tahr-audit-secrets-config
Tahr Audit Secrets and Config
Find configuration and supply-chain weaknesses that become real attacker capabilities. Do not turn a keyword, permissive development setting, or package advisory into a vulnerability without proving production relevance and reachability.
Establish scope and safety
Inspect source, committed configuration, lockfiles, build files, IaC, containers, CI/CD, and documentation read-only by default. Inspect git history only when the user includes it. Do not search unrelated home directories, credential stores, or .git working metadata.
Never validate a discovered credential against a live provider unless the user explicitly authorizes that exact action and the account is disposable. Never print, copy, commit, or persist a raw secret. Record type, file and line, source, scope, length, a short redacted preview, and a SHA-256 fingerprint.
Read references/config-audit-matrix.md for the audit families. Read references/exploitability-research.md before using advisory or CVE information.
Inventory every configuration plane
Enumerate: