graudit
Overview
Seção intitulada “Overview”graudit (grep rough audit) is a lightweight, open-source static application security testing (SAST) tool that performs source code analysis using grep patterns. It identifies potential vulnerabilities, dangerous coding practices, code smells, and security issues by pattern matching against customizable rule sets. graudit is language-agnostic and supports multiple programming languages including Python, PHP, Java, C/C++, JavaScript, Ruby, and others.
The tool is designed for rapid security audits during penetration testing, code review processes, and continuous integration/continuous deployment (CI/CD) pipelines. It’s particularly useful for identifying common vulnerability patterns without requiring sophisticated semantic analysis.
Installation
Seção intitulada “Installation”Linux (Debian/Ubuntu)
Seção intitulada “Linux (Debian/Ubuntu)”# Install from repository
sudo apt-get update
sudo apt-get install graudit
# Or install from source
git clone https://github.com/presidentbeef/graudit.git
cd graudit
sudo ./install.sh
# Verify installation
graudit -v# Using Homebrew
brew install graudit
# Or from source
git clone https://github.com/presidentbeef/graudit.git
cd graudit
sudo bash install.shWindows
Seção intitulada “Windows”# Using Git Bash or WSL
git clone https://github.com/presidentbeef/graudit.git
cd graudit
bash install.sh
# Alternative: Use WSL (Windows Subsystem for Linux)
wsl
sudo apt-get install grauditBasic Usage
Seção intitulada “Basic Usage”Simple File Scan
Seção intitulada “Simple File Scan”# Scan single file
graudit myfile.php
# Scan all PHP files in directory
graudit *.php
# Scan entire directory recursively
graudit -r /path/to/code
# Quiet mode (findings only)
graudit -q file.pyOutput Formats
Seção intitulada “Output Formats”# Standard output
graudit file.php
# Verbose output (more context)
graudit -v file.php
# Log output to file
graudit -l results.log file.php
# XML output
graudit -x results.xml file.phpDatabase Selection
Seção intitulada “Database Selection”Available Graudit Databases
Seção intitulada “Available Graudit Databases”| Database | Language | Focus | Command |
|---|---|---|---|
| default | Multi | General vulnerabilities | graudit -d default file |
| php | PHP | PHP-specific issues | graudit -d php file.php |
| python | Python | Python vulnerabilities | graudit -d python file.py |
| java | Java | Java security issues | graudit -d java file.java |
| c | C/C++ | Memory, buffer issues | graudit -d c file.c |
| js | JavaScript | JS/Node issues | graudit -d js file.js |
| ruby | Ruby | Ruby vulnerabilities | graudit -d ruby file.rb |
| custom | Any | User-defined patterns | graudit -d ./custom.db file |
Database Management
Seção intitulada “Database Management”# List available databases
graudit -l
# Using specific database
graudit -d php index.php
# View database location
graudit -g
# List all rules in database
graudit -s php | head -20Language-Specific Scanning
Seção intitulada “Language-Specific Scanning”PHP Auditing
Seção intitulada “PHP Auditing”# Scan PHP file with PHP database
graudit -d php index.php
# Scan all PHP files
find . -name "*.php" -exec graudit -d php {} \;
# Common PHP vulnerabilities detected:
# - SQL injection (mysql_query, mysqli, PDO)
# - Command injection (exec, system, passthru)
# - XSS (echo, print without escaping)
# - File inclusion (include, require)
# - Insecure functions (eval, create_function)Python Auditing
Seção intitulada “Python Auditing”# Scan Python file
graudit -d python script.py
# Scan all Python files
find . -name "*.py" | xargs graudit -d python
# Python vulnerabilities detected:
# - SQL injection (execute, query)
# - Command execution (os.system, subprocess)
# - Insecure deserialization (pickle)
# - Hardcoded credentials
# - Unsafe importsJava Auditing
Seção intitulada “Java Auditing”# Scan Java source files
