Package Exports
- trustfix
- trustfix/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (trustfix) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
TrustFix — Non-Human Identity Security Platform
Secure Every Non-Human Identity in Your Cloud.
TrustFix detects OIDC trust policy misconfigurations, validates fixes with a 6-layer Policy Intelligence Engine, and auto-generates Terraform PRs — so your CI/CD pipelines never have more access than they need.
Starting with GitHub Actions + AWS. GitLab CI, Azure AD, and GCP Workload Identity coming Q3-Q4 2026.
Quick Start
- Platform: trustfix.dev
- Free GitHub Action: GitHub Marketplace
- CLI:

```shell
npx oidc-audit scan
```
What It Detects — 10 Finding Types
| Finding | Severity |
|---|---|
| Missing sub condition — any repo can assume your role | CRITICAL |
| Overly broad wildcard trust (StringLike) | HIGH |
| Fork PR risk (hardcoded ARN + pull_request trigger) | HIGH |
| Wildcard environment | HIGH |
| Missing audience (aud) condition | HIGH |
| Expired OIDC provider | MEDIUM |
| Overprivileged CI/CD role | HIGH |
| Admin access in CI/CD role | CRITICAL |
| AI agent overprivileged role | CRITICAL |
| AI agent missing scope condition | HIGH |
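As an added example (not TrustFix's code, nor the oidc-audit CLI), the following JavaScript scans an AWS IAM trust policy for a role that GitHub Actions assumes through OIDC and reports four of the finding types in the table above: missing sub, overly broad StringLike wildcard, wildcard environment and missing aud. The policies at the bottom are constructed inputs; the account ID 123456789012 and the repository acme/api are placeholders, and the rule for "overly broad" (a wildcard inside the repo:ORG/REPO prefix, or a bare `*` after it) is this example's own definition rather than TrustFix's.

```javascript
// Added example: a minimal scanner for AWS IAM trust policies of roles that
// GitHub Actions assumes via OIDC. Not TrustFix or oidc-audit code.
const GITHUB_OIDC = 'token.actions.githubusercontent.com';
const SUB_KEY = `${GITHUB_OIDC}:sub`;
const AUD_KEY = `${GITHUB_OIDC}:aud`;

const asArray = (v) => (v === undefined ? [] : [].concat(v));

// Values bound to `key` under any StringEquals* / StringLike* operator.
// IAM condition keys are case-insensitive, so compare lower-cased.
function conditionValues(condition, key) {
  const out = { equals: [], like: [] };
  for (const [operator, block] of Object.entries(condition || {})) {
    for (const [k, v] of Object.entries(block)) {
      if (k.toLowerCase() !== key) continue;
      if (operator.endsWith('StringEquals')) out.equals.push(...asArray(v));
      else if (operator.endsWith('StringLike')) out.like.push(...asArray(v));
    }
  }
  return out;
}

// Only Allow statements that let the GitHub OIDC provider assume the role matter here.
function isGithubOidcStatement(stmt) {
  const federated = asArray(stmt.Principal && stmt.Principal.Federated);
  return stmt.Effect === 'Allow'
    && asArray(stmt.Action).includes('sts:AssumeRoleWithWebIdentity')
    && federated.some((arn) => arn.endsWith(`:oidc-provider/${GITHUB_OIDC}`));
}

function scanTrustPolicy(policy) {
  const findings = [];
  for (const stmt of asArray(policy.Statement)) {
    if (!isGithubOidcStatement(stmt)) continue;
    const sid = stmt.Sid || '(no Sid)';
    const add = (severity, type, detail) => findings.push({ sid, severity, type, detail });
    const sub = conditionValues(stmt.Condition, SUB_KEY);
    const aud = conditionValues(stmt.Condition, AUD_KEY);

    if (sub.equals.length === 0 && sub.like.length === 0) {
      add('CRITICAL', 'missing-sub', 'no sub condition: a workflow in any GitHub repository can assume this role');
    }
    for (const pattern of sub.like) {
      // A GitHub sub claim is repo:ORG/REPO:<ref|environment|pull_request>...,
      // so the first two colon-separated segments identify the repository.
      const segments = pattern.split(':');
      const repoScope = segments.slice(0, 2).join(':');
      const rest = segments.slice(2).join(':');
      if (/[*?]/.test(repoScope) || rest === '*') {
        // This example's rule: a wildcard in the repo scope, or a bare "*" after it.
        add('HIGH', 'broad-wildcard', `${pattern} trusts more than one repository, or every ref and environment of one`);
      } else if (/^environment:[^:]*[*?]/.test(rest)) {
        add('HIGH', 'wildcard-environment', `${pattern} accepts any environment, including ones with no protection rules`);
      }
    }
    if (aud.equals.length === 0 && aud.like.length === 0) {
      add('HIGH', 'missing-aud', 'no aud condition: the audience is checked only by the provider client-ID list');
    }
  }
  return findings;
}

// Constructed inputs; account 123456789012 and repository acme/api are placeholders.
function policyWith(sid, condition) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: sid,
      Effect: 'Allow',
      Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${GITHUB_OIDC}` },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: condition,
    }],
  };
}
const POLICY_MISSING_SUB = policyWith('OnlyAud', {
  StringEquals: { [AUD_KEY]: 'sts.amazonaws.com' },
});
const POLICY_BROAD = policyWith('OrgWide', {
  StringLike: { [SUB_KEY]: 'repo:acme/*' },
});
const POLICY_ENV_WILDCARD = policyWith('AnyEnv', {
  StringEquals: { [AUD_KEY]: 'sts.amazonaws.com' },
  StringLike: { [SUB_KEY]: 'repo:acme/api:environment:*' },
});
const POLICY_HARDENED = policyWith('MainOnly', {
  StringEquals: { [AUD_KEY]: 'sts.amazonaws.com', [SUB_KEY]: 'repo:acme/api:ref:refs/heads/main' },
});

for (const p of [POLICY_MISSING_SUB, POLICY_BROAD, POLICY_ENV_WILDCARD, POLICY_HARDENED]) {
  console.log(p.Statement[0].Sid, scanTrustPolicy(p));
}
```

Run it with node: the first three constructed policies each produce findings and the hardened one produces none, because it pins both the audience and an exact sub. The scanner is deliberately scoped to Allow statements for sts:AssumeRoleWithWebIdentity whose Federated principal is the GitHub provider; Deny statements, other identity providers, and the workflow-side findings in the table (fork PR risk, overprivileged roles) are out of its scope.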
Research
We scanned 10,000 public GitHub repositories and 54,767 workflows:
- 80.7% still use static AWS credentials
- 743 repos are critically vulnerable
- Only 13.9% use GitHub environment protection
- Named repos include pytorch, supabase, botpress, and AWS's own karpenter
Full report: trustfix.dev/blog/static-credentials-2026
The NHI Security Platform for DevSecOps
Detect, validate, and auto-remediate trust policy misconfigurations across CI/CD pipelines and cloud providers.
How It Works:
- Install free GitHub Action → scans every PR
- Connect AWS account → maps IAM roles to workflows
- View findings with severity ratings
- AI generates validated Terraform fix with TrustFix Confidence Score™ (Pro/Team/Enterprise)
Policy Intelligence Engine™ — every fix validated before it reaches your repo:
- Code-aware generation matches your existing Terraform patterns
- Structural verification ensures fix compatibility with your infrastructure
- Proprietary security rules built from production IAM experience
- Mathematically proves access was narrowed, never widened
- Cross-model adversarial review catches edge cases (Team & Enterprise)
- TrustFix Confidence Score™ (0-100) in every PR
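One way to make "narrowed, never widened" a checkable property, shown here as an added example that is not TrustFix's Policy Intelligence Engine: treat the sub and aud conditions of each federated statement as sets of accepted claim values and prove that every value the fixed policy accepts was already accepted by the original. The glob-inclusion routine is sound but incomplete, so `true` is a proof of inclusion while `false` only means no proof was found. The policies are constructed; the account ID 123456789012 and the repository names are placeholders.

```javascript
// Added example, not TrustFix code: prove that a trust-policy change only
// narrows which GitHub Actions identities can assume the role.
const OIDC = 'token.actions.githubusercontent.com';
const CLAIMS = [`${OIDC}:sub`, `${OIDC}:aud`];

// Glob inclusion: does IAM StringLike pattern `a` match every string that
// pattern `b` matches?  `*` matches any run of characters, `?` exactly one.
// Sound but incomplete: a `true` is a proof, a `false` is not.
function covers(a, b) {
  if (a === '') return b === '';
  if (a[0] === '*') return covers(a.slice(1), b) || (b !== '' && covers(a, b.slice(1)));
  if (b === '' || b[0] === '*') return false;              // a needs a concrete character here
  if (a[0] === '?') return covers(a.slice(1), b.slice(1));
  return a[0] === b[0] && covers(a.slice(1), b.slice(1));  // a literal never covers b's `?`
}

// Values bound to a claim in one statement, tagged literal (StringEquals) or
// glob (StringLike).  No condition at all means the claim is unconstrained.
// Any other operator is refused rather than silently ignored, to stay sound.
function claimValues(stmt, key) {
  const out = [];
  for (const [op, block] of Object.entries(stmt.Condition || {})) {
    const v = block[key];
    if (v === undefined) continue;
    if (!/String(Equals|Like)$/.test(op)) throw new Error(`unsupported operator ${op} on ${key}`);
    for (const value of [].concat(v)) out.push({ literal: op.endsWith('StringEquals'), value });
  }
  return out.length ? out : [{ literal: false, value: '*' }];
}

// Does value `a` (original policy) accept everything value `b` (fixed policy) accepts?
function coversValue(a, b) {
  const wild = /[*?]/;
  if (a.literal) return a.value === b.value && (b.literal || !wild.test(b.value));
  if (b.literal && wild.test(b.value)) return false;  // not expressible as a glob; stay conservative
  return covers(a.value, b.value);
}

const isOidcAssume = (s) => s.Effect === 'Allow'
  && [].concat(s.Action || []).includes('sts:AssumeRoleWithWebIdentity');

// Every federated statement of `after` must fit inside one statement of
// `before` on every claim, and the non-federated statements must be untouched.
function narrows(before, after) {
  const bStmts = [].concat(before.Statement || []);
  const aStmts = [].concat(after.Statement || []);
  const rest = (stmts) => JSON.stringify(stmts.filter((s) => !isOidcAssume(s)));
  if (rest(bStmts) !== rest(aStmts)) return false;
  return aStmts.filter(isOidcAssume).every((sa) =>
    bStmts.filter(isOidcAssume).some((sb) =>
      CLAIMS.every((key) =>
        claimValues(sa, key).every((va) => claimValues(sb, key).some((vb) => coversValue(vb, va))))));
}

// Constructed policies (placeholder account and repositories).
const stmt = (condition) => ({
  Effect: 'Allow',
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${OIDC}` },
  Action: 'sts:AssumeRoleWithWebIdentity',
  Condition: condition,
});
const original = { Version: '2012-10-17', Statement: [stmt({
  StringLike: { [`${OIDC}:sub`]: 'repo:acme/*' },
})] };
const goodFix = { Version: '2012-10-17', Statement: [stmt({
  StringEquals: { [`${OIDC}:aud`]: 'sts.amazonaws.com' },
  StringLike: { [`${OIDC}:sub`]: ['repo:acme/api:ref:refs/heads/main', 'repo:acme/api:environment:prod'] },
})] };
const badFix = { Version: '2012-10-17', Statement: [stmt({
  StringEquals: { [`${OIDC}:aud`]: 'sts.amazonaws.com' },
  StringLike: { [`${OIDC}:sub`]: 'repo:*' },
})] };

console.log('good fix narrows:', narrows(original, goodFix)); // true
console.log('bad fix narrows:', narrows(original, badFix));   // false
```

The bad fix adds an aud condition, which looks like hardening, yet it is rejected because `repo:*` accepts subjects that `repo:acme/*` never did. The check is per statement and conjunctive across claims, so it never accepts a widening; the price is that some legitimate narrowings (for example `*?` replacing `a*`) come back as `false` and need a human to look.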
NHI Security at Every Scale
| Feature | Free | Pro ($499/mo) | Team ($799/mo) | Enterprise |
|---|---|---|---|---|
| AWS accounts | 1 | 5 | 15 | Custom |
| GitHub repo connects | — | 10 | 25 | Custom |
| Scanning | Initial + CLI | On-demand | On-demand | On-demand |
| Finding types | All | All | All | All |
| AI fix credits | — | 50/month | 200/month | Custom |
| TrustFix Confidence Score™ | — | Up to 80/100 | Up to 100/100 | Up to 100/100 |
| Validation layers | — | 5 of 6 | All 6 | All 6 |
| Adversarial review | — | — | ✓ | ✓ |
| SOC2 CC6 export | — | — | ✓ | ✓ |
| SSO / SAML | — | — | — | ✓ |
| Support | Community | Slack | Dedicated |
TrustFix vs. NHI & IAM Security Tools
| Feature | TrustFix | IAM Access Analyzer | Checkov / Trivy | Astrix / Oasis |
|---|---|---|---|---|
| OIDC-specific detection | ✓ (10 types) | Partial | ~1 (buggy) | — |
| Terraform fix generation | ✓ | — | — | — |
| TrustFix Confidence Score™ | ✓ | — | — | — |
| Multi-provider roadmap | ✓ | — | — | — |
| Free tier | ✓ | ✓ | ✓ | — |
© 2026 Vikavi Security LLC. All rights reserved.