{"id":40928164,"url":"https://github.com/DenizParlak/heimdall","last_synced_at":"2026-01-31T09:00:52.102Z","repository":{"id":325917478,"uuid":"1104002552","full_name":"DenizParlak/heimdall","owner":"DenizParlak","description":"AWS Attack Path Scanner - Discover privilege escalation paths across 10+ AWS services","archived":false,"fork":false,"pushed_at":"2025-12-04T16:53:47.000Z","size":8645,"stargazers_count":11,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-13T19:50:54.513Z","etag":null,"topics":["aws","aws-security","cloud","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DenizParlak.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-25T16:08:15.000Z","updated_at":"2026-01-02T20:12:45.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/DenizParlak/heimdall","commit_stats":null,"previous_names":["denizparlak/heimdall"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/DenizParlak/heimdall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fheimdall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fheimdall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fheimdall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fheimdall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DenizParlak","download_url":"https://codeload.github.com/DenizParlak/heimdall/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fheimdall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28936100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-31T08:53:31.997Z","status":"ssl_error","status_checked_at":"2026-01-31T08:51:38.521Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","cloud","security"],"created_at":"2026-01-22T04:00:40.914Z","updated_at":"2026-01-31T09:00:52.093Z","avatar_url":"https://github.com/DenizParlak.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/logo.svg\" alt=\"Heimdall Logo\" width=\"140\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eHeimdall\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eAWS Attack Path Scanner\u003c/strong\u003e\u003cbr\u003e\n  \u003cem\u003eThe Bifröst Guardian for Your Cloud Security\u003c/em\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#-quick-start\"\u003eQuick Start\u003c/a\u003e •\n  \u003ca href=\"#-real-world-examples\"\u003eExamples\u003c/a\u003e •\n  \u003ca href=\"#-features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca href=\"#-installation\"\u003eInstallation\u003c/a\u003e •\n  \u003ca href=\"#-commands\"\u003eCommands\u003c/a\u003e •\n  \u003ca href=\"#%EF%B8%8F-roadmap\"\u003eRoadmap\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/python-3.9+-blue.svg\" alt=\"Python\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-MIT-green.svg\" alt=\"License\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/AWS-IAM%20Security-orange.svg\" alt=\"AWS\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/patterns-50+-purple.svg\" alt=\"Patterns\"\u003e\n\u003c/p\u003e\n\n---\n\n## What is Heimdall?\n\nHeimdall is an **AWS security scanner** that discovers privilege escalation paths attackers could exploit to gain admin access.\n\n**By the numbers:**\n- 🎯 **50+ IAM privilege escalation patterns** detected\n- 🔗 **85+ attack chain patterns** with MITRE ATT\u0026CK mapping  \n- 🌐 **10 AWS services** analyzed for cross-service escalation\n- ✅ **Low false-positive rate** - tested on production accounts with 50+ roles\n- ⚡ **One command** to assess your entire security posture\n\nIn Norse mythology, Heimdall stands at Bifröst and sees all paths between realms.  \nIn AWS, Heimdall watches your environment and reveals all paths to compromise.\n\n### ✨ Key Features\n\n| Feature | Description |\n|---------|-------------|\n| 🔗 **Attack Chain Analysis** | Multi-step privilege escalation paths with MITRE ATT\u0026CK mapping |\n| 🌐 **Cross-Service Scanner** | Analyze 10 AWS services (EC2, RDS, S3, Lambda, KMS, Secrets Manager, STS, SNS, SQS, DynamoDB) |\n| 🏗️ **Terraform Engine** ⭐ | Detect IAM attack paths in Terraform plans before deployment |\n| 🎨 **Interactive TUI** | Cosy Nordic-themed terminal interface |\n| 📊 **One-Command Dashboard** | `heimdall dashboard` - instant security overview |\n| 🎯 **50+ Privesc Patterns** | Comprehensive IAM privilege escalation coverage |\n| 📤 **CI/CD Ready** | SARIF export for GitHub Security, CSV for spreadsheets |\n| 🔒 **Baseline System** | Ignore known/accepted risks with `.heimdall-ignore` |\n\n### 🏢 Enterprise Edition (Preview)\n\n\u003e 🔒 **Limited Access** - Web UI is currently in private preview.  \n\u003e Interested in a demo? Contact: **denizparlak@protonmail.ch**\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e🖼️ Click to see Web UI Screenshots\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n**Attack Simulator** - Interactive privilege escalation visualization\n![Attack Simulator](docs/screenshots/web-attack-simulator.png)\n\n**Live Graph** - Real-time security posture with auto-refresh\n![Live Graph](docs/screenshots/web-live-graph.png)\n\n**Trust Graph** - IAM trust relationship explorer\n![Trust Graph](docs/screenshots/web-trust-graph.png)\n\n\u003c/details\u003e\n\n---\n\n## 🚀 Quick Start\n\n```bash\n# 1. Install\npip install -e .\n\n# 2. One-command security overview\nheimdall dashboard\n\n# 3. Deep privilege escalation analysis\nheimdall iam detect-privesc --profile prod\n```\n\n**That's it!** You'll see a complete security posture in seconds.\n\n---\n\n## 🧪 Real World Examples\n\n### ✅ Well-Configured Account (No False Positives)\n```bash\n$ heimdall iam scan --profile prod --summary\n\n✓ Scanned 52 IAM roles\n✓ Scanned 40 IAM users\n✓ Found 55 assume-role relationships\n✓ Identified 0 privilege escalation paths\n\nSummary:\n  Roles: 52\n  Users: 40\n  Service principals: 29\n  Federated principals: 1\n  Human→Role paths: 1\n  Risky paths: 0 (Critical: 0, High: 0)\n\n✅ Good security posture detected:\n   - Admin access via SSO only (federated)\n   - Minimal user→role permissions\n   - Service roles properly isolated\n```\n\n### ⚠️ Account with Privilege Escalation Risks\n```bash\n$ heimdall iam detect-privesc --profile prod\n\n🔐 Heimdall Privilege Escalation Detector\n\n✓ Scanned 52 IAM roles\n✓ Scanned 40 IAM users\n✓ Detected 14 privilege escalation opportunities\n\n⚠️  Privilege Escalation Opportunities:\n\nCRITICAL (8):\n  • user/admin-user\n    Method: passrole_lambda\n    Create Lambda with privileged role, execute code with elevated permissions\n\n  • user/admin-user\n    Method: attach_user_policy\n    Attach AdministratorAccess policy to self or other user\n\nHIGH (6):\n  • user/admin-user\n    Method: create_policy_version\n    Modify existing policy to grant admin access\n```\n\n### 🔗 Multi-Hop Attack Path Detection\n```bash\n$ heimdall iam detect-privesc --include-indirect --max-depth 2\n\n🔗 Indirect Privilege Escalation Paths (Multi-Hop):\n\nCRITICAL:\n  • user/junior → DevRole → ProdRole\n    Path length: 2 hops\n    Target: attach_user_policy (CRITICAL)\n\n  • user/contractor → IntegrationRole → DeployerRole → AdminRole\n    Path length: 3 hops\n    Target: put_user_policy (CRITICAL)\n\nWhat's detected:\n  ✓ Devs who can assume roles leading to admin\n  ✓ Contractors with indirect paths through role chains\n  ✓ Hidden escalation paths not obvious from direct permissions\n```\n\n---\n\n## 📸 Screenshots\n\n### 📊 Security Dashboard\n\u003e One command to see everything: IAM stats, privilege escalation risks, and recommendations.\n\n```bash\nheimdall dashboard --quick\n```\n\n![Dashboard](docs/screenshots/dashboard.png)\n\n### 🎨 Interactive TUI\n\u003e Navigate findings, explore attack chains, and drill down into details with keyboard shortcuts.\n\n```bash\nheimdall iam tui\n```\n\n![TUI](docs/screenshots/tui.png)\n\n### 🔗 Attack Chain Analysis\n\u003e Multi-step privilege escalation paths with risk scores and quick fix suggestions.\n\n```bash\nheimdall iam attack-chain --format tree --top 5 --steps\n```\n\n![Attack Chain](docs/screenshots/attack-chain.png)\n\n### 🌐 Cross-Service Analysis\n\u003e Detect privilege escalation across 10 AWS services (S3, Lambda, EC2, KMS, and more).