graudit
Overview
Sección titulada «Overview»graudit (grep rough audit) is a lightweight, open-source static application security testing (SAST) tool that performs source code analysis using grep patterns. It identifies potential vulnerabilities, dangerous coding practices, code smells, and security issues by pattern matching against customizable rule sets. graudit is language-agnostic and supports multiple programming languages including Python, PHP, Java, C/C++, JavaScript, Ruby, and others.
The tool is designed for rapid security audits during penetration testing, code review processes, and continuous integration/continuous deployment (CI/CD) pipelines. It’s particularly useful for identifying common vulnerability patterns without requiring sophisticated semantic analysis.
Installation
Sección titulada «Installation»Linux (Debian/Ubuntu)
Sección titulada «Linux (Debian/Ubuntu)»# Install from repository
sudo apt-get update
sudo apt-get install graudit
# Or install from source
git clone https://github.com/presidentbeef/graudit.git
cd graudit
sudo ./install.sh
# Verify installation
graudit -v# Using Homebrew
brew install graudit
# Or from source
git clone https://github.com/presidentbeef/graudit.git
cd graudit
sudo bash install.shWindows
Sección titulada «Windows»# Using Git Bash or WSL
git clone https://github.com/presidentbeef/graudit.git
cd graudit
bash install.sh
# Alternative: Use WSL (Windows Subsystem for Linux)
wsl
sudo apt-get install grauditBasic Usage
Sección titulada «Basic Usage»Simple File Scan
Sección titulada «Simple File Scan»# Scan single file
graudit myfile.php
# Scan all PHP files in directory
graudit *.php
# Scan entire directory recursively
graudit -r /path/to/code
# Quiet mode (findings only)
graudit -q file.pyOutput Formats
Sección titulada «Output Formats»# Standard output
graudit file.php
# Verbose output (more context)
graudit -v file.php
# Log output to file
graudit -l results.log file.php
# XML output
graudit -x results.xml file.phpDatabase Selection
Sección titulada «Database Selection»Available Graudit Databases
Sección titulada «Available Graudit Databases»| Database | Language | Focus | Command |
|---|---|---|---|
| default | Multi | General vulnerabilities | graudit -d default file |
| php | PHP | PHP-specific issues | graudit -d php file.php |
| python | Python | Python vulnerabilities | graudit -d python file.py |
| java | Java | Java security issues | graudit -d java file.java |
| c | C/C++ | Memory, buffer issues | graudit -d c file.c |
| js | JavaScript | JS/Node issues | graudit -d js file.js |
| ruby | Ruby | Ruby vulnerabilities | graudit -d ruby file.rb |
| custom | Any | User-defined patterns | graudit -d ./custom.db file |
Database Management
Sección titulada «Database Management»# List available databases
graudit -l
# Using specific database
graudit -d php index.php
# View database location
graudit -g
# List all rules in database
graudit -s php | head -20Language-Specific Scanning
Sección titulada «Language-Specific Scanning»PHP Auditing
Sección titulada «PHP Auditing»# Scan PHP file with PHP database
graudit -d php index.php
# Scan all PHP files
find . -name "*.php" -exec graudit -d php {} \;
# Common PHP vulnerabilities detected:
# - SQL injection (mysql_query, mysqli, PDO)
# - Command injection (exec, system, passthru)
# - XSS (echo, print without escaping)
# - File inclusion (include, require)
# - Insecure functions (eval, create_function)Python Auditing
Sección titulada «Python Auditing»# Scan Python file
graudit -d python script.py
# Scan all Python files
find . -name "*.py" | xargs graudit -d python
# Python vulnerabilities detected:
# - SQL injection (execute, query)
# - Command execution (os.system, subprocess)
# - Insecure deserialization (pickle)
# - Hardcoded credentials
# - Unsafe importsJava Auditing
Sección titulada «Java Auditing»# Scan Java source files
