Skip to main content
EnforceAuth
Back to Blog
Press Release

We Open-Sourced Zift: A Code Scanner for the Authorization Gap

Press release: we open-sourced Zift under Apache 2.0. It scans your code, finds the authorization decisions buried in it, and emits OPA-ready Rego stubs. AP wire link inside.

EnforceAuth, Inc.2 min read
Illustration of source code being scanned with authorization decision points highlighted and converted into policy stubs

Quick news from us. On May 6, 2026 we open-sourced Zift, a code scanner built to find the authorization decisions hiding in your application source — the role checks, ORM filters, middleware guards, and feature gates that quietly add up to most of your access control.

It is live on GitHub right now under Apache 2.0. No feature gating, no telemetry, no commercial license to negotiate.

Read the full announcement on the AP wire here.

So what is Zift?

Zift is a static analyzer with one job: discover where your application is making authorization decisions. Point it at a repo and it surfaces the role-based checks, attribute predicates, ownership filters in database queries, framework middleware, and bespoke policy logic that piles up over years of shipping. For every decision point it finds, it emits an Open Policy Agent (OPA) Rego policy stub, so the output is something a platform team can actually move into a policy engine instead of another spreadsheet.

One quick stat from our v0.1 benchmark against a clean financial services codebase: only 20% of enforcement points consulted a policy engine. The other 80% were buried in code. That number is going to surprise people.

Why we open-sourced it

Discovery is too important to gate behind a procurement cycle. If we want enterprises to take the authorization gap seriously, they need to be able to measure it without first signing an MSA. So we shipped it Apache 2.0 and walked away from the telemetry. Run it on whatever you want. The output is yours.

The commercial EnforceAuth platform is still the runtime fabric that enforces decisions across applications, infrastructure, and AI workloads. Zift is the on-ramp. The two are intentionally separate.

Try it

Clone the repo, run it against a service you own, and see what comes back. The roadmap adds Cedar output next, with AuthZEN-compatible decision modeling to follow.

If you want to talk about what to do once you have the scan results, the runtime enforcement layer is where we come in.

About EnforceAuth

EnforceAuth is the AI Security Fabric for the agentic era. We provide decision-centric authorization across applications, infrastructure, data, and AI workloads. Write policy once. Enforce everywhere.

Follow us on LinkedIn

All posts