graudit -d java *.java
# Recursive Java scan
find . -name "*.java" | xargs graudit -d java
# Java issues detected:
# - SQL injection patterns
# - Weak cryptography
# - Insecure deserialization
# - Command injectionJavaScript/Node.js Auditing
Seção intitulada “JavaScript/Node.js Auditing”# Scan JavaScript files
graudit -d js app.js
# Scan Node.js project
find . -name "*.js" | xargs graudit -d js
# Common findings:
# - eval() usage
# - require() with variables
# - Insecure crypto
# - Command executionAdvanced Scanning Techniques
Seção intitulada “Advanced Scanning Techniques”Recursive Directory Scan
Seção intitulada “Recursive Directory Scan”# Scan entire project
graudit -r /path/to/project
# Recursive with specific database
graudit -r -d php /var/www/html
# Recursive excluding directories
find /path -type f -name "*.php" ! -path "*/vendor/*" ! -path "*/node_modules/*" | xargs graudit -d phpMultiple File Types
Seção intitulada “Multiple File Types”# Scan mixed PHP and JavaScript project
graudit -r -d default /var/www/app
# Sequential scanning with different databases
for file in $(find . -name "*.php"); do graudit -d php "$file"; done
for file in $(find . -name "*.js"); do graudit -d js "$file"; doneLimiting Results
Seção intitulada “Limiting Results”# Show only first 10 matches per file
graudit file.php | head -10
# Filter specific vulnerability type
graudit -v file.php | grep "SQL"
# Count total vulnerabilities
graudit -r /code | grep -c "Found"Custom Pattern Rules
Seção intitulada “Custom Pattern Rules”Creating Custom Database
Seção intitulada “Creating Custom Database”# View default database structure
cat /usr/share/graudit/databases/default.db
# Create custom database
cat > custom.db << 'EOF'
# Custom Security Rules
# Format: regex_pattern
# Detect hardcoded API keys
[A-Za-z0-9]{40}
# Detect TODO comments
TODO.*FIXME
# Detect insecure protocols
http://[^s]
# Detect weak encryption
MD5|SHA1
EOF
# Use custom database
graudit -d ./custom.db file.phpDatabase Format
Seção intitulada “Database Format”# Database syntax:
# Lines starting with # are comments
# Each rule is a grep regex pattern
# Patterns are case-sensitive by default
# Example rule for SQL injection
SELECT.*FROM.*WHERE
# Pattern for command execution
exec\s*\(|system\s*\(|passthru\s*\(
# Pattern for file operations
fopen|file_get_contents|readfile
# Pattern for eval
eval\s*\(|create_functionPattern Development
Seção intitulada “Pattern Development”# Test patterns with grep before adding to database
grep -n "SELECT.*FROM" *.php
# Test regex pattern syntax
grep -E "[0-9]{3}-[0-9]{2}-[0-9]{4}" *.txt
# Use graudit's verbose output
graudit -v -d custom.db file.phpIntegration with Penetration Testing
Seção intitulada “Integration with Penetration Testing”Code Review Workflow
Seção intitulada “Code Review Workflow”# 1. Extract source code from target
scp -r user@target:/var/www/app ./target_code
# 2. Run graudit audit
graudit -r -d default ./target_code > audit_results.txt
# 3. Review findings
cat audit_results.txt | sort | uniq
# 4. Verify with manual inspection
vim target_code/vulnerable_file.phpAutomated Assessment
Seção intitulada “Automated Assessment”#!/bin/bash
# Comprehensive code audit script
PROJECT_PATH=$1
REPORT_FILE="graudit_report_$(date +%Y%m%d_%H%M%S).txt"
echo "=== graudit Security Audit Report ===" > $REPORT_FILE
echo "Project: $PROJECT_PATH" >> $REPORT_FILE
echo "Date: $(date)" >> $REPORT_FILE
echo "" >> $REPORT_FILE
echo "[PHP Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.php" | xargs graudit -d php >> $REPORT_FILE
echo "[Python Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.py" | xargs graudit -d python >> $REPORT_FILE
echo "[JavaScript Files]" >> $REPORT_FILE
find $PROJECT_PATH -name "*.js" | xargs graudit -d js >> $REPORT_FILE
