The software approval problem costs enterprises $50,000–$150,000 per vendor assessment. GRC platforms charge $200K+/year and still can't tell you what a binary actually does at runtime. app-audit replaces all of it with a single Docker run.
Organizations spend billions on governance, risk, and compliance tooling — ServiceNow, OneTrust, Archer, Vanta — and none of them can tell you whether a binary phones home to a bulletproof-hosting ASN in Moldova. They track paperwork. app-audit tracks behavior.
Big 4 auditors and boutique appsec firms bill $500–$1,200/hour for vendor risk assessments that take 4–8 weeks. Their deliverable is a PDF with screenshots. app-audit produces a machine-verifiable, evidence-backed report in minutes — for free.
SCA tools scan dependency manifests. SAST tools parse source code. Neither one can detect a binary that reads your AWS credentials and exfiltrates them over TLS to a server in Hong Kong. Dynamic analysis is the only way to catch runtime betrayal — and app-audit is the only open-source tool purpose-built for this exact scenario.
Plants 18 unique honeytokens (fake AWS keys, SSH keys, browser cookies, PII docs, API tokens for GitHub/OpenAI/Anthropic/Stripe/Slack). If the binary reads and transmits any, the plaintext payload is captured before encryption via TLS library hooking.
Compares the vendor's declared network destinations against actual observed connections. Flags undeclared destinations with ASN/country enrichment. "Vendor said US-only; we observed traffic to AU" — take it to the vendor.
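As an added illustration of the comparison described above (not app-audit's own code), a Go sketch of a vendor-diff check; the Manifest and Observed shapes, the hostnames and the enrichment values are assumptions:

```go
package main

import (
	"fmt"
	"strings"
)

// Manifest is the vendor's declared network profile (field names assumed,
// not app-audit's real manifest schema).
type Manifest struct {
	Destinations []string // hostnames the vendor says it contacts
	Countries    []string // ISO country codes it says traffic stays within
}
// Observed is one enriched connection from the trace (shape assumed).
type Observed struct{ Host, IP, ASN, Country string }

// VendorDiff reports each observed destination the manifest does not declare
// and each connection to a country outside the declared set; an empty
// Countries list means the vendor made no geographic claim.
func VendorDiff(m Manifest, obs []Observed) []string {
	declared, allowed := map[string]bool{}, map[string]bool{}
	for _, d := range m.Destinations {
		declared[strings.ToLower(d)] = true
	}
	for _, c := range m.Countries {
		allowed[strings.ToUpper(c)] = true
	}
	var findings []string
	for _, o := range obs {
		host := strings.ToLower(o.Host)
		if !declared[host] {
			findings = append(findings, fmt.Sprintf("undeclared destination %s (%s, %s, %s)", host, o.IP, o.ASN, o.Country))
		}
		if len(allowed) > 0 && !allowed[strings.ToUpper(o.Country)] {
			findings = append(findings, fmt.Sprintf("traffic to %s via %s outside declared countries", o.Country, host))
		}
	}
	return findings
}

// SampleDiff runs the check on a constructed manifest and trace: the vendor
// declares two US hosts, the trace also shows an undeclared host in AU.
func SampleDiff() []string {
	m := Manifest{Destinations: []string{"api.vendor.example", "updates.vendor.example"}, Countries: []string{"US"}}
	return VendorDiff(m, []Observed{
		{"api.vendor.example", "203.0.113.10", "AS64496", "US"},
		{"telemetry.au.example", "198.51.100.7", "AS64511", "AU"},
	})
}
func main() { fmt.Println(strings.Join(SampleDiff(), "\n")) }
```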
Catches binaries that check for virtualization (reading /proc/cpuinfo for hypervisor brands, probing /.dockerenv). If the binary behaves differently when it knows it's being watched, that's a high-severity finding.
Watches for writes to cron, systemd, shell rc files, autostart paths, and ld.so.preload. Write-shape opens (O_WRONLY/O_CREAT) escalate from medium to high — writing to .bashrc is an install action, reading it is just a probe.
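An added example, not the project's own code, of the read-versus-write severity escalation described above; the event shape and the persistence path list are assumptions (a representative set, not app-audit's):

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// OpenEvent is a simplified file-open event: path plus the os.O_* flags from
// the open(2) call (shape assumed for this example, not the tracer's own).
type OpenEvent struct {
	Path  string
	Flags int
}
// Persistence locations: directory fragments matched anywhere in the path,
// plus exact paths and basenames (a representative list, not app-audit's).
var persistDirs = []string{"/etc/cron.d/", "/etc/cron.daily/", "/var/spool/cron/",
	"/etc/systemd/system/", "/.config/systemd/user/", "/.config/autostart/"}
var persistFiles = map[string]bool{"/etc/crontab": true, "/etc/ld.so.preload": true,
	".bashrc": true, ".bash_profile": true, ".profile": true, ".zshrc": true}

func isPersistencePath(p string) bool {
	clean := filepath.Clean(p)
	if persistFiles[clean] || persistFiles[filepath.Base(clean)] {
		return true
	}
	for _, d := range persistDirs {
		if strings.Contains(clean+"/", d) {
			return true
		}
	}
	return false
}

// ClassifyPersistence returns the PersistencePath severity for one event:
// "" if the path is not a persistence location, MEDIUM for a read-only probe,
// HIGH for a write-shape open (O_WRONLY/O_RDWR/O_CREATE/O_APPEND/O_TRUNC).
func ClassifyPersistence(ev OpenEvent) string {
	if !isPersistencePath(ev.Path) {
		return ""
	}
	if ev.Flags&(os.O_WRONLY|os.O_RDWR|os.O_CREATE|os.O_APPEND|os.O_TRUNC) != 0 {
		return "HIGH"
	}
	return "MEDIUM"
}
func main() { // constructed event: appending to .bashrc is an install action
	fmt.Println(ClassifyPersistence(OpenEvent{"/home/app/.bashrc", os.O_WRONLY | os.O_APPEND})) // HIGH
}
```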
Scans TLS payloads for Luhn-valid credit card numbers, JWT-shaped bearer tokens, and email addresses. Catches accidental PII leakage that no static tool would find.
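An added example, not from the project, of the Luhn-filtered card-number scan over a decrypted payload; it narrows to the card case (the JWT and email shapes are left out), the candidate regex is an assumption, and the sample payload is constructed:

```go
package main

import (
	"fmt"
	"regexp"
)

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
// dashes, on word boundaries so a longer digit run (an order id, a timestamp)
// cannot yield a spurious 16-digit substring. Luhn then filters the rest.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`)

// luhnValid runs the Luhn checksum over the digits of s, ignoring separators.
func luhnValid(s string) bool {
	doubled := [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9} // 2*d with its digits summed
	sum, double, n := 0, false, 0
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			continue
		}
		d := int(s[i] - '0')
		if double {
			d = doubled[d]
		}
		sum, double, n = sum+d, !double, n+1
	}
	return n >= 13 && sum%10 == 0
}

// CardNumbers returns the Luhn-valid card-shaped numbers in one decrypted
// payload: the evidence a PIIOutbound-style HIGH finding would carry.
func CardNumbers(payload []byte) []string {
	var hits []string
	for _, m := range panCandidate.FindAllString(string(payload), -1) {
		if luhnValid(m) {
			hits = append(hits, m)
		}
	}
	return hits
}

// SamplePayload is a constructed request body as the TLS hook would hand it
// over in plaintext: a Luhn-valid test PAN, a digit run of the same length
// that fails Luhn, and a 23-digit order id that is too long to be a PAN.
func SamplePayload() []byte {
	return []byte(`{"user":"alice@example.com","pan":"4111 1111 1111 1111",` +
		`"ref":"4111111111111112","order":"20240101123456789012345"}`)
}
func main() { fmt.Println(CardNumbers(SamplePayload())) } // [4111 1111 1111 1111]
```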
Detects regular-interval outbound connections — the callback fingerprint of command-and-control infrastructure. Statistical analysis of connection timing patterns flags suspiciously periodic phone-home behavior.
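An added example, not the project's own code, of the interval-regularity statistic behind a beaconing detector: the coefficient of variation of the gaps between successive connects to one destination. The thresholds and the sample timestamps are assumptions:

```go
package main

import (
	"fmt"
	"math"
	"time"
)
// Thresholds are assumptions for this example, not app-audit's tuned values.
const (
	minConnects = 5    // fewer connects than this is not enough evidence
	maxCV       = 0.15 // gaps whose stddev/mean is below this count as periodic
)
// BeaconScore takes the connect timestamps to one destination in trace order
// and returns the coefficient of variation (CV) of the inter-connect gaps plus
// whether that looks like a fixed-interval beacon; a burst at one instant
// (mean gap 0) never flags.
func BeaconScore(ts []time.Time) (cv float64, beaconing bool) {
	if len(ts) < minConnects {
		return 0, false
	}
	n := float64(len(ts) - 1)
	mean := ts[len(ts)-1].Sub(ts[0]).Seconds() / n // sum of gaps = first-to-last span
	if mean <= 0 {
		return 0, false
	}
	variance := 0.0
	for i := 1; i < len(ts); i++ {
		g := ts[i].Sub(ts[i-1]).Seconds()
		variance += (g - mean) * (g - mean)
	}
	cv = math.Sqrt(variance/n) / mean
	return cv, cv < maxCV
}

// sample builds constructed connect times from a list of gaps in seconds.
func sample(gapsSec ...float64) []time.Time {
	t := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	out := []time.Time{t}
	for _, g := range gapsSec {
		t = t.Add(time.Duration(g * float64(time.Second)))
		out = append(out, t)
	}
	return out
}

// PeriodicSample mimics a ~60s callback with jitter; IrregularSample mimics
// user-driven traffic. Both are constructed, not taken from a real trace.
func PeriodicSample() []time.Time  { return sample(60, 61, 59, 60, 62, 58) }
func IrregularSample() []time.Time { return sample(5, 90, 12, 400, 33) }
func main() { cv, f := BeaconScore(PeriodicSample()); fmt.Printf("cv=%.3f beaconing=%v\n", cv, f) }
```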
Save a behavioral baseline when you approve v1.2. When v1.3 ships, audit against the baseline and surface only what changed. Catches silent malicious updates without re-vetting unchanged behavior.
The tracer writes the raw event stream to JSONL. The replay command re-runs the detector pipeline offline — no eBPF, no privileges, runs anywhere Go runs including macOS directly. Iterate on detector logic without re-tracing.
Post-enrichment detector flags connections to ASNs on a curated bulletproof-hosting list. Catches traffic to infrastructure commonly associated with malware C2 and data exfiltration services.
Container-egress proxy with iptables redirect + injected CA. Catches TLS traffic from non-OpenSSL libraries (rustls, BoringSSL, GnuTLS) that uprobes can't hook. Complementary capture path — events flow into the same detector pipeline.
Built-in web interface with approval queue, org policy viewer, and report integrity verifier. Submit binaries, review REJECT/APPROVE verdicts, and verify SHA-256 report hashes — all from the browser. No CLI required for approvers.
Launch a live Windows VM via noVNC — watch the binary run in real time through the browser. WebSocket proxy streams VNC from the sandbox backend. Auto-reconnect on disconnect with 60s grace period. Clipboard paste from browser to VM supported.
Cross-compiled Windows agent deployed via EC2 user-data. Implements the Windows Service Control Protocol, reads its config from IMDS, plants honeytokens on the Desktop, and proxies TLS traffic via WinHTTP/WinINET interception, with IMDS and AWS endpoints exempted from interception.
Per-session EC2 Windows VMs spun up on demand. IAM profile for SSM access, IMDSv2-required at launch, auto-login with reboot for unattended operation. Loading page with branded status messages while the VM boots.
Organization-wide policy overlay: geographic restrictions (allowed/blocked countries), ASN block-lists, severity thresholds for auto-reject, per-detector auto-reject rules, external threat-intel feed files. Policy overrides per-vendor manifests.
Every report includes provenance: run ID, tracer version, Go version, host OS/arch, target SHA-256, manifest hash, honeytoken count, detector list. SHA-256 sidecar file + verify-report CLI for tamper detection. Reports are defensible evidence.
Catches binaries that spawn cryptocurrency miners — detects Stratum protocol patterns, mining pool connections, and suspicious CPU-intensive child processes. Because your vendor's "monitoring agent" shouldn't be mining Monero.
| Detector | Severity | Triggers On |
|---|---|---|
| HoneytokenHit | HIGH | Planted credential observed in outbound traffic |
| SandboxDetection | HIGH | Probes /proc/cpuinfo, /.dockerenv, etc. |
| Beaconing | HIGH | Regular-interval outbound connects (C2 pattern) |
| KnownBadASN | HIGH | Connect to bulletproof-hosting ASN |
| PIIOutbound | HIGH/MED/LOW | Credit cards, JWTs, emails in TLS payloads |
| VendorDiff | MEDIUM | Undeclared network destination |
| SensitivePath | MEDIUM | Read of credentials/PII path |
| HostFingerprint | MEDIUM | Read /etc/machine-id, MAC address |
| PersistencePath | MEDIUM/HIGH | Touch of cron/systemd/shell-rc paths |
| CryptoMining | HIGH | Stratum protocol patterns, pool connections |
| TimeManipulation | MEDIUM | Probes /etc/localtime, /etc/timezone (anti-analysis) |
| KnownBadDomain | HIGH | PTR matches .onion, ngrok, trycloudflare, etc. |
| GeoPolicy | HIGH | Connection to country blocked by org policy |
| NetworkDestination | INFO | Every unique destination (for the report) |
REJECT / REVIEW / APPROVE WITH CONDITIONS / APPROVE — a clear decision the approver can sign. Not raw logs, not a dashboard — a defensible document.
Each finding includes severity, the raw evidence (captured bytes, file paths, network destinations), and the detector that produced it. Unambiguous: "this binary read the planted AWS file and POSTed its contents to example.com."
Every observed destination enriched with PTR record, ASN, and country. Cross-referenced against the vendor's declared list. Undeclared destinations highlighted.