Secure Every Non-Human Identity in Your Cloud
TrustFix detects OIDC trust policy misconfigurations, validates fixes with a proprietary Policy Intelligence Engine, and auto-generates Terraform PRs — so your CI/CD pipelines never have more access than they need.
Starting with GitHub Actions + AWS. GitLab CI, Azure AD, and GCP Workload Identity coming Q3-Q4 2026.
Analyzing 10,000+ repositories for OIDC misconfigurations
StringLike: "repo:*:*" allowing any GitHub repo
GitHub Actions OIDC: The Security Gap No One Talks About
- When you add aws-actions/configure-aws-credentials, you create an IAM trust relationship between your AWS role and GitHub's OIDC provider
- A missing or wildcarded sub condition (the token claim that names the calling repository, branch or environment) means ANY GitHub repo, not just yours, can assume that role
- Most teams discover this during a security audit. Or worse, after a breach.
{
  "Condition": {
    "StringLike": {
      "token.actions.githubusercontent.com:sub": "repo:*:*"
    }
  }
}
- TrustFix scans every IAM role in your AWS account.
- Detects 13 types of IAM & OIDC misconfigurations in seconds.
- Generates a precise Terraform fix, opens a GitHub PR automatically.
- You review, merge, done. Finding auto-closes.
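The detection the bullets above describe, as an added example that is not TrustFix's own code: a small Python audit that walks IAM trust policies, keeps only the statements that let the GitHub OIDC provider call sts:AssumeRoleWithWebIdentity, and grades the sub condition (missing, any-repo wildcard, org wildcard, any-ref wildcard, or a literal `*` under StringEquals that matches nothing). The three trust policies and the account ID in them are constructed for the example; the boto3 wiring mentioned in the docstring is an assumption about how you would feed it real roles.

```python
"""Added example (not TrustFix code): audit IAM role trust policies for the
GitHub Actions OIDC misconfigurations described above.

Runs offline over trust-policy documents constructed inline. With boto3 the
same audit_trust_policy() could be fed each role's AssumeRolePolicyDocument
from iam.list_roles() (assumed wiring, not shown).
"""

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC_HOST + ":sub"
AUD_KEY = GITHUB_OIDC_HOST + ":aud"


def _as_list(value):
    """IAM policy JSON allows a bare scalar wherever a list is legal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _github_oidc_statements(doc):
    """Yield Allow statements that let the GitHub OIDC provider assume the role."""
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if any(GITHUB_OIDC_HOST in arn for arn in federated):
            yield stmt


def classify_sub(operator, value):
    """Grade one sub value: (severity, message), or None when it is pinned to a repo scope.

    GitHub issues sub claims as repo:<owner>/<name>:<scope>, where <scope> is
    ref:refs/heads/<branch>, ref:refs/tags/<tag>, environment:<name> or pull_request.
    """
    if operator.endswith("StringEquals") and "*" in value:
        # StringEquals does not expand '*': no real token matches, so the role is
        # unassumable rather than open. Still a broken policy worth reporting.
        return ("LOW", f"'*' under {operator} is matched literally: {value!r}")
    if not value.startswith("repo:"):
        severity = "CRITICAL" if value.startswith("*") else "HIGH"
        return (severity, f"sub is not of the form repo:<owner>/<name>:<scope>: {value!r}")
    parts = value.split(":", 2)
    owner_repo = parts[1] if len(parts) > 1 else ""
    scope = parts[2] if len(parts) > 2 else ""
    owner = owner_repo.split("/", 1)[0]
    if owner in ("", "*"):
        return ("CRITICAL", f"sub allows any GitHub repository: {value!r}")
    if "*" in owner_repo:
        return ("HIGH", f"sub allows every repository matching {owner_repo!r}")
    if scope in ("", "*"):
        return ("MEDIUM", f"sub allows every branch, tag, environment and pull_request of {owner_repo}")
    if "*" in scope:
        return ("LOW", f"sub wildcard inside the repository scope: {value!r}")
    return None


def audit_trust_policy(role_name, doc):
    """Return a list of (severity, role_name, message) for one trust policy."""
    findings = []
    for stmt in _github_oidc_statements(doc):
        sub_values, has_aud = [], False
        for operator, pairs in (stmt.get("Condition") or {}).items():
            for key, val in pairs.items():
                if key == SUB_KEY:
                    sub_values += [(operator, v) for v in _as_list(val)]
                elif key == AUD_KEY:
                    has_aud = True
        if not sub_values:
            findings.append(("CRITICAL", role_name,
                             "no sub condition: any GitHub repository can assume this role"))
        for operator, value in sub_values:
            hit = classify_sub(operator, value)
            if hit:
                findings.append((hit[0], role_name, hit[1]))
        if not has_aud:
            findings.append(("LOW", role_name,
                             "no aud condition: the audience is checked only against the "
                             "client IDs registered on the OIDC provider"))
    return findings


def _trust_policy(condition):
    """Build a constructed GitHub OIDC trust policy (placeholder account ID)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample roles: the wildcard from the page, the pinned fix, and a role with no Condition.
SAMPLE_ROLES = {
    "deploy-wildcard": _trust_policy({"StringLike": {SUB_KEY: "repo:*:*"},
                                      "StringEquals": {AUD_KEY: "sts.amazonaws.com"}}),
    "deploy-pinned": _trust_policy({"StringEquals": {SUB_KEY: "repo:acme-corp/api:ref:refs/heads/main",
                                                     AUD_KEY: "sts.amazonaws.com"}}),
    "deploy-no-sub": _trust_policy(None),
}


def audit_roles(roles=SAMPLE_ROLES):
    """Audit every role; returns {role_name: [findings]} (empty list = clean)."""
    return {name: audit_trust_policy(name, doc) for name, doc in roles.items()}


if __name__ == "__main__":
    for name, findings in audit_roles().items():
        print(name + (": clean" if not findings else ""))
        for severity, _, message in findings:
            print(f"  [{severity}] {message}")
```

One caveat the page's own fix does not spell out: pinning sub with StringEquals to a single branch ref also rejects that same repository's tag, pull_request and environment workflows, so confirm which workflows assume the role before merging. The checker above treats any value pinned to one repository scope as clean and only reports wildcards, so a StringLike list with one explicit value per environment still passes.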
{
  "Condition": {
    "StringEquals": {
      "token.actions.githubusercontent.com:sub": "repo:acme-corp/api:ref:refs/heads/main"
    }
  }
}
Three steps to secure IAM
name: TrustFix Scan
on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: trustfix/scan@v1
        with:
          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
# TrustFix Generated Fix
# PR #142 | Confidence: 94/100
- condition {
- test = "StringLike"
- values = ["repo:*:*"]
- }
+ condition {
+ test = "StringEquals"
+ values = ["repo:acme-corp/api:ref:refs/heads/main"]
+ }
Every fix validated before it reaches your PR
Not a guess. Not a suggestion. Proprietary, deterministic validation.
Analyzes your existing Terraform and generates fixes that match your codebase patterns and conventions.
Every generated fix is verified for structural correctness and compatibility with your infrastructure.
Proprietary security rules built from production IAM incident experience verify every fix before deployment.
Mathematically proves access was narrowed, never widened. No false sense of security.
A second AI model independently validates the fix, catching edge cases the first missed.
0–100 score in every PR. Below 50 = blocked. Full transparency for your reviewers.
TrustFix vs. NHI & IAM Security Tools
| Feature | TrustFix | IAM Access Analyzer | Checkov / Trivy | Astrix / Oasis |
|---|---|---|---|---|
| OIDC-specific detection | Partial | Partial | | |
| Finding types (count) | 10 | — | ~3 | — |
| Terraform fix generation | | | | |
| TrustFix Confidence Score™ | | | | |
| Multi-provider roadmap | | | | |
| Free tier | | | | |
* Based on publicly available feature documentation, April 2026. NHI governance platforms (Astrix/Oasis) focus on identity lifecycle — not IaC remediation.
The NHI Security Platform for DevSecOps
Detect, validate, and auto-remediate trust policy misconfigurations across CI/CD pipelines and cloud providers.
Detect missing sub conditions, overly broad trust, fork PR risks, wildcard environments, expired providers, overprivileged roles, AI agent identity misconfigs, cross-account trust issues, and static credential usage.
Every finding gets a validated Terraform PR. Not just detection — actual remediation you can merge.
Every AI-generated fix passes through multiple proprietary validation layers before reaching your repository. Each PR includes a TrustFix Confidence Score™.
From a single AWS account to enterprise multi-account environments. Free tier to get started, Starter and Pro for production.
GitHub Actions + AWS today. GitLab CI, Azure Workload Identity, GCP Workload Identity, and Kubernetes service accounts coming Q3-Q4 2026.
We scanned 10,000 public repos. 80.7% still use static credentials. 743 are critically vulnerable. Our detections are based on real-world data.
NHI security at every scale
Free forever for detection. Pay only when you want automated Terraform fix PRs.
Free
Detect OIDC misconfigurations across 1 AWS account. Free CLI & GitHub Action.
- 3 lifetime AI fix credits
- 1 AWS account
- CLI & GitHub Action included
- Auto-scan on connect
- All 13 finding types
- Community support
Starter
For engineers who need automated fixes. Credit-card friendly.
- Everything in Free
- 15 AI fix credits/month
- 1 AWS account
- 3 GitHub repo connects
- 1 team member (solo)
- On-demand scanning
- Full blast radius analysis
- Policy Intelligence Engine™ (Layers 1-3)
- Confidence Score (up to 80/100)
- Email support (48hr response)
Pro
Full NHI security for engineering teams with compliance needs.
- Everything in Starter
- 50 AI fix credits/month
- 5 AWS accounts
- 25 GitHub repo connects
- 5 team members
- Policy Intelligence Engine™ (all 6 layers)
- Cross-model adversarial review (GPT-4o)
- TrustFix Confidence Score™ (up to 100/100)
- Full audit log
- Priority email support (24hr response)
Enterprise
Custom limits, SSO, SLA, and dedicated support for organizations at scale.
- Everything in Pro
- Custom AWS & GitHub limits
- Custom AI fix credit allocation
- Custom team member seats
- SOC2 CC6/CC8 evidence export
- Compliance mapping (SOC2, ISO 27001, PCI DSS, NIS2, DORA)
- SSO / SAML integration
- Role-based access control (RBAC)
- Dedicated onboarding call
- Dedicated support + SLA
What Security Engineers Say
“We found 3 critical OIDC misconfigurations in our first scan. TrustFix had a Terraform PR ready in under 2 minutes. This should be standard practice for any team using GitHub Actions + AWS.”
“Finally something that speaks developer. Not another dashboard to ignore — an actual PR I can review and merge.”
“The SOC2 evidence export alone justifies the Enterprise plan. Our auditor was impressed.”