Zift Policy Discovery
Zift finds authorization logic buried in application code and helps you extract it into Policy as Code — Rego for OPA (what EnforceAuth deploys today) or Cedar for AWS Verified Permissions and other Cedar engines.
Use Zift before or during your EnforceAuth rollout when you are migrating from embedded if checks, not when OPA is already your sole enforcement layer.
Source repository and deep docs: github.com/EnforceAuth/zift
Why Zift matters
Most enterprises adopting Policy as Code do not start with a clean Rego repo. They have:
- Role checks in controllers and middleware
- Permission guards in React routes or API handlers
- Framework annotations (
@PreAuthorize, Pundit, CanCanCan, etc.) - Business rules that secretly encode access control
That sprawl is the Authorization Gap — see The authorization gap. Zift maps it so you can externalize rules into Git-backed Rego that EnforceAuth builds, tests, and promotes.
Application code ──zift scan──► findings JSON
│
▼ zift extract
Rego / Cedar stubs
│
▼ git push
EnforceAuth deploy ──► OPA bundle
Zift is not a runtime PDP and not a replacement for EnforceAuth. It accelerates the authoring step.
When to use Zift
| Scenario | Use Zift? |
|---|---|
| Greenfield OPA with policies already in Git | No — start at Quickstart |
| Monolith or microservices with scattered auth checks | Yes — structural scan first |
| DAS/EOPA migration with Rego already centralized | Maybe — for straggler app code only |
| Compliance audit needs inventory of auth decisions | Yes — zift report |
| Want AI-assisted classification of business-rule auth | Yes — --deep mode |
How it works
Pass 1 — Structural scan (fast, free)
Tree-sitter parsers find known patterns: role comparisons, permission middleware, security annotations.
# Install (macOS/Linux)
brew install enforceauth/tap/zift
# Scan current repo
zift .
# JSON report
zift report ./src --format json > findings.json
Supported languages include TypeScript/JavaScript, Java, Python, Go, C#, Kotlin, Ruby, and PHP. See the Zift README for framework hints (Express, Spring, Django, Rails, etc.).
Pass 2 — Deep scan (optional, LLM-assisted)
Finds implicit authorization in business logic the structural pass missed.
# Local model (Ollama)
ollama pull qwen2.5-coder:14b
zift scan ./src --deep \
--base-url http://localhost:11434/v1 \
--model qwen2.5-coder:14b
Deep mode also supports OpenAI-compatible HTTP endpoints, subprocess agents (--agent-cmd), and MCP (zift mcp) for Cursor/Claude Code integration.
Extract Policy as Code
zift extract ./findings.json --engine rego -o ./policies/generated/
Review generated Rego, add tests, commit to the repo connected as your EnforceAuth policy source, and deploy.
Zift + EnforceAuth workflow
- Discover —
zift .on each service repo (or monorepo) - Prioritize — sort findings by sensitivity (admin paths, PII, payment flows)
- Extract — generate Rego stubs; human-review every rule
- Test —
opa testlocally; add to CI - Connect — policy source on EnforceAuth system entity
- Deploy — manual, GitHub Actions, or webhook
- Enforce — point PDP at bundle; wire PEP per Application integration
- Prove — decision logs in console; retire embedded checks service by service
Read Your Policy as Code journey for architecture decisions (OPA vs EOPA, sidecar vs agent) while you extract.
MCP integration (Cursor / Claude Code)
Run Zift as an MCP tool provider so your IDE agent can scan and suggest policies in context:
zift mcp --scan-root /path/to/your/repo
Exposed tools include scan_authz, suggest_policy, validate_policy, and analyze_snippet. Full MCP setup: Zift README § MCP server.
What stays in the Zift repo
This documentation site explains why and where Zift fits in the EnforceAuth story. For operational detail, use the upstream repo:
| Topic | Location |
|---|---|
| Install, languages, CLI reference | Zift README |
| Deep mode walkthrough | DEEP_MODE_WALKTHROUGH.md |
| Contributing, releases | Zift GitHub |
Next
- MCP Authorization Gateway — govern AI agent MCP tool calls
- 15-minute quickstart
- Policy authoring best practices
- Testing policies
- Rego patterns