For ZPA admins inheriting a mess.

ZPA, but you can actually read it.

Search what you have. Simulate before you change. Audit without delay.

Not affiliated with Zscaler
0 Maintainer
0 SaaS bills
0 Vendor add-ons to unlock features
0 Lines of Go. Read it. Audit it. Fork it.

The portal won't tell you.

Companion to ZPA, not a replacement. The features you assumed were already there.

Who has access to this app?
> Reachability search. Resolves the segment to every SCIM identity that lands on it, with the policy that lets them in.
What can this user reach?
> Reverse reachability. Walk a SCIM user through every segment they qualify for. No filter trees.
What breaks if I delete this connector?
> Blast radius. Server groups left stranded, segments newly unreachable, policies pointing at nothing.
What does this policy actually do?
> Walk the FSM. Every rule, every operand, every SCIM lookup the engine touched.

Four primitives. One binary.

01 Simulate
Dry-run any policy change against the live snapshot. See the decision and the reasoning chain before you touch prod.

02 Search
Search any string - IP, app, user, group. No filter trees, no guessing which dropdown.

03 Audit
Pre-built queries for the questions audit asks you. Orphans, shadows, blast radius, overlap.

04 Visualize
Stop reading column tables. See the path from user to app, drawn end-to-end.

Fetch. Index. Serve.

Three layers. Each one boring on purpose. The interesting work is in the index, not the plumbing.

01 Fetch (internal/fetcher)
Seventeen ZPA endpoints, fetched concurrently. Snapshot held in one struct, persisted to SQLite.

02 Index (internal/index)
Build the index ZPA never gave you. Inverted lookup over every field.

03 Serve (internal/server)
Gin on :8080. Codegen routes. Caddy + Authelia for auth. Distroless container.

Pick a thread.