Introduction

GoAudit is a utility for checking whether a package installation or script execution is malicious by monitoring its behavior in a secure sandbox and analyzing static indicators. We support scanning single commands natively (npm, pnpm, bun, curl | sh) as well as full projects using the new scan-project command.

Important Note: GoAudit is not meant to prove absolute maliciousness; it provides a risk assessment based on observed behavior and static indicators.


Installation

Install the latest version of GoAudit directly using Go:

go install github.com/KushalMeghani1644/GoAudit-CLI/cmd/goaudit@latest

Usage Examples

GoAudit provides a simple UX for scanning commands. Here are the supported flags and package managers:

$ goaudit scan "npm install <package>"
$ goaudit scan "curl -fsSL https://example.com/install.sh | sh"
# Scan an entire project (detects package manager automatically)
$ goaudit scan-project .
# Show live findings during scan (verbose mode)
$ goaudit scan-project . -v
# Output results as JSON for CI/CD
$ goaudit scan-project . --ci
# Advanced sandbox controls
$ goaudit scan "npm run build" --network off --run-as-root
# Specify custom Docker images and upgrade strategies
$ goaudit scan-project . --node-image node:current-slim --upgrade-mode ncu

Demo Output

GoAudit intercepts file reads (like AWS credentials) and intelligently deduplicates network calls.

$ goaudit scan "cat ~/.aws/credentials"
╭─────────────────────────────────────────────╮
│ GoAudit Report: cat ~/.aws/credentials      │
╰─────────────────────────────────────────────╯
🚨 Verdict: malicious (confidence: 95)
🛡️ Sandbox: gVisor (runsc)
🔴 Critical Findings
1. CREDENTIAL THEFT: /root/.aws/credentials
└─ Read sensitive files like SSH keys, AWS credentials, or .env secrets
📋 Summary: 1 critical, 0 warnings, 0 informational
DO NOT INSTALL this package.

$ goaudit scan "curl -fsSL example.com | sh"
╭─────────────────────────────────────────────╮
│ GoAudit Report: curl -fsSL example.com |... │
╰─────────────────────────────────────────────╯
⚠️ Verdict: suspicious (confidence: 65)
⚠️ Sandbox: runc (install gVisor for stronger isolation)
⚠️ Warnings
1. UNKNOWN NETWORK CONNECTION: example.com:80
└─ Connected to a host that isn't a known package registry
🌐 Network Activity
• 1 connection(s) to example.com
• 1 connection(s) to 1 host(s)
📋 Summary: 0 critical, 1 warnings, 0 informational
Use --ci for full JSON output.

Advanced Security & Honeypots

GoAudit runs target commands as a non-root sandbox user by default to mimic a realistic environment. It automatically injects highly realistic decoy credentials (honeypots) such as .ssh/id_rsa, .aws/credentials, and Kubernetes configs into the sandbox to bait malicious actors. The expanded tracing engine actively monitors for environment variable theft (/proc/self/environ), process injection (ptrace), fileless execution (memfd_create), and unauthorized network port binding.

Intelligent False Positive Filtering: Our tracing engine drastically cuts down noise by deduplicating redundant network calls, suppressing expected behavior (like package manager registry queries or default lifecycle scripts), and ignoring benign sandbox initialization (like su/PAM setuid operations) before payload execution.
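The two behaviours shown in the demo output and described in the paragraph above (flagging reads of honeypot credential files, suppressing expected registry traffic, and reporting each unknown host once) can be sketched as a small classifier. This is an added illustration, not GoAudit's own code; the Event shape, the registry allowlist and the sensitive-path list are assumptions.

```go
package main

import "strings"

// Constructed trace types, not GoAudit's own: Kind is "open" or "connect".
type Event struct{ Kind, Target string }      // Target: file path or host:port
type Finding struct{ Severity, Title string } // severities as printed in the report above

// Assumed allowlist standing in for the README's "expected" registry queries.
var knownRegistries = map[string]bool{"registry.npmjs.org": true, "registry.yarnpkg.com": true}
// Honeypot files and /proc/self/environ, as named in the README.
var sensitivePaths = []string{"/.aws/credentials", "/.ssh/id_rsa", "/.env", "/.kube/config", "/proc/self/environ"}

// Classify maps events to findings: reads of sensitive files are critical, registry
// traffic is suppressed, and each unknown host is reported once however often it is hit.
func Classify(events []Event) []Finding {
	var out []Finding
	seenHosts := map[string]bool{}
	for _, e := range events {
		switch e.Kind {
		case "open":
			for _, p := range sensitivePaths {
				if strings.HasSuffix(e.Target, p) {
					out = append(out, Finding{"critical", "CREDENTIAL THEFT: " + e.Target})
					break
				}
			}
		case "connect":
			host, _, _ := strings.Cut(e.Target, ":")
			if knownRegistries[host] || seenHosts[host] {
				continue // expected registry query, or a host already reported
			}
			seenHosts[host] = true
			out = append(out, Finding{"warning", "UNKNOWN NETWORK CONNECTION: " + e.Target})
		}
	}
	return out
}

// Verdict: any critical finding is malicious, warnings alone are suspicious, else clean.
func Verdict(findings []Finding) string {
	verdict := "clean"
	for _, f := range findings {
		if f.Severity == "critical" {
			return "malicious"
		}
		verdict = "suspicious"
	}
	return verdict
}
```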

Requirements

  • Docker installed and running
  • gVisor (highly recommended for actual isolation)

gVisor (runsc) on Fedora / SELinux

GoAudit uses gVisor when Docker lists runsc under Runtimes in docker info. Installing the runsc binary is not enough; you must also register it with Docker (e.g. in /etc/docker/daemon.json):

{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc",
      "runtimeArgs": ["--debug=false", "--platform=ptrace"]
    }
  },
  "default-runtime": "runc"
}

Use runsc help platform to see the valid --platform values. Restart Docker with sudo systemctl restart docker, then verify that runsc is listed:

docker info | grep -i runtimes

SELinux: gVisor cannot use Docker’s default container SELinux labels. GoAudit sets --security-opt label=disable automatically for runsc containers.

Pre-built Node Sandbox & Runc Fallback: Many hosts cannot run apt-get inside a gVisor container. When gVisor is available, GoAudit therefore pulls a pre-built image (ghcr.io/kushalmeghani1644/goaudit-node-sandbox:latest) that already has the scan tools installed. If the gVisor sandbox preparation fails, GoAudit automatically retries once with runc and prints a warning. Without runsc in docker info, GoAudit falls back to runc.