Open Source Developer Security & Privacy Audit CLI
"Security shouldn't be a privilege. DevAudit is free, local, and built for every developer."
Getting Started β’ Features β’ Why DevAudit β’ Contribute β’ Roadmap β’ Community
DevAudit is a free, offline, open-source command-line tool that helps developers and individuals audit their:
- π Code repositories β detect exposed secrets, API keys, and hardcoded passwords
- π¦ Project dependencies β identify packages with known CVEs
- π₯οΈ System configuration β find dangerous open ports, weak permissions, and outdated services
- π Network & SSL β verify TLS configurations and detect DNS issues
- π Git history β scan commit history for accidentally pushed credentials
- π Privacy settings β identify apps sending data without consent
Everything runs 100% locally. No data is ever uploaded. No account required. No subscription.
Security tools are either:
- πΈ Expensive β Enterprise tools cost thousands of dollars per year
- βοΈ Cloud-dependent β They upload your code to third-party servers
- π§© Complex β Hard to install, configure, and use for individual developers
- π English-only β Excludes hundreds of millions of non-English developers
DevAudit is:
- β 100% Free β MIT licensed, forever
- β Fully Offline β All checks run locally, nothing leaves your machine
- β Simple β One command to get started
- β Multilingual β Arabic, English, French, Spanish, Hindi, and 10+ more languages
- β Actionable β Doesn't just report issues β it helps you fix them
| User Type | How DevAudit Helps |
|---|---|
| π¨βπ» Independent Developers | Audit projects before going to production |
| π’ Small Businesses | Affordable security without hiring a consultant |
| π° Journalists & Activists | Protect sensitive digital communications |
| π Students | Learn security best practices hands-on |
| π Developers in Emerging Markets | Access enterprise-grade security for free |
| π₯ NGOs & Nonprofits | Secure sensitive beneficiary and donor data |
Detect accidentally exposed credentials in your codebase before they reach production or public repositories.
devaudit secrets ./my-projectDetects:
- AWS / GCP / Azure API keys
- GitHub / GitLab tokens
- Private keys (RSA, DSA, EC)
- Database connection strings
- JWT secrets
- .env file exposure
- 200+ secret patterns (and growing)
Scan your project's dependencies against the National Vulnerability Database (NVD) and OSV.
devaudit deps ./package.json
devaudit deps ./requirements.txt
devaudit deps ./Cargo.toml
devaudit deps ./go.modSupports: npm, PyPI, crates.io, RubyGems, Maven, Go modules
Check your operating system configuration for common security misconfigurations.
devaudit systemChecks:
- Open ports and listening services
- File and directory permissions
- Outdated software with known CVEs
- SSH configuration weaknesses
- Firewall rules
- User account security
- Disk encryption status
Scan your entire git commit history β not just the current state β for credentials that may have been removed but still exist in history.
devaudit git .
devaudit git . --depth=500Verify your server's SSL/TLS configuration, check for weak cipher suites, and validate DNS security settings.
devaudit network example.com
devaudit ssl example.com:443Identify applications and processes on your system that are making unexpected network connections or accessing sensitive data without clear justification.
devaudit privacyExport a full audit report in multiple formats β useful for sharing with your team or keeping records.
devaudit report --format=pdf --output=audit-report.pdf
devaudit report --format=html --output=audit-report.html
devaudit report --format=json --output=audit-report.jsonDon't just detect β fix. DevAudit can automatically fix certain common issues with your permission.
devaudit fix --issue=ssh-weak-keys
devaudit fix --issue=open-portsIntegrate DevAudit into your pipeline to prevent security issues from reaching production.
GitHub Actions:
# .github/workflows/security.yml
name: DevAudit Security Check
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install DevAudit
run: pip install devaudit
- name: Run Security Audit
run: devaudit scan . --fail-on=HIGHGitLab CI:
security_audit:
stage: test
script:
- pip install devaudit
- devaudit scan . --fail-on=HIGHpip install devauditnpm install -g devauditcargo install devauditbrew install devauditwinget install devauditgit clone https://github.com/0xpatroot/Devaudit
cd devaudit
pip install -e .# Audit your entire current project
devaudit scan .
# Quick secrets check only
devaudit secrets .
# Full system audit
devaudit system
# Check a specific dependency file
devaudit deps ./package.json
# Get help
devaudit --help
# Set language (Arabic example)
devaudit --lang=ar scan .π‘οΈ DevAudit v1.0.0 β Security Audit Report
============================================
π Project: ./my-awesome-app
π
Date: 2025-08-01 14:32:11
π SCANNING FOR SECRETS...
β οΈ HIGH .env (line 12): AWS_SECRET_KEY detected
β οΈ HIGH config/db.js (line 3): Database password hardcoded
βΉοΈ INFO .gitignore: .env is properly excluded β
π¦ CHECKING DEPENDENCIES...
β
142 packages scanned
β 3 vulnerabilities found:
β’ lodash@4.17.15 β CVE-2021-23337 (HIGH)
β’ axios@0.21.0 β CVE-2021-3749 (MEDIUM)
β’ glob-parent@5.1.0 β CVE-2020-28469 (MEDIUM)
π₯οΈ SYSTEM AUDIT...
