Fix Inventory: Open-Source Cloud Security Posture Management for Multi-Cloud
This repository profile is provided by osrepos.com, an open source repository discovery platform.

Summary
Fix Inventory is an open-source tool for cloud and security engineers, designed to identify and remediate critical risks across AWS, GCP, Azure, and Kubernetes. It provides a graph-based data model to collect, normalize, and triage security risks in multi-cloud infrastructure, offering a powerful alternative to proprietary cloud security solutions. Written in Python, it supports over 300 cloud services and various security use cases.
Introduction
Fix Inventory is an open-source project by Some Engineering, built for cloud and security engineers. It helps identify and remove critical security risks and compliance issues across various cloud platforms, including AWS, GCP, Azure, Kubernetes, DigitalOcean, Hetzner, and GitHub. This tool acts as an open-source alternative to commercial cloud security solutions like Orca Security, Prisma Cloud, or Wiz, providing comprehensive visibility and risk management for cloud-native infrastructure. It operates by collecting inventory data, normalizing it into a graph schema, and triaging security risks using custom and pre-configured compliance frameworks.
Installation
Getting started with Fix Inventory is straightforward. The project provides a detailed Quick Start Guide to walk you through the initial setup and configuration steps. This guide covers everything needed to begin collecting data and identifying risks in your cloud environments.
Examples
Fix Inventory features a human-readable query language accessible via its CLI, enabling users to explore infrastructure and answer security-related questions. It supports complex searches, including leveraging the dependency and access graph to understand relationships between resources.
- Finding unencrypted volumes:
    search is(volume) and volume_encrypted=false
  This command identifies all unencrypted volumes across supported cloud providers.
- Generating compliance reports:
    report benchmark run iso27001
  This command generates a report based on industry-standard benchmarks like ISO-27001.
- Traversing the dependency and access graph:
    search --with-edges is(aws_iam_user) and name=matthias -iam[0:]{permissions[*].level==write}-> is(aws_iam_user, aws_s3_bucket) | format --dot
  This advanced query helps visualize access paths, for example, showing which S3 buckets a specific user has write access to.
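An added illustration (not Fix Inventory code or its query engine) of what the last query computes: a walk over iam edges that keeps only edges carrying a write-level permission, at any depth, and then filters the reached nodes by kind. The graph, every node name other than matthias, and the multi-hop user-to-role-to-bucket layout are constructed assumptions; the real access graph's edge layout may differ.

```python
from collections import deque

# Constructed sample graph (not real inventory data): node id -> kind.
NODES = {
    "matthias": "aws_iam_user",
    "anna": "aws_iam_user",
    "ops-role": "aws_iam_role",
    "logs-bucket": "aws_s3_bucket",
    "backup-bucket": "aws_s3_bucket",
    "public-assets": "aws_s3_bucket",
}

# Constructed "iam" edges: (source, target, permission levels on the edge).
IAM_EDGES = [
    ("matthias", "logs-bucket", ["read", "write"]),
    ("matthias", "public-assets", ["read"]),        # read-only: not followed
    ("matthias", "ops-role", ["write"]),
    ("ops-role", "backup-bucket", ["write"]),       # indirect write path
    ("ops-role", "matthias", ["write"]),            # cycle, must not loop
    ("anna", "public-assets", ["write"]),
]


def write_access_paths(start, result_kinds=("aws_iam_user", "aws_s3_bucket")):
    """Breadth-first walk over iam edges that carry a write-level permission.

    Returns {node: path from start} for each reached node whose kind is in
    result_kinds. The start node itself (depth 0) is included, mirroring the
    [0:] depth range in the query; other kinds are traversed but not reported.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, levels in IAM_EDGES:
            if src == node and "write" in levels and dst not in paths:
                paths[dst] = paths[node] + [dst]
                queue.append(dst)
    return {n: p for n, p in paths.items() if NODES[n] in result_kinds}


if __name__ == "__main__":
    for node, path in write_access_paths("matthias").items():
        print(f"{NODES[node]:14} {node:14} via {' -> '.join(path)}")
```

The indirect path through the role is the kind of finding a flat per-policy listing misses, which is why the result keeps the full path and not just the reachable bucket.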
Why Use It
Fix Inventory stands out due to its cloud-native, graph-based approach to security. It addresses the challenges of dynamic cloud environments by focusing on rapid identification and remediation of critical risks.
Key differentiators include:
- Graph-based Data Model: It stores dependency and access metadata in a graph database, allowing for rapid traversal and analysis of interconnected risks across cloud platforms.
- Multi-Cloud Abstractions: A unified data model with over 40 "base kinds" enables a single set of policies to work consistently across all supported clouds.
- Resource Lifecycle Tracking: Hourly snapshots track configuration changes, providing a timeline and diff view for every resource.
- Comprehensive Use Cases: Supports Cloud Security Posture Management (CSPM), AI Security Posture Management (AI-SPM), Cloud Compliance, Cloud Infrastructure Entitlement Management (CIEM), Cloud Asset Inventory, Container & Kubernetes Security, Security Data Fabric, and Policy-as-Code.
- Performance and Scalability: Optimized for performance, it scales across thousands of cloud accounts and collects data in parallel while respecting API quotas.