Metadata-Version: 2.4
Name: trustfix
Version: 1.0.2
Summary: Non-Human Identity Security Platform — detect OIDC trust policy misconfigurations, validate fixes with a 6-layer Policy Intelligence Engine, and auto-generate Terraform PRs.
Home-page: https://trustfix.dev
Author: Vikavi Security LLC
Author-email: Vikavi Security LLC <security@trustfix.dev>
License: MIT
Project-URL: Homepage, https://trustfix.dev
Project-URL: Repository, https://github.com/trustfix/trustfix-action
Project-URL: Bug Tracker, https://github.com/trustfix/trustfix-action/issues
Keywords: nhi,non-human-identity,oidc,aws,iam,security,github-actions,terraform,devsecops,trust-policy,cloud-security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.8
Description-Content-Type: text/markdown
Dynamic: author
Dynamic: home-page
Dynamic: requires-python

# TrustFix — Non-Human Identity Security Platform

Secure Every Non-Human Identity in Your Cloud.

TrustFix detects OIDC trust policy misconfigurations, validates fixes
with a 6-layer Policy Intelligence Engine, and auto-generates Terraform
PRs — so your CI/CD pipelines never have more access than they need.

Starting with GitHub Actions + AWS. GitLab CI, Azure AD, and GCP
Workload Identity coming Q3-Q4 2026.

## Quick Start

- **Platform:** [trustfix.dev](https://trustfix.dev)
- **Free GitHub Action:** [GitHub Marketplace](https://github.com/marketplace/actions/trustfix-oidc-security-scanner)
- **CLI:** `npx oidc-audit scan`

## What It Detects — 10 Finding Types

| Finding | Severity |
|---------|----------|
| Missing sub condition — any repo can assume your role | CRITICAL |
| Overly broad wildcard trust (StringLike) | HIGH |
| Fork PR risk (hardcoded ARN + pull_request trigger) | HIGH |
| Wildcard environment | HIGH |
| Missing audience (aud) condition | HIGH |
| Expired OIDC provider | MEDIUM |
| Overprivileged CI/CD role | HIGH |
| Admin access in CI/CD role | CRITICAL |
| AI agent overprivileged role | CRITICAL |
| AI agent missing scope condition | HIGH |
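
The first five rows above are all properties of the role's IAM trust policy itself, so they can be checked offline from the policy JSON. The following is an added example (not TrustFix or oidc-audit code) of a minimal checker for four of those finding types: missing `sub` condition, overly broad StringLike wildcard, wildcard environment, and missing `aud` condition. The account id, org and repo names in the sample policies are constructed placeholders; the condition keys `token.actions.githubusercontent.com:sub` and `:aud` are the real keys AWS exposes for the GitHub OIDC provider.

```python
import json
from typing import Any, Dict, List, Tuple

# GitHub's OIDC issuer host; AWS exposes the token claims as condition keys under it.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC_HOST + ":sub"
AUD_KEY = GITHUB_OIDC_HOST + ":aud"

Finding = Tuple[str, str]  # (severity, message)


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_github_oidc_statement(stmt: Dict[str, Any]) -> bool:
    """True for an Allow statement that lets the GitHub OIDC provider assume the role."""
    if stmt.get("Effect") != "Allow":
        return False
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
        return False
    principal = stmt.get("Principal") or {}
    federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
    return any(GITHUB_OIDC_HOST in str(arn) for arn in federated)


def _conditions_for(stmt: Dict[str, Any], key: str) -> List[Tuple[str, str]]:
    """Return (operator, value) pairs for every condition entry on `key`; keys are case-insensitive."""
    pairs: List[Tuple[str, str]] = []
    for operator, mapping in (stmt.get("Condition") or {}).items():
        for cond_key, values in mapping.items():
            if cond_key.lower() == key.lower():
                pairs.extend((operator, str(v)) for v in _as_list(values))
    return pairs


def analyze_trust_policy(policy_json: str) -> List[Finding]:
    """Flag missing sub/aud conditions and wildcard sub patterns for each GitHub OIDC statement."""
    policy = json.loads(policy_json)
    findings: List[Finding] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _is_github_oidc_statement(stmt):
            continue
        subs = _conditions_for(stmt, SUB_KEY)
        auds = _conditions_for(stmt, AUD_KEY)
        if not subs:
            findings.append(("CRITICAL", f"statement {idx}: missing sub condition, any repo can assume this role"))
        if not auds:
            findings.append(("HIGH", f"statement {idx}: missing aud condition"))
        for operator, sub in subs:
            # StringEquals treats '*' literally; only the StringLike operators expand wildcards.
            if "stringlike" not in operator.lower():
                continue
            parts = sub.split(":")  # repo:<owner>/<name>:<ref|environment|...>:<value>
            repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
            if parts[0] != "repo" or "*" in repo or "?" in repo:
                findings.append(("HIGH", f"statement {idx}: overly broad wildcard trust in sub {sub!r}"))
            elif len(parts) >= 4 and parts[2] == "environment" and "*" in parts[3]:
                findings.append(("HIGH", f"statement {idx}: wildcard environment in sub {sub!r}"))
    return findings


def _policy(condition: Dict[str, Any]) -> str:
    """Constructed sample trust policy; account id and repo names are placeholders."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Hardened: exact audience plus an exact sub pinned to one repo and one environment.
HARDENED = _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                     SUB_KEY: "repo:example-org/example-app:environment:prod"}})
NO_SUB = _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
BROAD = _policy({"StringLike": {SUB_KEY: "repo:example-org/*"}})
WILDCARD_ENV = _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                        "StringLike": {SUB_KEY: "repo:example-org/example-app:environment:*"}})

if __name__ == "__main__":
    for name, doc in [("hardened", HARDENED), ("no_sub", NO_SUB),
                      ("broad", BROAD), ("wildcard_env", WILDCARD_ENV)]:
        print(name, analyze_trust_policy(doc) or "no findings")
```

The `BROAD` sample trips two findings at once (no `aud` key and a wildcard that covers every repo in the org), which is the shape of the "any repo can assume your role" case the table calls out; the hardened sample returns nothing because both claims are matched with `StringEquals`. Fork PR risk and the role-permission findings need the workflow file and the role's permission policies respectively, so they are out of scope for a trust-policy-only check like this.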

## Research

We scanned 10,000 public GitHub repositories and 54,767 workflows:

- **80.7%** still use static AWS credentials
- **743 repos** are critically vulnerable
- **Only 13.9%** use GitHub environment protection
- Named repos include pytorch, supabase, botpress, and AWS's own karpenter

Full report: [trustfix.dev/blog/static-credentials-2026](https://trustfix.dev/blog/static-credentials-2026)

## The NHI Security Platform for DevSecOps

Detect, validate, and auto-remediate trust policy misconfigurations
across CI/CD pipelines and cloud providers.

**How It Works:**
1. Install free GitHub Action → scans every PR
2. Connect AWS account → maps IAM roles to workflows
3. View findings with severity ratings
4. AI generates validated Terraform fix with Confidence Score (Pro/Team/Enterprise)

**Policy Intelligence Engine™** — every fix validated before it reaches your repo:
- AI-generated Terraform verified through multiple proprietary validation layers
- Mathematically proves access is narrowed, never widened
- Cross-model adversarial review catches edge cases (Team & Enterprise)
- TrustFix Confidence Score™ (0-100) in every PR

## NHI Security at Every Scale

| Feature | Free | Pro ($499/mo) | Team ($799/mo) | Enterprise |
|---|---|---|---|---|
| AWS accounts | 1 | 5 | 15 | Custom |
| GitHub repo connects | — | 10 | 25 | Custom |
| Scanning | Initial + CLI | On-demand | On-demand | On-demand |
| Finding types | All | All | All | All |
| AI fix credits | — | 50/month | 200/month | Custom |
| Confidence Score | — | Up to 80/100 | Up to 100/100 | Up to 100/100 |
| Validation layers | — | 5 of 6 | All 6 | All 6 |
| Adversarial review | — | — | ✓ | ✓ |
| SOC2 CC6 export | — | — | ✓ | ✓ |
| SSO / SAML | — | — | — | ✓ |
| Support | Community | Email | Slack | Dedicated |

## TrustFix vs. NHI & IAM Security Tools

| Feature | TrustFix | IAM Access Analyzer | Checkov / Trivy | Astrix / Oasis |
|---------|----------|--------------------|-----------------|--------------|
| OIDC-specific detection | ✓ (10 types) | Partial | ~1 (buggy) | — |
| Terraform fix generation | ✓ | — | — | — |
| Confidence Score | ✓ | — | — | — |
| Multi-provider roadmap | ✓ | — | — | — |
| Free tier | ✓ | ✓ | ✓ | — |

## Links

- [trustfix.dev](https://trustfix.dev)
- [Blog](https://trustfix.dev/blog)
- [GitHub Marketplace](https://github.com/marketplace/actions/trustfix-oidc-security-scanner)
- [npm: oidc-audit](https://www.npmjs.com/package/oidc-audit)
- [Docs](https://trustfix.dev/docs)
- Enterprise: security@trustfix.dev

© 2026 Vikavi Security LLC. All rights reserved.
