credaudit

Retired — functionality merged into credsweep.

retired 2026-05-29

This tool has moved

credaudit was a Python CLI for hardcoded credential scanning. Its detection patterns (53 across cloud credentials, tokens, API keys, connection strings, private keys, and generic assignments), Shannon-entropy validation, git-history scan, and false-positive filtering have been absorbed into credsweep — the Rust replacement.
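The entropy gate mentioned above is the part of the pipeline most worth understanding before you trust a scanner's output: a pattern match alone flags every `SECRET = "changeme"`, and it is the Shannon-entropy check plus a placeholder filter that separates real tokens from fixtures. The following is an added illustration, not credaudit's or credsweep's own code; the thresholds (4.5 bits/char for base64-like values, 3.0 for hex, 16-character minimum), the placeholder word list and the sample config are assumptions made up for this example.

```rust
// Added example: Shannon-entropy validation of candidate secrets pulled from
// `NAME = "value"` assignments, with a placeholder filter for false positives.
// Not credaudit/credsweep code; thresholds and the placeholder list are assumed.

use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character: -sum(p_i * log2 p_i).
pub fn shannon_entropy(s: &str) -> f64 {
    if s.is_empty() {
        return 0.0;
    }
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Assumed cut-offs. Hex has at most 4 bits/char, so it gets a lower bar than
/// base64-like material (at most 6 bits/char).
pub const MIN_ENTROPY_BASE64: f64 = 4.5;
pub const MIN_ENTROPY_HEX: f64 = 3.0;
pub const MIN_LEN: usize = 16;

/// Assumed placeholder fragments; any match is dropped regardless of entropy.
const PLACEHOLDERS: &[&str] = &["changeme", "example", "placeholder", "your_", "xxxx", "dummy"];

pub fn looks_like_placeholder(value: &str) -> bool {
    let lower = value.to_ascii_lowercase();
    PLACEHOLDERS.iter().any(|p| lower.contains(p))
}

/// True when `value` is long enough, is not a known placeholder, and clears the
/// entropy threshold for its alphabet.
pub fn is_probable_secret(value: &str) -> bool {
    if value.len() < MIN_LEN || looks_like_placeholder(value) {
        return false;
    }
    let is_hex = value.chars().all(|c| c.is_ascii_hexdigit());
    let threshold = if is_hex { MIN_ENTROPY_HEX } else { MIN_ENTROPY_BASE64 };
    shannon_entropy(value) >= threshold
}

/// Scan `NAME = "value"` lines; return (line number, name, value) for each hit.
pub fn scan_assignments(src: &str) -> Vec<(usize, String, String)> {
    let mut hits = Vec::new();
    for (i, line) in src.lines().enumerate() {
        let (lhs, rhs) = match line.split_once('=') {
            Some(parts) => parts,
            None => continue,
        };
        let name = lhs.trim();
        let value = rhs.trim().trim_matches(|c: char| c == '"' || c == '\'' || c == ';');
        if is_probable_secret(value) {
            hits.push((i + 1, name.to_string(), value.to_string()));
        }
    }
    hits
}

/// Constructed sample config: two real-looking tokens among four fixtures.
pub const SAMPLE: &str = r#"# constructed sample, not a real config
DB_PASSWORD = "changeme"
API_KEY = "your_api_key_here_000000"
SESSION_SECRET = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
AWS_SECRET_ACCESS_KEY = "kT9mZ2qX7vP4nW0cR8bL1sD5gJ6hF3yA+uEMw/oI"
HMAC_KEY = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
LOG_LEVEL = "debug"
"#;

fn main() {
    for (ln, name, value) in scan_assignments(SAMPLE) {
        println!("line {}: {} = {} (entropy {:.2} bits/char)", ln, name, value, shannon_entropy(&value));
    }
}
```

Only the two high-entropy values are reported: `changeme` and `debug` fail the length check, the `your_` key is dropped by the placeholder filter, and the run of `a` characters has zero entropy despite being long enough. A baseline/allow-list layer, as credsweep provides, is then what handles the remaining true-but-accepted findings rather than further tuning of the threshold.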

Use credsweep going forward. It is a single Rust binary and supports --git history scanning, --baseline / --update for CI workflows, an operator-maintained --allow-list, --install-hook for pre-commit integration, and SARIF output for GitHub Code Scanning.

Migration

# Old (credaudit)
curl -fsSL https://cli.johlem.net/install.sh | bash -s -- credaudit
credaudit scan ./src

# New (credsweep)
curl -fsSL https://cli.johlem.net/install.sh | bash -s -- credsweep
credsweep --path ./src

# CI workflow (new capability)
credsweep --path . --baseline                 # snapshot existing findings
credsweep --path . --update                   # surface only NEW credentials
credsweep --git --path . --output sarif       # scan history, emit SARIF

Why retired?

credaudit (Python) and credsweep (Rust) overlapped in scope. The 2026-05-29 suite audit recommended merging them so the catalogue carries one credential scanner rather than two with diverging pattern sets. credsweep ships as a single Rust binary that can be deployed on hardened client environments where Python cannot be installed.

→ Go to credsweep