A collection of experimental security tools and proof-of-concepts developed during security research. These tools are designed for educational purposes and defensive security analysis.
Path: tools/devsec-audit/
A comprehensive security scanner for development environments, inspired by Lynis. Scans projects for security misconfigurations across Git, Docker, VS Code, exposed secrets, and smart contract development (Foundry).
- Multi-module security scanning (Git, Docker, VS Code, Secrets, Foundry)
- Configurable exclusions to reduce false positives
- Multiple output formats (text, JSON, HTML)
- CI/CD integration support
- Lockfile tampering detection
Quick Start:
cd tools/devsec-audit
just run --target /path/to/projectPath: tools/vscode-extension-inspector/
A Python tool for monitoring and analyzing VSCode marketplace extensions. Helps identify potentially malicious extensions through metadata analysis, download patterns, and publisher verification.
- Search extensions by keywords, tags, and dates
- Suspicious pattern detection (unverified publishers, low downloads, etc.)
- Download extensions for deeper analysis
- Continuous monitoring with Discord alerts
- Publisher verification checks
Quick Start:
cd tools/vscode-extension-inspector
python VSExInspector.py --keywords "solidity,ethereum" --analyzePaths: tools/backdoored-test-repo/, tools/backdoored-test-repo-2/
Intentionally vulnerable test repositories containing various security issues for testing security tools and demonstrating attack vectors. These repositories contain examples of:
- Git configuration vulnerabilities
- Exposed secrets and credentials
- Docker security misconfigurations
- VS Code malicious tasks and settings
- Supply chain attack vectors (lockfile tampering, typosquatting)
- Smart contract security issues (FFI usage, dangerous configurations)
Note: These are intentionally insecure repositories for testing purposes only.
Each tool has its own README with detailed installation and usage instructions. Most tools are designed to run independently with minimal setup.
- Python 3.7+
- Git
- Basic command-line familiarity
Most tools follow these patterns:
- uv (recommended):
uv run python script.py - Just:
just run(where available) - Direct:
python script.py - Docker: Available for some tools
This repository contains experimental research tools. While contributions are welcome, please note:
- Tools may have incomplete features or documentation
- Breaking changes can occur without notice
- Focus is on security research rather than production stability
- Each tool maintains its own coding standards
These tools are provided for educational and research purposes only. Users are responsible for:
- Complying with applicable laws and regulations
- Using tools ethically and responsibly
- Understanding the risks of experimental software
- Properly securing any sensitive data encountered
See the LICENSE file for details.