Graudit is a lightweight source code auditing tool built on grep and POSIX extended regular expressions.

With over 1,700 GitHub stars, the tool has earned its place as a practical reconnaissance scanner for security researchers.

The tool scans codebases for security vulnerabilities using signature databases that match dangerous function calls, insecure patterns, and common coding mistakes.

Comparable to other static analysis applications like RATS, SWAAT, and Flaw-finder, Graudit keeps technical requirements to a minimum while delivering effective results.

What is Graudit?

Graudit takes a fundamentally simple approach to static analysis: pattern matching with grep.

While this lacks the semantic understanding of more sophisticated tools, it provides several practical advantages.

Graudit runs on any POSIX system without compilation or complex setup.

It processes large codebases quickly since grep operates at near-disk-speed.

Security researchers can easily create and modify rules using familiar regular expression syntax.

The tool includes signature databases for common web languages and has been used to discover SQL injection, remote file inclusion, and command execution vulnerabilities in production applications.

Graudit compares favorably to RATS and Flawfinder while offering more flexibility in rule customization.

Key Features

Signature Databases

Graudit ships with curated signature files for multiple languages.

Each database contains patterns targeting language-specific security issues:

Database	Focus Areas
php.db	SQL injection, XSS, file inclusion, command execution
python.db	Pickle deserialization, subprocess calls, eval usage
perl.db	Taint mode violations, open() abuse, regex injection
c.db	Buffer overflows, format strings, unsafe functions
asp.db	Response.Write XSS, SQL concatenation
java.db	JNDI injection, XML parsing, deserialization
js.db	DOM XSS, eval patterns, prototype pollution

Minimal Dependencies

Graudit requires only standard POSIX utilities available on virtually any Unix-like system:

grep (GNU grep or compatible)
sed
awk
bash

No package managers, no compilation, no runtime environments.

Copy the script and databases to any server and start scanning immediately.

Custom Rule Development

Creating custom signatures involves writing regular expressions that match vulnerable patterns.

Rules can be as simple or complex as needed.

# Example custom signatures

# Match hardcoded passwords
password\s*=\s*["'][^"']+["']

# Match unsafe Python pickle usage
pickle\.loads?\(

# Match PHP file inclusion from user input
(include|require)(_once)?\s*\(\s*\$_(GET|POST|REQUEST)

# Match Java SQL concatenation
(executeQuery|executeUpdate)\s*\([^)]*\+

Output Formats

Graudit supports multiple output modes for different use cases:

Default: Colored terminal output with file paths and line numbers
-B: Machine-readable format for integration with other tools
-A: Show context lines around matches
-c: Count-only mode for quick statistics

Installation

Quick Install

# Clone the repository
git clone https://github.com/wireghoul/graudit.git
cd graudit

# Make executable
chmod +x graudit

# Optional: Add to PATH
sudo ln -s $(pwd)/graudit /usr/local/bin/graudit

Package Managers

# Kali Linux (included by default)
apt install graudit

# macOS via Homebrew
brew install graudit

# Arch Linux (AUR)
yay -S graudit

How to Use Graudit

Basic Scanning

# Scan a directory with default database
graudit /path/to/source

# Scan with specific language database
graudit -d php /var/www/html

# Scan a single file
graudit -d python app.py

Advanced Options

# Show context (3 lines before and after)
graudit -d java -A 3 /path/to/project

# Machine-readable output
graudit -d c -B src/

# Exclude specific patterns
graudit -d php -x "vendor/|tests/" /path/to/project

# Use multiple databases
graudit -d php -d js /path/to/project

# List available databases
graudit -l

Practical Examples

# Find SQL injection in PHP application
graudit -d php wordpress/wp-content/plugins/

# Audit Python Flask application
graudit -d python -d flask myapp/

# Check C code for buffer overflows
graudit -d c -A 5 firmware/src/

# Scan entire project with all relevant databases
graudit -d php -d js -d sql web_app/

Integration

GitHub Actions

name: Graudit Security Scan
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  graudit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Graudit
        run: |
          git clone https://github.com/wireghoul/graudit.git /tmp/graudit
          chmod +x /tmp/graudit/graudit

      - name: Run Security Scan
        run: |
          /tmp/graudit/graudit -d php -d js -B . > graudit-results.txt || true

      - name: Check for Critical Findings
        run: |
          if grep -q "HIGH" graudit-results.txt; then
            echo "Critical vulnerabilities found!"
            cat graudit-results.txt
            exit 1
          fi

      - name: Upload Results
        uses: actions/upload-artifact@v4
        with:
          name: graudit-results
          path: graudit-results.txt

GitLab CI

graudit-scan:
  stage: security
  image: kalilinux/kali-rolling
  before_script:
    - apt-get update && apt-get install -y graudit
  script:
    - graudit -d php -d python -d js -B . > graudit-report.txt || true
    - |
      ISSUES=$(wc -l < graudit-report.txt)
      echo "Found $ISSUES potential security issues"
      if [ "$ISSUES" -gt 100 ]; then
        echo "Too many issues found, review required"
        exit 1
      fi
  artifacts:
    paths:
      - graudit-report.txt
    expire_in: 1 week
  allow_failure: true

Pre-Commit Hook

#!/bin/bash
# .git/hooks/pre-commit

# Run graudit on staged PHP files
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.php$')

if [ -n "$STAGED_FILES" ]; then
    echo "Running Graudit security scan..."
    for FILE in $STAGED_FILES; do
        RESULT=$(graudit -d php -B "$FILE" 2>/dev/null)
        if [ -n "$RESULT" ]; then
            echo "Potential security issues in $FILE:"
            echo "$RESULT"
            FOUND_ISSUES=1
        fi
    done

    if [ "$FOUND_ISSUES" = "1" ]; then
        echo "Review findings before committing. Use --no-verify to skip."
        exit 1
    fi
fi

Creating Custom Databases

Database Format

Signature databases are plain text files with one regex pattern per line.

Comments start with #.

# myapp.db - Custom signatures for MyApp
# Author: Security Team
# Last updated: 2026-02-04

# Dangerous configuration patterns
DEBUG\s*=\s*True
ALLOWED_HOSTS\s*=\s*\[['"]?\*['"]?\]

# Insecure session settings
SESSION_COOKIE_SECURE\s*=\s*False

# Hardcoded secrets
(API_KEY|SECRET_KEY|PASSWORD)\s*=\s*["'][^"']{8,}["']

# Custom framework vulnerabilities
unsafe_render\s*\(
raw_sql_query\s*\(

Using Custom Databases

# Use custom database
graudit -d /path/to/myapp.db /path/to/project

# Combine with built-in databases
graudit -d php -d /path/to/custom.db /path/to/project

When to Use Graudit

Graudit works best as a fast first-pass scanner that identifies obvious security issues for further investigation.

The grep-based approach catches many common vulnerabilities without the setup complexity of full-featured SAST tools.

Consider Graudit when you need:

Quick security review of unfamiliar codebases
Lightweight scanning in CI pipelines without heavy dependencies
Custom rule development with familiar regex syntax
Auditing legacy code in languages with limited SAST support

Graudit has limitations inherent to pattern matching.

It cannot track data flow across functions, understand variable scope, or distinguish safe usages from vulnerable ones.

Expect false positives that require manual review.

For production security programs, combine Graudit with semantic analysis tools like Semgrep or CodeQL that understand code structure.

Graudit excels as a reconnaissance tool rather than a comprehensive security solution.