{"id":16199436,"url":"https://github.com/dadrus/heimdall","last_synced_at":"2026-04-19T02:16:42.565Z","repository":{"id":36966994,"uuid":"480728437","full_name":"dadrus/heimdall","owner":"dadrus","description":"A cloud native Identity Aware Proxy and Access Control Decision service","archived":false,"fork":false,"pushed_at":"2025-08-19T15:35:45.000Z","size":29639,"stargazers_count":202,"open_issues_count":50,"forks_count":23,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-08-19T16:35:04.960Z","etag":null,"topics":["access-control","access-management","api-gateway","auth-api","auth-proxy","authentication","authorization","decision-api","golang","identity-aware-proxy","oauth2","openid-connect","policy-enforcement"],"latest_commit_sha":null,"homepage":"https://dadrus.github.io/heimdall/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadrus.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-04-12T08:54:37.000Z","updated_at":"2025-08-19T14:31:40.000Z","dependencies_parsed_at":"2024-01-06T22:25:12.888Z","dependency_job_id":"4d24e89e-7ef9-467d-a1e2-fa3b8d9bab0b","html_url":"https://github.com/dadrus/heimdall","commit_stats":null,"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"purl":"pkg:github/dadrus/heimdall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadrus%2Fheimdall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadrus%2Fheimdall/tags","
releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadrus%2Fheimdall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadrus%2Fheimdall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dadrus","download_url":"https://codeload.github.com/dadrus/heimdall/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadrus%2Fheimdall/sbom","scorecard":{"id":480860,"data":{"date":"2025-08-19T14:32:08Z","repo":{"name":"github.com/dadrus/heimdall","commit":"06b0b145cfe9cbe713e295738b6f8cb27fd3ebe3"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.2,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/27 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: RenovateBot: renovate.json:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":10,"reason":"25 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/please-release-pr.yaml:17","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/please-release.yaml:17","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release.yaml:212","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release.yaml:228","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release.yaml:309","Info: jobLevel permissions set to 'read-all': .github/workflows/release.yaml:331","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release.yaml:71","Info: topLevel permissions set to 'read-all': .github/workflows/ci.yaml:27","Info: topLevel 'contents' permission set to 'read': .github/workflows/please-release-pr.yaml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/please-release.yaml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yaml:18","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:19","Info: topLevel permissions set to 'read-all': .github/workflows/security.yaml:16"],"documentation":{"short":"Determines if the 
project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  34 out of  34 GitHub-owned GitHubAction dependencies pinned","Info:  81 out of  81 third-party GitHubAction dependencies pinned","Info:   4 out of   4 goCommand dependencies pinned","Info:   3 out of   3 npmCommand dependencies pinned","Info:   3 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yaml:316"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities 
detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"CI-Tests","score":-1,"reason":"internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e502 Bad Gateway\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e502 Bad Gateway\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\\r\\n\u003c/body\u003e\\r\\n\u003c/html\u003e\\r\\n\"","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"SAST","score":-1,"reason":"internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e502 Bad Gateway\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e502 Bad Gateway\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\\r\\n\u003c/body\u003e\\r\\n\u003c/html\u003e\\r\\n\"","details":null,"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Signed-Releases","score":10,"reason":"5 out of the last 5 releases have a total of 10 signed artifacts.","details":["Info: signed release artifact: heimdall_v0.17.1_checksums.txt.sig: https://github.com/dadrus/heimdall/releases/tag/v0.17.1","Info: signed release artifact: heimdall_v0.17.0_checksums.txt.sig: https://github.com/dadrus/heimdall/releases/tag/v0.17.0","Info: signed release artifact: heimdall_v0.16.8_checksums.txt.sig: https://github.com/dadrus/heimdall/releases/tag/v0.16.8","Info: signed release artifact: heimdall_v0.16.7_checksums.txt.sig: https://github.com/dadrus/heimdall/releases/tag/v0.16.7","Info: signed release artifact: heimdall_v0.16.6_checksums.txt.sig: https://github.com/dadrus/heimdall/releases/tag/v0.16.6","Info: provenance for release artifact: heimdall_v0.17.1.intoto.jsonl: https://github.com/dadrus/heimdall/releases/tag/v0.17.1","Info: provenance for release artifact: heimdall_v0.17.0.intoto.jsonl: https://github.com/dadrus/heimdall/releases/tag/v0.17.0","Info: provenance for release artifact: heimdall_v0.16.8.intoto.jsonl: https://github.com/dadrus/heimdall/releases/tag/v0.16.8","Info: provenance for release artifact: heimdall_v0.16.7.intoto.jsonl: https://github.com/dadrus/heimdall/releases/tag/v0.16.7","Info: provenance for release artifact: heimdall_v0.16.6.intoto.jsonl: https://github.com/dadrus/heimdall/releases/tag/v0.16.6"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-19T16:35:15.326Z","repository_id":36966994,"created_at":"2025-08-19T16:35:15.326Z","updated_at":"2025-08-19T16:35:15.326Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271604718,"owners_count":24788760,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-22T02:00:08.480Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","access-management","api-gateway","auth-api","aut
h-proxy","authentication","authorization","decision-api","golang","identity-aware-proxy","oauth2","openid-connect","policy-enforcement"],"created_at":"2024-10-10T09:25:25.905Z","updated_at":"2026-04-05T13:03:58.745Z","avatar_url":"https://github.com/dadrus.png","language":"Go","readme":"# Heimdall\n[![CI](https://github.com/dadrus/heimdall/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/dadrus/heimdall/actions/workflows/ci.yml)\n[![Security-Scan](https://github.com/dadrus/heimdall/actions/workflows/security.yaml/badge.svg)](https://github.com/dadrus/heimdall/actions/workflows/security.yml)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7738/badge)](https://www.bestpractices.dev/projects/7738)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/dadrus/heimdall/badge)](https://securityscorecards.dev/viewer/?uri=github.com/dadrus/heimdall)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![Go Report Card](https://goreportcard.com/badge/github.com/dadrus/heimdall)](https://goreportcard.com/report/github.com/dadrus/heimdall)\n[![codecov](https://codecov.io/gh/dadrus/heimdall/branch/main/graph/badge.svg)](https://codecov.io/gh/dadrus/heimdall)\n[![Docker](https://img.shields.io/badge/image-0.17.13-blue?logo=docker)](https://hub.docker.com/r/dadrus/heimdall)\n[![Helm Chart](https://img.shields.io/badge/dynamic/yaml.svg?label=chart\u0026url=https://dadrus.github.io/heimdall/charts/index.yaml\u0026query=$.entries.heimdall[0].version\u0026logo=helm\u0026logoColor=white)](https://github.com/dadrus/heimdall/tree/main/charts/heimdall)\n[![Discord](https://img.shields.io/discord/1100447190796742698?logo=discord\u0026logoColor=white\u0026label=community)](https://discord.gg/qQgg8xKuyb)\n\n## Background\n\nHeimdall is inspired by the Zero Trust idea and also by [Pomerium](https://www.pomerium.com/docs) and [Ory's OAthkeeper](https://www.ory.sh/docs/oathkeeper). 
