Open source · Apache-2.0

oidc-audit

The open-source OIDC trust-policy scanner for AWS. Runs in your terminal, on your laptop, against your AWS account. Same finding types as the TrustFix platform — JSON output, no account required.

Quick start

  1. Install

     npm install -g oidc-audit

  2. Scan

     oidc-audit scan --account 123456789012

  3. JSON output

     oidc-audit scan --json > findings.json

AWS credentials must be configured locally (e.g. via aws sso login). oidc-audit needs only read-only IAM permissions: it never performs write operations and never assumes a TrustFix-controlled role.

What it detects

A subset of the TrustFix detector catalog focused on the OIDC trust-policy attack surface: the highest-impact, lowest-false-positive checks we ship.

  • OIDC trust policies missing repository-specific sub conditions
  • OIDC StringLike-instead-of-StringEquals (wildcard tolerance)
  • OIDC missing audience condition
  • GitHub Actions fork-PR risk in trust policies
  • Cross-account trust without ExternalId
  • Wildcard principal in trust policy
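As an added illustration (not oidc-audit's own code), the checker below implements several of these detections over a single IAM role trust-policy document; the finding names, the constructed sample policy and the definition of "repository-specific" are assumptions made for this example.

```javascript
// Added example, not oidc-audit's own code: finding names, the sample policy
// and the regex for "repository-specific" are assumptions made for illustration.
const GITHUB_OIDC = "token.actions.githubusercontent.com";
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Audits one IAM role trust-policy document; returns a list of finding identifiers.
function auditTrustPolicy(policy, ownAccountId) {
  const findings = [];
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    const actions = asArray(stmt.Action);
    const cond = stmt.Condition || {};
    const principal = stmt.Principal || {};
    const awsPrincipals = asArray(principal.AWS);
    // Wildcard principal: any AWS identity may attempt to assume the role.
    if (principal === "*" || awsPrincipals.includes("*")) findings.push("WILDCARD_PRINCIPAL");
    // GitHub Actions OIDC federation: the sub and aud claims must be pinned.
    const viaGitHub = asArray(principal.Federated).some((arn) => arn.endsWith(`oidc-provider/${GITHUB_OIDC}`));
    if (viaGitHub && actions.includes("sts:AssumeRoleWithWebIdentity")) {
      const eq = cond.StringEquals || {};
      const like = cond.StringLike || {};
      const subs = asArray(eq[`${GITHUB_OIDC}:sub`]).concat(asArray(like[`${GITHUB_OIDC}:sub`]));
      // Assumed definition: a sub is repository-specific only if it pins repo:<org>/<name>:
      if (!subs.length || subs.some((s) => !/^repo:[^*?\/]+\/[^*?\/]+:/.test(s))) {
        findings.push("OIDC_SUB_NOT_REPOSITORY_SPECIFIC");
      }
      // StringLike lets * and ? match, so a wildcard sub widens who can assume the role.
      if (asArray(like[`${GITHUB_OIDC}:sub`]).some((s) => /[*?]/.test(s))) {
        findings.push("OIDC_STRINGLIKE_WILDCARD_SUB");
      }
      if (!(`${GITHUB_OIDC}:aud` in eq) && !(`${GITHUB_OIDC}:aud` in like)) {
        findings.push("OIDC_MISSING_AUD_CONDITION");
      }
    }
    // Cross-account AssumeRole without sts:ExternalId (confused-deputy exposure).
    const foreign = awsPrincipals.filter((p) => p !== "*" && !p.includes(ownAccountId));
    if (foreign.length && actions.includes("sts:AssumeRole") && !(cond.StringEquals || {})["sts:ExternalId"]) {
      findings.push("CROSS_ACCOUNT_WITHOUT_EXTERNAL_ID");
    }
  }
  return findings;
}

// Constructed sample: a GitHub Actions trust policy that any repo in the org can use.
const weakPolicy = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${GITHUB_OIDC}` },
  Condition: { StringLike: { [`${GITHUB_OIDC}:sub`]: "repo:example-org/*" } },
}] };
```

Pinning the sub with StringEquals to `repo:<org>/<name>:ref:refs/heads/main` and adding `aud: sts.amazonaws.com` clears all three OIDC findings for the sample.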

What it doesn’t do (yet)

oidc-audit is the open-source subset. The full TrustFix platform handles these:

  • Generate Terraform / CloudFormation fixes (full TrustFix platform)
  • GCP Workload Identity Federation scanning
  • Azure Entra ID Workload Identity Federation scanning
  • GitLab + Bitbucket CI/CD pipeline scanning
  • PIE 8-stage validation including Z3 SMT formal verification
  • PR-shipped fixes to GitHub / GitLab / Bitbucket

Want the full platform?

451 detectors across 5 platforms, 8-stage validation including Z3 formal verification, fixes shipped as PRs to your code host. Currently invitation-only.