β
Firewall: Active
β οΈ SSH: PasswordAuthentication is enabled (risk: brute force)
β
Disk encryption: Enabled
β οΈ Port 3306 (MySQL): Open to all interfaces
π SUMMARY
π΄ Critical: 0 π High: 2 π‘ Medium: 2 π’ Low: 1
π‘ Run `devaudit fix` to automatically remediate fixable issues.
π Full report saved to: devaudit-report-20250801.html
- Secret scanner (200+ patterns)
- Dependency vulnerability check (npm, PyPI, cargo, rubygems)
- System security audit (Linux, macOS, Windows)
- Git history scanning
- Report export (PDF, HTML, JSON)
- English & Arabic language support
- GitHub Actions marketplace action
- Pre-commit hook integration
- VS Code extension
- Docker container scan
- Kubernetes configuration audit
- 10+ additional languages
- AI-powered remediation suggestions
- Custom rule engine (write your own patterns)
- Team dashboard (local, self-hosted)
- Historical trend tracking
- Compliance templates (GDPR, SOC 2, ISO 27001, PCI DSS)
- Community-contributed security checks database
- Plugin system for third-party integrations
- Mobile companion app (iOS/Android)
We welcome contributions from everyone β beginners and experts alike!
DevAudit's strength comes from its community. Here are ways you can contribute:
Perfect for first-time contributors:
| Task | Difficulty | Skills Needed |
|---|---|---|
| Add a new secret pattern | β Easy | Regex basics |
| Fix a typo or improve docs | β Easy | None |
| Translate to your language | β Easy | Your native language |
| Write a unit test | ββ Medium | Python/JS/Rust |
| Add OS-specific security check | ββ Medium | OS knowledge |
| Improve report formatting | ββ Medium | HTML/CSS |
# 1. Fork the repo
# 2. Clone your fork
git clone https://github.com/0xpatroot/devaudit
# 3. Create a branch
git checkout -b feature/add-gitlab-token-pattern
# 4. Make your changes
# 5. Run the tests
pytest tests/
# 6. Commit and push
git add .
git commit -m "feat: add GitLab personal access token detection"
git push origin feature/add-gitlab-token-pattern
# 7. Open a Pull Request β we'll review within 48 hours!DevAudit should be accessible to developers worldwide. Help us translate:
translations/
en/ β English (complete)
ar/ β Arabic (complete)
fr/ β French (in progress)
es/ β Spanish (needs help!)
zh/ β Chinese (needs help!)
hi/ β Hindi (needs help!)
pt/ β Portuguese (needs help!)
de/ β German (needs help!)
ru/ β Russian (needs help!)
... your language here!
No coding skills required! Just edit a JSON file.
Please read our CONTRIBUTING.md before opening a PR. Key points:
- Follow the existing code style
- Write tests for new features
- Update documentation
- Add your name to CONTRIBUTORS.md
DevAudit is built by the community, for the community.
Want to see your name here? Check out our good first issues!
DevAudit is designed to be modular, making it easy to add new checks:
devaudit/
βββ core/
β βββ scanner.py
β βββ reporter.py
β βββ config.py
βββ modules/
β βββ secrets/
β βββ dependencies/
β βββ system/
β βββ network/
β βββ git/
β βββ privacy/
βββ translations/
β βββ en.json
β βββ ar.json
β βββ ...
βββ plugins/
βββ tests/
βββ cli.py
from devaudit.core.base_check import BaseCheck, Severity
class MyNewCheck(BaseCheck):
"""
Detects [describe what it detects].
Reference: [link to vulnerability documentation]
"""
name = "my-new-check"
description = "Detects [what it detects]"
severity = Severity.HIGH
patterns = [
r"my_secret_pattern_[A-Z0-9]{32}",
]That's all you need to add a new security check! Open a PR and we'll merge it. β
If you discover a security vulnerability in DevAudit itself, please do not open a public issue.
We'll respond within 72 hours and credit you in our security advisories.
See SECURITY.md for details.
DevAudit is committed to maintaining the highest security standards for an open-source project:
- π OpenSSF Best Practices Badge: [Passing]
- π OpenSSF Scorecard: [Score]
- π OpenSSF Criticality Score: Targeting 0.4+
- π Signed releases with GPG
- π¦ SBOM (Software Bill of Materials) published with every release
- π€ Automated dependency updates via Dependabot
- β Two-person review required for all merges to main
We believe in building an inclusive, welcoming community:
- π¬ Discussions: GitHub Discussions
- π Bug Reports: GitHub Issues
- π‘ Feature Requests: GitHub Issues (feature)
- π Translations: See translations/
- π’ Announcements: Watch this repo for releases
Code of Conduct: We follow the Contributor Covenant. Be kind, be inclusive, be excellent to each other. π€
MIT License β Free for everyone, forever.
Copyright (c) 2025 DevAudit Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
DevAudit stands on the shoulders of giants:
- TruffleHog β Inspiration for git scanning
- Safety β Python dependency checking approach
- Lynis β System audit methodology
- OSV β Open vulnerability database
- All our amazing contributors β€οΈ
β If DevAudit helped you, please star this repo! It helps others find it. β
Made with β€οΈ by developers, for developers β across the globe.
Report Bug β’ Request Feature β’ Contribute