Identity Access is not just for technical people

dominiconwuka (1 pts, 1 comments)

Pathros Local — Free IAM and CI/CD Access Path Scanner


Pathros Local is live
Secure what you build.

Pathros Local is a free, read-only scanner for hidden IAM and CI/CD access paths in your local repo. No cloud credentials. No writes. No telemetry. One command.

Published on PyPI
Command: pathros
Package: pathros-local
Mode: read-only by default

Hero command:

uvx --from pathros-local pathros scan .

Sample output:

Pathros Local (read-only, offline)
Files scanned: 42
Findings: 2 high, 3 medium

HIGH PATHROS-GHA-PRT-001
pull_request_target workflow can reach AWS role.

Evidence:
.github/workflows/deploy.yml
infra/iam/github-oidc.tf

Safer fix:
Restrict the OIDC subject to repo, branch, and environment.

The problem
Everyone can build now. Not everyone builds with care.

AI made it easier to create software. That is beautiful. It also means more people are shipping apps, automations, workflows, tokens, deploy keys, and cloud roles without always seeing the access paths they created.

Security is not the opposite of building fast. Security is how you prove you care about the people who will use what you built.

If your app touches data, it deserves an access check.

What builders see:
app works
deploy passed
feature shipped

What access paths may exist:
workflow can request OIDC token
repo can assume cloud role
role can reach production resource
secret reference sits in deploy path

What it is
A first step toward real identity security.

Pathros Local scans your repo for access-risk paths that can start in code and end in cloud permissions. It does not ask for admin access. It does not call your cloud account by default. It does not fix anything behind your back. It reads local evidence, shows the path, and gives you a safer configuration to review.

Local: Runs from your machine or CI.
Read-only: No repo writes during scan.
Evidence-first: Every finding points back to files and config.
Free: Built for individual builders, engineers, and teams that want to start.

What Pathros Local checks
The access paths that start near your app.

GitHub Actions risk
Find workflows that create risky deployment paths.
Examples: pull_request_target, id-token: write, write-all permissions, cloud role assumption
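The PATHROS-GHA-PRT-001 shape from the sample finding above, as an added example that is not Pathros code: the check takes a workflow as the dict PyYAML's safe_load would return, and flags a job where a pull_request_target trigger, an id-token grant and a cloud role-assumption step line up. The sample workflow, the job name and the match on the aws-actions/configure-aws-credentials action are this example's assumptions.

```python
def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _triggers(workflow: dict) -> list:
    """Trigger names; PyYAML reads the bare key `on` as boolean True (YAML 1.1)."""
    on = workflow.get("on", workflow.get(True))
    return list(on) if isinstance(on, dict) else _as_list(on)

def _grants_id_token(perms) -> bool:
    """True for `permissions: write-all` or `permissions: {id-token: write}`."""
    return perms == "write-all" or (isinstance(perms, dict) and perms.get("id-token") == "write")

def find_prt_role_paths(workflow: dict) -> list[str]:
    """One finding per job where pull_request_target, an id-token grant and a
    cloud role-assumption step line up: the shape of PATHROS-GHA-PRT-001."""
    if "pull_request_target" not in _triggers(workflow):
        return []
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        # A job-level permissions block overrides the workflow-level one.
        perms = job.get("permissions", workflow.get("permissions"))
        if not _grants_id_token(perms):
            continue
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if uses.startswith("aws-actions/configure-aws-credentials"):
                findings.append(f"{name}: pull_request_target + id-token write + {uses}")
    return findings

# Constructed sample standing in for .github/workflows/deploy.yml after safe_load.
SAMPLE_WORKFLOW = {
    True: {"pull_request_target": {"branches": ["main"]}},
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {"deploy": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "aws-actions/configure-aws-credentials@v4",
             "with": {"role-to-assume": "arn:aws:iam::123456789012:role/deploy"}},
        ]}},
}
```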

AWS IAM and trust policy patterns
Find local IAM policy and trust relationships that may be too broad.
Examples: wildcard principals, wildcard resources, sts:AssumeRole, iam:PassRole
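For the trust-policy patterns listed here and the "Safer fix" in the sample finding above, an added example that is not Pathros code: it evaluates a GitHub OIDC trust policy and reports a wildcard principal, a missing sub condition, or a sub that is not pinned to repo plus branch or environment. The two JSON policies, the account id, the repo name and the finding text are constructed for the example.

```python
import json

GH_OIDC = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def sub_is_pinned(sub: str) -> bool:
    """repo:ORG/REPO:ref:refs/heads/main or repo:ORG/REPO:environment:prod pin the
    caller to one repo plus a branch or environment; repo:ORG/REPO:* does not."""
    parts = sub.split(":")
    if len(parts) < 4 or parts[0] != "repo" or "*" in parts[1]:
        return False
    return parts[2] in ("ref", "environment") and "*" not in parts[3]

def trust_policy_findings(policy_json: str) -> list[str]:
    """One finding per Allow statement that is broader than a pinned OIDC sub."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"Statement {i}: wildcard principal may assume the role")
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        cond = st.get("Condition", {})
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(f"{GH_OIDC}:sub"))]
        if not subs:
            findings.append(f"Statement {i}: no sub condition, any repo on this provider may assume the role")
        findings += [f"Statement {i}: sub {s!r} not pinned to branch or environment"
                     for s in subs if not sub_is_pinned(s)]
    return findings

# Constructed trust policies: the broad one a scan would flag, and the safer fix
# with the subject restricted to repo plus branch and repo plus environment.
_PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{GH_OIDC}"
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": _PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{GH_OIDC}:sub": "repo:example-org/app:*"}}}]})
SAFER_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": _PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{GH_OIDC}:sub": [
        "repo:example-org/app:ref:refs/heads/main",
        "repo:example-org/app:environment:production"]}}}]})
```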

Secret and token references
Find risky references to long-lived credentials in deploy paths.
Examples: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GH_TOKEN, NPM_TOKEN

Evidence reports
Export findings in formats humans and tools can use.
Examples: console, markdown, json, sarif

Pathros Local focuses on local repo and config evidence. The full Pathros platform handles deeper enterprise graph analysis.

Start here
One command. No account.

Run without installing:

uvx --from pathros-local pathros scan .

Use uvx when you want to run Pathros without installing it permanently.

Persistent install:

pipx install pathros-local
pathros doctor
pathros scan .

Use pipx when you want Pathros available as a regular command. The installed command is pathros.

How it works
Scan. Read the evidence. Fix with care. Run it again.

01 Scan locally
pathros scan .
Pathros reads supported local files and config.

02 Review the path
Each finding explains what Pathros found, where it found it, and why the path matters.

03 Export the report
pathros scan . --format markdown > PATHROS_REPORT.md
pathros scan . --format sarif > pathros.sarif
pathros scan . --format json > pathros-report.json

04 Fix manually
Pathros Local does not change your repo or cloud environment.

05 Re-run before release
pathros scan .
Make it part of how you ship.

Default posture
It should not become another risk.

A security tool should not surprise you. By default, Pathros Local does not upload results, does not call cloud APIs, does not write to your repo, and does not send telemetry. It shows what it found and lets you decide what to do next.

No cloud credentials: You can run the local scanner without connecting AWS, GitHub, Okta, Entra, or Snowflake.
No writes: Pathros Local does not change your files during scan.
No telemetry: Your scan results stay local by default.
Secret-like values redacted: Pathros Local is built to avoid printing secret values in output.
Doctor command: pathros doctor helps inspect install mode, version, safety defaults, and reporter readiness.

Why it exists
Do not play pretend with other people's data.

A true developer is not just someone who can make an app work. A true developer cares what the app can reach. A true developer cares who can deploy it. A true developer cares what happens when a token leaks, a workflow runs, or a role gets assumed. Pathros Local exists for the builder who wants to be real about that.

Whether you are a vibe coder, student, solo founder, security engineer, or team lead: if you build software that touches data, identity...

