Integrate Pike with Vulnetix. Analyse Terraform code to generate the minimal IAM permissions required and identify over-permissive configurations.
Install & scan
$ go install github.com/JamesWoolfenden/pike@latest # Verify pike --version $ pike scan -d ./terraform/ --output json > pike-report.json
Run Pike in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Pike run: go install github.com/JamesWoolfenden/pike@latest - name: Analyze IAM permissions run: pike scan -d ./terraform/ --output json > pike-report.json - name: Upload to Vulnetix run: vulnetix upload --file pike-report.json
How Vulnetix compares — better together
Vulnetix does not replace Pike. Keep running it. Vulnetix sits on top of Pike — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Pike is strongest at its core category and also carries features in Cloud Security & CSPM — just like Vulnetix spans categories.
| Capability | Vulnetix | Pike |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✓ Core: parses Terraform/OpenTofu resource configs to generate least-privilege IAM policies; also detects deprecated resources/datasources |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ~ inspect command flags over-permissive ambient AWS credentials and compares deployed cloud IAM roles against code — least-privilege/IAM hygiene, not full CSPM |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Pike does well
- Solves a genuinely hard problem: statically computes the minimum IAM permissions required to deploy Terraform/OpenTofu code, enabling true least-privilege without trial-and-error
- Multi-cloud resource-to-permission mapping across AWS (most mature), GCP and Azure, output as JSON policy or ready-to-apply Terraform
- Least-privilege lifecycle tooling: compare deployed roles vs code requirements, inspect ambient sessions for over-permissive credentials, and a two-role escalation-class pattern for safer CI/CD
- Fully static and offline-capable, plus deprecated-resource detection and README permission documentation
Where Vulnetix adds to it: Pike is a specialist least-privilege IAM generator for IaC — a capability Vulnetix does not attempt to replicate. Vulnetix instead provides broad native security scanning (IaC misconfig, SAST, SCA, container, secrets, cloud, SBOM) and can consolidate Pike's IAM/over-permission findings into its unified prioritised queue with exploit intel, VEX and SSVC policy. They are complementary: Pike right-sizes deployment permissions, Vulnetix orchestrates the wider vulnerability and misconfiguration posture on top.
No migration, no rip-and-replace. Pike keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Pike results in Vulnetix
Upload Pike JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.