graudit
Overview
Abschnitt betitelt „Overview“graudit (grep rough audit) is a lightweight, open-source static application security testing (SAST) tool that performs source code analysis using grep patterns. It identifies potential vulnerabilities, dangerous coding practices, code smells, and security issues by pattern matching against customizable rule sets. graudit is language-agnostic and supports multiple programming languages including Python, PHP, Java, C/C++, JavaScript, Ruby, and others.
The tool is designed for rapid security audits during penetration testing, code review processes, and continuous integration/continuous deployment (CI/CD) pipelines. It’s particularly useful for identifying common vulnerability patterns without requiring sophisticated semantic analysis.
Installation
Abschnitt betitelt „Installation“Linux (Debian/Ubuntu)
Abschnitt betitelt „Linux (Debian/Ubuntu)“# Install from repository
sudo apt-get update
sudo apt-get install graudit
# Or install from source
git clone https://github.com/presidentbeef/graudit.git
cd graudit
sudo ./install.sh
# Verify installation
graudit -v# Using Homebrew
brew install graudit
# Or from source
git clone https://github.com/presidentbeef/graudit.git
cd graudit
sudo bash install.shWindows
Abschnitt betitelt „Windows“# Using Git Bash or WSL
git clone https://github.com/presidentbeef/graudit.git
cd graudit
bash install.sh
# Alternative: Use WSL (Windows Subsystem for Linux)
wsl
sudo apt-get install grauditBasic Usage
Abschnitt betitelt „Basic Usage“Simple File Scan
Abschnitt betitelt „Simple File Scan“# Scan single file
graudit myfile.php
# Scan all PHP files in directory
graudit *.php
# Scan entire directory recursively
graudit -r /path/to/code
# Quiet mode (findings only)
graudit -q file.pyOutput Formats
Abschnitt betitelt „Output Formats“# Standard output
graudit file.php
# Verbose output (more context)
graudit -v file.php
# Log output to file
graudit -l results.log file.php
# XML output
graudit -x results.xml file.phpDatabase Selection
Abschnitt betitelt „Database Selection“Available Graudit Databases
Abschnitt betitelt „Available Graudit Databases“| Database | Language | Focus | Command |
|---|---|---|---|
| default | Multi | General vulnerabilities | graudit -d default file |
| php | PHP | PHP-specific issues | graudit -d php file.php |
| python | Python | Python vulnerabilities | graudit -d python file.py |
| java | Java | Java security issues | graudit -d java file.java |
| c | C/C++ | Memory, buffer issues | graudit -d c file.c |
| js | JavaScript | JS/Node issues | graudit -d js file.js |
| ruby | Ruby | Ruby vulnerabilities | graudit -d ruby file.rb |
| custom | Any | User-defined patterns | graudit -d ./custom.db file |
Database Management
Abschnitt betitelt „Database Management“# List available databases
graudit -l
# Using specific database
graudit -d php index.php
# View database location
graudit -g
# List all rules in database
graudit -s php | head -20Language-Specific Scanning
Abschnitt betitelt „Language-Specific Scanning“PHP Auditing
Abschnitt betitelt „PHP Auditing“# Scan PHP file with PHP database
graudit -d php index.php
# Scan all PHP files
find . -name "*.php" -exec graudit -d php {} \;
# Common PHP vulnerabilities detected:
# - SQL injection (mysql_query, mysqli, PDO)
# - Command injection (exec, system, passthru)
# - XSS (echo, print without escaping)
# - File inclusion (include, require)
# - Insecure functions (eval, create_function)Python Auditing
Abschnitt betitelt „Python Auditing“# Scan Python file
graudit -d python script.py
# Scan all Python files
find . -name "*.py" | xargs graudit -d python
# Python vulnerabilities detected:
# - SQL injection (execute, query)
# - Command execution (os.system, subprocess)
# - Insecure deserialization (pickle)
# - Hardcoded credentials
# - Unsafe importsJava Auditing
Abschnitt betitelt „Java Auditing“# Scan Java source files
