Skip to content

0xpatroot/Devaudit

Repository files navigation

πŸ›‘οΈ DevAudit

Open Source Developer Security & Privacy Audit CLI

MIT License PRs Welcome Cross Platform Language Multilingual

"Security shouldn't be a privilege. DevAudit is free, local, and built for every developer."


Getting Started β€’ Features β€’ Why DevAudit β€’ Contribute β€’ Roadmap β€’ Community


πŸ“– What is DevAudit?

DevAudit is a free, offline, open-source command-line tool that helps developers and individuals audit their:

  • πŸ” Code repositories β€” detect exposed secrets, API keys, and hardcoded passwords
  • πŸ“¦ Project dependencies β€” identify packages with known CVEs
  • πŸ–₯️ System configuration β€” find dangerous open ports, weak permissions, and outdated services
  • 🌐 Network & SSL β€” verify TLS configurations and detect DNS issues
  • πŸ” Git history β€” scan commit history for accidentally pushed credentials
  • πŸ“Š Privacy settings β€” identify apps sending data without consent

Everything runs 100% locally. No data is ever uploaded. No account required. No subscription.


🌍 Why DevAudit?

The Problem

Security tools are either:

  • πŸ’Έ Expensive β€” Enterprise tools cost thousands of dollars per year
  • ☁️ Cloud-dependent β€” They upload your code to third-party servers
  • 🧩 Complex β€” Hard to install, configure, and use for individual developers
  • 🌐 English-only β€” Excludes hundreds of millions of non-English developers

Our Solution

DevAudit is:

  • βœ… 100% Free β€” MIT licensed, forever
  • βœ… Fully Offline β€” All checks run locally, nothing leaves your machine
  • βœ… Simple β€” One command to get started
  • βœ… Multilingual β€” Arabic, English, French, Spanish, Hindi, and 10+ more languages
  • βœ… Actionable β€” Doesn't just report issues β€” it helps you fix them

Who Is This For?

User Type How DevAudit Helps
πŸ‘¨β€πŸ’» Independent Developers Audit projects before going to production
🏒 Small Businesses Affordable security without hiring a consultant
πŸ“° Journalists & Activists Protect sensitive digital communications
πŸŽ“ Students Learn security best practices hands-on
🌍 Developers in Emerging Markets Access enterprise-grade security for free
πŸ₯ NGOs & Nonprofits Secure sensitive beneficiary and donor data

✨ Features

πŸ” 1. Secret Scanner

Detect accidentally exposed credentials in your codebase before they reach production or public repositories.

devaudit secrets ./my-project

Detects:

  • AWS / GCP / Azure API keys
  • GitHub / GitLab tokens
  • Private keys (RSA, DSA, EC)
  • Database connection strings
  • JWT secrets
  • .env file exposure
  • 200+ secret patterns (and growing)

πŸ“¦ 2. Dependency Vulnerability Scanner

Scan your project's dependencies against the National Vulnerability Database (NVD) and OSV.

devaudit deps ./package.json
devaudit deps ./requirements.txt
devaudit deps ./Cargo.toml
devaudit deps ./go.mod

Supports: npm, PyPI, crates.io, RubyGems, Maven, Go modules


πŸ–₯️ 3. System Security Audit

Check your operating system configuration for common security misconfigurations.

devaudit system

Checks:

  • Open ports and listening services
  • File and directory permissions
  • Outdated software with known CVEs
  • SSH configuration weaknesses
  • Firewall rules
  • User account security
  • Disk encryption status

πŸ” 4. Git History Audit

Scan your entire git commit history β€” not just the current state β€” for credentials that may have been removed but still exist in history.

devaudit git .
devaudit git . --depth=500

🌐 5. Network & SSL Inspector

Verify your server's SSL/TLS configuration, check for weak cipher suites, and validate DNS security settings.

devaudit network example.com
devaudit ssl example.com:443

πŸ“Š 6. Privacy Audit

Identify applications and processes on your system that are making unexpected network connections or accessing sensitive data without clear justification.

devaudit privacy

πŸ“ 7. Report Generation

Export a full audit report in multiple formats β€” useful for sharing with your team or keeping records.

devaudit report --format=pdf --output=audit-report.pdf
devaudit report --format=html --output=audit-report.html
devaudit report --format=json --output=audit-report.json

πŸ”§ 8. Auto-Remediation

Don't just detect β€” fix. DevAudit can automatically fix certain common issues with your permission.

devaudit fix --issue=ssh-weak-keys
devaudit fix --issue=open-ports

πŸ”Œ 9. CI/CD Integration

Integrate DevAudit into your pipeline to prevent security issues from reaching production.