graudit -d java *.java
# Recursive Java scan
find . -name "*.java" | xargs graudit -d java
# Java issues detected:
# - SQL injection patterns
# - Weak cryptography
# - Insecure deserialization
# - Command injectionJavaScript/Node.js Auditing
Sección titulada «JavaScript/Node.js Auditing»# Scan JavaScript files
graudit -d js app.js
# Scan Node.js project
find . -name "*.js" | xargs graudit -d js
# Common findings:
# - eval() usage
# - require() with variables
# - Insecure crypto
# - Command executionAdvanced Scanning Techniques
Sección titulada «Advanced Scanning Techniques»Recursive Directory Scan
Sección titulada «Recursive Directory Scan»# Scan entire project
graudit -r /path/to/project
# Recursive with specific database
graudit -r -d php /var/www/html
# Recursive excluding directories
find /path -type f -name "*.php" ! -path "*/vendor/*" ! -path "*/node_modules/*" | xargs graudit -d phpMultiple File Types
Sección titulada «Multiple File Types»# Scan mixed PHP and JavaScript project
graudit -r -d default /var/www/app
# Sequential scanning with different databases
for file in $(find . -name "*.php"); do graudit -d php "$file"; done
for file in $(find . -name "*.js"); do graudit -d js "$file"; doneLimiting Results
Sección titulada «Limiting Results»# Show only first 10 matches per file
graudit file.php | head -10
# Filter specific vulnerability type
graudit -v file.php | grep "SQL"
# Count total vulnerabilities
graudit -r /code | grep -c "Found"Custom Pattern Rules
Sección titulada «Custom Pattern Rules»Creating Custom Database
Sección titulada «Creating Custom Database»# View default database structure
cat /usr/share/graudit/databases/default.db
# Create custom database
cat > custom.db << 'EOF'
# Custom Security Rules
# Format: regex_pattern
# Detect hardcoded API keys
[A-Za-z0-9]{40}
# Detect TODO comments
TODO.*FIXME
# Detect insecure protocols
http://[^s]
# Detect weak encryption
MD5|SHA1
EOF
# Use custom database
graudit -d ./custom.db file.phpDatabase Format
Sección titulada «Database Format»# Database syntax:
# Lines starting with # are comments
# Each rule is a grep regex pattern
# Patterns are case-sensitive by default
# Example rule for SQL injection
SELECT.*FROM.*WHERE
# Pattern for command execution
exec\s*\(|system\s*\(|passthru\s*\(
# Pattern for file operations
fopen|file_get_contents|readfile
# Pattern for eval
eval\s*\(|create_functionPattern Development
Sección titulada «Pattern Development»# Test patterns with grep before adding to database
grep -n "SELECT.*FROM" *.php
# Test regex pattern syntax
grep -E "[0-9]{3}-[0-9]{2}-[0-9]{4}" *.txt
# Use graudit's verbose output
graudit -v -d custom.db file.phpIntegration with Penetration Testing
Sección titulada «Integration with Penetration Testing»Code Review Workflow
Sección titulada «Code Review Workflow»# 1. Extract source code from target
scp -r user@target:/var/www/app ./target_code
# 2. Run graudit audit
graudit -r -d default ./target_code > audit_results.txt
# 3. Review findings
cat audit_results.txt | sort | uniq
# 4. Verify with manual inspection
vim target_code/vulnerable_file.phpAutomated Assessment
Sección titulada «Automated Assessment»#!/bin/bash
# Comprehensive code audit script
PROJECT_PATH=$1
REPORT_FILE="graudit_report_$(date +%Y%m%d_%H%M%S).txt"
echo "=== graudit Security Audit Report ===" > $REPORT_FILE
echo "Project: $PROJECT_PATH" >> $REPORT_FILE
echo "Date: $(date)" >> $REPORT_FILE
echo "" >> $REPORT_FILE
echo "[PHP Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.php" | xargs graudit -d php >> $REPORT_FILE
echo "[Python Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.py" | xargs graudit -d python >> $REPORT_FILE
echo "[JavaScript Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.js" | xargs graudit -d js >> $REPORT_FILE