graudit -d java *.java
# Recursive Java scan
find . -name "*.java" | xargs graudit -d java
# Java issues detected:
# - SQL injection patterns
# - Weak cryptography
# - Insecure deserialization
# - Command injectionJavaScript/Node.js Auditing
Abschnitt betitelt „JavaScript/Node.js Auditing“# Scan JavaScript files
graudit -d js app.js
# Scan Node.js project
find . -name "*.js" | xargs graudit -d js
# Common findings:
# - eval() usage
# - require() with variables
# - Insecure crypto
# - Command executionAdvanced Scanning Techniques
Abschnitt betitelt „Advanced Scanning Techniques“Recursive Directory Scan
Abschnitt betitelt „Recursive Directory Scan“# Scan entire project
graudit -r /path/to/project
# Recursive with specific database
graudit -r -d php /var/www/html
# Recursive excluding directories
find /path -type f -name "*.php" ! -path "*/vendor/*" ! -path "*/node_modules/*" | xargs graudit -d phpMultiple File Types
Abschnitt betitelt „Multiple File Types“# Scan mixed PHP and JavaScript project
graudit -r -d default /var/www/app
# Sequential scanning with different databases
for file in $(find . -name "*.php"); do graudit -d php "$file"; done
for file in $(find . -name "*.js"); do graudit -d js "$file"; doneLimiting Results
Abschnitt betitelt „Limiting Results“# Show only first 10 matches per file
graudit file.php | head -10
# Filter specific vulnerability type
graudit -v file.php | grep "SQL"
# Count total vulnerabilities
graudit -r /code | grep -c "Found"Custom Pattern Rules
Abschnitt betitelt „Custom Pattern Rules“Creating Custom Database
Abschnitt betitelt „Creating Custom Database“# View default database structure
cat /usr/share/graudit/databases/default.db
# Create custom database
cat > custom.db << 'EOF'
# Custom Security Rules
# Format: regex_pattern
# Detect hardcoded API keys
[A-Za-z0-9]{40}
# Detect TODO comments
TODO.*FIXME
# Detect insecure protocols
http://[^s]
# Detect weak encryption
MD5|SHA1
EOF
# Use custom database
graudit -d ./custom.db file.phpDatabase Format
Abschnitt betitelt „Database Format“# Database syntax:
# Lines starting with # are comments
# Each rule is a grep regex pattern
# Patterns are case-sensitive by default
# Example rule for SQL injection
SELECT.*FROM.*WHERE
# Pattern for command execution
exec\s*\(|system\s*\(|passthru\s*\(
# Pattern for file operations
fopen|file_get_contents|readfile
# Pattern for eval
eval\s*\(|create_functionPattern Development
Abschnitt betitelt „Pattern Development“# Test patterns with grep before adding to database
grep -n "SELECT.*FROM" *.php
# Test regex pattern syntax
grep -E "[0-9]{3}-[0-9]{2}-[0-9]{4}" *.txt
# Use graudit's verbose output
graudit -v -d custom.db file.phpIntegration with Penetration Testing
Abschnitt betitelt „Integration with Penetration Testing“Code Review Workflow
Abschnitt betitelt „Code Review Workflow“# 1. Extract source code from target
scp -r user@target:/var/www/app ./target_code
# 2. Run graudit audit
graudit -r -d default ./target_code > audit_results.txt
# 3. Review findings
cat audit_results.txt | sort | uniq
# 4. Verify with manual inspection
vim target_code/vulnerable_file.phpAutomated Assessment
Abschnitt betitelt „Automated Assessment“#!/bin/bash
# Comprehensive code audit script
PROJECT_PATH=$1
REPORT_FILE="graudit_report_$(date +%Y%m%d_%H%M%S).txt"
echo "=== graudit Security Audit Report ===" > $REPORT_FILE
echo "Project: $PROJECT_PATH" >> $REPORT_FILE
echo "Date: $(date)" >> $REPORT_FILE
echo "" >> $REPORT_FILE
echo "[PHP Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.php" | xargs graudit -d php >> $REPORT_FILE
echo "[Python Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.py" | xargs graudit -d python >> $REPORT_FILE
echo "[JavaScript Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.js" | xargs graudit -d js >> $REPORT_FILE