\n\n```bash\nheimdall iam cross-service --compact\n```\n\n![Cross-Service](docs/screenshots/cross-service.png)\n\n---\n\n## ⚡ Features\n\n### 🔍 Core Scanning\n- **50+ Privilege Escalation Patterns** - Most comprehensive coverage\n- **Trust Graph Analysis** - Map all AssumeRole relationships\n- **Multi-Hop Detection** - Find indirect escalation paths (A→B→C→Admin)\n\n### 🔗 Attack Chain Analysis\n- **85+ Attack Patterns** with MITRE ATT\u0026CK mapping\n- **Blast Radius Scoring** (0-100) - Impact assessment\n- **Step-by-Step Narratives** - How attacks unfold\n- **3 Output Formats** - Table, JSON, Tree\n\n### 🌐 Cross-Service Engine\nAnalyze privilege escalation across **10 AWS services**:\n\n| Service | Checks |\n|---------|--------|\n| 🖥️ EC2 | Instance profiles, IMDSv1, public IPs |\n| 🛢️ RDS | Public instances, snapshot sharing |\n| 🪣 S3 | Public buckets, cross-account, sensitive data |\n| ⚡ Lambda | Execution roles, env vars, code injection |\n| 🔐 KMS | Key policies, grants, cross-account |\n| 🔑 Secrets | Resource policies, rotation status |\n| 🔀 STS | Trust policies, cross-account assumptions |\n| 📢 SNS | Topic policies, public access |\n| 📬 SQS | Queue policies, encryption |\n| 🗄️ DynamoDB | Encryption, sensitive tables |\n\n### 🏗️ Terraform Attack Path Engine\n\n**Shift-left security** - Detect IAM privilege escalation in Terraform plans **before deployment**.\n\n```bash\n# Generate plan JSON\nterraform plan -out=plan.tfplan\nterraform show -json plan.tfplan \u003e plan.json\n\n# Scan for attack paths\nheimdall terraform scan plan.json\nheimdall terraform scan plan.json --fail-on critical  # CI/CD gate\n```\n\n**What makes it different from tfsec/checkov/trivy?**\n\n| Tool | Approach | Focus |\n|------|----------|-------|\n| tfsec, checkov, trivy | Static config checks | \"Is this bucket encrypted?\" |\n| **Heimdall** | Attack path analysis | \"Does this IAM change create an escalation path to admin?\" |\n\n**Key capabilities:**\n- **45+ IAM attack patterns** - PassRole chains, trust policy hijacks, credential creation\n- **Before/After comparison** - Shows security posture change, not just violations\n- **Multi-hop chain detection** - Developer → Lambda Role → Admin\n- **Cross-service triggers** - S3 → Lambda, SNS → Lambda, API Gateway → Lambda\n- **Risk delta scoring** - Quantifies security impact of changes\n\n**Example output:**\n```\n╔═══════════════════════════╤══════════════╤══════════════╤═════════════════╗\n║ Metric                    │    Before    │    After     │     Change      ║\n╟───────────────────────────┼──────────────┼──────────────┼─────────────────╢\n║ ⚔️ Attack Paths            │      2       │      7       │       +5        ║\n║ 🎯 Risk Score             │      10      │      60      │       +50       ║\n╚═══════════════════════════╧══════════════╧══════════════╧═════════════════╝\n\n⛔ BLOCKING ISSUES:\n  • CHAIN: 'dev-role' → PassRole → admin role 'prod-admin'\n  • CRITICAL: Role 'deploy-role' can create credentials (iam:CreateAccessKey)\n```\n\n![Terraform Sample Scan](docs/screenshots/tfs.png)\n\n### 🎨 Interactive TUI\n- **Nordic-themed** beautiful terminal interface\n- **Real-time** finding exploration\n- **Keyboard navigation** - vim-style bindings\n- **Live scan** progress with logs\n\n### 📊 Dashboard\n- **One-command** security overview\n- **Risk scoring** (0-100)\n- **Severity breakdown** with visual bars\n- **Actionable recommendations**\n\n### 📤 Export \u0026 Integration\n- **SARIF** - GitHub Security Code Scanning\n- **CSV** - Excel/Sheets analysis\n- **JSON** - CI/CD pipelines\n- **Baseline** - Ignore known/accepted risks\n\n---\n\n## 📦 Installation\n\n### Requirements\n- Python 3.9+\n- AWS credentials configured (`~/.aws/credentials` or environment)\n\n### Install from Source\n```bash\ngit clone https://github.com/DenizParlak/heimdall.git\ncd heimdall\npip install -e .