Some experience with both, and my inability to update the latter to include the desired functionality and behavior, marked the birth of Heimdall. \n\n## What is heimdall\n\nHeimdall authenticates and authorizes incoming HTTP (HTTP 1.x and HTTP 2.0) requests as well as enriches these with further contextual information and finally transforms resulting subject information into a format required by the upstream services.\n\nIt can do so:\n\n* Standalone as a proxy in front of your service or web server that rejects unauthorized requests and forwards authorized ones to your end points, or \n* Integrated into any other proxy, ingress controller or API gateway, like Kong, NGINX, Envoy, Traefik, Contour, Ambassador and many more. Here that other proxy will forward the incoming request to heimdall and, depending on its response, either forward the original request, verified and updated by heimdall, to your upstream service, or reject it with the information provided by heimdall.\n\nIn both cases it acts as a Policy Enforcement Point and, to some degree, a Policy Decision Point according to [NIST Zero Trust Architecture (SP 800-207)](https://doi.org/10.6028/NIST.SP.800-207)\n\n## How does authentication, authorization and transformation work\n\nThe decision-making and transformation processes in Heimdall are governed by rules or respectively rule sets. These rule sets can be independently configured and managed by each upstream service. Heimdall dynamically loads these rules from a variety of sources, including:\n\n* `RuleSet` Kubernetes resources (a corresponding CRD is shipped with the Helm chart)\n* Cloud storages, like AWS S3, Google's GC, etc.\n* Local file system\n* Any HTTP endpoint\n\nThat way, these rule sets can not only be managed centrally, but also be deployed together with each particular upstream service, without the need to restart or redeploy heimdall. 
Indeed, these rule sets are optional first class citizens of the upstream service and allow:\n\n* Implementation of secure defaults. If no rule matches the incoming request, a default decision and transformation, if configured, is applied. This is the reason for \"optional first class citizens\" above.\n* Configuration of as many authentication (e.g. OpenID Connect), authorization (e.g. via CEL expressions, or via OPA, or OpenFGA), contextualization (by e.g. communicating to some specific endpoint) and finalization mechanisms (e.g. creation of a JWT out of the available subject information), supported by heimdall, as required for the particular system. So, if your system requires integration with multiple authentication providers, or you want to migrate from one to another, it is just a matter of configuring them in heimdall.\n* Reuse and combination of these mechanisms in as many rules as required for the particular system.\n* Partial reconfiguration of a particular mechanism in a rule if required by the upstream service.\n* Authentication mechanism fallbacks.\n* Implementation of different decision process schemes by combining e.g. authentication mechanisms with error handlers to drive authentication mechanism specific error handling strategies.\n* Execution of authorization and contextualization mechanisms in any order. That way, if the information about your subject, available from the authentication system, is not sufficient to make proper authorization decisions, you can let heimdall call other services to retrieve that additional information.\n* Conditional execution of authorization, contextualization and finalization mechanisms is possible. E.g. 
if depending on the available information about the subject you would like heimdall to either block the request, or let the upstream return different representations of the requested resource.\n\n## Beyond the functionality\n\nHeimdall's main focus points beyond its functionality are:\n\n* Performance - To achieve this, heimdall does use any http routing frameworks and does not load or convert data during execution whenever possible. This is also true for reflection use.\n* Clear abstractions - To allow extensibility and even replacement of components without side effects.\n* Simplicity - To allow better understanding of code to everybody, who would like to contribute.\n\n## Where can I find more details\n\nHead over to the [documentation](https://dadrus.github.io/heimdall/) for details or if you would like to give it a try.\n\n## Current state\n\n* Production-ready and already in use by multiple organizations worldwide.\n* Code base is stable and well-tested. \n* Some features are still missing, and the development of these features might lead to breaking changes in future updates.\n\nFor information on the currently supported functionality, please refer to the [Release descriptions](https://github.com/dadrus/heimdall/releases). Planned features can be found in the defined [Milestones](https://github.com/dadrus/heimdall/milestones).\n\n\n## If you ...\n\n* ... like the project - please give it a :star:\n* ... miss something, or found a bug, [file a ticket](https://github.com/dadrus/heimdall/issues). You are also very welcome to [contribute](CONTRIBUTING.md) :wink:\n* ... would like to support, reach out to me via [Discord](https://discord.gg/qQgg8xKuyb)\n* ... 
need help, head over to [Discord](https://discord.gg/qQgg8xKuyb) as well\n","funding_links":[],"categories":["Zero-trust Network"],"sub_categories":["Identifiers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadrus%2Fheimdall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadrus%2Fheimdall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadrus%2Fheimdall/lists"}