echo "Report saved to: $REPORT_FILE"Output Analysis
Abschnitt betitelt „Output Analysis“Understanding Results
Abschnitt betitelt „Understanding Results“# Typical graudit output format:
# /path/to/file.php:123: Found: dangerous_pattern
graudit file.php
/path/to/file.php:45: Found: exec(
/path/to/file.php:67: Found: $_GET
/path/to/file.php:89: Found: eval(Parsing Output
Abschnitt betitelt „Parsing Output“# Count findings by type
graudit -r /code | awk -F': Found: ' '{print $2}' | sort | uniq -c | sort -rn
# Extract filename and line number
graudit -r /code | awk -F':' '{print $1":"$2}' | sort -u
# Create CSV report
graudit -r /code | awk -F': Found: ' '{print $1","$2}' > audit.csvCommon Vulnerability Patterns
Abschnitt betitelt „Common Vulnerability Patterns“SQL Injection Detection
Abschnitt betitelt „SQL Injection Detection“# Graudit detects:
$query = "SELECT * FROM users WHERE id=" . $_GET['id'];
$db->query("SELECT * FROM users WHERE id=".$_POST['id']);
mysqli_query($conn, "SELECT * FROM WHERE id=$id");
# Grep pattern to find vulnerable code
grep -n "SELECT.*FROM.*WHERE.*\$" *.phpCommand Injection Detection
Abschnitt betitelt „Command Injection Detection“# Graudit identifies:
system($_GET['cmd']);
exec($_POST['command']);
passthru(user_input);
shell_exec($cmd);
# Manual verification
grep -n "exec\|system\|passthru\|shell_exec" *.phpXSS Vulnerability Detection
Abschnitt betitelt „XSS Vulnerability Detection“# Detected patterns:
echo $_GET['name'];
print $_POST['comment'];
<div><?php echo $user_input; ?></div>
# Find echo/print with user input
grep -n "echo\s*\$_\|print\s*\$_" *.phpInsecure Deserialization
Abschnitt betitelt „Insecure Deserialization“# Python detection
pickle.loads(user_data)
json.loads(untrusted_json)
# PHP detection
unserialize($_GET['data']);
# Search for patterns
grep -n "unserialize\|pickle.loads" *.php *.pyWorkflow Integration
Abschnitt betitelt „Workflow Integration“Git Pre-Commit Hook
Abschnitt betitelt „Git Pre-Commit Hook“#!/bin/bash
# .git/hooks/pre-commit
echo "Running graudit security audit..."
CHANGED_FILES=$(git diff --cached --name-only)
for file in $CHANGED_FILES; do
if [[ $file == *.php ]]; then
graudit -d php "$file" && {
echo "Security issues found in $file"
exit 1
}
fi
done
exit 0CI/CD Integration
Abschnitt betitelt „CI/CD Integration“# Example GitHub Actions workflow
name: Code Security Audit
on: [push, pull_request]
jobs:
graudit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Install graudit
run: sudo apt-get install graudit
- name: Run graudit
run: graudit -r . > audit_results.txt
- name: Upload results
uses: actions/upload-artifact@v2
with:
name: graudit-report
path: audit_results.txtFalse Positives and Filtering
Abschnitt betitelt „False Positives and Filtering“Common False Positives
Abschnitt betitelt „Common False Positives“# graudit may flag legitimate code:
# False positive 1: Comment containing SQL
# "TODO: Implement SELECT query for users table"
# False positive 2: String literal
$example = "SELECT * FROM users";
# False positive 3: Log messages
echo "System executing backup script";Filtering False Positives
Abschnitt betitelt „Filtering False Positives“# Exclude comment-only matches
graudit -r /code | grep -v "^[[:space:]]*//"
# Exclude specific files
find /code -name "*.php" ! -path "*/test/*" ! -path "*/vendor/*" | xargs graudit -d php
# Manual review and whitelist
graudit -v file.php | less
# Use 'v' flag for contextPerformance Optimization
Abschnitt betitelt „Performance Optimization“Scanning Large Projects
Abschnitt betitelt „Scanning Large Projects“# Exclude large directories
graudit -r /code --exclude=vendor,node_modules,dist
# Parallel scanning
find . -name "*.php" | parallel graudit -d php
# Sample scanning (10% of files)
find . -name "*.php" | shuf | head -10% | xargs graudit -d phpPerformance Metrics
Abschnitt betitelt „Performance Metrics“# Measure scan time
