
NHInsight

NHInsight — Open-source security tool to find risky non-human identities, tokens, and CI/CD access paths across AWS, Azure, GCP, GitHub, Kubernetes, and GitHub Actions.

Install / Use

/learn @cvemula1/NHInsight

README

<div align="center">

🔍 NHInsight

Discover risky non-human identities and privilege paths across AWS, Azure, GCP, GitHub, and Kubernetes.


</div>

Why NHInsight?

Non-human identities outnumber humans 80:1 in most orgs — and growing 44% year-over-year. Enterprise NHI tools charge $50K+/year. NHInsight does it for free — open source, runs locally, no telemetry.

Quick Start

pip install nhinsight          # install from PyPI
nhinsight demo                 # see it in action (no credentials needed)

Try it in 30 seconds: nhinsight demo runs with built-in sample data so you can see findings, attack paths, and risk scores instantly.

Scan a real environment

# Single provider
nhinsight scan --aws

# Multi-provider with attack path analysis
nhinsight scan --all --attack-paths

# CI/CD workflow scanning (no cloud creds required)
nhinsight scan --github-workflows .github/workflows --attack-paths

# Docker (zero install)
docker run --rm chvemula/nhinsight demo

Run in Your CI/CD Pipeline

Add NHInsight to any GitHub Actions workflow — no cloud credentials needed for workflow scanning:

# .github/workflows/nhi-scan.yml
name: NHI Security Scan
on: [push, pull_request]

jobs:
  nhi-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cvemula1/NHInsight@main
        with:
          attack-paths: "true"       # enable attack path analysis
          fail-on: "high"            # block PRs with high+ severity findings

The action scans your .github/workflows directory, writes findings to the PR summary, and fails the check if any identity risk meets the severity threshold. Add cloud provider credentials to also scan live infrastructure:

      - uses: cvemula1/NHInsight@main
        with:
          providers: "--aws --azure"
          attack-paths: "true"
          fail-on: "critical"
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}

Example: Identity Risk Findings

| Severity | Identity | Provider | Risk |
|:--------:|----------|:--------:|------|
| 🔴 CRITICAL | deploy-bot | AWS | AdministratorAccess policy attached |
| 🔴 CRITICAL | terraform-deployer | GCP | Service account has roles/owner |
| 🟠 HIGH | aks-cluster-sp | Azure | SP has Contributor at subscription scope |
| 🟡 MEDIUM | ci-runner-mi | Azure | Self-hosted runner MI accesses Key Vault + AKS + ACR |
| 🟡 MEDIUM | deploy-sa | K8s | Bound to cluster-admin ClusterRole |

Example: Attack Paths Detected

| Blast | Path | Risk |
|:-----:|------|------|
| 86 | GitHub Actions → Managed Identity → Key Vault → AKS → K8s Secrets | PR trigger can reach production secrets via MI |
| 83 | GitHub Actions → Managed Identity → Terraform Apply | Self-hosted runner MI can modify infrastructure |
| 80 | GitHub Actions → OIDC → AWS IAM Role → S3 + Secrets Manager | Workflow assumes admin role via OIDC federation |
| 75 | K8s ServiceAccount → IRSA → IAM Role (AdministratorAccess) | Pod escape leads to full AWS account access |
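The path enumeration behind a table like the one above, as an added illustration that is not NHInsight's own code: a small directed identity graph constructed from the sample paths is walked from the CI entry point to every terminal privileged resource, and each chain gets a score. The sink weights and the scoring rule are assumptions made for this example, not NHInsight's blast-radius formula.

```python
# Added example (not NHInsight's own code): enumerate identity chains from an
# entry point to privileged resources and rank them. The graph below is
# constructed from the sample paths in the README; sink weights and the
# scoring rule are assumptions, not NHInsight's blast-radius formula.

# Directed edges: identity/resource A can reach B (constructed sample data).
EDGES = {
    "GitHub Actions": ["Managed Identity", "OIDC -> AWS IAM Role"],
    "Managed Identity": ["Key Vault", "AKS", "Terraform Apply"],
    "AKS": ["K8s Secrets"],
    "OIDC -> AWS IAM Role": ["S3", "Secrets Manager"],
}

# Privileged resources with an assumed weight (larger = wider blast radius).
SINK_WEIGHT = {
    "K8s Secrets": 40, "Terraform Apply": 35, "Secrets Manager": 30,
    "Key Vault": 25, "S3": 20, "AKS": 15,
}

# Where untrusted input enters: a PR-triggered workflow (constructed).
ENTRY_POINTS = ["GitHub Actions"]


def rank_attack_paths(edges, entry_points, sink_weight):
    """Return (score, path) tuples for every simple path from an entry point
    to a terminal privileged resource, highest score first."""
    findings = []
    for entry in entry_points:
        stack = [(entry, [entry])]
        while stack:                       # iterative DFS over simple paths
            node, path = stack.pop()
            successors = edges.get(node, [])
            if node in sink_weight and not successors:
                # Assumed score: privileged hops on the path add up, capped at 100.
                score = min(100, sum(sink_weight.get(n, 0) for n in path))
                findings.append((score, path))
            for nxt in successors:
                if nxt not in path:        # never revisit a node, so cycles end
                    stack.append((nxt, path + [nxt]))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for score, path in rank_attack_paths(EDGES, ENTRY_POINTS, SINK_WEIGHT):
        print(f"{score:3d}  {' -> '.join(path)}")
```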

What It Finds

  • Overprivileged service accounts and roles (admin, owner, contributor)
  • Stale or unrotated credentials (access keys, SA keys, app secrets)
  • Wildcard trust relationships and open role assumptions
  • Dangerous Kubernetes service account bindings (cluster-admin, legacy tokens)
  • Risky GitHub deploy keys, app permissions, and admin-scoped tokens
  • GitHub Actions CI/CD risks — OIDC misconfigurations, Managed Identity abuse, self-hosted runner exposure
  • Cloud resource access from workflows — Key Vault, ACR, AKS, Storage, SQL, Terraform, Helm, and 40+ resource patterns
  • Cross-cloud attack paths from entry points to privileged resources

42 risk checks across 5 providers + CI/CD workflows. See all risk codes.

Supported Providers

  • AWS — IAM users, roles, access keys, policies, MFA, trust relationships
  • Azure — Service principals, managed identities, app secrets/certs, RBAC
  • GCP — Service accounts, SA keys, project IAM bindings
  • GitHub — Apps, deploy keys, webhooks, permissions
  • Kubernetes — ServiceAccounts, RBAC, Secrets, IRSA/Workload Identity

Key Capabilities

  • Attack path analysis — cross-cloud identity chains with blast radius scoring
  • NIST SP 800-53 scoring — compliance mapping with letter grades
  • IGA governance scores — ownership, rotation, least-privilege hygiene
  • AI explanations — optional OpenAI-powered risk summaries (--explain)
  • SARIF output — plug into GitHub Security tab or CI/CD (-f sarif)
  • Zero agents — read-only API calls, nothing installed in your infra

Install Options

pip install nhinsight              # Core (AWS included by default)
pip install nhinsight[all]         # All 5 providers + AI explanations
pip install nhinsight[azure]       # Just Azure
pip install nhinsight[gcp,k8s]     # Mix and match
<details> <summary><b>Docker examples</b></summary>
# Scan AWS
docker run --rm -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
  chvemula/nhinsight scan --aws

# Scan Azure
docker run --rm \
  -e AZURE_TENANT_ID -e AZURE_CLIENT_ID \
  -e AZURE_CLIENT_SECRET -e AZURE_SUBSCRIPTION_ID \
  chvemula/nhinsight scan --azure

# Scan GCP
docker run --rm -e GCP_PROJECT=my-project \
  -v ~/.config/gcloud:/root/.config/gcloud:ro \
  chvemula/nhinsight scan --gcp

# Scan Kubernetes
docker run --rm -v ~/.kube/config:/root/.kube/config:ro \
  chvemula/nhinsight scan --k8s

# Scan GitHub
docker run --rm -e GITHUB_TOKEN \
  chvemula/nhinsight scan --github --github-org acme-corp

# Multi-provider + JSON
docker run --rm -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
  -e GCP_PROJECT=my-project -v ~/.config/gcloud:/root/.config/gcloud:ro \
  chvemula/nhinsight scan --aws --gcp --attack-paths -f json
</details>

Authentication

NHInsight uses read-only access via each provider's standard SDK credentials. No agents, no custom auth.

| Provider | Quick Auth |
|----------|-----------|
| AWS | aws configure or env vars or instance role |
| Azure | az login or service principal env vars |
| GCP | gcloud auth application-default login or SA key |
| GitHub | export GITHUB_TOKEN=ghp_... |
| Kubernetes | Uses ~/.kube/config current context |

<details> <summary><b>Detailed auth setup per provider</b></summary>

AWS

Uses the standard boto3 credential chain:

| Method | How |
|--------|-----|
| Environment variables | AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY |
| Named profile | export AWS_PROFILE=prod or --aws-profile prod |
| Instance role / ECS task role | Automatic on EC2/ECS/Lambda |
| SSO | aws sso login --profile prod then --aws-profile prod |

# Minimum IAM permissions needed (read-only):
# iam:ListUsers, iam:ListRoles, iam:ListAccessKeys,
# iam:ListMFADevices, iam:GetLoginProfile,
# iam:ListUserPolicies, iam:ListAttachedUserPolicies,
# iam:ListRolePolicies, iam:ListAttachedRolePolicies,
# iam:GetAccessKeyLastUsed

nhinsight scan --aws
nhinsight scan --aws --aws-profile prod --aws-region us-east-1

Azure

Uses Azure Identity DefaultAzureCredential:

| Method | How |
|--------|-----|
| Azure CLI | az login (simplest for local dev) |
| Service Principal | AZURE_CLIENT_ID + AZURE_CLIENT_SECRET + AZURE_TENANT_ID |
| Managed Identity | Automatic on Azure VMs/AKS/Functions |
| Environment variables | AZURE_TENANT_ID + AZURE_SUBSCRIPTION_ID |

# Required API permissions:
# Microsoft Graph: Application.Read.All, Directory.Read.All
# Azure RBAC: Microsoft.Authorization/roleAssignments/read

az login
nhinsight scan --azure
nhinsight scan --azure --azure-tenant-id TENANT --azure-subscription-id SUB

GCP

Uses Google Application Default Credentials (ADC):

| Method | How |
|--------|-----|
| gcloud CLI | gcloud auth application-default login (simplest for local dev) |
| Service Account key | export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json |
| Workload Identity | Automatic on GKE/Cloud Run/Cloud Functions |
| Environment variable | export GCP_PROJECT=my-project or --gcp-project my-project |

# Required IAM roles (read-only):
# roles/iam.serviceAccountViewer (list SAs + keys)
# roles/resourcemanager.projectIamViewer (read IAM policy)

gcloud auth application-default login
nhinsight scan --gcp --gcp-project my-project

GitHub

Uses a [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-you

View on GitHub
GitHub Stars: 7
Category: Operations
Updated: 11d ago
Forks: 1

Languages

Python

Security Score

90/100

Audited on Mar 22, 2026

No findings