\n```\n\n### Verify Installation\n```bash\nheimdall doctor\nheimdall --version\n```\n\n---\n\n## 🔧 Commands\n\n### Quick Overview\n```bash\nheimdall dashboard                    # 🎯 One-command security overview\nheimdall dashboard --quick            # Skip cross-service (faster)\n```\n\n### IAM Scanning\n```bash\nheimdall iam scan                     # Scan IAM, build trust graph\nheimdall iam detect-privesc           # Find privilege escalation\nheimdall iam detect-privesc --explain # AI-powered explanations\n```\n\n### Attack Analysis\n```bash\nheimdall iam attack-chain             # Multi-step attack paths\nheimdall iam attack-chain --top 10    # Top 10 chains\nheimdall iam cross-service            # Cross-service escalation\nheimdall iam cross-service --compact  # Summary only\n```\n\n### Interactive Mode\n```bash\nheimdall iam tui                      # Interactive terminal UI\nheimdall iam tui --graph scan.json    # Load existing scan\n```\n\n### Terraform Security\n```bash\n# Scan Terraform plan for attack paths\nheimdall terraform scan plan.json                    # Full analysis\nheimdall terraform scan plan.json --quick            # Skip AWS state fetch\nheimdall terraform scan plan.json --json             # JSON output\nheimdall terraform scan plan.json --fail-on critical # CI/CD gate\n\n# Detailed report\nheimdall terraform report plan.json --format markdown\n```\n\n### Export \u0026 CI/CD\n```bash\n# SARIF for GitHub Security\nheimdall iam detect-privesc --format sarif -o findings.sarif\n\n# CSV for spreadsheets\nheimdall iam detect-privesc --format csv -o findings.csv\n\n# With baseline (ignore known risks)\nheimdall iam detect-privesc --baseline .heimdall-ignore\nheimdall iam detect-privesc --init-baseline  # Create sample file\n```\n\n### Utilities\n```bash\nheimdall quickstart                   # Interactive setup guide\nheimdall doctor                       # Health check\nheimdall aws profiles                 # List AWS profiles\nheimdall completion zsh               # Shell completion\n```\n\n---\n\n## 🔐 Required IAM Permissions\n\nMinimum permissions for Heimdall to scan your account:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"iam:List*\",\n        \"iam:Get*\",\n        \"sts:GetCallerIdentity\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}\n```\n\nFor cross-service scanning, add:\n```json\n{\n  \"Action\": [\n    \"s3:ListAllMyBuckets\",\n    \"s3:GetBucketPolicy\",\n    \"lambda:ListFunctions\",\n    \"lambda:GetFunction\",\n    \"ec2:DescribeInstances\",\n    \"kms:ListKeys\",\n    \"secretsmanager:ListSecrets\"\n  ],\n  \"Resource\": \"*\"\n}\n```\n\n---\n\n## 🗺️ Roadmap\n\n### ✅ Completed\n- [x] 50+ IAM privilege escalation patterns\n- [x] Attack chain analysis with MITRE mapping\n- [x] Cross-service scanner (10 services)\n- [x] Interactive TUI\n- [x] One-command dashboard\n- [x] SARIF/CSV export\n- [x] Baseline/ignore system\n- [x] **Terraform Attack Path Engine** ⭐ NEW\n\n### 🔜 Coming Soon\n- [ ] Slack/Teams alerts\n- [ ] Multi-account organization scanning\n- [ ] Compliance framework mapping (CIS, PCI-DSS)\n- [ ] Auto-remediation suggestions\n\n---\n\n## 🤝 Contributing\n\nContributions welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) first.\n\n```bash\n# Run tests\npytest\n\n# Run linting\nruff check heimdall/\n```\n\n---\n\n## 📄 License\n\nMIT License - see [LICENSE](LICENSE) for details.\n\n---\n\n## 🙏 Credits\n\nBuilt with:\n- [Python](https://python.org/) - 3.9+\n- [boto3](https://boto3.amazonaws.com/) - AWS SDK for Python\n- [Click](https://click.palletsprojects.com/) - CLI framework\n- [Rich](https://rich.readthedocs.io/) - Terminal formatting\n- [Textual](https://textual.textualize.io/) - TUI framework\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/logo.svg\" alt=\"Heimdall\" width=\"24\" style=\"vertical-align: middle;\"\u003e \u003cstrong\u003eGuard your cloud like Heimdall guards Bifröst\u003c/strong\u003e\u003cbr\u003e\n  \u003cem\u003eMade with ❤️ for the AWS security community\u003c/em\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDenizParlak%2Fheimdall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDenizParlak%2Fheimdall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDenizParlak%2Fheimdall/lists"}