": check_passrole_wildcard
+    }
+]