GitHub Actions:

# .github/workflows/security.yml
name: DevAudit Security Check

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install DevAudit
        run: pip install devaudit
      - name: Run Security Audit
        run: devaudit scan . --fail-on=HIGH

GitLab CI:

security_audit:
  stage: test
  script:
    - pip install devaudit
    - devaudit scan . --fail-on=HIGH

πŸ“¦ Installation

Using pip (Python)

pip install devaudit

Using npm (Node.js)

npm install -g devaudit

Using cargo (Rust)

cargo install devaudit

Using Homebrew (macOS/Linux)

brew install devaudit

Using winget (Windows)

winget install devaudit

From Source

git clone https://github.com/0xpatroot/Devaudit
cd devaudit
pip install -e .

πŸš€ Quick Start

# Audit your entire current project
devaudit scan .

# Quick secrets check only
devaudit secrets .

# Full system audit
devaudit system

# Check a specific dependency file
devaudit deps ./package.json

# Get help
devaudit --help

# Set language (Arabic example)
devaudit --lang=ar scan .

Example Output

πŸ›‘οΈ  DevAudit v1.0.0 β€” Security Audit Report
============================================
πŸ“ Project: ./my-awesome-app
πŸ“… Date: 2025-08-01 14:32:11

πŸ” SCANNING FOR SECRETS...

  ⚠️  HIGH   .env (line 12): AWS_SECRET_KEY detected
  ⚠️  HIGH   config/db.js (line 3): Database password hardcoded
  ℹ️  INFO   .gitignore: .env is properly excluded βœ“

πŸ“¦ CHECKING DEPENDENCIES...

  βœ… 142 packages scanned
  ❌  3 vulnerabilities found:
     β€’ lodash@4.17.15 β€” CVE-2021-23337 (HIGH)
     β€’ axios@0.21.0  β€” CVE-2021-3749  (MEDIUM)
     β€’ glob-parent@5.1.0 β€” CVE-2020-28469 (MEDIUM)

πŸ–₯️  SYSTEM AUDIT...

  βœ… Firewall: Active
  ⚠️  SSH: PasswordAuthentication is enabled (risk: brute force)
  βœ… Disk encryption: Enabled
  ⚠️  Port 3306 (MySQL): Open to all interfaces

πŸ“Š SUMMARY
  πŸ”΄ Critical: 0   🟠 High: 2   🟑 Medium: 2   🟒 Low: 1
  
πŸ’‘ Run `devaudit fix` to automatically remediate fixable issues.
πŸ“ Full report saved to: devaudit-report-20250801.html

πŸ—ΊοΈ Roadmap

v1.0 β€” Foundation βœ… (Current)

  • Secret scanner (200+ patterns)
  • Dependency vulnerability check (npm, PyPI, cargo, rubygems)
  • System security audit (Linux, macOS, Windows)
  • Git history scanning
  • Report export (PDF, HTML, JSON)
  • English & Arabic language support

v1.5 β€” Integration & Expansion

  • GitHub Actions marketplace action
  • Pre-commit hook integration
  • VS Code extension
  • Docker container scan
  • Kubernetes configuration audit
  • 10+ additional languages

v2.0 β€” Intelligence

  • AI-powered remediation suggestions
  • Custom rule engine (write your own patterns)
  • Team dashboard (local, self-hosted)
  • Historical trend tracking
  • Compliance templates (GDPR, SOC 2, ISO 27001, PCI DSS)

v2.5 β€” Community & Ecosystem

  • Community-contributed security checks database
  • Plugin system for third-party integrations
  • Mobile companion app (iOS/Android)

🀝 Contributing

We welcome contributions from everyone β€” beginners and experts alike!