echo "Report saved to: $REPORT_FILE"Output Analysis
Sección titulada «Output Analysis»Understanding Results
Sección titulada «Understanding Results»# Typical graudit output format:
# /path/to/file.php:123: Found: dangerous_pattern
graudit file.php
/path/to/file.php:45: Found: exec(
/path/to/file.php:67: Found: $_GET
/path/to/file.php:89: Found: eval(Parsing Output
Sección titulada «Parsing Output»# Count findings by type
graudit -r /code | awk -F': Found: ' '{print $2}' | sort | uniq -c | sort -rn
# Extract filename and line number
graudit -r /code | awk -F':' '{print $1":"$2}' | sort -u
# Create CSV report
graudit -r /code | awk -F': Found: ' '{print $1","$2}' > audit.csvCommon Vulnerability Patterns
Sección titulada «Common Vulnerability Patterns»SQL Injection Detection
Sección titulada «SQL Injection Detection»# Graudit detects:
$query = "SELECT * FROM users WHERE id=" . $_GET['id'];
$db->query("SELECT * FROM users WHERE id=".$_POST['id']);
mysqli_query($conn, "SELECT * FROM WHERE id=$id");
# Grep pattern to find vulnerable code
grep -n "SELECT.*FROM.*WHERE.*\$" *.phpCommand Injection Detection
Sección titulada «Command Injection Detection»# Graudit identifies:
system($_GET['cmd']);
exec($_POST['command']);
passthru(user_input);
shell_exec($cmd);
# Manual verification
grep -n "exec\|system\|passthru\|shell_exec" *.phpXSS Vulnerability Detection
Sección titulada «XSS Vulnerability Detection»# Detected patterns:
echo $_GET['name'];
print $_POST['comment'];
<div><?php echo $user_input; ?></div>
# Find echo/print with user input
grep -n "echo\s*\$_\|print\s*\$_" *.phpInsecure Deserialization
Sección titulada «Insecure Deserialization»# Python detection
pickle.loads(user_data)
json.loads(untrusted_json)
# PHP detection
unserialize($_GET['data']);
# Search for patterns
grep -n "unserialize\|pickle.loads" *.php *.pyWorkflow Integration
Sección titulada «Workflow Integration»Git Pre-Commit Hook
Sección titulada «Git Pre-Commit Hook»#!/bin/bash
# .git/hooks/pre-commit
echo "Running graudit security audit..."
CHANGED_FILES=$(git diff --cached --name-only)
for file in $CHANGED_FILES; do
if [[ $file == *.php ]]; then
graudit -d php "$file" && {
echo "Security issues found in $file"
exit 1
}
fi
done
exit 0CI/CD Integration
Sección titulada «CI/CD Integration»# Example GitHub Actions workflow
name: Code Security Audit
on: [push, pull_request]
jobs:
graudit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Install graudit
run: sudo apt-get install graudit
- name: Run graudit
run: graudit -r . > audit_results.txt
- name: Upload results
uses: actions/upload-artifact@v2
with:
name: graudit-report
path: audit_results.txtFalse Positives and Filtering
Sección titulada «False Positives and Filtering»Common False Positives
Sección titulada «Common False Positives»# graudit may flag legitimate code:
# False positive 1: Comment containing SQL
# "TODO: Implement SELECT query for users table"
# False positive 2: String literal
$example = "SELECT * FROM users";
# False positive 3: Log messages
echo "System executing backup script";Filtering False Positives
Sección titulada «Filtering False Positives»# Exclude comment-only matches
graudit -r /code | grep -v "^[[:space:]]*//"
# Exclude specific files
find /code -name "*.php" ! -path "*/test/*" ! -path "*/vendor/*" | xargs graudit -d php
# Manual review and whitelist
graudit -v file.php | less
# Use 'v' flag for contextPerformance Optimization
Sección titulada «Performance Optimization»Scanning Large Projects
Sección titulada «Scanning Large Projects»# Exclude large directories
graudit -r /code --exclude=vendor,node_modules,dist
# Parallel scanning
find . -name "*.php" | parallel graudit -d php
# Sample scanning (10% of files)
find . -name "*.php" | shuf | head -10% | xargs graudit -d phpPerformance Metrics
Sección titulada «Performance Metrics»# Measure scan time
