Tool integration

Pike Integration Guide

Generate minimal IAM permissions for your Terraform code

Get a Free API Key

Integrate Pike with Vulnetix. Analyse Terraform code to generate the minimal IAM permissions required and identify over-permissive configurations.

TerraformCLI toolJSON

Install & scan

$ go install github.com/JamesWoolfenden/pike@latest

# Verify
pike --version
$ pike scan -d ./terraform/ --output json > pike-report.json

Run Pike in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Pike
  run: go install github.com/JamesWoolfenden/pike@latest

- name: Analyze IAM permissions
  run: pike scan -d ./terraform/ --output json > pike-report.json

- name: Upload to Vulnetix
  run: vulnetix upload --file pike-report.json

How Vulnetix compares — better together

Vulnetix does not replace Pike. Keep running it. Vulnetix sits on top of Pike — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Pike is strongest at its core category and also carries features in Cloud Security & CSPM — just like Vulnetix spans categories.

CapabilityVulnetixPike
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormationCore: parses Terraform/OpenTofu resource configs to generate least-privilege IAM policies; also detects deprecated resources/datasources
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab~ inspect command flags over-permissive ambient AWS credentials and compares deployed cloud IAM roles against code — least-privilege/IAM hygiene, not full CSPM
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Pike does well

Where Vulnetix adds to it: Pike is a specialist least-privilege IAM generator for IaC — a capability Vulnetix does not attempt to replicate. Vulnetix instead provides broad native security scanning (IaC misconfig, SAST, SCA, container, secrets, cloud, SBOM) and can consolidate Pike's IAM/over-permission findings into its unified prioritised queue with exploit intel, VEX and SSVC policy. They are complementary: Pike right-sizes deployment permissions, Vulnetix orchestrates the wider vulnerability and misconfiguration posture on top.

No migration, no rip-and-replace. Pike keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Pike results in Vulnetix

Upload Pike JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Pike documentation ↗  ·  Source repository ↗

Wire Pike into your CI/CD pipeline →