OpenAuditKit is an open-source CLI security audit tool designed to scan your codebase for secrets and configuration vulnerabilities. It emphasizes offline capability, modular design, and secure handling of sensitive data (secret masking).


OpenAuditKit


Next-Gen Security Audit Tool for Modern Codebases. Powered by AI. Secure by Design. Offline First.



What is OpenAuditKit?

OpenAuditKit is not just another linter. It's an intelligent security companion that lives in your terminal. Unlike traditional tools that drown you in false positives, OpenAuditKit combines robust pattern matching (Regex & Entropy) with Context-Aware AI Agents to understand why a piece of code might be dangerous.

Whether you are a solo developer or part of a large enterprise, OpenAuditKit helps you ship secure code faster.

✨ Key Features

  • 🕵️ Secret Scanning: Detects API keys, tokens, and credentials with high-entropy validation.
  • ⚙️ Config Audit: Discovers misconfigurations in Dockerfile, .env, Kubernetes, and more.
  • 🧠 AI Advisory (New): Integrated AI Agents explain vulnerabilities and suggest fixes.
  • 🏗️ Architecture Analysis: AI agents analyze your project structure for design flaws.
  • 🛡️ Threat Modeling: Auto-generates STRIDE threat models based on your codebase.
  • 🔌 Integrations: Native support for CI/CD pipelines (GitHub Actions, GitLab CI).
  • 📝 JSON Reporting: Export findings for easy integration with dashboards like DefectDojo.

🚀 Installation

Install simply via pip:

pip install openaudit

⚡ Quick Start

1. Basic Scan

Run a security scan on your current directory:

openaudit scan .

2. Enable AI Superpowers 🧠

Unlock the full potential with AI agents that analyze architecture and data flow:

# Set your OpenAI API Key
openaudit config set-key sk-your-api-key

# Run an AI-enhanced scan
openaudit scan . --ai
openaudit explain src/complex_logic.py

3. 🤖 AI Agent Integration (MCP) - NEW!

Turn your favorite AI Editor (Cursor, Claude Desktop) into a security expert. OpenAuditKit now supports the Model Context Protocol (MCP).

  1. Install OpenAuditKit:

    pip install openaudit[mcp]
  2. Configure your AI Tool (e.g., claude_desktop_config.json):

    {
      "mcpServers": {
        "openaudit": {
          "command": "openaudit",
          "args": ["mcp"]
        }
      }
    }
  3. Chat with your AI:

    "Hey, can you scan this workspace for security issues?"
    "Check this file for any vulnerabilities or tech debt."

The AI will invoke OpenAuditKit locally and report back findings instantly!

🪝 Git Hooks (Pre-commit)

Prevent security issues from being committed by using our pre-configured git hooks.

  1. Install pre-commit:

    pip install pre-commit
  2. Install the hooks:

    pre-commit install

Now, openaudit will automatically scan your code before every commit!

🎨 Custom Rules ("Vibe Checks")

Define your own security and quality rules that match your team's standards.

  1. Create a custom rules file:

    openaudit custom-rules init
  2. Edit the generated file (.openaudit/custom_rules.yaml):

    rules:
      - id: "CUSTOM_COMPANY_SECRET"
        description: "Company API key detected"
        regex: "MYCOMPANY_[A-Z0-9]{32}"
        severity: "high"
        confidence: "high"
        category: "secret"
        remediation: "Move to secrets manager."
  3. Run scan - Custom rules are automatically loaded:

    openaudit scan .

Custom rules can be placed in:

  • Project-level: .openaudit/custom_rules.yaml (committed to repo)
  • User-level: ~/.openaudit/custom_rules.yaml (personal rules)
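To show how a rule in the custom_rules.yaml format above behaves when combined with the entropy validation mentioned under Key Features, here is an added example written for this README (it is not OpenAuditKit's own loader or scanner). It embeds the rule fields as a Python dict rather than parsing YAML, uses an assumed entropy threshold of 3.0 bits per character, and masks every match so the report never reproduces the secret:

```python
import math
import re

# Rule fields mirror the custom_rules.yaml schema shown above. The rule set is
# embedded as a constructed sample instead of being parsed from YAML.
CUSTOM_RULES = [{
    "id": "CUSTOM_COMPANY_SECRET",
    "description": "Company API key detected",
    "regex": r"MYCOMPANY_[A-Z0-9]{32}",
    "severity": "high",
    "confidence": "high",
    "category": "secret",
    "remediation": "Move to secrets manager.",
}]

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, placeholders low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix and suffix so the finding stays actionable without
    copying the secret into reports or logs."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]

def scan_lines(lines, rules=CUSTOM_RULES, min_entropy=3.0):
    """Apply every regex rule to every line. For category 'secret', matches
    below the (assumed) entropy threshold are dropped as placeholders."""
    findings = []
    for rule in rules:
        pattern = re.compile(rule["regex"])
        for line_no, line in enumerate(lines, start=1):
            for m in pattern.finditer(line):
                value = m.group(0)
                if rule["category"] == "secret" and shannon_entropy(value) < min_entropy:
                    continue  # low entropy, e.g. MYCOMPANY_XXXX..., is not a live key
                findings.append({
                    "rule_id": rule["id"], "line": line_no, "severity": rule["severity"],
                    "value": mask(value), "remediation": rule["remediation"],
                })
    return findings

# Constructed sample input: one random-looking key and one obvious placeholder.
SAMPLE_LINES = [
    'API_KEY = "MYCOMPANY_A7F3K9Q2ZX8B1N4M6P0CW5E2YH3TJ8R1"',
    'EXAMPLE = "MYCOMPANY_' + "X" * 32 + '"',
]
```

Only the first line produces a finding; the all-X placeholder matches the regex but fails the entropy check.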

🛡️ VibeGuard (Tech Debt Scanner)

We know "vibe coding" happens. OpenAuditKit now includes VibeGuard, a scanner designed to catch non-engineering practices before they hit production:

  • 🔍 Annotations: Catches TODO, FIXME, BUG leftovers.
  • 🐛 Debug Trash: Finds forgotten console.log, print(), debugger.
  • 🤫 Silent Failures: Alerts on except: pass.
  • 🌐 Hardcoding: Detects hardcoded IPs and potential secrets.

VibeGuard runs automatically with openaudit scan.
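The four VibeGuard categories above, implemented as an added example for this README (the patterns are this example's own approximations, not OpenAuditKit's real rule set); it handles `except: pass` both on one line and split across two, and is run over a constructed mixed-language snippet:

```python
import re

# Patterns for the VibeGuard categories listed above. They are this
# example's own approximations, not OpenAuditKit's actual rule set.
CHECKS = {
    "annotation": re.compile(r"\b(TODO|FIXME|BUG)\b"),
    "debug_leftover": re.compile(r"\b(console\.log\(|print\(|debugger\b)"),
    "hardcoded_ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
SILENT_EXCEPT = re.compile(r"^\s*except\s*(?:\w+\s*)?:\s*(pass)?\s*$")

def is_silent_except(lines, i):
    """True when line i is an 'except:' (bare or named) whose whole body is
    'pass', written on the same line or on the next one."""
    m = SILENT_EXCEPT.match(lines[i])
    if not m:
        return False
    if m.group(1):
        return True
    return i + 1 < len(lines) and lines[i + 1].strip() == "pass"

def vibe_check(lines):
    """Return (line_number, category) pairs in source order."""
    findings = []
    for i, line in enumerate(lines):
        if is_silent_except(lines, i):
            findings.append((i + 1, "silent_failure"))
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                findings.append((i + 1, name))
    return findings

# Constructed sample (Python with a stray JS line) that trips every category.
SAMPLE = '''\
def fetch(host="10.0.0.5"):  # TODO: read from config
    print("debug", host)
    try:
        connect(host)
    except:
        pass
    console.log("done")
'''.splitlines()
```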

📊 Comparison

Feature OpenAuditKit Gitleaks TruffleHog
Finding Secrets
Config Analysis
AI Context Analysis
Architecture Review
Offline Capabilities ❌*

*TruffleHog often requires API connectivity for verification.

🤖 CI/CD Integration

Secure your pipeline with zero effort. Add this to your .github/workflows/security.yml:

name: Security Audit
on: [push, pull_request]

jobs:
  openaudit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - run: pip install openaudit
      - run: openaudit scan . --ci --fail-on high --ai
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} # Optional for AI features

🛡️ Security Philosophy

At NeuralForge, we believe security tools should be:

  1. Silent but Deadly: Only alert on real issues (Low False Positives).
  2. Educational: Don't just find bugs, explain them.
  3. Private: Your code never leaves your machine unless you explicitly opt-in to AI features (which are redacted by default).

🤝 Contributing

We love contributions! Please check out our Contributing Guide to get started.


Built with ❤️ by the NeuralForge Team.
