Audit your dependencies.

GoAudit checks whether an npm / pnpm / bun install or a curl | sh script is malicious by running it in a sandbox and tracing what it actually does.

go install github.com/KushalMeghani1644/GoAudit-CLI/cmd/goaudit@latest

Catch malicious behavior

Runs the install or script inside a sandbox seeded with decoy honeypot files and traces it for unexpected file access, environment variable theft (reads of /proc/self/environ), process injection (ptrace), fileless execution (memfd_create), and backdoor listeners.

Intelligent False Positive Filtering

Our tracing engine cuts noise by deduplicating repeated network calls, suppressing expected behavior (package manager registry queries, default lifecycle scripts), and ignoring benign sandbox initialization (su/PAM setuid operations).
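The isolation comes from the sandbox, but the detection step is essentially one pass over a syscall trace with a handful of rules plus the noise filters described above. The Go program below is an added example and is not GoAudit's code: it runs that idea over a constructed strace-style trace, flagging reads of decoy paths and /proc/self/environ, ptrace, memfd_create and listen(), while suppressing connects to the registry address and reporting repeated identical events only once. The trace lines, PIDs, addresses, decoy paths and rule names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one event from the traced install that is worth reporting.
type Finding struct {
	Severity string // "critical" or "warning"
	Rule     string
	Detail   string
}

// sampleTrace is constructed strace -f style output for a fictitious install; the
// format, PIDs and addresses are assumptions made for this example, not real data.
const sampleTrace = `1203 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("104.16.1.35")}, 16) = 0
1203 openat(AT_FDCWD, "/root/.npm/_cacache/index-v5", O_RDONLY) = 7
1207 openat(AT_FDCWD, "/root/.aws/credentials", O_RDONLY) = 8
1207 openat(AT_FDCWD, "/proc/self/environ", O_RDONLY) = 9
1207 connect(10, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
1207 connect(11, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
1208 memfd_create("payload", MFD_CLOEXEC) = 12
1208 ptrace(PTRACE_ATTACH, 1203, NULL, NULL) = 0
1209 listen(13, 128) = 0`

var (
	// Decoy files seeded into the sandbox before the run; nothing legitimate reads them.
	decoys = map[string]string{"/root/.aws/credentials": "AWS credentials", "/root/.ssh/id_rsa": "SSH private key"}
	// Addresses the package manager is expected to contact (assumed to be resolved from
	// the registry hostname before the run); connects to them are suppressed as noise.
	registryAddrs = map[string]bool{"104.16.1.35": true}
	callRe        = regexp.MustCompile(`^\d+ (\w+)\(`)
	openRe        = regexp.MustCompile(`^\d+ openat\(AT_FDCWD, "([^"]+)"`)
	connectRe     = regexp.MustCompile(`sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)`)
	environRe     = regexp.MustCompile(`^/proc/(self|\d+)/environ$`)
)

// Analyze walks the trace once, applies the rules and returns deduplicated
// findings in the order they first occurred.
func Analyze(trace string) []Finding {
	var findings []Finding
	seen := map[string]bool{}
	add := func(key, severity, rule, detail string) {
		if !seen[key] { // repeated identical events (e.g. retried connects) are reported once
			seen[key] = true
			findings = append(findings, Finding{severity, rule, detail})
		}
	}
	for _, line := range strings.Split(trace, "\n") {
		m := callRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		switch m[1] {
		case "openat":
			if p := openRe.FindStringSubmatch(line); p != nil {
				if what, ok := decoys[p[1]]; ok {
					add("open:"+p[1], "critical", "CREDENTIAL THEFT", fmt.Sprintf("read decoy %s (%s)", p[1], what))
				} else if environRe.MatchString(p[1]) {
					add("open:"+p[1], "critical", "ENVIRONMENT VARIABLE THEFT", "read "+p[1])
				}
			}
		case "connect":
			if c := connectRe.FindStringSubmatch(line); c != nil && !registryAddrs[c[2]] {
				add("connect:"+c[2]+":"+c[1], "warning", "UNEXPECTED NETWORK", fmt.Sprintf("connect to %s:%s", c[2], c[1]))
			}
		case "ptrace":
			add("ptrace", "critical", "PROCESS INJECTION", "ptrace() on another process")
		case "memfd_create":
			add("memfd_create", "critical", "FILELESS EXECUTION", "anonymous in-memory file created")
		case "listen":
			add("listen", "critical", "BACKDOOR LISTENER", "process started listening on a socket")
		}
	}
	return findings
}

// Verdict maps findings to a verdict: any critical finding is malicious,
// warnings alone are suspicious, no findings is clean.
func Verdict(findings []Finding) string {
	verdict := "clean"
	for _, f := range findings {
		if f.Severity == "critical" {
			return "malicious"
		}
		verdict = "suspicious"
	}
	return verdict
}

func main() {
	findings := Analyze(sampleTrace)
	for i, f := range findings {
		fmt.Printf("%d. [%s] %s: %s\n", i+1, f.Severity, f.Rule, f.Detail)
	}
	fmt.Println("Verdict:", Verdict(findings))
}
```

On the sample trace the registry connect and the npm cache read produce nothing, the two connects to 203.0.113.9:4444 collapse into a single warning, and the remaining five events are critical, so the verdict is malicious. A real implementation would resolve the registry hostnames before the run and treat the sandbox's own setuid/PAM calls the same way the registry address is treated here.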

Full Project Scanning

Use scan-project to analyze an entire JavaScript project: it resolves the lockfile and runs static registry checks for metadata anomalies and lifecycle scripts.

Advanced Controls

Configure the sandbox with flags such as --network off and --run-as-root, or tune how upgrades are handled with --upgrade-mode. JSON output (--ci) is available for CI/CD integration.

$ goaudit scan "cat ~/.aws/credentials"
╭─────────────────────────────────────────────╮
│ GoAudit Report: cat ~/.aws/credentials      │
╰─────────────────────────────────────────────╯
🚨 Verdict: malicious (confidence: 95)
🛡️ Sandbox: gVisor (runsc)
🔴 Critical Findings
1. CREDENTIAL THEFT: /root/.aws/credentials
└─ Read sensitive files like SSH keys, AWS credentials, or .env secrets
📋 Summary: 1 critical, 0 warnings, 0 informational
DO NOT INSTALL this package.

$ goaudit scan-project .
╭─────────────────────────────────────────────╮
│ GoAudit Report: scan-project .              │
╰─────────────────────────────────────────────╯
⚠️ Verdict: suspicious (confidence: 45)
⚠️ Sandbox: runc (install gVisor for stronger isolation)
⚠️ Warnings
1. PACKAGE HAS LIFECYCLE SCRIPT
└─ The package defines a lifecycle script in its registry metadata
📋 Summary: 0 critical, 1 warnings, 0 informational
Use --ci for full JSON output.