echo "Report saved to: $REPORT_FILE"Output Analysis
Seção intitulada “Output Analysis”Understanding Results
Seção intitulada “Understanding Results”# Typical graudit output format:
# /path/to/file.php:123: Found: dangerous_pattern
graudit file.php
/path/to/file.php:45: Found: exec(
/path/to/file.php:67: Found: $_GET
/path/to/file.php:89: Found: eval(Parsing Output
Seção intitulada “Parsing Output”# Count findings by type
graudit -r /code | awk -F': Found: ' '{print $2}' | sort | uniq -c | sort -rn
# Extract filename and line number
graudit -r /code | awk -F':' '{print $1":"$2}' | sort -u
# Create CSV report
graudit -r /code | awk -F': Found: ' '{print $1","$2}' > audit.csvCommon Vulnerability Patterns
Seção intitulada “Common Vulnerability Patterns”SQL Injection Detection
Seção intitulada “SQL Injection Detection”# Graudit detects:
$query = "SELECT * FROM users WHERE id=" . $_GET['id'];
$db->query("SELECT * FROM users WHERE id=".$_POST['id']);
mysqli_query($conn, "SELECT * FROM WHERE id=$id");
# Grep pattern to find vulnerable code
grep -n "SELECT.*FROM.*WHERE.*\$" *.phpCommand Injection Detection
Seção intitulada “Command Injection Detection”# Graudit identifies:
system($_GET['cmd']);
exec($_POST['command']);
passthru(user_input);
shell_exec($cmd);
# Manual verification
grep -n "exec\|system\|passthru\|shell_exec" *.phpXSS Vulnerability Detection
Seção intitulada “XSS Vulnerability Detection”# Detected patterns:
echo $_GET['name'];
print $_POST['comment'];
<div><?php echo $user_input; ?></div>
# Find echo/print with user input
grep -n "echo\s*\$_\|print\s*\$_" *.phpInsecure Deserialization
Seção intitulada “Insecure Deserialization”# Python detection
pickle.loads(user_data)
json.loads(untrusted_json)
# PHP detection
unserialize($_GET['data']);
# Search for patterns
grep -n "unserialize\|pickle.loads" *.php *.pyWorkflow Integration
Seção intitulada “Workflow Integration”Git Pre-Commit Hook
Seção intitulada “Git Pre-Commit Hook”#!/bin/bash
# .git/hooks/pre-commit
echo "Running graudit security audit..."
CHANGED_FILES=$(git diff --cached --name-only)
for file in $CHANGED_FILES; do
if [[ $file == *.php ]]; then
graudit -d php "$file" && {
echo "Security issues found in $file"
exit 1
}
fi
done
exit 0CI/CD Integration
Seção intitulada “CI/CD Integration”# Example GitHub Actions workflow
name: Code Security Audit
on: [push, pull_request]
jobs:
graudit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Install graudit
run: sudo apt-get install graudit
- name: Run graudit
run: graudit -r . > audit_results.txt
- name: Upload results
uses: actions/upload-artifact@v2
with:
name: graudit-report
path: audit_results.txtFalse Positives and Filtering
Seção intitulada “False Positives and Filtering”Common False Positives
Seção intitulada “Common False Positives”# graudit may flag legitimate code:
# False positive 1: Comment containing SQL
# "TODO: Implement SELECT query for users table"
# False positive 2: String literal
$example = "SELECT * FROM users";
# False positive 3: Log messages
echo "System executing backup script";Filtering False Positives
Seção intitulada “Filtering False Positives”# Exclude comment-only matches
graudit -r /code | grep -v "^[[:space:]]*//"
# Exclude specific files
find /code -name "*.php" ! -path "*/test/*" ! -path "*/vendor/*" | xargs graudit -d php
# Manual review and whitelist
graudit -v file.php | less
# Use 'v' flag for contextPerformance Optimization
Seção intitulada “Performance Optimization”Scanning Large Projects
Seção intitulada “Scanning Large Projects”# Exclude large directories
graudit -r /code --exclude=vendor,node_modules,dist
# Parallel scanning
find . -name "*.php" | parallel graudit -d php
# Sample scanning (10% of files)
find . -name "*.php" | shuf | head -10% | xargs graudit -d phpPerformance Metrics
Seção intitulada “Performance Metrics”# Measure scan time