time graudit -r /code
# Count files scanned
find /code -type f \( -name "*.php" -o -name "*.js" \) | wc -l
# Generate statistics
echo "Total files: $(find /code -type f | wc -l)"
echo "PHP files: $(find /code -name "*.php" | wc -l)"
echo "Findings: $(graudit -r /code | wc -l)"Troubleshooting
Abschnitt betitelt „Troubleshooting“Common Issues
Abschnitt betitelt „Common Issues“| Issue | Cause | Solution |
|---|---|---|
| Database not found | Wrong path | Check /usr/share/graudit/databases/ |
| No results | Empty file list | Verify file extensions match database |
| Too many false positives | Overly broad patterns | Use more specific database |
| Permission denied | File access issue | Check file permissions, use sudo |
| Pattern not matching | Regex syntax error | Test with grep first |
Debug Mode
Abschnitt betitelt „Debug Mode“# Verbose output for debugging
graudit -v -d php file.php
# Show pattern matching details
graudit -v file.php 2>&1 | tee debug_output.txt
# List all patterns in database
graudit -s default | head -20Security Considerations
Abschnitt betitelt „Security Considerations“Responsible Disclosure
Abschnitt betitelt „Responsible Disclosure“# When auditing third-party code:
1. Get written permission before auditing
2. Report findings responsibly
3. Use secure channels for reporting
4. Allow time for patching before disclosure
5. Keep findings confidentialLegal Compliance
Abschnitt betitelt „Legal Compliance“# Ensure compliance with regulations:
# - Only audit code you have permission to audit
# - Document your authorization
# - Follow responsible disclosure practices
# - Adhere to CFAA and local regulations
# - Obtain client approval for testingAdvanced Pattern Creation
Abschnitt betitelt „Advanced Pattern Creation“Complex Regex Patterns
Abschnitt betitelt „Complex Regex Patterns“# Pattern: Detect unescaped output
<\?php\s+echo\s+\$(?!.*htmlspecialchars)
# Pattern: Detect hardcoded credentials
(password|api_key|secret)\s*=\s*['"][^'"]{8,}['"]
# Pattern: Detect weak algorithms
(md5|sha1|base64_encode)\s*\(
# Pattern: Detect remote code inclusion
(include|require)_once\s*\(\s*\$
# Test patterns
grep -E "pattern_here" file.phpDatabase Customization for Projects
Abschnitt betitelt „Database Customization for Projects“# Create project-specific database
cat > project_security.db << 'EOF'
# Project-specific vulnerabilities
# Custom API endpoints check
/api/admin
# Framework-specific issues
Django.*raw_sql
Flask.*render_template_string
# Database ORM issues
.filter\(.*user_input\)
.execute\(.*user_input\)
# Logging sensitive data
logger\.debug.*password
console\.log.*token
EOF
graudit -d ./project_security.db -r ./srcIntegration with Other Tools
Abschnitt betitelt „Integration with Other Tools“Combining with Other SAST Tools
Abschnitt betitelt „Combining with Other SAST Tools“# Use graudit alongside other tools
graudit -r /code > graudit_results.txt
semgrep -c p/security-audit /code > semgrep_results.txt
bandit -r /code > bandit_results.txt
# Merge and deduplicate results
cat *_results.txt | sort | uniq > combined_audit.txtExporting Results
Abschnitt betitelt „Exporting Results“# Export to HTML report
graudit -r /code | awk '{print "<tr><td>" $0 "</td></tr>"}' | \
sed '1i<table>' | sed '$a</table>' > report.html
# Export to JSON
graudit -v -r /code | jq -R -s '{findings: split("\n")}'
# Export to Slack
graudit -r /code | while read line; do
curl -X POST -H 'Content-type: application/json' \
--data "{'text':'$line'}" $SLACK_WEBHOOK_URL
doneResources and References
Abschnitt betitelt „Resources and References“- GitHub Repository: https://github.com/presidentbeef/graudit
- Pattern Database Documentation: https://github.com/presidentbeef/graudit/wiki
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CWE Top 25: https://cwe.mitre.org/top25/
- Regular Expressions Guide: https://www.regular-expressions.info/