Skip to main content

Zift Policy Discovery

Zift finds authorization logic buried in application code and helps you extract it into Policy as Code — Rego for OPA (what EnforceAuth deploys today) or Cedar for AWS Verified Permissions and other Cedar engines.

Use Zift before or during your EnforceAuth rollout when you are migrating from embedded if checks, not when OPA is already your sole enforcement layer.

Source repository and deep docs: github.com/EnforceAuth/zift

Why Zift matters

Most enterprises adopting Policy as Code do not start with a clean Rego repo. They have:

  • Role checks in controllers and middleware
  • Permission guards in React routes or API handlers
  • Framework annotations (@PreAuthorize, Pundit, CanCanCan, etc.)
  • Business rules that secretly encode access control

That sprawl is the Authorization Gap — see The authorization gap. Zift maps it so you can externalize rules into Git-backed Rego that EnforceAuth builds, tests, and promotes.

Application code ──zift scan──► findings JSON

▼ zift extract
Rego / Cedar stubs

▼ git push
EnforceAuth deploy ──► OPA bundle

Zift is not a runtime PDP and not a replacement for EnforceAuth. It accelerates the authoring step.

When to use Zift

ScenarioUse Zift?
Greenfield OPA with policies already in GitNo — start at Quickstart
Monolith or microservices with scattered auth checksYes — structural scan first
DAS/EOPA migration with Rego already centralizedMaybe — for straggler app code only
Compliance audit needs inventory of auth decisionsYeszift report
Want AI-assisted classification of business-rule authYes--deep mode

How it works

Pass 1 — Structural scan (fast, free)

Tree-sitter parsers find known patterns: role comparisons, permission middleware, security annotations.

# Install (macOS/Linux)
brew install enforceauth/tap/zift

# Scan current repo
zift .

# JSON report
zift report ./src --format json > findings.json

Supported languages include TypeScript/JavaScript, Java, Python, Go, C#, Kotlin, Ruby, and PHP. See the Zift README for framework hints (Express, Spring, Django, Rails, etc.).

Pass 2 — Deep scan (optional, LLM-assisted)

Finds implicit authorization in business logic the structural pass missed.

# Local model (Ollama)
ollama pull qwen2.5-coder:14b
zift scan ./src --deep \
--base-url http://localhost:11434/v1 \
--model qwen2.5-coder:14b

Deep mode also supports OpenAI-compatible HTTP endpoints, subprocess agents (--agent-cmd), and MCP (zift mcp) for Cursor/Claude Code integration.

Extract Policy as Code

zift extract ./findings.json --engine rego -o ./policies/generated/

Review generated Rego, add tests, commit to the repo connected as your EnforceAuth policy source, and deploy.

Zift + EnforceAuth workflow

  1. Discoverzift . on each service repo (or monorepo)
  2. Prioritize — sort findings by sensitivity (admin paths, PII, payment flows)
  3. Extract — generate Rego stubs; human-review every rule
  4. Testopa test locally; add to CI
  5. Connect — policy source on EnforceAuth system entity
  6. Deploy — manual, GitHub Actions, or webhook
  7. Enforce — point PDP at bundle; wire PEP per Application integration
  8. Prove — decision logs in console; retire embedded checks service by service

Read Your Policy as Code journey for architecture decisions (OPA vs EOPA, sidecar vs agent) while you extract.

MCP integration (Cursor / Claude Code)

Run Zift as an MCP tool provider so your IDE agent can scan and suggest policies in context:

zift mcp --scan-root /path/to/your/repo

Exposed tools include scan_authz, suggest_policy, validate_policy, and analyze_snippet. Full MCP setup: Zift README § MCP server.

What stays in the Zift repo

This documentation site explains why and where Zift fits in the EnforceAuth story. For operational detail, use the upstream repo:

TopicLocation
Install, languages, CLI referenceZift README
Deep mode walkthroughDEEP_MODE_WALKTHROUGH.md
Contributing, releasesZift GitHub

Next