Machine Identity Security Platform

Secure every machine identity across your clouds

TrustFix detects misconfigured machine identities across AWS, GCP, and Azure — then ships formally-verified Terraform fixes as pull requests on GitHub, GitLab, or Bitbucket. Slack-routed for the engineers who need to know.

3 clouds · 3 code hosts · 18 (cloud × host × fix-kind) combinations live. 451 detectors. 181 PIE contracts. Z3 SMT formal verification on every fix.

Multi-cloud (AWS · GCP · Azure) · Z3 SMT formal verification · AES-256-GCM encryption · SOC2-ready audit trail

Backed by research across 10,000+ repositories and 54,767 workflows

trustfix-scan.log
$ trustfix scan --aws-account 123456789012
Connected to AWS account
Scanning 47 IAM roles...
CRITICAL  OIDC Trust Policy Overly Permissive
Role: github-actions-deploy-role
Issue: Trust policy uses StringLike: "repo:*:*" allowing any GitHub repo
TrustFix Confidence Score™: 94/100
→ Terraform fix PR opened: #142
10,000+ repos scanned in our research (TrustFix NHI Research)
54,767 workflows analyzed (TrustFix NHI Research)
743 critical misconfigs found (pytorch, supabase, botpress, aws/karpenter)
80.7% still use static credentials (TrustFix NHI Research)
The machine identity problem

Machine identities now outnumber humans 50:1. Most are misconfigured.

CI/CD federation, service principals, workload identity, OAuth tokens, role assumptions across accounts — every team adds them, almost no team audits them. One overly broad trust policy and a fork PR becomes a production incident.

The Problem
Vulnerable by Default
  • OIDC trust gaps, over-privileged IAM, custom RBAC drift, exposed Workload Identity Federation — across AWS, GCP, and Azure.
  • A wildcard sub claim or a missing ExternalId turns one CI runner into the whole cloud account.
  • Most teams find out during the SOC2 audit — or after the post-incident retro.
vulnerable-trust-policy.json
{
  "Condition": {
    "StringLike": {
      "token.actions.githubusercontent.com:sub": "repo:*:*"
    }
  }
}
The Fix
Detect, prove, ship.
  • Continuous scan of every machine identity across AWS, GCP, and Azure — 451 detectors covering 24+ finding families.
  • Every fix passes 8 validation stages including Z3 SMT formal verification — proves access narrowed, never widened.
  • Ships as a native PR on GitHub, GitLab, or Bitbucket. Routed to Slack with severity, confidence score, and reviewer hint.
  • You review, merge, done. Finding auto-closes. SOC2 evidence packaged automatically.
secure-trust-policy.json
{
  "Condition": {
    "StringEquals": {
      "token.actions.githubusercontent.com:sub":
        "repo:acme-corp/api:ref:refs/heads/main"
    }
  }
}
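As an added example (not TrustFix's or oidc-audit's code), a small Python checker for the trust-policy pattern shown above: it classifies how broad a GitHub OIDC sub condition is under IAM StringLike wildcard semantics (any repo, any repo in one org, any ref of one repo, or fully pinned) and, going one step beyond the page, also flags a missing aud condition, which AWS recommends alongside the sub check. The policy builder and its account id are constructed for illustration.

```python
import re

GH = "token.actions.githubusercontent.com"   # GitHub Actions OIDC issuer host
LIKE_OPS = {"StringLike", "ForAnyValue:StringLike", "ForAllValues:StringLike"}
SEVERITY = {"any-repo": "CRITICAL", "any-repo-in-org": "HIGH", "any-ref": "MEDIUM"}
WILD = re.compile(r"[*?]")                   # IAM StringLike wildcard characters

def _as_list(v):
    return v if isinstance(v, list) else [v]

def sub_scope(pattern, operator):
    """Classify what a sub condition value can match under IAM semantics."""
    if operator not in LIKE_OPS or not WILD.search(pattern):
        return "pinned"                      # StringEquals treats '*' as a literal
    m = re.match(r"^repo:([^:]*)(?::(.*))?$", pattern)
    owner, slash, name = m.group(1).partition("/") if m else ("", "", "")
    if not slash or WILD.search(owner):
        return "any-repo"                    # "*" or "repo:*:*": wildcard spans the owner
    if WILD.search(name):
        return "any-repo-in-org"             # "repo:acme-corp/*:..."
    return "any-ref" if WILD.search(m.group(2) or "") else "pinned"

def audit_trust_policy(policy):
    """Return (severity, detail) findings for GitHub OIDC statements in a trust policy."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        if st.get("Effect") != "Allow" or not any(GH in p for p in _as_list(principal.get("Federated", []))):
            continue                         # only AssumeRoleWithWebIdentity via GitHub
        keys = [(op, k, v) for op, kv in st.get("Condition", {}).items()
                for k, vs in kv.items() for v in _as_list(vs)]
        subs = [(op, v) for op, k, v in keys if k == f"{GH}:sub"]
        if not subs:
            findings.append(("CRITICAL", "no sub condition: any GitHub repo can assume the role"))
        for op, pat in subs:
            scope = sub_scope(pat, op)
            if scope != "pinned":
                findings.append((SEVERITY[scope], f"{op} {pat!r} admits {scope.replace('-', ' ')}"))
        if not any(k == f"{GH}:aud" for _op, k, _v in keys):
            findings.append(("MEDIUM", "no aud condition: audience is not pinned to sts.amazonaws.com"))
    return findings

def gh_policy(operator, sub, aud="sts.amazonaws.com"):   # constructed sample, not real
    cond = {operator: {f"{GH}:sub": sub}}
    if aud:
        cond.setdefault("StringEquals", {})[f"{GH}:aud"] = aud
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GH}"},
        "Condition": cond}]}
```

Run `audit_trust_policy(gh_policy("StringLike", "repo:*:*"))` to reproduce the CRITICAL finding from the page; the StringEquals form pinned to `repo:acme-corp/api:ref:refs/heads/main` yields no findings.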
How It Works

Three steps. Every cloud. Every code host.

01 · 2 min
Install
Add TrustFix as a GitHub Action to your repository.
name: TrustFix Scan
on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: trustfix/scan@v1
        with:
          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
02 · instant
Detect
TrustFix analyzes your IAM roles and detects misconfigurations.
CRITICAL
OIDC Trust Policy Overly Permissive
Role: github-actions-deploy-role
Score: 94/100
03 · auto
Fix
A validated Terraform fix PR is automatically opened.
# TrustFix Generated Fix
# PR #142 | Confidence: 94/100

- condition {
-   test = "StringLike"
-   values = ["repo:*:*"]
- }
+ condition {
+   test = "StringEquals"
+   values = ["repo:acme-corp/api:ref:refs/heads/main"]
+ }
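Review bot: neither the removed nor the added `condition` block carries a `variable` argument, so the hunk never shows which claim the narrowed values apply to; an `aws_iam_policy_document` condition block requires `test`, `variable` and `values` together, so the added block should read `variable = "token.actions.githubusercontent.com:sub"` next to `test = "StringEquals"` for the fix to target the sub claim the finding describes.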
Policy Intelligence Engine™

Every fix validated before it reaches your PR

Not a guess. Not a suggestion. Proprietary, deterministic validation.

Code-Aware Generation

Analyzes your existing Terraform and generates fixes that match your codebase patterns and conventions.

Structural Verification

Every generated fix is verified for structural correctness and compatibility with your infrastructure.

Security Rule Validation

Proprietary security rules built from production IAM incident experience verify every fix before deployment.

Permission Proof

Mathematically proves access was narrowed, never widened. No false sense of security.

Pro
Cross-Model Review

A second AI model independently validates the fix, catching edge cases the first missed.

TrustFix Confidence Score™

0–100 score in every PR. Below 50 = blocked. Full transparency for your reviewers.

Average TrustFix Confidence Score™ across all generated fixes: 94/100
Capability comparison

What other platforms don't do

Detection without remediation is a backlog. TrustFix is the only platform that proves the fix and ships it across all three major code hosts.

Feature | TrustFix | IAM Access Analyzer | Checkov / Trivy | NHI governance tools
Cross-cloud detection (AWS · GCP · Azure): Partial / Partial
# Detector implementations: 451 / ~3
Z3 SMT formal verification
Multi-host PR delivery (GitHub · GitLab · Bitbucket)
TrustFix Confidence Score™ on every PR
SOC2-ready evidence export: Partial

* Based on publicly available feature documentation, April 2026. NHI governance platforms (Astrix/Oasis) focus on identity lifecycle — not IaC remediation.

Features

One platform. Every machine identity.

From detection to formal verification to native pull-request delivery — TrustFix is the end-to-end remediation platform for non-human identity risk across AWS, GCP, Azure, GitHub, GitLab, Bitbucket, and Slack.

Multi-cloud detection at depth

451 detector implementations across AWS, GCP, and Azure — IAM trust, custom RBAC, service principals, Workload Identity Federation, AI-agent identities, cross-account trust. 24+ finding families.

Z3 SMT formal verification

5 narrowing-direction invariants prove every fix narrows access — never widens it. A FALSIFIED verdict blocks the PR before it reaches your code host. Patent-pending cross-cloud canonical form.

Native PRs on every code host

Fixes ship as native pull requests on GitHub, GitLab, or Bitbucket — including self-hosted GitLab. 18 (cloud × host × fix-kind) combinations live, with HMAC-signed PR-merge webhooks closing the feedback loop.

Per-tenant encryption by design

AES-256-GCM envelope encryption with per-tenant data keys and organizationId bound into the encryption context. A breach against stolen ciphertext fails KMS authentication-tag verification.

SOC2 evidence in one click

6-section audit bundle — access logs, credential audit, finding state changes, fix attempts, KMS rotation, encryption evidence. HMAC-signed download URL with 7-day expiry, 365-day default retention.

Slack-routed for the right team

Per-channel filtering by severity, cloud, host, and finding type. Block Kit composition for finding-created, fix-PR-opened, and Layer-7-falsified events. HMAC-verified, idempotent.

Open-source

Try TrustFix free — no account required

oidc-audit is the developer on-ramp to TrustFix — the same OIDC trust-policy detection engine that powers the platform, running locally in under two minutes. Apache-2.0 licensed. Hosted platform extends to GCP, Azure, full PR delivery, formal verification, and SOC2 evidence.

  • Same detection engine as the hosted platform — no feature stub
  • Runs on your laptop or in CI — credentials never leave your environment
  • Ships as a GitHub Action for pull-request gating
~/your-repo
$ npx oidc-audit scan
Detected AWS profile · region us-east-1
Scanning 47 IAM roles…
Parsed 12 OIDC trust policies
3 critical · 7 high · 4 medium
Report → ./oidc-audit-report.json
Talk to us

Custom enterprise contracts

TrustFix is invitation-only while we onboard our first enterprise customers. Tell us about your team — cloud(s) in scope, security-review timeline, expected user count — and we'll respond within two business days with terms scoped to your environment.

  • Multi-cloud (AWS, GCP, Azure) with multi-account caps
  • Code-host PR delivery (GitHub, GitLab, Bitbucket)
  • SOC2 evidence export + customer audit log
  • SAML 2.0 / OIDC SSO via Clerk
  • Z3 formal verification on every fix
  • Per-customer entitlements + scoped retention
Testimonials

What Security Engineers Say

We had over-privileged service principals in Azure and untracked Workload Identity bindings in GCP. TrustFix found both in the first scan and shipped clean Terraform PRs we could merge.
Senior Platform Engineer
Series B Fintech
Finally a security tool that ships PRs to the same code host my team already uses. Not another dashboard to ignore — an actual diff I can review and merge.
Staff SRE
HealthTech Scale-up
The SOC2 evidence export alone justified the engagement. Our auditor was impressed by the cross-tenant isolation invariants and the cryptographic chain of custody.
Head of Security
Enterprise SaaS

Every machine identity, every cloud, verified end-to-end.

The Machine Identity Security platform for AWS, GCP, and Azure — with formally-verified fixes shipped as PRs to your code host of choice.

Currently invitation-only. Try the open-source CLI while you wait.