Certmole is a lightweight DevSecOps CLI tool that recursively audits filesystems for cryptographic assets. It automatically detects x509 certificates and validates exposed private keys. By compiling into a single zero-dependency binary, it integrates seamlessly into local workflows and CI/CD pipelines to catch credential leaks before deployment.
Imagine that you have hundreds of application repositories, configuration directories, and containerized environments scattered across your infrastructure, with no centralized way to track where all of your SSL/TLS assets live.
Previously, security auditing was a manual, error-prone checklist. Teams had to rely on developers remembering not to commit raw root keys, or on ops engineers tracking certificate expiration dates in an Excel spreadsheet—frequently leading to unexpected production outages when a single certificate expired unnoticed or a private key leaked into a public container build.
This is when Certmole can help you!
With Certmole, infrastructure auditing becomes fully automated, instantaneous, and proactive. The lightweight binary seamlessly hooks into local pre-commit workflows or CI/CD pipelines, digging deep into filesystems to uncover cryptographic files, flag upcoming expirations, and block credential leaks long before they ever reach a production environment.
- High-Speed Recursive Scanning: Burrows recursively into directories, smoothly bypassing system files or locked permissions without crashing.
- Format Agnostic Parsing: Parses both text-based PEM bundles (Base64-encoded ASCII) and binary ASN.1 structures (DER).
- Zero Runtimes or Dependencies: Written entirely in Go—compiles into a standalone binary that can run instantly without requiring Node.js, Python, or Java on the target machine.
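To make the feature list above concrete, here is an added example of the kind of sweep it describes, written for this page and not taken from the Certmole code base. It walks a directory, examines every PEM block it finds (certificates, plus unencrypted PKCS#8, PKCS#1 and SEC 1 private keys, which are reported only if they actually parse, so a stray header in a text file is not a false positive), falls back to treating non-PEM files as a single DER certificate, and reports days until expiry. The `Finding`, `Classify`, `ScanDir` and `SelfSignedPEM` names are this example's own; `SelfSignedPEM` only builds constructed sample data so the scanner can be exercised offline, and unreadable entries are skipped so the sweep keeps going, mirroring the first bullet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Finding is one cryptographic asset located by the scan (example type, not Certmole's).
type Finding struct {
	Path     string    // file the asset was read from
	Kind     string    // "certificate" or "private-key"
	Subject  string    // certificate subject; empty for keys
	NotAfter time.Time // certificate expiry; zero for keys
}

// DaysLeft is the number of whole days until expiry at time now (negative means expired).
func (f Finding) DaysLeft(now time.Time) int {
	return int(f.NotAfter.Sub(now).Hours() / 24)
}

// Classify examines every PEM block in data (bundles are common); with no PEM at all,
// the bytes are tried as a single DER-encoded certificate.
func Classify(path string, data []byte) []Finding {
	var out []Finding
	addCert := func(der []byte) {
		if c, err := x509.ParseCertificate(der); err == nil {
			out = append(out, Finding{path, "certificate", c.Subject.String(), c.NotAfter})
		}
	}
	for rest := data; ; {
		block, r := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = r
		keyErr := fmt.Errorf("unhandled PEM type %q", block.Type) // CSRs, encrypted keys, ...
		switch block.Type {
		case "CERTIFICATE":
			addCert(block.Bytes)
		case "PRIVATE KEY": // PKCS#8, any algorithm
			_, keyErr = x509.ParsePKCS8PrivateKey(block.Bytes)
		case "RSA PRIVATE KEY": // PKCS#1
			_, keyErr = x509.ParsePKCS1PrivateKey(block.Bytes)
		case "EC PRIVATE KEY": // SEC 1
			_, keyErr = x509.ParseECPrivateKey(block.Bytes)
		}
		if keyErr == nil { // the header alone is not proof of a leak: the key must parse
			out = append(out, Finding{Path: path, Kind: "private-key"})
		}
	}
	if len(out) == 0 {
		addCert(data)
	}
	return out
}

// ScanDir walks root recursively; unreadable entries are skipped instead of aborting the sweep.
func ScanDir(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.Walk(root, func(p string, _ os.FileInfo, err error) error {
		// Walk errors (e.g. permission denied) and directories both fail ReadFile; skip them.
		if data, rerr := os.ReadFile(p); err == nil && rerr == nil {
			all = append(all, Classify(p, data)...)
		}
		return nil
	})
	return all, err
}

// SelfSignedPEM builds a throwaway self-signed certificate and its key (both PEM) expiring
// `days` days from now. Constructed sample data only, so the scanner can run offline.
func SelfSignedPEM(cn string, days int) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	kb, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb}), nil
}

func main() {
	findings, _ := ScanDir(".") // scans the current directory; a real tool would take a path argument
	for _, f := range findings {
		fmt.Printf("%-12s %s %s (expires in %d days)\n", f.Kind, f.Path, f.Subject, f.DaysLeft(time.Now()))
	}
}
```

`go run` on this file lists every certificate and unencrypted key under the working directory. The one design point worth copying is the parse-before-report rule in `Classify`: matching on `-----BEGIN ... PRIVATE KEY-----` headers alone produces noise from documentation and test fixtures, whereas a key that decodes through the standard library parsers is a real leak.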
curl -fsSL https://raw.githubusercontent.com/xinlong69/certmole/main/scripts/install/install.sh | sh

powershell -ExecutionPolicy ByPass -c "irm https://raw.githubusercontent.com/xinlong69/certmole/main/scripts/install.ps1 | iex"
Certmole is built around simplicity. Point the CLI tool to any directory target path to kick off an audit sweep:
certmole .

certmole /etc/nginx/certs/

Contributions, bug reports, and feature proposals are highly welcome!

To start developing locally, clone the repository:

git clone https://github.com/xinlong69/certmole.git

Run code validation and tests:

make test

Build your custom binary:

make build

Please ensure that you run the code formatting and vet scripts inside the scripts/ directory before opening a Pull Request.
This repository is licensed under the MIT License.