Vulnerability Analysis · source code audit · static analysis · grep · security flaws

graudit

Grep rough audit is a source code auditing tool that uses grep to find potential security flaws. It offers a simple, flexible alternative to tools like RATS, SWAAT, and flaw-finder with minimal technical requirements.

Description

graudit is a simple script and signature sets designed to identify potential security flaws in source code using the GNU utility grep. It functions as a static analysis tool comparable to other applications like RATS, SWAAT, and flaw-finder, while maintaining low technical requirements and high flexibility.

The tool is particularly useful for quickly scanning source codebases for common vulnerabilities without the overhead of more complex analysis suites. Users can customize scans with various options to tailor the audit to specific needs, such as database selection, file exclusions, and output formatting.

It supports multiple signature databases (one per language or technology) and provides options for context display, making it suitable for both initial assessments and detailed reviews. Because matching is purely pattern-based, the output is a list of candidate lines to review by hand rather than confirmed findings: expect false positives, and expect misses for anything a regular expression cannot express (data flow, taint, control flow).

How It Works

graudit runs GNU grep over the target path with a selected signature database, a plain text file containing one extended regular expression per line, and reports every source line that matches any pattern. It scans the specified paths, optionally including files it would otherwise skip ("unwanted and difficult" files), excludes file types given with -x, and prints context lines around each match for analysis. Output can be adjusted for readability with colour schemes, vim-friendly line formats, and a suppressed banner.
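The following is an added example, not graudit's own script or one of its databases: it reproduces the core of what graudit does (grep -nE -f over a signature file, recursively, with an optional exclusion glob) so the mechanism and its limits are visible. The signature database, the sample PHP/JS files and the helper names scan and count_hits are all constructed for this demonstration; graudit's real databases are larger and its invocation adds colouring and context lines.

```shell
#!/bin/sh
# Added example (not graudit's own code): minimal reproduction of the
# grep-based signature matching graudit performs.  A signature database is
# one extended regex per line; grep -rnE -f runs every pattern over the
# tree and prints file:line:matched-source.  Everything below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signature database (not graudit's real php.db).
# \b and \$ are literal-safe here because grep reads the file, not the shell.
cat > "$WORK/demo.db" <<'EOF'
\beval[[:space:]]*\(
\bsystem[[:space:]]*\(
\$_(GET|POST|REQUEST)\[
EOF

# Constructed sample source tree: two hits in app.php, one in vendor/lib.js
mkdir -p "$WORK/src/vendor"
cat > "$WORK/src/app.php" <<'EOF'
<?php
$cmd = $_GET['cmd'];
system($cmd);
echo "done";
EOF
cat > "$WORK/src/vendor/lib.js" <<'EOF'
eval(userInput);
EOF

# scan <dir> <db> [exclude-glob]
# Emulates graudit's walk: every pattern in <db> is tried against every
# file under <dir>; an optional glob mirrors graudit's -x exclusion.
# grep exits 1 when nothing matches, so "|| true" keeps set -e quiet.
scan() {
    dir=$1; db=$2; excl=${3:-}
    if [ -n "$excl" ]; then
        grep -rnE -f "$db" --exclude="$excl" "$dir" || true
    else
        grep -rnE -f "$db" "$dir" || true
    fi
}

# count_hits <dir> <db> [exclude-glob]: number of candidate lines reported.
# Note these are candidates, not findings: "echo" lines never match, but a
# commented-out system() call would, and a dynamically built call would not.
count_hits() {
    scan "$@" | grep -c . || true
}

# Usage: full scan, then the same scan with JavaScript excluded (like -x '*.js')
scan "$WORK/src" "$WORK/demo.db"
echo "hits: $(count_hits "$WORK/src" "$WORK/demo.db")"
echo "hits without js: $(count_hits "$WORK/src" "$WORK/demo.db" '*.js')"
```

The exclusion glob is passed quoted so the shell does not expand it against files in the current directory before grep sees it; the same caveat applies to graudit's own -x option.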

Installation

bash
sudo apt install graudit

Flags

-d <dbname>   database to use or /path/to/file.db (uses default if not specified)
-A            scan unwanted and difficult (ALL) files
-x <list>     exclude these files (comma separated list: -x '*.js,*.sql')
-i            case-insensitive scan
-c <num>      number of lines of context to display, default is 2
-B            suppress banner
-L            vim friendly lines
-b            colour blind friendly template
-z            suppress colours
-Z            high contrast colours
-l            lists databases available
-v            prints version number

Examples

Displays the help banner and usage information for graudit
graudit -h
Performs a basic scan of the specified path using the default database
graudit /path/to/scan
Scans the path using a custom database file
graudit -d custom.db /path/to/scan
Scans all files including unwanted and difficult ones
graudit -A /path/to/scan
Scans the path while excluding JavaScript and SQL files (quote the list so the shell does not expand the globs before graudit sees them)
graudit -x '*.js,*.sql' /path/to/scan
Performs a case-insensitive scan of the path
graudit -i /path/to/scan
Scans with 5 lines of context displayed per match
graudit -c 5 /path/to/scan
Lists available databases
graudit -l
Updated 2026-04-16. Source: kali.org