
Fix Inventory detects compliance and security risks in cloud infrastructure accounts.

We built Fix Inventory for cloud and security engineers as an open source alternative to proprietary cloud security tools like Orca Security, Prisma Cloud or Wiz.

Check out our Quick Start Guide for step-by-step instructions on getting started.

💡Why Fix Inventory?

Fix Inventory was built from the ground up for cloud-native infrastructure. Fix Inventory is open source and supports over 300 cloud services across:

If you want to collect data for resources that are not supported yet, you can use our example collector to write your own collectors.

The tool works in three phases:

  1. Collect inventory data: Fix Inventory queries the cloud providers' APIs directly for metadata about the resources in your cloud accounts. Nothing is installed on the resources themselves, which is why the approach is called “agentless”.

  2. Normalize cloud data: Fix Inventory creates a graph schema to normalize the universe of detected cloud resources, their configurations, and relationships.

  3. Triage security risks: Fix Inventory scans the collected data with custom and pre-configured compliance frameworks to search for misconfigurations, risks, and other security issues.

Fix Inventory also provides ways to export and integrate the data it collects to build alerting and remediation workflows.

🍀 How is Fix Inventory different?

In cloud-native infrastructure, misconfigurations from developer activity and frequent updates through automation are a fact of life. It's impossible to catch all misconfigurations before they reach production, so the key question becomes: how quickly can you identify and fix (hence the name…) the most critical risks?

Traditional cloud security tools struggle to answer basic questions such as “what’s the blast radius of this public resource?” or “is there a path to get from this resource to a privileged role?”, because they lack the context from the hidden dependencies between cloud resources.

We believe that the only effective approach is to use a graph-based data model that works across all cloud platforms.

🛠️ Use cases

Fix Inventory supports common cloud security use cases.

Please also see Fix Security, our hosted SaaS offering that is built on top of Fix Inventory.

🏄 Key concepts

Three concepts are helpful to understand how Fix Inventory works and how it’s different from other cloud security tools.

1. Normalized cloud data

Fix Inventory has knowledge of the provider-specific data model for every resource. To collect metadata from every cloud, Fix Inventory uses a pluggable architecture. Each collector plugin includes logic to extract data from the cloud provider APIs.

Post-collection, Fix Inventory normalizes the data and maps it to our unified data model with common properties, static typing and inheritance.

In Fix Inventory, everything is a resource - cloud services, users, policies, etc.

The mapping with common properties, static typing and inheritance allows you to interact with resources across cloud providers in a consistent fashion.

For example, resource timestamps in Fix Inventory are normalized, which allows the use of relative times. Assume we want to find resources created in the last 3 days, no matter which cloud. Then we can express this with a relative duration string:

> search age < "3d"

2. Query language & policies

Fix Inventory comes with a human-readable query language, and the user interface is our CLI. The CLI provides an easy way to explore your infrastructure and get answers to security-related questions such as:

Due to its statically typed data model, you can search for names, strings, or numbers in any combination. You can also leverage the dependency and access graph to include the relationships between resources, users, and permissions in your searches. Fix Inventory also supports full-text search.

One key purpose of our query language is to define rules and policies that govern how your infrastructure should behave and then automatically trigger alerts and actions when these rules are violated.

For example, if you have a policy that all volumes must be encrypted, the following search will return all unencrypted volumes:

> search is(volume) and volume_encrypted=false

The search leverages the common kind volume and will return results for all clouds. Turning a search into a policy and setting up alerting is also possible.

Fix Inventory ships with industry-standard benchmarks such as the CIS Benchmarks for AWS and Azure, ISO 27001 and NIS 2. A report is generated by invoking the report command:

> report benchmark run iso27001

3. Dependency and access graph

Fix Inventory stores relationships between resources in your cloud environment to understand logical dependencies and detect hidden pathways to potential breaches. You can:

For example, suppose you want to know which S3 buckets in your infrastructure the IAM user “matthias” has write access to. You can write a query that traverses the IAM (identity and access management) graph to find out, then pipe the search results into a DOT file to create a visualization that explains the relationships to people without cloud or security expertise:

> search --with-edges is(aws_iam_user) and name=matthias -iam[0:]{permissions[*].level==write}-> is(aws_iam_user, aws_s3_bucket) | format --dot
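To make the three concepts above concrete (normalized kinds with inheritance, a cross-cloud search with relative ages, and an access-graph traversal), here is an added Python illustration. It is not Fix Inventory's code, data model or query engine: the kind names, the `iam`/`default` edge types, the `level` vocabulary and the sample inventory are all constructed assumptions. It goes one step beyond the query shown above by following the IAM edges transitively, so write access that a user gains only by assuming a role is found as well, which is exactly the kind of hidden path a per-resource check misses.

```python
"""Toy normalized, graph-based inventory (added example, not Fix Inventory's code).

All kinds, edge types, property names and sample data below are assumptions
chosen to mirror the README's key concepts; they are not Fix's real schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Kind hierarchy: provider-specific kinds inherit from common kinds, so a
# query on "volume" matches both aws_ec2_volume and gcp_disk (assumed names).
KIND_PARENTS = {
    "aws_ec2_volume": "volume", "gcp_disk": "volume",
    "aws_s3_bucket": "bucket", "aws_iam_user": "user", "aws_iam_role": "role",
    "volume": "resource", "bucket": "resource", "user": "resource", "role": "resource",
}

def is_kind(kind: Optional[str], wanted: str) -> bool:
    """True if `kind` equals `wanted` or inherits from it (like is(volume))."""
    while kind is not None:
        if kind == wanted:
            return True
        kind = KIND_PARENTS.get(kind)
    return False

@dataclass
class Resource:
    id: str
    kind: str
    name: str
    cloud: str
    ctime: datetime                      # normalized creation time, always UTC
    props: dict = field(default_factory=dict)

@dataclass
class Edge:
    src: str
    dst: str
    edge_type: str                       # "default" (dependency) or "iam" (access)
    props: dict = field(default_factory=dict)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are stable
D = timedelta

# Constructed sample inventory: two clouds, one IAM user, one role it can assume.
NODES = [
    Resource("v1", "aws_ec2_volume", "vol-a", "aws", NOW - D(days=1), {"volume_encrypted": False}),
    Resource("v2", "aws_ec2_volume", "vol-b", "aws", NOW - D(days=30), {"volume_encrypted": True}),
    Resource("v3", "gcp_disk", "disk-c", "gcp", NOW - D(days=2), {"volume_encrypted": False}),
    Resource("u1", "aws_iam_user", "matthias", "aws", NOW - D(days=400)),
    Resource("r1", "aws_iam_role", "data-admin", "aws", NOW - D(days=200)),
    Resource("b1", "aws_s3_bucket", "public-logs", "aws", NOW - D(hours=12)),
    Resource("b2", "aws_s3_bucket", "backups", "aws", NOW - D(days=90)),
    Resource("b3", "aws_s3_bucket", "readonly-docs", "aws", NOW - D(days=90)),
]
EDGES = [
    Edge("u1", "b1", "iam", {"level": "write"}),
    Edge("u1", "b3", "iam", {"level": "read"}),
    Edge("u1", "r1", "iam", {"level": "write"}),   # assumption: role assumption modelled as write-level access
    Edge("r1", "b2", "iam", {"level": "write"}),   # the role, not the user, can write to "backups"
    Edge("v1", "b3", "default", {}),               # dependency edge; must be ignored by the IAM traversal
]
BY_ID = {n.id: n for n in NODES}

def search(kind: str, max_age: Optional[timedelta] = None, **props):
    """Cross-cloud filter, e.g. search("volume", volume_encrypted=False)."""
    out = []
    for n in NODES:
        if not is_kind(n.kind, kind):
            continue
        if max_age is not None and NOW - n.ctime >= max_age:   # age < max_age
            continue
        if all(n.props.get(k) == v for k, v in props.items()):
            out.append(n)
    return out

def reachable_via_iam(start_id: str, target_kind: str, level: str) -> set:
    """Depth-first walk over iam edges of the given level, any number of hops."""
    seen, stack, hits = {start_id}, [start_id], set()
    while stack:
        cur = stack.pop()
        for e in EDGES:
            if e.src != cur or e.edge_type != "iam" or e.props.get("level") != level:
                continue
            if e.dst in seen:
                continue
            seen.add(e.dst)
            stack.append(e.dst)
            if is_kind(BY_ID[e.dst].kind, target_kind):
                hits.add(BY_ID[e.dst].name)
    return hits

def unencrypted_volume_names():          # ~ search is(volume) and volume_encrypted=false
    return sorted(n.name for n in search("volume", volume_encrypted=False))

def recent_resource_names(days: int):    # ~ search age < "<days>d"
    return sorted(n.name for n in search("resource", max_age=D(days=days)))

def writable_buckets_for(user_name: str):   # ~ the -iam[0:]{level==write}-> traversal
    uid = next(n.id for n in NODES if n.kind == "aws_iam_user" and n.name == user_name)
    return sorted(reachable_via_iam(uid, "bucket", "write"))
```

Note how `writable_buckets_for("matthias")` returns `backups` even though no edge connects the user to that bucket directly: the path runs through the `data-admin` role. The read-level edge to `readonly-docs` and the dependency edge from the volume are both filtered out, which is the job of the edge filter in the real query.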


Read more about traversing the graph in our docs. Fix Security, our hosted SaaS product, offers these visualizations out of the box.

💖 Community

Fix Inventory is an open-source project by Some Engineering. Contact us on our Discord server for:

🙏 Contributing

Feel free to open a GitHub issue for small fixes and changes. For bigger changes and new plugins, please open an issue first so that the relevant discussion happens up front and duplicated work is avoided.

Please follow our contribution guidelines to get started.

🎟 License

See LICENSE for details.