One command to audit your website, API, or server. Built for business owners who care about security.
Python security scanner with defensive checks + active pentest mode. Find vulnerabilities, test performance, and generate professional reports for your business.
A Python-based security assessment tool that helps you identify vulnerabilities, performance issues, and security misconfigurations in your own systems. Perfect for business owners, developers, and DevOps teams who want to proactively secure their infrastructure.
For authorized security testing only. Use exclusively on:
- Systems you own
- Systems you have explicit written permission to test
Unauthorized scanning may violate laws. By using this tool, you confirm proper authorization.
This tool performs two types of security assessments:

Read-only checks (no changes to the target):
- Scan file permissions, services, and firewall rules
- Detect hardcoded secrets in code
- Check TLS certificates and container configurations
- Analyze dependencies for known vulnerabilities

Active tests (opt-in, pentest mode):
- Performance testing: measure response times
- Vulnerability scanning: test for SQL injection and XSS
- Load testing: simulate traffic to test capacity
| Use Case | What You Get |
|---|---|
| Business Owner | Know if your website has security holes |
| Developer | Find secrets in code before committing |
| DevOps/SRE | Test if your servers can handle traffic spikes |
| Security Team | Quick first-line vulnerability assessment |
| Compliance | Generate audit reports for security reviews |
Install with pip:

```shell
pip install cache-wraith-audit-tool
```

Interactive mode (easiest) - just run with no arguments:

```shell
security-audit
```

The TUI will guide you through target selection, scan mode, and reporting.
Command line mode:

```shell
# Simple security audit
security-audit --url https://your-website.com --full-scan

# Scan local system
security-audit --local --full-scan
```

This creates:

- `audit_report_*.html` - Professional HTML report
- `audit_report_*.json` - Machine-readable JSON
- `audit_report_*.pdf` - PDF report (pentest mode)

```shell
# Open the HTML report
firefox audit_report_*.html
```

Common commands:

```shell
# Authenticate the CLI with the Laravel portal
security-audit login

# Scan a website you are authorized to test
security-audit --url https://example.com --full-scan

# Scan your local system
security-audit --local --full-scan

# Scan a project directory
security-audit --path ./my-project --full-scan

# Scan multiple websites
security-audit --url https://api1.com --url https://api2.com --full-scan

# Interactive mode (no arguments)
security-audit
```

Authentication:

```shell
# Sign in through the Laravel portal in your browser
security-audit login

# Show the currently authenticated account
security-audit whoami

# Revoke the CLI token and remove local auth state
security-audit logout
```

Token storage:

- The CLI prefers OS keyring storage when available
- Otherwise it stores auth state at `~/.config/security-audit/auth.json` with restricted permissions
- Tokens are never printed to the terminal
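The storage policy above (keyring first, private file as fallback), as an added example that is not the project's own code: the point it shows is that the fallback file must be created with mode 0600 before the first byte is written, since a `chmod` after writing leaves a window in which a default-mode file is readable by other local users, and that a token file with loose permissions should be refused on load rather than trusted. The keyring service name, the JSON layout of `auth.json` and the function names are assumptions.

```python
"""Persist a CLI token: OS keyring first, else a private file under ~/.config.

Added example, not the project's own code. The keyring service name, the
JSON layout of auth.json and the function names are assumptions.
"""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

KEYRING_SERVICE = "security-audit"  # assumed service name
DEFAULT_AUTH_PATH = Path.home() / ".config" / "security-audit" / "auth.json"


def _write_private_file(path: Path, data: bytes) -> None:
    """Write data so that no other local user can ever read it.

    mkstemp creates the temp file with mode 0600 before any byte is written,
    and os.replace swaps it into place atomically, so there is no moment at
    which a world-readable or half-written auth file exists on disk.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, stat.S_IRWXU)  # 0700: lock the directory too, not just the file
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".auth-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def save_token(account: str, token: str, *, auth_path: Path = DEFAULT_AUTH_PATH,
               use_keyring: bool = True) -> str:
    """Store the token and report where it went: "keyring" or "file"."""
    if use_keyring:
        try:
            import keyring  # optional dependency; often absent or backend-less on CI hosts
            keyring.set_password(KEYRING_SERVICE, account, token)
            return "keyring"
        except Exception:  # ImportError, NoKeyringError, locked backend: use the file
            pass
    payload = json.dumps({"account": account, "token": token}).encode()
    _write_private_file(auth_path, payload)
    return "file"


def load_token(account: str, *, auth_path: Path = DEFAULT_AUTH_PATH,
               use_keyring: bool = True) -> Optional[str]:
    """Return the stored token, refusing a file that other users could have touched."""
    if use_keyring:
        try:
            import keyring
            found = keyring.get_password(KEYRING_SERVICE, account)
            if found:
                return found
        except Exception:
            pass
    if not auth_path.exists():
        return None
    mode = stat.S_IMODE(auth_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{auth_path} is mode {oct(mode)}; expected 0600")
    state = json.loads(auth_path.read_bytes())
    return state["token"] if state.get("account") == account else None
```

Because the token never goes through `print`, a `whoami`-style command built on this would display the account name only, which matches the "never printed to the terminal" rule above.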
```shell
# Full pentest with performance, vulnerability, and load tests
security-audit --url https://your-business.com --pentest-mode

# Just vulnerability scan (SQLi, XSS tests)
security-audit --url https://your-api.com --enable-vulnerability-scan

# Performance test only
security-audit --url https://your-api.com --enable-performance-test

# Load test (generates real traffic against the target - use with caution!)
security-audit --url https://your-api.com --enable-load-test
```

Read-only checks (enabled by default):

- File/directory permissions
- Running services and open ports
- Firewall configuration
- Hardcoded secrets in code
- Outdated dependencies with known CVEs
- Docker/container security
- Web application configuration

With the opt-in flags (`--enable-tls-checks`, `--enable-performance-test`, `--enable-vulnerability-scan`), everything above, plus:

- TLS/SSL certificate validation
- Performance testing
- Vulnerability scanning (SQLi, XSS)

With `--pentest-mode`, everything above, plus:

- Load testing / DDoS simulation
| Check ID | Category | Description | Default |
|---|---|---|---|
| permissions | Read-Only | File/directory permissions (world-writable, SUID/SGID) | Enabled |
| services | Read-Only | Running service and port enumeration | Enabled |
| firewall | Read-Only | Firewall status and configuration | Enabled |
| hardening | Read-Only | OS hardening indicator checks | Enabled |
| secrets | Read-Only | Hardcoded secrets and credential patterns | Enabled |
| dependencies | Read-Only | Outdated and vulnerable dependencies | Enabled |
| containers | Read-Only | Docker/container security configuration | Enabled |
| webapp_config | Read-Only | Web application configuration checks | Enabled |
| tls | Read-Only | TLS/SSL certificate inspection | --enable-tls-checks |
| performance | Active | Response time measurement | --enable-performance-test |
| vulnerability | Active | SQL injection, XSS tests | --enable-vulnerability-scan |
| load_test | Active | DDoS simulation (intensive) | --pentest-mode only |
Use the check IDs with `--skip-checks` or `--only-checks`:

```shell
# Skip specific checks
security-audit --url example.com --skip-checks "tls,containers"

# Run only specific checks
security-audit --url example.com --only-checks "vulnerability,secrets"

# List all available checks
security-audit --list-checks
```

| Format | File Extension | Use Case |
|---|---|---|
| Terminal | - | Quick review during development |
| HTML | .html | Share with team, management, compliance |
| JSON | .json | CI/CD integration, automation, archiving |
| PDF | .pdf | Formal documentation, offline review |
Want to extend the tool? Here's how it's structured:

```text
app/
├── cli.py              # Command-line interface
├── main.py             # Entry point and orchestration
├── config.py           # Configuration management
├── scope.py            # Target validation and scoping
├── checks/             # Security test implementations
│   ├── base.py         # Base class for all checks
│   ├── permissions_check.py
│   ├── vulnerability_check.py   # SQLi, XSS tests
│   ├── performance_check.py
│   └── load_test_check.py       # DDoS simulation
├── collectors/         # Data gathering modules
├── report/             # Output generators (JSON, HTML, Terminal)
└── utils/              # Rate limiting, timeouts, validators
```

To add a new check:

- Create `app/checks/my_check.py`
- Inherit from `BaseCheck`
- Implement the `run()` method
- Register it in `app/checks/__init__.py`
```python
from .base import BaseCheck, CheckResult
from ..models import SeverityLevel


class MyCheck(BaseCheck):
    check_id = "my_check"             # the ID used with --only-checks / --skip-checks
    check_name = "My Security Check"

    def run(self) -> CheckResult:
        result = self._create_result()
        # Your check logic here: inspect the target, then record each finding.
        finding = self._create_finding(
            title="Example issue",
            severity=SeverityLevel.MEDIUM,
            target="example.com",
            evidence="Found issue X",
            remediation="Fix by doing Y",
        )
        result.findings.append(finding)
        return self._finish_result(result)
```
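The skeleton above leaves the actual check logic empty. The following is an added example, not the project's code, of what the body of a `secrets`-style check can do: pattern matching for fixed-format secrets, an entropy test to separate machine-generated values from placeholders in generic `name = "value"` assignments, and redaction so the evidence field never carries the secret into a report that is shared with management. It does not import `BaseCheck`; each finding is a plain dict with the same keys as the `_create_finding(...)` call above, with the severity as a string in place of the `SeverityLevel` enum. The sample config is constructed and contains no real credentials.

```python
"""Hardcoded-secret detection, as the body a secrets-style check could run.

Added example, not the project's code: it does not import BaseCheck. Each
finding is a dict with the same keys as the _create_finding(...) call above,
with severity as a plain string in place of the SeverityLevel enum. The sample
config below is constructed and contains no real credentials.
"""
import math
import re
from typing import Dict, List, Tuple

# name -> (pattern, base severity). Fixed-format secrets are reliable matches;
# generic "name = value" assignments are noisy and start at MEDIUM.
PATTERNS: Dict[str, Tuple[re.Pattern, str]] = {
    "AWS access key ID": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    "Private key block": (
        re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "CRITICAL"),
    "Credential assignment": (
        re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
        "MEDIUM"),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx"}


def shannon_entropy(value: str) -> float:
    """Bits per character: hex/base64 tokens score well above 3.5, words below."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def redact(value: str) -> str:
    """Evidence that is safe to put in a report shared with management."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, path: str) -> List[Dict[str, str]]:
    """Scan one file's contents; findings never carry the secret itself."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (regex, base_severity) in PATTERNS.items():
            for match in regex.finditer(line):
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                severity = base_severity
                if name == "Credential assignment":
                    # Skip placeholders and env-var references; escalate values
                    # that look machine-generated (high entropy).
                    if value.lower() in PLACEHOLDERS or value.startswith("${"):
                        continue
                    if shannon_entropy(value) >= 3.5:
                        severity = "HIGH"
                findings.append({
                    "title": f"{name} in {path}:{lineno}",
                    "severity": severity,
                    "target": path,
                    "evidence": redact(value),
                    "remediation": "Remove the value from source, rotate it, and load it "
                                   "from an environment variable or a secrets manager.",
                })
    return findings


# Constructed sample (not real credentials); AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
SAMPLE_CONFIG = """\
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "9f1c2a7bd4e6580f3a1b2c3d4e5f6071"
secret = "letmein-please"
SMTP_PASSWORD = "${SMTP_PASSWORD}"
"""


def demo_findings() -> List[Dict[str, str]]:
    return scan_text(SAMPLE_CONFIG, "settings.py")
```

Inside a real check, `scan_text` would run over each collected file and its dicts would be passed as keyword arguments to `_create_finding`, with the string severity mapped to the matching `SeverityLevel` member.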
Development:

```shell
# Install dev dependencies
venv/bin/pip install -e ".[dev]"

# Run tests
venv/bin/pytest

# Run with coverage
venv/bin/pytest --cov=app
```

| Document | What's Inside |
|---|---|
| docs/RUN.md | How to install and run the tool |
| docs/COMMANDS.md | All available commands and examples |
| docs/PENTEST.md | Pentest mode guide for active testing |
| docs/FEATURES.md | Feature list and what each check does |
| docs/ARCHITECTURE.md | Code structure for developers |
| docs/TROUBLESHOOTING.md | Common issues and solutions |
- Explicit Scope Required - Tool won't run without defined targets
- Authorization Prompt - Legal confirmation required
- Rate Limiting - Built-in request throttling
- Read-Only by Default - No modifications to target systems
- Opt-in Active Tests - Pentest features must be explicitly enabled
- Auditable - All actions logged
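"Explicit Scope Required" and the `scope.py` module above describe target validation without showing it. The following is an added example, not the project's `scope.py`, of the check a scanner should run on every target before sending a single request. It guards against the two mistakes that most often let a scanner wander out of scope: matching a hostname suffix without a dot boundary (so `example.com.attacker.net` passes for `example.com`) and accepting a literal address no one authorized. The allow-list syntax (exact host, `*.` wildcard, CIDR or single address) and the class name are assumptions.

```python
"""Authorized-scope check run on every target before a single request is sent.

Added example, not the project's scope.py. The allow-list syntax (exact host,
"*." wildcard, CIDR or single address) and the class name are assumptions.
"""
import ipaddress
from typing import Iterable, Set
from urllib.parse import urlsplit


class ScopeError(ValueError):
    """Raised for any target that is not covered by the written authorization."""


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


class AuthorizedScope:
    def __init__(self, entries: Iterable[str]) -> None:
        self.hosts: Set[str] = set()      # exact hostnames
        self.suffixes: Set[str] = set()   # "*.example.com" -> "example.com"
        self.networks: list = []          # ip_network objects (CIDR or single /32, /128)
        for raw in entries:
            entry = raw.strip().lower().rstrip(".")
            if not entry:
                continue
            if entry.startswith("*."):
                self.suffixes.add(entry[2:])
            elif "/" in entry or _is_ip(entry):
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            else:
                self.hosts.add(entry)

    def check_url(self, target: str) -> str:
        """Return the normalized host if the target is in scope, else raise ScopeError."""
        if not (self.hosts or self.suffixes or self.networks):
            raise ScopeError("no authorized targets defined; refusing to scan")
        parts = urlsplit(target if "://" in target else "https://" + target)
        if parts.scheme not in ("http", "https"):
            raise ScopeError(f"unsupported scheme {parts.scheme!r}")
        # urlsplit().hostname drops userinfo, so "https://example.com@attacker.net/"
        # is judged by attacker.net, not by the decoy before the '@'.
        host = (parts.hostname or "").rstrip(".")
        if not host:
            raise ScopeError("target has no host")
        if _is_ip(host):
            addr = ipaddress.ip_address(host)
            if any(addr in net for net in self.networks):
                return host
            raise ScopeError(f"address {host} is outside the authorized networks")
        if host in self.hosts:
            return host
        # Suffix match on a dot boundary: "api.example.com" is under "*.example.com";
        # "example.com.attacker.net" and "notexample.com" are not.
        if any(host.endswith("." + suffix) for suffix in self.suffixes):
            return host
        raise ScopeError(f"host {host} is outside the authorized scope")
```

Note that a wildcard entry covers subdomains only; list the apex domain separately if it is in scope, and treat the host this returns, not the string the user typed, as the value to log and to scan.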
```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup
        run: |
          python -m venv venv
          venv/bin/pip install -e .
      - name: Run Security Audit
        # The venv is never activated, so call the entry point by path
        run: venv/bin/security-audit --url https://staging.your-app.com --full-scan
      - name: Upload Report
        if: always()   # keep the report even when the audit step fails
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: audit_report_*.html
```

Roadmap:

- CIS Benchmark compliance checks
- SBOM generation (CycloneDX, SPDX)
- Kubernetes security scanning
- API endpoint fuzzing
- Compliance mapping (NIST, PCI-DSS, SOC2)
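The GitHub Actions workflow above uploads the HTML report, but the job passes whatever the audit found. The gate script below is an added example, not part of the project: it reads the newest `audit_report_*.json` (the format the page lists for CI/CD integration) and exits non-zero when any finding is at or above a severity threshold, with a separate exit code when no report exists at all so a broken scan step cannot pass as a clean one. The report layout it assumes (a top-level `findings` list whose items carry `severity`, `title` and `target`) is an assumption; confirm it against a real report before relying on it.

```python
"""CI gate: exit non-zero when the JSON report holds findings at or above a threshold.

Added example, not part of the project. The report layout (a top-level
"findings" list whose items carry "severity", "title" and "target") is an
assumption; verify it against a real audit_report_*.json first.
"""
import glob
import json
import sys
from collections import Counter
from pathlib import Path
from typing import Dict, List

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _rank(severity: str) -> int:
    """Unknown severities rank above CRITICAL so a schema change fails loudly, not silently."""
    sev = str(severity).upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def count_by_severity(report: dict) -> Dict[str, int]:
    counts: Counter = Counter(
        str(f.get("severity", "INFO")).upper() for f in report.get("findings", []))
    return dict(counts)


def blocking_findings(report: dict, threshold: str = "HIGH") -> List[dict]:
    """Findings whose severity is at or above the threshold."""
    floor = SEVERITY_ORDER.index(threshold.upper())
    return [f for f in report.get("findings", []) if _rank(f.get("severity", "INFO")) >= floor]


def main(argv: List[str]) -> int:
    threshold = argv[1] if len(argv) > 1 else "HIGH"
    paths = sorted(glob.glob("audit_report_*.json"))
    if not paths:
        print("no audit_report_*.json found; did the audit step run?", file=sys.stderr)
        return 2  # distinct from 1 so "no report" is never mistaken for "clean report"
    report = json.loads(Path(paths[-1]).read_text(encoding="utf-8"))
    for sev, n in sorted(count_by_severity(report).items(), key=lambda kv: _rank(kv[0])):
        print(f"{sev:9s} {n}")
    blocking = blocking_findings(report, threshold)
    for f in blocking:
        print(f"BLOCKING [{f.get('severity')}] {f.get('title')} ({f.get('target')})")
    return 1 if blocking else 0


# Constructed sample report, used only to exercise the functions above.
SAMPLE_REPORT = {
    "findings": [
        {"severity": "LOW", "title": "Missing X-Content-Type-Options header",
         "target": "https://staging.example.com"},
        {"severity": "high", "title": "Certificate expires in 3 days",
         "target": "staging.example.com:443"},
        {"severity": "CRITICAL", "title": "Hardcoded AWS access key", "target": "settings.py"},
    ]
}


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow this would be one more step after "Run Security Audit", for instance `run: venv/bin/python ci_gate.py HIGH`, placed before the upload step so the report is still collected when the gate fails.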
Contributions welcome! Please ensure:
- All checks are defensive and non-destructive by default
- Code includes type hints
- Tests included for new functionality
- Documentation updated
MIT License - See LICENSE file for details.
Built with ❤️ for business owners who take security seriously.
Got questions? Open an issue or check the docs/ folder.