Read-only access-path scanning for GitHub Actions, CI/CD, and cloud IAM risk.

Project description

Pathros Local

Read-only access-path scanning for GitHub Actions, CI/CD, and cloud IAM risk.

uvx --from pathros-local pathros scan .

Pathros maps hidden access paths and shows the evidence.

Default behavior:

  • no writes
  • no cloud API calls
  • no telemetry
  • no upload
  • secret-like values redacted

Run Pathros locally. No cloud account required. No network calls by default. No writes. Evidence-rich output in one command.

Quick demo

uvx --from pathros-local pathros scan examples/phase-3/vulnerable/v01-pr-target-checkout-aws-role

Persistent install

pipx install pathros-local
pathros doctor
pathros scan .

Verify your install

pathros doctor
pathros version
pathros --version

pathros doctor reports the installed version, distribution name, install mode, Python version, safety defaults, reporter availability, and the next command to run.

Output formats

pathros scan . --format console
pathros scan . --format json
pathros scan . --format markdown
pathros scan . --format sarif

Markdown is the human report. JSON and SARIF are machine-readable reports for CI and review workflows. Pathros Local generates SARIF; it does not upload SARIF or scan results by default.

What Pathros Local currently detects

  • GitHub Actions workflows that expose cloud deployment paths
  • pull_request_target risk patterns
  • AWS role assumption from CI/CD
  • broad AWS trust-policy and permission patterns
  • long-lived cloud credential references

Findings include evidence hops back to local files, rules, and source locations. A finding without evidence is not emitted.
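As an added illustration of the detection class listed above (not Pathros's own code or rule set), the following flags the workflow shape the demo directory is named after: a pull_request_target trigger, a checkout of the PR head, and an AWS role assumption in the same job. The rule id, the workflow dict and the role ARN are constructed for the example; the dict is written the way PyYAML would load the YAML file so it runs without a YAML dependency.

```python
# Added example, not Pathros's own code or rules: flag the workflow shape the
# demo directory above is named after (pull_request_target trigger, checkout of
# the PR head, AWS role assumption in the same job) with evidence hops attached.
PR_HEAD_REFS = ("github.event.pull_request.head", "github.head_ref")

# Constructed sample, written as the dict PyYAML would load from the YAML file.
CONSTRUCTED_WORKFLOW = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {"preview": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"uses": "aws-actions/configure-aws-credentials@v4",  # constructed ARN below
             "with": {"role-to-assume": "arn:aws:iam::123456789012:role/ci-deploy"}},
            {"run": "make deploy"},
        ],
    }},
}

def find_pr_target_cloud_paths(workflow, path="workflow.yml"):
    """One finding per job that checks out untrusted PR code inside a
    pull_request_target run and then assumes an AWS role; nothing is
    emitted unless every hop of the evidence is present."""
    # PyYAML parses a bare `on:` key as the boolean True, so accept both.
    triggers = workflow.get("on", workflow.get(True, {}))
    if isinstance(triggers, str):
        triggers = [triggers]
    if "pull_request_target" not in triggers:
        return []
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        checkout_step = role_step = role_arn = None
        for i, step in enumerate(job.get("steps") or []):
            uses, opts = step.get("uses", ""), step.get("with") or {}
            ref = str(opts.get("ref", ""))
            if uses.startswith("actions/checkout") and any(r in ref for r in PR_HEAD_REFS):
                checkout_step = i
            if uses.startswith("aws-actions/configure-aws-credentials") and "role-to-assume" in opts:
                role_step, role_arn = i, opts["role-to-assume"]
        if checkout_step is not None and role_step is not None:
            findings.append({
                "rule": "pr-target-checkout-aws-role", "severity": "high",  # hypothetical rule id
                "file": path, "job": job_name,
                "evidence": {"trigger": "on.pull_request_target", "checkout_step": checkout_step,
                             "role_step": role_step, "role": role_arn},
            })
    return findings
```

A plain pull_request trigger, or a checkout without a PR-head ref, produces no finding, which mirrors the rule that a finding without evidence is not emitted.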

What Pathros Local does not do yet

  • no live AWS scan by default
  • no Okta / Entra connector in the local package
  • no Snowflake connector in the local package
  • no automatic remediation
  • no hosted upload unless explicitly added later

Local development

git clone https://github.com/pathros/pathros-python.git
cd pathros-python
uv sync --all-extras --dev
uv run pathros doctor
uv run pathros scan examples/phase-3/vulnerable/v01-pr-target-checkout-aws-role

Configuration

Create local defaults explicitly:

uv run pathros init

pathros init writes pathros.toml and .pathrosignore. pathros scan does not create config files.

Use pathros.toml for report defaults, scan scope, safety posture, enabled rules, and CI fail behavior. CLI flags override config values.

Ignore rules

Pathros automatically applies built-in ignore rules for generated, dependency, cache, and local secret files. It reads .pathrosignore from the scan root when present. .env is ignored by default; .env.example is allowed.

Safety posture

Pathros Local reads local GitHub Actions workflows, Terraform IAM configuration, and supported policy/config files. It does not read .env values by default. It writes nothing during scan unless --output names an explicit report file. It does not call GitHub, AWS, Okta, Entra, Snowflake, Terraform, or any hosted Pathros service by default.

CI fail thresholds

pathros scan . --fail-on high

Exit codes are stable: 0 means the scan completed and no finding met the threshold, 1 means at least one finding met the threshold, 2 means invalid user input, and 3 means an internal error.

Release verification

Release artifacts include a wheel, source distribution, checksums.txt, and GitHub build provenance attestations. See docs/release-verification.md.

Download files

Source Distribution

pathros_local-0.4.0.tar.gz (66.8 kB)

Uploaded Source

Built Distribution

pathros_local-0.4.0-py3-none-any.whl (66.5 kB)

Uploaded Python 3

File details

Details for the file pathros_local-0.4.0.tar.gz.

File metadata

  • Download URL: pathros_local-0.4.0.tar.gz
  • Size: 66.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pathros_local-0.4.0.tar.gz
Algorithm Hash digest
SHA256 e321f61029c96f01086fe61f2b5a87bb932fa424c642c27659d5fdfdc61524ba
MD5 a89d38514e1594fe83821fba5034be24
BLAKE2b-256 e55ddbf11d7248186f4a048f72ff1c3a23c0d968eba09044e4f7fe72ebb9a89f

Provenance

The following attestation bundles were made for pathros_local-0.4.0.tar.gz:

Publisher: release-pypi.yml on dominicrts/pathros-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pathros_local-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: pathros_local-0.4.0-py3-none-any.whl
  • Size: 66.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pathros_local-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6fe2411af29df78943fd85837ac7d17d69d497b76cfb150cb6fd7a334b26d645
MD5 357fd6b468e113e66a72a5a7bceaf076
BLAKE2b-256 66e77327640a9c2d265b562bcb8453f3e65f977e24faa0bf177cb8137f0ac718

Provenance

The following attestation bundles were made for pathros_local-0.4.0-py3-none-any.whl:

Publisher: release-pypi.yml on dominicrts/pathros-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
