lameiro0x/credential-audit-tool
Credential Audit Tool

Credential Audit Tool is a local, offline security auditing tool written in Python that detects insecure credential handling and secret exposure risks on a filesystem. It focuses strictly on detection and risk explanation, not exploitation.

This project is intended as a security engineering portfolio piece, suitable for blue team, SOC, and junior pentesting roles.


What This Tool Does

Credential Audit Tool analyzes a target directory and reports credential-related risks, including:

  • Hardcoded secrets in files (passwords, tokens, keys assigned in source or config)
  • Insecure credential artifacts, such as password hashes stored on disk
  • World-readable files containing credential material
  • Credential reuse across files and environment variables (the same secret found in more than one place)
  • Common leaked API key patterns (e.g. AWS and GitHub token formats)

All findings include:

  • Risk explanation
  • Realistic abuse scenario
  • Actionable mitigation guidance

The tool is read-only, offline, and deterministic.
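The following is an added illustration of the checks listed above (hardcoded secrets, leaked-key patterns, world-readable files, reuse across files and environment variables, and redacted evidence). It is not the project's own scanner code: the finding types, severities, field names, regexes and the sample file contents are assumptions chosen for the example. Like the tool it illustrates, it only reads files and never touches the network.

```python
"""Minimal offline credential scanner illustrating the checks listed above.

Added example, not the project's code: the scanner names, severities,
finding fields and sample secrets are assumptions chosen for illustration.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Leaked-key patterns (a small constructed subset). Each entry is
# (name, compiled regex, severity); the last capture group, if any, is the secret.
PATTERNS = [
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    ("GITHUB_PAT", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "HIGH"),
    ("GENERIC_ASSIGNMENT",
     re.compile(r"(?i)\b(password|passwd|secret|api_key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
     "MEDIUM"),
]


def redact(secret):
    """Show only the first and last four characters; never the whole value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def fingerprint(secret):
    """Hash used to correlate one secret across files/env without storing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_file(path):
    """Report hardcoded secrets in one file, one finding per regex match."""
    findings = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for name, rx, severity in PATTERNS:
            for m in rx.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append({
                    "type": "HARDCODED_SECRET", "pattern": name, "severity": severity,
                    "location": f"{path.name}:{lineno}",
                    "evidence": redact(secret), "fingerprint": fingerprint(secret),
                    "risk": "Plaintext secrets can be exfiltrated and reused",
                    "mitigation": "Remove the secret and rotate the credential",
                })
    return findings


def check_permissions(path, has_secrets):
    """Flag a secret-bearing file whose mode bits let any local user read it."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if has_secrets and mode & stat.S_IROTH:
        return {
            "type": "WORLD_READABLE_SECRET", "severity": "HIGH",
            "location": path.name, "evidence": oct(mode),
            "risk": "Any local account can read the secret without escalating privilege",
            "mitigation": "chmod 600 the file and rotate the credential",
        }
    return None


def check_reuse(findings, environ):
    """One finding per secret seen in more than one file location or env variable."""
    seen = {}
    for f in findings:
        if f["type"] == "HARDCODED_SECRET":
            seen.setdefault(f["fingerprint"], []).append(f["location"])
    for key, value in environ.items():          # env values are hashed, never stored
        fp = fingerprint(value)
        if fp in seen:
            seen[fp].append(f"env:{key}")
    return [{
        "type": "CREDENTIAL_REUSE", "severity": "MEDIUM",
        "location": ", ".join(locs), "evidence": fp,
        "risk": "One leak compromises every place the credential is used",
        "mitigation": "Issue a distinct credential per consumer and rotate this one",
    } for fp, locs in seen.items() if len(locs) > 1]


def run_demo(mode=0o644):
    """Scan a constructed sample file and environment; return all findings."""
    # Constructed sample: AWS's documented example key ID, a synthetic PAT, a password.
    sample = (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        'password = "hunter2hunter2"\n'
    )
    environ = {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "HOME": "/home/audit"}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "config.ini"
        path.write_text(sample)
        os.chmod(path, mode)                     # 0o644 = world-readable, 0o600 = not
        findings = scan_file(path)
        perm = check_permissions(path, bool(findings))
    if perm:
        findings.append(perm)
    findings.extend(check_reuse(findings, environ))
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']}] {f['type']} {f['location']} evidence={f['evidence']}")
```

Two design points carry over to any scanner of this kind: reuse detection compares hashes of the matched values rather than the values themselves, so the report and the in-memory correlation table never hold a full secret, and the permission check is only raised for files that already produced a secret finding, which keeps a world-readable README from becoming noise.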


What This Tool Does NOT Do

This tool intentionally does not:

  • Crack or brute-force credentials
  • Validate secrets against external services
  • Perform exploitation of any kind
  • Modify files or system state
  • Access the network

Its purpose is to identify risk, not to attack systems.


Installation

Python 3 is required; the tool uses only the standard library, so there is nothing to pip install.

git clone https://github.com/lameiro0x/credential-audit-tool.git
cd credential-audit-tool

Usage

Basic scan:

python3 auditor.py /path/to/scan

Exclude paths or file patterns:

python3 auditor.py . --exclude ".git/*"

Disable specific scanners:

python3 auditor.py . --no-env --no-perms

Export JSON report:

python3 auditor.py . --json-out report.json

Example Output (Redacted)

Credential Audit Tool Report
Executive Summary
Files scanned: 14
Files skipped: 61
Total findings: 5
Findings by severity: HIGH 1, MEDIUM 4

[HIGH]
HARDCODED_SECRET
Location: test/test.txt:1
Risk: Plaintext secrets can be exfiltrated and reused
Mitigation: Remove the secret and rotate credentials

All evidence in reports is redacted; a matched secret is never reproduced in full.


JSON Output

The JSON output uses a stable, versioned schema and includes:

  • Scan metadata (tool version, timestamp, root path)
  • Executive summary
  • Fully structured findings suitable for automation or further analysis

This makes the tool usable in CI pipelines or security review workflows.
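As an added illustration of how a versioned report of this shape is produced and then consumed by a pipeline, the block below builds a report from constructed findings and gates a CI step on it. It is not the project's json_writer.py or its actual schema: the field names (schema_version, metadata, summary, findings), the severity ranking and the sample findings are assumptions for the example.

```python
"""Versioned JSON report plus a CI gate that consumes it.

Added example, not the project's json_writer.py or its schema: field names,
severity ranking and the sample findings are assumptions for illustration.
"""
import json
from collections import Counter
from datetime import datetime, timezone

SCHEMA_VERSION = "1.0"               # bump the major part on incompatible changes
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample findings, shaped like the redacted report example above.
SAMPLE_FINDINGS = [
    {"type": "HARDCODED_SECRET", "severity": "HIGH", "location": "test/test.txt:1",
     "evidence": "AKIA************MPLE",
     "risk": "Plaintext secrets can be exfiltrated and reused",
     "mitigation": "Remove the secret and rotate credentials"},
    {"type": "INSECURE_HASH", "severity": "MEDIUM", "location": "test/hash_test.txt:1",
     "evidence": "md5:5f4d********",
     "risk": "Fast unsalted hashes are cheap to crack offline",
     "mitigation": "Store credentials with a slow salted KDF and rotate them"},
]


def build_report(findings, root, files_scanned, files_skipped,
                 tool_version="0.1.0", now=None):
    """Assemble the report; `now` is injectable so tests and diffs stay deterministic."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    by_sev = Counter(f["severity"] for f in findings)
    # Highest severity first, then by location, so the report order is stable.
    ordered = sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["location"]))
    return {
        "schema_version": SCHEMA_VERSION,
        "metadata": {"tool_version": tool_version, "timestamp": ts, "root": root},
        "summary": {
            "files_scanned": files_scanned,
            "files_skipped": files_skipped,
            "total_findings": len(findings),
            "by_severity": {s: by_sev.get(s, 0) for s in SEVERITY_RANK},
        },
        "findings": ordered,
    }


def to_json(report):
    """Stable serialisation: sorted keys so two runs on the same tree diff cleanly."""
    return json.dumps(report, indent=2, sort_keys=True)


def ci_gate(report_json, fail_on="HIGH"):
    """Exit code for a pipeline step: 0 pass, 1 blocking findings, 2 unusable report."""
    try:
        report = json.loads(report_json)
    except json.JSONDecodeError:
        return 2
    major = str(report.get("schema_version", "")).split(".")[0]
    if major != SCHEMA_VERSION.split(".")[0]:
        return 2          # different major version: field meanings are not guaranteed
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in report.get("findings", [])
                if SEVERITY_RANK.get(f.get("severity"), -1) >= threshold]
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    report = build_report(SAMPLE_FINDINGS, ".", files_scanned=14, files_skipped=61)
    print(to_json(report))
    sys.exit(ci_gate(to_json(report), fail_on="HIGH"))
```

In a pipeline the gate would read the file written by `--json-out report.json` and fail the job on a non-zero exit code. Checking the schema's major version before touching any other field is what makes the "stable, versioned schema" promise useful to consumers: a report from an incompatible future version is rejected outright rather than silently misread as clean.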


Project Structure

credential-audit-tool/
├── auditor.py
├── scanners/
│   ├── base.py
│   ├── file_scan.py
│   ├── env_scan.py
│   ├── perm_scan.py
│   └── reuse_check.py
├── report/
│   ├── formatter.py
│   └── json_writer.py
└── test/
    ├── test.txt
    └── hash_test.txt

Why This Tool Exists

Credential exposure remains one of the most common causes of security incidents. This tool was built to demonstrate how to:

  • Detect credential-related risks responsibly
  • Reduce false positives through context-aware heuristics
  • Communicate security findings clearly and ethically

It reflects a defensive security mindset, prioritizing clarity, correctness, and safe reporting.

About

A Python-based security auditing tool that detects insecure credential handling, hardcoded secrets, and credential reuse on local systems, focusing on risk identification and mitigation without exploitation.
