Show HN: Fix – An open source cloud asset inventory for cloud security engineers

fix.security

23 points by scapecast a month ago

Hi, we’re Lukas, Lars and Matthias, and we're building “Fix” (https://fix.security). Fix is an open source cloud asset inventory for developers to track their infrastructure’s security posture aka “cloud security posture management” (CSPM).

How Fix works:

Fix takes a snapshot of your inventory on an hourly basis by calling the cloud APIs, runs policy and compliance checks such as the CIS benchmark against that inventory, and provides the findings in a dashboard, via .csv export or API so that developers can use the raw data and build workflows. We’re also working on data sync to S3 and RDBMS like Postgres, MySQL and Snowflake.

One of Fix’s unique features is our graph-based inventory, highlighting the connections between resources. Unlike traditional cloud security tools that just list assets, Fix also displays their interconnections. We maintain a large graph, where nodes are indexed JSON documents representing your cloud resources, and different edges signify various dependencies. This allows flexible searches and policy creation using our search syntax.

For example:

Find large EC2 instances:

search is(aws_ec2_instance) and instance_cores > 8

Find unused EBS volumes with last reading IOPS more than 30d ago:

search is(aws_ec2_volume) and volume_status = available and last_access > 30d

Find IAM policies that are attached to users instead of groups or roles:

search is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)} user_policies!=[] or attached_policy!=null

Find SNS topics that are not encrypted at rest using KMS CMKs:

search is(aws_sns_topic) with(empty, --> is(aws_kms_key))

We also have a CLI tool (https://github.com/someengineering/fixctl) where you can use the raw json or yaml formatted results from the searches as an input into your pipelines. We also support full text search. For example, some developers like to tag their resources with their name:

search “lukas”

will produce a list of all resources that contain the string “lukas”.

Full text search comes in handy when you want to find a particular string (e.g. an IP address) across all your cloud accounts to figure out which account and region a resource is located in.

There are existing security tools that use a graph, e.g. Wiz or Cisco with Lightspin (now Panoptica). Those enterprise tools have a few characteristics that we think make them less attractive for developers:

- They require talking to a sales rep

- They run you through a procurement process

- They try to lock you into their platform

Fix on the other hand is:

- self-service sign-up with a free tier

- available through the AWS Marketplace (coming soon)

- open source

We price Fix based on # of cloud accounts you collect data from, with a fair-usage limit of 200,000 (two hundred thousand) resources per account. Our lowest paid tier starts at $90 / month with three cloud accounts included.

Fix Security is built with our open source project “Fix Inventory”:

https://github.com/someengineering/fixinventory

The open source project has richer functionality than our SaaS app. It's multi-cloud and supports AWS, GCP, Azure, DigitalOcean, VMWare and Kubernetes. Over time, our plan is to support all these platforms in our SaaS app as well.

Fix Inventory can update resources, including tags, and clean resources up based on age, usage, or policy non-compliance. Currently, this "mutating" function is not in the SaaS version. Fix Inventory is read-write, Fix Security is read-only.

Fix Inventory was born in D2iQ (now Nutanix). It was Lukas' solution to managing and securing a growing cloud infrastructure.

I would love your feedback on our solution. We’re here to help write your first queries. Just ping us on Discord (https://discord.gg/fixsecurity) and let us know you’re coming from HN. Also, I would love to hear what security tooling you use today and what you like / dislike about it.

Cheers
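The four search examples above all reduce to "filter nodes by kind and attributes, then look along outgoing edges". The following is an added illustration, not code from Fix or Fix Inventory: a tiny in-memory resource graph with one function per example query. Resource kinds and attribute names (aws_ec2_instance, instance_cores, volume_status, last_access, user_policies, aws_kms_key) are the ones used in the post; the inventory contents, the edge list and the fixed "now" timestamp are constructed for the example.

```python
"""Graph-based inventory checks modelled on the post's four search examples.

Added example, not Fix's code: nodes are JSON-like dicts keyed by resource id,
edges are (source, target) pairs meaning "source references target".
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the age comparison is reproducible (constructed value).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed snapshot of one account's resources.
NODES = {
    "i-big":         {"kind": "aws_ec2_instance", "instance_cores": 16, "tags": {"owner": "lukas"}},
    "i-small":       {"kind": "aws_ec2_instance", "instance_cores": 2, "tags": {"owner": "lars"}},
    "vol-stale":     {"kind": "aws_ec2_volume", "volume_status": "available",
                      "last_access": NOW - timedelta(days=45)},
    "vol-fresh":     {"kind": "aws_ec2_volume", "volume_status": "available",
                      "last_access": NOW - timedelta(days=3)},
    "vol-in-use":    {"kind": "aws_ec2_volume", "volume_status": "in-use",
                      "last_access": NOW - timedelta(days=90)},
    "user-inline":   {"kind": "aws_iam_user", "user_policies": ["S3Admin"]},  # inline policy
    "user-attached": {"kind": "aws_iam_user", "user_policies": []},           # managed policy via edge
    "user-clean":    {"kind": "aws_iam_user", "user_policies": []},
    "policy-1":      {"kind": "aws_iam_policy"},
    "topic-kms":     {"kind": "aws_sns_topic"},
    "topic-plain":   {"kind": "aws_sns_topic"},
    "key-1":         {"kind": "aws_kms_key"},
}

# Directed edges: the dependency links a graph model adds over a flat asset list.
EDGES = [
    ("user-attached", "policy-1"),  # IAM policy attached directly to the user
    ("topic-kms", "key-1"),         # SNS topic encrypted with a customer managed KMS key
]


def successors(node_id, kind=None):
    """Ids reachable over one outgoing edge (the `-->` step), optionally filtered by kind."""
    return [dst for src, dst in EDGES
            if src == node_id and (kind is None or NODES[dst]["kind"] == kind)]


def search(kind, predicate=lambda node_id, node: True):
    """Counterpart of `search is(<kind>) and <predicate>`: sorted ids of matching nodes."""
    return sorted(nid for nid, node in NODES.items()
                  if node["kind"] == kind and predicate(nid, node))


def large_ec2_instances():
    # search is(aws_ec2_instance) and instance_cores > 8
    return search("aws_ec2_instance", lambda _, n: n["instance_cores"] > 8)


def unused_ebs_volumes(older_than=timedelta(days=30)):
    # search is(aws_ec2_volume) and volume_status = available and last_access > 30d
    return search("aws_ec2_volume",
                  lambda _, n: n["volume_status"] == "available"
                  and NOW - n["last_access"] > older_than)


def iam_users_with_direct_policies():
    # search is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)}
    #        user_policies != [] or attached_policy != null
    return search("aws_iam_user",
                  lambda nid, n: n["user_policies"] != []
                  or successors(nid, "aws_iam_policy") != [])


def unencrypted_sns_topics():
    # search is(aws_sns_topic) with(empty, --> is(aws_kms_key)): no edge to any KMS key
    return search("aws_sns_topic", lambda nid, _: successors(nid, "aws_kms_key") == [])


def full_text_search(term):
    # search "lukas": every node whose JSON document contains the string anywhere
    return sorted(nid for nid, node in NODES.items()
                  if term in json.dumps(node, default=str))


if __name__ == "__main__":
    for label, fn in [("large EC2 instances", large_ec2_instances),
                      ("unused EBS volumes", unused_ebs_volumes),
                      ("IAM users with direct policies", iam_users_with_direct_policies),
                      ("SNS topics without KMS key", unencrypted_sns_topics)]:
        print(f"{label}: {fn()}")
    print(f"full text 'lukas': {full_text_search('lukas')}")
```

The point of keeping the edges separate from the node documents is visible in the last two checks: whether a topic is encrypted or a user has a managed policy is not a field on the node but a relationship, and a flat asset list cannot express it without a join.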

azan-n a month ago

> It's also important to note that while FIX frontend is open source, it utilizes commercial Material UI components. As such, to use it, you'd need your own Material UI license.

That is an odd choice for an open-source project. I'm curious to know what Material UI provided that any other open-source UI library did not.

  • lloesche a month ago

    The reasoning is explained in the very section of our Github org README you quoted this sentence from. Our main open source project is Fix Inventory (https://github.com/someengineering/fixinventory) and that is very well documented (https://inventory.fix.security) and uses no commercial 3rd party libraries.

    The Fix SaaS frontend that you're referring to and that you find at https://fix.security builds upon Fix Inventory. We could have just made it closed-source like every other SaaS (think Grafana Cloud). But because I'm a big proponent of OSS we decided to open source our entire SaaS stack, frontend, backend as well as all internal tooling. The main intent here is transparency, not so you spin up your own SaaS environment.

    Essentially we develop the SaaS for ourselves first and foremost, but saw no reason to make it closed source. So that is why it might be using any number of commercial 3rd party add-ons.

    > I'm curious to know what Material UI provided that any other open-source UI library did not.

    I believe it was some MUI X table features like multi row sorting that we didn't feel like re-implementing. I'm sure there are other open source libs that would do that, but we've settled on MUI and are not going to start mixing different UI libraries for different visual elements if we don't absolutely have to.

mdaniel a month ago

I dunno if this interests you, but you actually have influence over the formatting of https://github.com/someengineering/fix-cf/blob/main/fix-role... via .gitattributes communicating to GH that it's actually yaml: https://github.com/github-linguist/linguist/blob/master/docs...

  • lloesche a month ago

    Neat! Done. Thank you!

    I also removed the old lambda based callback template from the repo. We're now using an SNS topic as part of a CustomFunction, to know when a user has deployed the stack (https://github.com/someengineering/fix-cf/blob/main/fix-role...). More work on our side, but less sketchy than executing code just to receive a callback that tells us the role name and account id.

mdaniel a month ago

> We price Fix

;-)

but, in seriousness

> Currently, Fix Inventory can collect AWS, Google Cloud, DigitalOcean, VMWare Vsphere, OneLogin, and Slack resources

That's kind of a weird mix of control planes, and it seems that Azure is actually present, just not listed in the readme: https://github.com/someengineering/fixinventory/tree/4.0.1/p...

(AGPLv3 for those interested in such things)

  • lloesche a month ago

    We're currently working on Azure, but it's not stable enough to be listed here.

    > > AWS, Google Cloud, DigitalOcean, VMWare Vsphere, OneLogin, and Slack

    > kind of a weird mix of control planes

    :D agreed. Two of these things are not like the others. There are also Github, Posthog and Scarf plugins.

    To explain, Fix Inventory doesn't care about Cloud resources per se. It can create an inventory of whatever kind of resources. fixcore maintains a large graph of resources and makes them searchable. fixworker runs collector plugins and ships their results to the core. In theory you could build a plugin that monitors the sensors of your farm's greenhouses and run automations and reporting on them.

    Slack for instance is there because when you want to notify a user on Slack it makes it convenient to lookup their internal Slack ID based on e.g. their Email address. So you might do lookups like: AWS resource tag -> OneLogin User -> Email -> Slack UID.
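The lookup chain described in that comment (AWS resource tag -> OneLogin user -> email -> Slack UID), written out as an added example that is not Fix Inventory's code. The three lists stand in for what the AWS, OneLogin and Slack collector plugins would ship to the core; the field names (`tags.owner`, `username`, `email`, `id`) and all values are constructed assumptions for the illustration, and the resolver returns None whenever a hop has no match rather than notifying the wrong person.

```python
"""Cross-plugin lookup: AWS tag -> OneLogin user -> email -> Slack UID.

Added example, not Fix Inventory's code. Field names and values are constructed.
"""
from typing import Optional

# Constructed plugin output: AWS resources with an "owner" tag (or none).
AWS_RESOURCES = [
    {"id": "i-0abc", "kind": "aws_ec2_instance", "tags": {"owner": "lukas"}},
    {"id": "i-0def", "kind": "aws_ec2_instance", "tags": {"owner": "lars"}},
    {"id": "i-0ghi", "kind": "aws_ec2_instance", "tags": {"owner": "nobody"}},
    {"id": "i-0jkl", "kind": "aws_ec2_instance", "tags": {}},
]

# Constructed plugin output: OneLogin directory users.
ONELOGIN_USERS = [
    {"kind": "onelogin_user", "username": "lukas", "email": "lukas@example.com"},
    {"kind": "onelogin_user", "username": "lars", "email": "lars@example.com"},
]

# Constructed plugin output: Slack workspace members (lars has no Slack account).
SLACK_USERS = [
    {"kind": "slack_user", "id": "U01LUKAS", "email": "lukas@example.com"},
]


def owner_slack_id(resource: dict) -> Optional[str]:
    """Follow tag -> OneLogin user -> email -> Slack UID; None if any hop is missing."""
    owner = resource.get("tags", {}).get("owner")
    if owner is None:
        return None  # untagged resource: nobody to notify
    user = next((u for u in ONELOGIN_USERS if u["username"] == owner), None)
    if user is None:
        return None  # tag value is not a known directory user
    slack = next((s for s in SLACK_USERS if s["email"] == user["email"]), None)
    return slack["id"] if slack is not None else None


def notification_plan() -> dict:
    """Map each resource id to the Slack UID an automation would message, or None."""
    return {r["id"]: owner_slack_id(r) for r in AWS_RESOURCES}


if __name__ == "__main__":
    for resource_id, uid in notification_plan().items():
        print(f"{resource_id}: {uid if uid else 'no recipient resolved'}")
```

Each hop is a join on a different plugin's data, which is why it is convenient to have OneLogin and Slack sitting in the same graph as the cloud resources even though they are not control planes.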

jc_811 a month ago

Any comparison to the other CSPM vendors out there? (Eg Wiz, Orca, etc)

scapecast a month ago

well my formatting sure as heck doesn't look great....