DevAudit's strength comes from its community. Here are ways you can contribute:

🌟 Good First Issues

Perfect for first-time contributors:

Task Difficulty Skills Needed
Add a new secret pattern ⭐ Easy Regex basics
Fix a typo or improve docs ⭐ Easy None
Translate to your language ⭐ Easy Your native language
Write a unit test ⭐⭐ Medium Python/JS/Rust
Add OS-specific security check ⭐⭐ Medium OS knowledge
Improve report formatting ⭐⭐ Medium HTML/CSS

How to Contribute

# 1. Fork the repo
# 2. Clone your fork
git clone https://github.com/0xpatroot/devaudit

# 3. Create a branch
git checkout -b feature/add-gitlab-token-pattern

# 4. Make your changes
# 5. Run the tests
pytest tests/

# 6. Commit and push
git add .
git commit -m "feat: add GitLab personal access token detection"
git push origin feature/add-gitlab-token-pattern

# 7. Open a Pull Request β€” we'll review within 48 hours!

🌍 Help Us Translate DevAudit

DevAudit should be accessible to developers worldwide. Help us translate:

translations/
  en/  ← English (complete)
  ar/  ← Arabic (complete)
  fr/  ← French (in progress)
  es/  ← Spanish (needs help!)
  zh/  ← Chinese (needs help!)
  hi/  ← Hindi (needs help!)
  pt/  ← Portuguese (needs help!)
  de/  ← German (needs help!)
  ru/  ← Russian (needs help!)
  ... your language here!

No coding skills required! Just edit a JSON file.

πŸ“‹ Contribution Guidelines

Please read our CONTRIBUTING.md before opening a PR. Key points:

  • Follow the existing code style
  • Write tests for new features
  • Update documentation
  • Add your name to CONTRIBUTORS.md

πŸ† Contributors

DevAudit is built by the community, for the community.

Want to see your name here? Check out our good first issues!


πŸ—οΈ Architecture

DevAudit is designed to be modular, making it easy to add new checks:

devaudit/
β”œβ”€β”€ core/
β”‚   β”œβ”€β”€ scanner.py
β”‚   β”œβ”€β”€ reporter.py
β”‚   └── config.py
β”œβ”€β”€ modules/
β”‚   β”œβ”€β”€ secrets/
β”‚   β”œβ”€β”€ dependencies/
β”‚   β”œβ”€β”€ system/
β”‚   β”œβ”€β”€ network/
β”‚   β”œβ”€β”€ git/
β”‚   └── privacy/
β”œβ”€β”€ translations/
β”‚   β”œβ”€β”€ en.json
β”‚   β”œβ”€β”€ ar.json
β”‚   └── ...
β”œβ”€β”€ plugins/
β”œβ”€β”€ tests/
└── cli.py

Adding a New Security Check

from devaudit.core.base_check import BaseCheck, Severity

class MyNewCheck(BaseCheck):
    """
    Detects [describe what it detects].
    Reference: [link to vulnerability documentation]
    """
    
    name = "my-new-check"
    description = "Detects [what it detects]"
    severity = Severity.HIGH
    
    patterns = [
        r"my_secret_pattern_[A-Z0-9]{32}",
    ]

That's all you need to add a new security check! Open a PR and we'll merge it. βœ…


πŸ›‘οΈ Security Policy

If you discover a security vulnerability in DevAudit itself, please do not open a public issue.

We'll respond within 72 hours and credit you in our security advisories.

See SECURITY.md for details.


πŸ“Š Project Stats & OpenSSF

DevAudit is committed to maintaining the highest security standards for an open-source project:

  • πŸ“‹ OpenSSF Best Practices Badge: [Passing]
  • πŸ” OpenSSF Scorecard: [Score]
  • πŸ“ˆ OpenSSF Criticality Score: Targeting 0.4+
  • πŸ”’ Signed releases with GPG
  • πŸ“¦ SBOM (Software Bill of Materials) published with every release
  • πŸ€– Automated dependency updates via Dependabot
  • βœ… Two-person review required for all merges to main

πŸ’¬ Community

We believe in building an inclusive, welcoming community:

Code of Conduct: We follow the Contributor Covenant. Be kind, be inclusive, be excellent to each other. 🀝


πŸ“„ License

MIT License β€” Free for everyone, forever.

Copyright (c) 2025 DevAudit Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

πŸ™ Acknowledgments

DevAudit stands on the shoulders of giants:

  • TruffleHog β€” Inspiration for git scanning
  • Safety β€” Python dependency checking approach
  • Lynis β€” System audit methodology
  • OSV β€” Open vulnerability database
  • All our amazing contributors ❀️

⭐ If DevAudit helped you, please star this repo! It helps others find it. ⭐

Made with ❀️ by developers, for developers β€” across the globe.

Report Bug β€’ Request Feature β€’ Contribute

About

No description, website, or topics provided.

Resources

License

Code of conduct

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages