
Trust Network

@mccormick/trust-network v2026.05.21.2 · published 1d ago

01 README

Inventory and report on OIDC trust policies and workload-identity federation across GitHub, Google Cloud, and Cloudflare One.

Three read-only models compose into a cross-platform trust graph. The github model discovers GitHub Actions OIDC subject-claim customization and classified Actions secrets; the gcp model discovers Workload Identity Federation pools, providers, service accounts, and user-managed keys; the graph model normalizes the three providers into a graph of trust domains, identities, and credential edges annotated with conditional access and severity-rated findings. Cloudflare One / Zero Trust Access scanning is provided by the @mccormick/cloudflare extension, a declared dependency — the trust-inventory and trust-gate workflows wire its zerotrust model into the graph.

The @mccormick/trust-network/posture report scores the graph: the share of trust edges using ephemeral credentials, the share gated by conditional access, and a severity-grouped finding list. A trust-inventory workflow runs the three scans, builds the graph, and emits the report on a schedule. A trust-gate workflow turns that posture into a CI pass/fail check, failing the build when findings or coverage breach configured thresholds.

Read-only: models only read provider APIs. No credential material is written to swamp data — only configuration metadata. API tokens are supplied through a vault; GCP uses a short-lived gcloud access token (no stored key).

02 Models (3)

@mccormick/trust-network/github v2026.05.19.1 (github_identity.ts)

Global Arguments

Argument            Type      Description
orgs                array     GitHub organizations to scan in full
repos               array     Explicit `owner/repo` entries to scan in addition to the orgs
githubToken         string    GitHub token; supply via ${{ vault.get("trust-network", "GITHUB_TOKEN") }}
apiBaseUrl          string    GitHub REST API base URL (override for GitHub Enterprise Server)
includeArchived     boolean   Include archived repositories in org scans
scanEnvironments    boolean   Also enumerate per-environment secrets and variables
fn scan()
Fan-out scan of GitHub Actions OIDC config and Actions

Resources

oidc_subject (7d) — GitHub Actions OIDC subject-claim customization at org or repo scope
actions_secret (7d) — An Actions secret or variable (name and metadata only), classified
identity_summary (7d) — Roll-up of one GitHub identity scan

@mccormick/trust-network/gcp v2026.05.19.1 (gcp_federation.ts)

Global Arguments

Argument            Type      Description
projects            array     GCP project IDs to scan
iamBaseUrl          string    Google Cloud IAM API base URL
fn scan()
Fan-out scan of Workload Identity Federation pools/providers,

Resources

wif_pool (7d) — A Workload Identity Pool
wif_provider (7d) — A Workload Identity Pool Provider — the federation trust config
service_account (7d) — A service account and the federated principals allowed to assume it
sa_key (7d) — A user-managed service-account key (long-lived credential)
federation_summary (7d) — Roll-up of one GCP federation scan

@mccormick/trust-network/graph v2026.05.21.2 (trust_graph.ts)
fn build(githubOidcSubjects: array, githubSecrets: array, gcpWifPools: array, gcpWifProviders: array, gcpServiceAccounts: array, gcpSaKeys: array, cfAccessApps: array, cfAccessPolicies: array, cfIdentityProviders: array, cfServiceTokens: array)
Normalize the provider scans into a trust graph of domains and
Argument                  Type      Description
githubOidcSubjects        array     GitHub `oidc_subject` resources from the github scan
githubSecrets             array     GitHub `actions_secret` resources from the github scan
gcpWifPools               array     GCP `wif_pool` resources from the gcp scan
gcpWifProviders           array     GCP `wif_provider` resources from the gcp scan
gcpServiceAccounts        array     GCP `service_account` resources from the gcp scan
gcpSaKeys                 array     GCP `sa_key` resources from the gcp scan
cfAccessApps              array     Cloudflare `access_app` resources from the cloudflare scan
cfAccessPolicies          array     Cloudflare `access_policy` resources from the cloudflare scan
cfIdentityProviders       array     Cloudflare `identity_provider` resources from the cloudflare scan
cfServiceTokens           array     Cloudflare `service_token` resources from the cloudflare scan
fn assert_posture(maxCritical: number, maxHigh: number, maxMedium: number, minEphemeralPct: number, minConditionalAccessPct: number)
Fail when the trust-graph posture breaches configured thresholds.
Argument                  Type      Description
maxCritical               number    Maximum allowed `critical` findings
maxHigh                   number    Maximum allowed `high` findings
maxMedium                 number    Maximum allowed `medium` findings (unbounded by default)
minEphemeralPct           number    Minimum required ephemeral-credential coverage, 0-100
minConditionalAccessPct   number    Minimum required conditional-access coverage, 0-100
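To make the gate concrete, here is an added example (not the trust-network package's own code) of the posture scorecard and the assert_posture thresholds applied to a small constructed trust graph; the edge and finding field names, the finding rules, and the fictional org/project names are assumptions.

```typescript
// Added example, not the trust-network package's own code: a minimal posture
// scorecard plus the assert_posture gate over a constructed trust graph.
// Edge/finding field names and the finding rules below are assumptions.
type Credential = "oidc" | "sa_key" | "service_token" | "secret";
type Severity = "critical" | "high" | "medium" | "low";
interface TrustEdge { from: string; to: string; credential: Credential; conditionalAccess: boolean }
interface Finding { severity: Severity; edge: TrustEdge; message: string }
interface Thresholds {
  maxCritical: number; maxHigh: number; maxMedium?: number; // maxMedium is unbounded when omitted
  minEphemeralPct: number; minConditionalAccessPct: number;
}

// Only OIDC-federated edges count as ephemeral; keys, secrets and service tokens are long-lived.
const isEphemeral = (e: TrustEdge): boolean => e.credential === "oidc";

// Severity-rated findings derived per edge (assumed rules, mirroring the README's concerns).
function deriveFindings(edges: TrustEdge[]): Finding[] {
  const out: Finding[] = [];
  for (const e of edges) {
    if (e.credential === "sa_key") out.push({ severity: "high", edge: e, message: "user-managed service-account key (long-lived credential)" });
    else if (isEphemeral(e) && !e.conditionalAccess) out.push({ severity: "medium", edge: e, message: "federated trust without an attribute condition" });
  }
  return out;
}

// Scorecard: coverage percentages (one decimal) and findings grouped by severity.
function scorePosture(edges: TrustEdge[]) {
  const pct = (n: number): number => edges.length ? Math.round((n * 1000) / edges.length) / 10 : 0;
  const bySeverity: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0 };
  const findings = deriveFindings(edges);
  for (const f of findings) bySeverity[f.severity]++;
  return { ephemeralPct: pct(edges.filter(isEphemeral).length),
           conditionalAccessPct: pct(edges.filter((e) => e.conditionalAccess).length), bySeverity, findings };
}

// The gate: every threshold breach is returned; an empty list means the CI check passes.
function assertPosture(s: ReturnType<typeof scorePosture>, t: Thresholds): string[] {
  const breaches: string[] = [];
  if (s.bySeverity.critical > t.maxCritical) breaches.push(`critical findings ${s.bySeverity.critical} > ${t.maxCritical}`);
  if (s.bySeverity.high > t.maxHigh) breaches.push(`high findings ${s.bySeverity.high} > ${t.maxHigh}`);
  if (s.bySeverity.medium > (t.maxMedium ?? Infinity)) breaches.push(`medium findings ${s.bySeverity.medium} > ${t.maxMedium}`);
  if (s.ephemeralPct < t.minEphemeralPct) breaches.push(`ephemeral coverage ${s.ephemeralPct}% < ${t.minEphemeralPct}%`);
  if (s.conditionalAccessPct < t.minConditionalAccessPct) breaches.push(`conditional-access coverage ${s.conditionalAccessPct}% < ${t.minConditionalAccessPct}%`);
  return breaches;
}

// Constructed sample graph (fictional identities): two OIDC edges, one SA key, one Cloudflare service token.
const SAMPLE_EDGES: TrustEdge[] = [
  { from: "github:acme/api", to: "gcp:sa/deploy@acme-prod", credential: "oidc", conditionalAccess: true },
  { from: "github:acme/web", to: "gcp:sa/deploy@acme-prod", credential: "oidc", conditionalAccess: false },
  { from: "github:acme/legacy", to: "gcp:sa/ci@acme-prod", credential: "sa_key", conditionalAccess: false },
  { from: "cf:service-token/ci", to: "cf:access-app/admin", credential: "service_token", conditionalAccess: false },
];
const SAMPLE_GATE: Thresholds = { maxCritical: 0, maxHigh: 0, minEphemeralPct: 80, minConditionalAccessPct: 50 };
```

With the sample graph, `assertPosture(scorePosture(SAMPLE_EDGES), SAMPLE_GATE)` reports three breaches (one high finding, 50% ephemeral coverage, 25% conditional-access coverage), which is exactly the situation in which the trust-gate workflow fails the build.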

Resources

trust_domain (7d) — A node in the trust graph (org, project, account, issuer)
trust_edge (7d) — A directed trust/credential relationship
inventory (7d) — Trust-graph roll-up and scorecard

03 Reports (1)

@mccormick/trust-network/posture (model: trust_report.ts)

Scores the trust graph: share of edges using ephemeral credentials,

Tags: security, identity, trust, audit

04 Previous Versions (3)

2026.05.21.1 (May 21, 2026)

Removed 1 model; updated dependencies.

2026.05.20.1 (May 20, 2026)

Modified 1 model.

2026.05.19.1 (May 20, 2026)

05 Stats
Score: A (100 / 100)
Downloads: 14
Archive size: 75.9 KB

  • Has README or module doc: 2/2 earned
  • README has a code example: 1/1 earned
  • README is substantive: 1/1 earned
  • Most symbols documented: 1/1 earned
  • No slow types: 1/1 earned
  • Dependencies pass trust audit: 2/2 earned
  • Has description: 1/1 earned
  • Platform support declared (or universal): 2/2 earned
  • License declared: 1/1 earned
  • Verified public repository: 2/2 earned

06 Platforms

07 Labels