
Pathros Local is live

Secure what you build.

Pathros Local is a free, read-only scanner for hidden IAM and CI/CD access paths in your local repo. No cloud credentials. No writes. No telemetry. One command.

Published on PyPI

Command: pathros

Package: pathros-local

Mode: read-only by default

Hero command

uvx --from pathros-local pathros scan .

Pathros Local

read-only, offline

Files scanned: 42

Findings: 2 high, 3 medium

HIGH PATHROS-GHA-PRT-001

pull_request_target workflow can reach AWS role.

Evidence

  • .github/workflows/deploy.yml
  • infra/iam/github-oidc.tf

Safer fix

Restrict the OIDC subject to repo, branch, and environment.

The problem

Everyone can build now. Not everyone builds with care.

AI made it easier to create software. That is beautiful. It also means more people are shipping apps, automations, workflows, tokens, deploy keys, and cloud roles without always seeing the access paths they created.

Security is not the opposite of building fast. Security is how you prove you care about the people who will use what you built.

If your app touches data, it deserves an access check.

What builders see

  • app works
  • deploy passed
  • feature shipped

What access paths may exist

  • workflow can request OIDC token
  • repo can assume cloud role
  • role can reach production resource
  • secret reference sits in deploy path

What it is

A first step toward real identity security.

Pathros Local scans your repo for access-risk paths that can start in code and end in cloud permissions. It does not ask for admin access. It does not call your cloud account by default. It does not fix anything behind your back. It reads local evidence, shows the path, and gives you a safer configuration to review.

Local

Runs from your machine or CI.

Read-only

No repo writes during scan.

Evidence-first

Every finding points back to files and config.

Free

Built for individual builders, engineers, and teams that want a starting point.

What Pathros Local checks

The access paths that start near your app.

GitHub Actions risk

Find workflows that create risky deployment paths.

Examples

  • pull_request_target
  • id-token: write
  • write-all permissions
  • cloud role assumption

AWS IAM and trust policy patterns

Find local IAM policy and trust relationships that may be too broad.

Examples

  • wildcard principals
  • wildcard resources
  • sts:AssumeRole
  • iam:PassRole
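The GitHub Actions patterns and the AWS trust policy patterns above are two halves of one access path: a pull_request_target workflow with id-token: write mints an OIDC token, and a trust policy whose subject condition is a wildcard accepts it. The following is an added example, not Pathros's own code, that traces that path through both halves and produces the tightened trust policy the hero finding recommends. Everything in it is assumed rather than taken from the page: the workflow is given as the dict PyYAML's safe_load would return for .github/workflows/deploy.yml, the trust policy is the rendered IAM JSON from infra/iam/github-oidc.tf, and the repo name example-org/shop, the account id 123456789012 and the role name are constructed.

```python
# Added example, not Pathros's own code. All inputs below are constructed.
import json

SUB_KEY = "token.actions.githubusercontent.com:sub"

# Constructed workflow. PyYAML (YAML 1.1) parses a bare `on:` key as the
# boolean True, so workflow_triggers() below looks for both spellings.
RISKY_WORKFLOW = {
    "name": "deploy",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {"deploy": {
        "runs-on": "ubuntu-latest",
        "steps": [
            # Checks out untrusted PR code while holding id-token: write.
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"uses": "aws-actions/configure-aws-credentials@v4",
             "with": {"role-to-assume": "arn:aws:iam::123456789012:role/deploy"}},
            {"run": "make deploy"},
        ],
    }},
}

# Constructed trust policy. The `sub` wildcard matches every ref, PR and
# environment in the repo, so any workflow run in it can assume the role.
RISKY_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/shop:*"}
    }
  }]
}""")


def workflow_triggers(wf):
    """Trigger names, whether `on` survived as a string key or became True."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, list) else set(on.keys())


def workflow_can_mint_oidc_token(wf):
    """True if the workflow or any job asks for id-token: write (or write-all)."""
    scopes = [wf.get("permissions", {})]
    scopes += [job.get("permissions", {}) for job in wf.get("jobs", {}).values()]
    return any(p == "write-all" or (isinstance(p, dict) and p.get("id-token") == "write")
               for p in scopes)


def roles_assumed(wf):
    """Role ARNs handed to aws-actions/configure-aws-credentials in any job."""
    return [step.get("with", {}).get("role-to-assume")
            for job in wf.get("jobs", {}).values()
            for step in job.get("steps", [])
            if str(step.get("uses", "")).startswith("aws-actions/configure-aws-credentials")
            and step.get("with", {}).get("role-to-assume")]


def sub_patterns(policy):
    """Every `sub` value the trust policy accepts, under any condition operator."""
    subs = []
    for st in policy.get("Statement", []):
        for cond in st.get("Condition", {}).values():
            value = cond.get(SUB_KEY, [])
            subs.extend(value if isinstance(value, list) else [value])
    return subs


def sub_is_narrow(pattern):
    """repo:ORG/REPO:ref:... or repo:ORG/REPO:environment:... with no wildcard."""
    parts = pattern.split(":")
    return (len(parts) >= 4 and parts[0] == "repo"
            and parts[2] in ("ref", "environment") and "*" not in pattern)


def find_prt_oidc_path(wf, policy):
    """A finding dict when untrusted PR code can reach the role, else None."""
    roles = roles_assumed(wf)
    loose = [s for s in sub_patterns(policy) if not sub_is_narrow(s)]
    if "pull_request_target" not in workflow_triggers(wf) or not roles:
        return None
    if not workflow_can_mint_oidc_token(wf) or not loose:
        return None
    return {"severity": "high", "roles": roles, "loose_subjects": loose}


def tighten_trust_policy(policy, repo, environment):
    """Copy of the policy with `sub` pinned to one environment of one repo."""
    fixed = json.loads(json.dumps(policy))
    for st in fixed["Statement"]:
        cond = st.setdefault("Condition", {})
        for op in list(cond):  # drop the loose sub under every operator
            cond[op].pop(SUB_KEY, None)
            if not cond[op]:
                del cond[op]
        cond.setdefault("StringEquals", {})[SUB_KEY] = f"repo:{repo}:environment:{environment}"
    return fixed
```

Calling find_prt_oidc_path(RISKY_WORKFLOW, RISKY_TRUST_POLICY) returns a high finding naming the role and the wildcard subject; after tighten_trust_policy(RISKY_TRUST_POLICY, "example-org/shop", "production") the same call returns None. The example pins the subject to an environment rather than a branch on purpose: pull_request_target runs in the context of the base branch, so a subject pinned only to refs/heads/main still matches a run that an untrusted PR triggered, and an environment subject only helps when that environment has required reviewers. The narrower subject is the page's safer fix, not a substitute for keeping PR-head checkout out of any job that can mint a token.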

Secret and token references

Find risky references to long-lived credentials in deploy paths.

Examples

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • GH_TOKEN
  • NPM_TOKEN
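A reference check like the one described above has to answer two questions per hit: is the credential a literal committed to the repo or a repository secret injected at run time, and how does the report show the evidence without reprinting the value? The following is an added example, not Pathros's own code, that does both over a constructed workflow excerpt. The `NAME: value` line pattern, the severities, the redaction format and the file path are assumptions; the AWS key pair in the sample is the documented AWS example pair, not a real credential.

```python
# Added example, not Pathros's own code. Constructed inputs and formats.
import re

# The page's examples of long-lived credential names.
LONG_LIVED = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GH_TOKEN", "NPM_TOKEN"}

# Constructed deploy workflow. The AWS key is the example key from the
# AWS documentation, not a real credential.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# `NAME: value` lines whose NAME looks like an environment variable.
ASSIGNMENT = re.compile(r"^\s*(?P<name>[A-Z][A-Z0-9_]*)\s*:\s*(?P<value>\S.*?)\s*$")
# A reference to a repository secret rather than a literal value.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")


def redact(value):
    """Keep at most the first four characters so a reviewer can recognise the
    value (e.g. the AKIA prefix) without the report itself leaking it."""
    return value[:4] + "****" if len(value) >= 8 else "****"


def scan_workflow_text(text, path=".github/workflows/deploy.yml"):
    """One finding per long-lived credential reference in the deploy path."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m or m["name"] not in LONG_LIVED:
            continue
        name, value = m["name"], m["value"]
        if SECRET_REF.fullmatch(value):
            # Not a leak, but still a long-lived credential in the deploy path.
            findings.append({
                "severity": "medium", "path": path, "line": lineno,
                "evidence": f"{name}: {value}",
                "why": "long-lived credential injected from repository secrets; "
                       "prefer a short-lived OIDC role assumption",
            })
        else:
            # A literal is committed to the repo: rotate first, then remove.
            findings.append({
                "severity": "high", "path": path, "line": lineno,
                "evidence": f"{name}: {redact(value)}",
                "why": "literal credential committed to the repo; rotate it, "
                       "then remove it from the workflow",
            })
    return findings


def render(findings):
    """Console-style lines; only the redacted evidence is ever printed."""
    return [f"{f['severity'].upper():6} {f['path']}:{f['line']}  {f['evidence']}"
            for f in findings]
```

Redaction happens when the finding is built, not when it is printed, so every export of the same finding list (console, markdown, json, sarif) carries the redacted evidence and none can reintroduce the raw value.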

Evidence reports

Export findings in formats humans and tools can use.

Examples

  • console
  • markdown
  • json
  • sarif

Pathros Local focuses on local repo and config evidence. The full Pathros platform handles deeper enterprise graph analysis.

Start here

One command. No account.

Run without installing

uvx --from pathros-local pathros scan .

Use uvx when you want to run Pathros without installing it permanently.

Persistent install

pipx install pathros-local
pathros doctor
pathros scan .

Use pipx when you want Pathros available as a regular command. The installed command is pathros.

How it works

Scan. Read the evidence. Fix with care. Run it again.

  1. Scan locally

     pathros scan .

     Pathros reads supported local files and config.

  2. Review the path

     Each finding explains what Pathros found, where it found it, and why the path matters.

  3. Export the report

     pathros scan . --format markdown > PATHROS_REPORT.md
     pathros scan . --format sarif > pathros.sarif
     pathros scan . --format json > pathros-report.json

  4. Fix manually

     Pathros Local does not change your repo or cloud environment.

  5. Re-run before release

     pathros scan .

     Make it part of how you ship.
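The SARIF export in step 3 is what lets a code-scanning tool ingest the findings and show them next to the files in the evidence list. The following is an added example, not Pathros's own code, of the minimal SARIF 2.1.0 shape such a tool needs: a run, a deduplicated rule list, and one result per finding with repo-relative locations. The finding dict layout, the severity-to-level mapping and the second (preview workflow) finding are constructed; the rule id, title and fix text of the first finding are copied from the hero finding on this page, and Pathros's real JSON and SARIF layout may differ.

```python
# Added example, not Pathros's own code. Finding shape and SARIF details are
# constructed; only the first finding's id, title and fix text come from the page.
import json

SAMPLE_FINDINGS = [
    {"rule_id": "PATHROS-GHA-PRT-001", "severity": "high",
     "title": "pull_request_target workflow can reach AWS role",
     "message": "Restrict the OIDC subject to repo, branch, and environment.",
     "paths": [".github/workflows/deploy.yml", "infra/iam/github-oidc.tf"]},
    # Constructed second hit for the same rule in another workflow file.
    {"rule_id": "PATHROS-GHA-PRT-001", "severity": "medium",
     "title": "pull_request_target workflow can reach AWS role",
     "message": "Restrict the OIDC subject to repo, branch, and environment.",
     "paths": [".github/workflows/preview.yml"]},
]

# SARIF result levels that GitHub code scanning and common viewers understand.
SEVERITY_TO_LEVEL = {"high": "error", "medium": "warning", "low": "note"}


def to_sarif(findings, tool_name="pathros", tool_version="0.0.0"):
    """Minimal SARIF 2.1.0 log: one run, deduplicated rules, one result per finding."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule_id"], {"id": f["rule_id"],
                                        "shortDescription": {"text": f["title"]}})
        results.append({
            "ruleId": f["rule_id"],
            "level": SEVERITY_TO_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            # Repo-relative paths; %SRCROOT% lets the consumer resolve them.
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": p, "uriBaseId": "%SRCROOT%"}}} for p in f["paths"]],
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }


def render_sarif(findings):
    """JSON text ready to be written to pathros.sarif."""
    return json.dumps(to_sarif(findings), indent=2)
```

A finding that points at two files becomes one result with two locations, which is how a viewer shows both the workflow and the trust policy as evidence for the same path instead of as two unrelated alerts.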

Default posture

It should not become another risk.

A security tool should not surprise you. By default, Pathros Local does not upload results, does not call cloud APIs, does not write to your repo, and does not send telemetry. It shows what it found and lets you decide what to do next.

No cloud credentials

You can run the local scanner without connecting AWS, GitHub, Okta, Entra, or Snowflake.

No writes

Pathros Local does not change your files during scan.

No telemetry

Your scan results stay local by default.

Secret-like values redacted

Pathros Local is built to avoid printing secret values in output.

Doctor command

pathros doctor helps inspect install mode, version, safety defaults, and reporter readiness.

Why it exists

Do not play pretend with other people’s data.

A true developer is not just someone who can make an app work. A true developer cares what the app can reach. A true developer cares who can deploy it. A true developer cares what happens when a token leaks, a workflow runs, or a role gets assumed. Pathros Local exists for the builder who wants to be real about that.

Whether you are a vibe coder, student, solo founder, security engineer, or team lead: if you build software that touches data, identity access is part of your work now.

The first step is not becoming an IAM expert. The first step is running the scan.

uvx --from pathros-local pathros scan .

Released carefully

Public package. Signed release. Working command.

Pathros Local was released as a real Python package, not a zip file and not a private script. The release path verifies the tag, builds the package, publishes to PyPI, and creates a GitHub release. The command stays simple: pathros. The package name is pathros-local.

PyPI

Install with pipx or run with uvx.

GitHub Release

Release artifacts are attached for verification.

Signed Tag

The release is tied to a signed Git tag.

Checksums

Release artifacts include SHA-256 checksums, so a downloaded artifact can be checked against the release before it is installed.

Local vs Full Pathros

Start local. Go deeper when the graph matters.

Pathros Local

For builders and teams that want a free local access-path check.

Includes

  • local repo scan
  • GitHub Actions patterns
  • AWS IAM policy patterns
  • evidence paths
  • markdown/json/sarif reports
  • doctor command
  • read-only defaults

Does not include

  • live enterprise connectors
  • Okta or Entra graph ingestion
  • Snowflake graph enrichment
  • hyperbolic ranking engine
  • remediation simulation
  • hosted audit workflow

Full Pathros

For teams that need to understand access paths across the real enterprise environment.

Includes

  • read-only enterprise audit
  • identity graph
  • cross-system access paths
  • advanced ranking
  • human-reviewed remediation planning
  • audit-ready evidence

Book a read-only audit

FAQ

Questions before you run it.

Is Pathros Local free?

Yes. Pathros Local is free to run.

Does Pathros Local upload my code?

No. The default local scan does not upload your code or scan results.

Does it call AWS, GitHub, Okta, Entra, or Snowflake?

No. Pathros Local does not call cloud or identity APIs by default.

Does it fix my IAM policies?

No. Pathros Local does not remediate automatically. It shows evidence and safer configurations for you to review.

Who is this for?

Builders, vibe coders, security engineers, students, founders, and teams who want to check the access paths near their app before they ship.

What is the difference between Pathros Local and Pathros?

Pathros Local is the free local scanner. Pathros is the full access-risk intelligence platform for enterprise identity systems.

Why does this matter?

Because software is easier to build now. That makes care more important, not less.

Run the first access check.

You do not need an account. You do not need a sales call. You do not need cloud credentials. Start with your repo.

Run Pathros Local

uvx --from pathros-local pathros scan .