time graudit -r /code
# Count files scanned
find /code -type f \( -name "*.php" -o -name "*.js" \) | wc -l
# Generate statistics
echo "Total files: $(find /code -type f | wc -l)"
echo "PHP files: $(find /code -name "*.php" | wc -l)"
echo "Findings: $(graudit -r /code | wc -l)"Troubleshooting
Seção intitulada “Troubleshooting”Common Issues
Seção intitulada “Common Issues”| Issue | Cause | Solution |
|---|---|---|
| Database not found | Wrong path | Check /usr/share/graudit/databases/ |
| No results | Empty file list | Verify file extensions match database |
| Too many false positives | Overly broad patterns | Use more specific database |
| Permission denied | File access issue | Check file permissions, use sudo |
| Pattern not matching | Regex syntax error | Test with grep first |
Debug Mode
Seção intitulada “Debug Mode”# Verbose output for debugging
graudit -v -d php file.php
# Show pattern matching details
graudit -v file.php 2>&1 | tee debug_output.txt
# List all patterns in database
graudit -s default | head -20Security Considerations
Seção intitulada “Security Considerations”Responsible Disclosure
Seção intitulada “Responsible Disclosure”# When auditing third-party code:
1. Get written permission before auditing
2. Report findings responsibly
3. Use secure channels for reporting
4. Allow time for patching before disclosure
5. Keep findings confidentialLegal Compliance
Seção intitulada “Legal Compliance”# Ensure compliance with regulations:
# - Only audit code you have permission to audit
# - Document your authorization
# - Follow responsible disclosure practices
# - Adhere to CFAA and local regulations
# - Obtain client approval for testingAdvanced Pattern Creation
Seção intitulada “Advanced Pattern Creation”Complex Regex Patterns
Seção intitulada “Complex Regex Patterns”# Pattern: Detect unescaped output
<\?php\s+echo\s+\$(?!.*htmlspecialchars)
# Pattern: Detect hardcoded credentials
(password|api_key|secret)\s*=\s*['"][^'"]{8,}['"]
# Pattern: Detect weak algorithms
(md5|sha1|base64_encode)\s*\(
# Pattern: Detect remote code inclusion
(include|require)_once\s*\(\s*\$
# Test patterns
grep -E "pattern_here" file.phpDatabase Customization for Projects
Seção intitulada “Database Customization for Projects”# Create project-specific database
cat > project_security.db << 'EOF'
# Project-specific vulnerabilities
# Custom API endpoints check
/api/admin
# Framework-specific issues
Django.*raw_sql
Flask.*render_template_string
# Database ORM issues
.filter\(.*user_input\)
.execute\(.*user_input\)
# Logging sensitive data
logger\.debug.*password
console\.log.*token
EOF
graudit -d ./project_security.db -r ./srcIntegration with Other Tools
Seção intitulada “Integration with Other Tools”Combining with Other SAST Tools
Seção intitulada “Combining with Other SAST Tools”# Use graudit alongside other tools
graudit -r /code > graudit_results.txt
semgrep -c p/security-audit /code > semgrep_results.txt
bandit -r /code > bandit_results.txt
# Merge and deduplicate results
cat *_results.txt | sort | uniq > combined_audit.txtExporting Results
Seção intitulada “Exporting Results”# Export to HTML report
graudit -r /code | awk '{print "<tr><td>" $0 "</td></tr>"}' | \
sed '1i<table>' | sed '$a</table>' > report.html
# Export to JSON
graudit -v -r /code | jq -R -s '{findings: split("\n")}'
# Export to Slack
graudit -r /code | while read line; do
curl -X POST -H 'Content-type: application/json' \
--data "{'text':'$line'}" $SLACK_WEBHOOK_URL
doneResources and References
Seção intitulada “Resources and References”- GitHub Repository: https://github.com/presidentbeef/graudit
- Pattern Database Documentation: https://github.com/presidentbeef/graudit/wiki
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CWE Top 25: https://cwe.mitre.org/top25/
- Regular Expressions Guide: https://www.regular-expressions.info/