time graudit -r /code
# Count files scanned
find /code -type f \( -name "*.php" -o -name "*.js" \) | wc -l
# Generate statistics
echo "Total files: $(find /code -type f | wc -l)"
echo "PHP files: $(find /code -name "*.php" | wc -l)"
echo "Findings: $(graudit -r /code | wc -l)"Troubleshooting
Sección titulada «Troubleshooting»Common Issues
Sección titulada «Common Issues»| Issue | Cause | Solution |
|---|---|---|
| Database not found | Wrong path | Check /usr/share/graudit/databases/ |
| No results | Empty file list | Verify file extensions match database |
| Too many false positives | Overly broad patterns | Use more specific database |
| Permission denied | File access issue | Check file permissions, use sudo |
| Pattern not matching | Regex syntax error | Test with grep first |
Debug Mode
Sección titulada «Debug Mode»# Verbose output for debugging
graudit -v -d php file.php
# Show pattern matching details
graudit -v file.php 2>&1 | tee debug_output.txt
# List all patterns in database
graudit -s default | head -20Security Considerations
Sección titulada «Security Considerations»Responsible Disclosure
Sección titulada «Responsible Disclosure»# When auditing third-party code:
1. Get written permission before auditing
2. Report findings responsibly
3. Use secure channels for reporting
4. Allow time for patching before disclosure
5. Keep findings confidentialLegal Compliance
Sección titulada «Legal Compliance»# Ensure compliance with regulations:
# - Only audit code you have permission to audit
# - Document your authorization
# - Follow responsible disclosure practices
# - Adhere to CFAA and local regulations
# - Obtain client approval for testingAdvanced Pattern Creation
Sección titulada «Advanced Pattern Creation»Complex Regex Patterns
Sección titulada «Complex Regex Patterns»# Pattern: Detect unescaped output
<\?php\s+echo\s+\$(?!.*htmlspecialchars)
# Pattern: Detect hardcoded credentials
(password|api_key|secret)\s*=\s*['"][^'"]{8,}['"]
# Pattern: Detect weak algorithms
(md5|sha1|base64_encode)\s*\(
# Pattern: Detect remote code inclusion
(include|require)_once\s*\(\s*\$
# Test patterns
grep -E "pattern_here" file.phpDatabase Customization for Projects
Sección titulada «Database Customization for Projects»# Create project-specific database
cat > project_security.db << 'EOF'
# Project-specific vulnerabilities
# Custom API endpoints check
/api/admin
# Framework-specific issues
Django.*raw_sql
Flask.*render_template_string
# Database ORM issues
.filter\(.*user_input\)
.execute\(.*user_input\)
# Logging sensitive data
logger\.debug.*password
console\.log.*token
EOF
graudit -d ./project_security.db -r ./srcIntegration with Other Tools
Sección titulada «Integration with Other Tools»Combining with Other SAST Tools
Sección titulada «Combining with Other SAST Tools»# Use graudit alongside other tools
graudit -r /code > graudit_results.txt
semgrep -c p/security-audit /code > semgrep_results.txt
bandit -r /code > bandit_results.txt
# Merge and deduplicate results
cat *_results.txt | sort | uniq > combined_audit.txtExporting Results
Sección titulada «Exporting Results»# Export to HTML report
graudit -r /code | awk '{print "<tr><td>" $0 "</td></tr>"}' | \
sed '1i<table>' | sed '$a</table>' > report.html
# Export to JSON
graudit -v -r /code | jq -R -s '{findings: split("\n")}'
# Export to Slack
graudit -r /code | while read line; do
curl -X POST -H 'Content-type: application/json' \
--data "{'text':'$line'}" $SLACK_WEBHOOK_URL
doneResources and References
Sección titulada «Resources and References»- GitHub Repository: https://github.com/presidentbeef/graudit
- Pattern Database Documentation: https://github.com/presidentbeef/graudit/wiki
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CWE Top 25: https://cwe.mitre.org/top25/
- Regular Expressions Guide: https://www.regular-expressions.info/