Metadata-Version: 2.4
Name: trustfix
Version: 1.0.1
Summary: Non-Human Identity Security Platform — detect OIDC trust policy misconfigurations, validate fixes with a 6-layer Policy Intelligence Engine, and auto-generate Terraform PRs.
Home-page: https://trustfix.dev
Author: Vikavi Security LLC
Author-email: Vikavi Security LLC <security@trustfix.dev>
License: MIT
Project-URL: Homepage, https://trustfix.dev
Project-URL: Repository, https://github.com/trustfix/trustfix-action
Project-URL: Bug Tracker, https://github.com/trustfix/trustfix-action/issues
Keywords: nhi,non-human-identity,oidc,aws,iam,security,github-actions,terraform,devsecops,trust-policy,cloud-security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.8
Description-Content-Type: text/markdown
Dynamic: author
Dynamic: home-page
Dynamic: requires-python

# TrustFix — Non-Human Identity Security Platform

Secure Every Non-Human Identity in Your Cloud.

TrustFix detects OIDC trust policy misconfigurations, validates fixes
with a 6-layer Policy Intelligence Engine, and auto-generates Terraform
PRs — so your CI/CD pipelines never have more access than they need.

Starting with GitHub Actions + AWS. GitLab CI, Azure AD, and GCP
Workload Identity coming Q3-Q4 2026.

## Quick Start

- **Platform:** [trustfix.dev](https://trustfix.dev)
- **Free GitHub Action:** [GitHub Marketplace](https://github.com/marketplace/actions/trustfix-oidc-security-scanner)
- **CLI:** `npx oidc-audit scan`

## What It Detects — 10 Finding Types

| Finding | Severity |
|---------|----------|
| Missing sub condition — any repo can assume your role | CRITICAL |
| Overly broad wildcard trust (StringLike) | HIGH |
| Fork PR risk (hardcoded ARN + pull_request trigger) | HIGH |
| Wildcard environment | HIGH |
| Missing audience (aud) condition | HIGH |
| Expired OIDC provider | MEDIUM |
| Overprivileged CI/CD role | HIGH |
| Admin access in CI/CD role | CRITICAL |
| AI agent overprivileged role | CRITICAL |
| AI agent missing scope condition | HIGH |
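
As an added illustration (not TrustFix's own code), the following Python checker covers three of the finding types above: it walks an AWS IAM role trust policy that trusts GitHub's OIDC provider and reports a missing `sub` condition, an overly broad `StringLike` `sub` pattern, and a missing `aud` condition. The finding names and the sample policy are constructed for this example.

```python
# Added example, not part of TrustFix: flag three of the finding types above
# in an AWS IAM role trust policy that trusts GitHub's OIDC provider.
GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"   # e.g. repo:ORG/REPO:ref:refs/heads/main
AUD_KEY = f"{GITHUB_OIDC}:aud"   # normally sts.amazonaws.com


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _sub_pattern_is_broad(pattern: str) -> bool:
    """Broad when the ORG/REPO segment is not pinned to one repository
    ('*', 'repo:*', 'repo:acme/*'). Branch/environment wildcards after the
    repo segment belong to the separate 'wildcard environment' finding."""
    parts = pattern.split(":")
    return len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]


def check_trust_policy(policy: dict) -> list:
    """Return finding names for each Allow statement that lets the GitHub
    OIDC provider call sts:AssumeRoleWithWebIdentity."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(GITHUB_OIDC in arn for arn in federated)):
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if SUB_KEY not in equals and SUB_KEY not in like:
            findings.append("missing_sub_condition")        # CRITICAL
        elif any(_sub_pattern_is_broad(p) for p in _as_list(like.get(SUB_KEY, []))):
            findings.append("overly_broad_wildcard_trust")   # HIGH
        if AUD_KEY not in equals and AUD_KEY not in like:
            findings.append("missing_aud_condition")         # HIGH
    return findings


# Constructed sample: trusts the provider with no Condition block at all.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
}]}

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_POLICY))  # ['missing_sub_condition', 'missing_aud_condition']
```

A statement that pins `sub` with `StringEquals` to a single `repo:ORG/REPO:ref:...` value and sets `aud` to `sts.amazonaws.com` produces no findings.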

## Research

We scanned 10,000 public GitHub repositories and 54,767 workflows:

- **80.7%** still use static AWS credentials
- **743 repos** are critically vulnerable
- **Only 13.9%** use GitHub environment protection
- Named repos include pytorch, supabase, botpress, and AWS's own karpenter

Full report: [trustfix.dev/blog/static-credentials-2026](https://trustfix.dev/blog/static-credentials-2026)

## The NHI Security Platform for DevSecOps

Detect, validate, and auto-remediate trust policy misconfigurations
across CI/CD pipelines and cloud providers.

**How It Works:**
1. Install free GitHub Action → scans every PR
2. Connect AWS account → maps IAM roles to workflows
3. View findings with severity ratings
4. AI generates validated Terraform fix with Confidence Score (Pro/Team)

**Policy Intelligence Engine™** — every fix validated through 6 layers:
- Structural validation
- 150+ semantic contract assertions
- Permission delta (proves access was narrowed, not widened)
- Multi-model adversarial review (Team tier)
- TrustFix Confidence Score™ (0-100) in every PR

## NHI Security at Every Scale

| | Free | Pro ($499/mo) | Team ($799/mo) |
|---|---|---|---|
| Scanning | Unlimited | Unlimited | Unlimited |
| Finding types | 10 | 10 | 10 |
| AWS accounts | 1 | 5 | Unlimited |
| AI fix credits | — | 50 credits/month | 200 credits/month |
| Confidence Score | — | ✓ | ✓ |
| Adversarial review | — | — | ✓ |
| SOC2 CC6 evidence | — | — | ✓ |

## TrustFix vs. NHI & IAM Security Tools

| Feature | TrustFix | IAM Access Analyzer | Checkov / Trivy | Astrix / Oasis |
|---------|----------|---------------------|-----------------|----------------|
| OIDC-specific detection | ✓ (10 types) | Partial | ~1 (buggy) | — |
| Terraform fix generation | ✓ | — | — | — |
| Confidence Score | ✓ | — | — | — |
| Multi-provider roadmap | ✓ | — | — | — |
| Free tier | ✓ | ✓ | ✓ | — |

## Links

- [trustfix.dev](https://trustfix.dev)
- [Blog](https://trustfix.dev/blog)
- [GitHub Marketplace](https://github.com/marketplace/actions/trustfix-oidc-security-scanner)
- [npm: oidc-audit](https://www.npmjs.com/package/oidc-audit)
- [Docs](https://trustfix.dev/docs)

© 2026 Vikavi Security LLC. All rights reserved.
