🔒

Protected Project

This is a private repository. Enter the PIN to view the project summary.

Live Demo

A misbehaving binary audited end-to-end in under 2 seconds

What you're watching: A test binary that reads planted AWS credentials, exfiltrates them over TLS, sends a fake credit card number, beacons to 1.1.1.1 at regular intervals, and probes for sandbox detection. app-audit catches all of it — 8 high-severity findings, 16 medium — and recommends REJECT in 1.98 seconds.

End-to-End Video

Web UI Screenshots

The built-in web UI provides a complete approval workflow — no CLI needed for reviewers.

Approval queue showing three audit runs with REJECT verdicts
Approval Queue — Every audit run lands here with its verdict, severity counts, and target path. Click any row to drill into the full report. The queue shows real-time results: "just now", "25 minutes ago", and a replayed JSONL audit from an hour ago.
Full audit report with REJECT verdict and severity summary
Audit Report — SHA-256 verified against the sidecar file. The report opens with the recommended decision (REJECT), severity breakdown (8 high, 16 medium), and the run window (1.983 seconds). Below: each finding with its detector, timestamp, and raw evidence bytes. This is what the approver signs.
Organization policy editor showing geo restrictions and auto-reject rules
Org Policy — Enterprise overlay with geographic restrictions (US, CA, GB, DE, FR, IE, NL, JP, AU allowed), blocked ASNs (bulletproof hosting), auto-reject threshold (medium), and auto-reject detectors (honeytoken_hit, crypto_mining, known_bad_asn, known_bad_domain). Policy overrides per-vendor manifests org-wide.
Report integrity verifier with SHA-256 sidecar upload
Verify Report — Upload any .report.md (or .report.html) and its .sha256 sidecar. The verifier recomputes the hash and confirms whether the report has been tampered with. Chain of custody from audit to boardroom.

What the Demo Binary Does

1. Reads /proc/cpuinfo looking for hypervisor brands (sandbox detection)
2. Reads /etc/machine-id (host fingerprinting)
3. Opens /root/.aws/credentials (planted honeytoken)
4. POSTs AWS keys to example.com over TLS (honeytoken exfiltration)
5. Sends GITHUB_TOKEN in Authorization header (honeytoken exfiltration)
6. Sends OPENAI_API_KEY in Go HTTPS POST body (honeytoken exfiltration)
7. Beacons to 1.1.1.1:443 every ~261ms (C2 pattern)
8. Sends SLACK_BOT_TOKEN to example.com (honeytoken exfiltration)
9. POSTs {"card":"4242424242424242","cvc":"123"} over TLS (PII leakage)
10. Reads /root/.bashrc (persistence probe)
Result: REJECT — 8 high, 16 medium, 0 low, 10 info findings in 1.98 seconds.