Security Research

TrustFix Blog

NHI security research, OIDC misconfiguration patterns, and CI/CD security insights.

Technical | 3 min read

January 2026 AWS Condition Keys: What Changed and Why It Matters

AWS quietly added immutable condition keys for OIDC trust policies in January 2026. If you're still using repository names in your trust policies, you're using mutable identifiers that can be changed without your knowledge.

The TrustFix team

Technical | 6 min read

How We Validate AI-Generated Terraform with a 6-Layer Engine

AI can generate Terraform code. But should you trust it with IAM policies? We built a 6-layer Policy Intelligence Engine that validates every AI-generated fix before it becomes a pull request. Here's how it works.

The TrustFix team

Security | 4 min read

Checkov's OIDC Bug: Why CKV_AWS_358 Misses 80% of Misconfigurations

Checkov's only OIDC check has a confirmed bug that misclassifies non-OIDC roles. Even when it works, it covers just 1 of 5 OIDC providers and detects 1 of 10 misconfiguration patterns. Here's what it misses.

The TrustFix team

Research | 5 min read

80% of GitHub Repos Still Use Static AWS Credentials in 2026

We scanned 10,000 public GitHub repos and 54,767 workflows. The results are alarming: 80.7% still use static credentials, 743 repos are critically vulnerable, and even AWS's own repos have exposed role ARNs.

The TrustFix team

Product | 4 min read

Welcome to the TrustFix Blog

Introducing the TrustFix blog — your source for OIDC security research, AWS IAM best practices, and GitHub Actions security insights.

The TrustFix team