Security scanner for developer environments
obacht inspects your local development setup for security misconfigurations — insecure file permissions, exposed credentials, weak SSH/Git settings, risky Docker access — using an embedded OPA engine and Rego policies. It is lightweight, read-only, and requires no agent or endpoint management platform.
- 98 built-in rules across 12 categories: SSH, Git, Docker, Kubernetes, env, shell, tools, PATH, OS, credentials, privacy
- OPA-powered with an embedded Rego engine — no external dependencies
- Read-only collectors — never modifies system state
- Extensible via `--rules-dir` for custom Rego policies
- Pretty TUI or machine-readable JSON output for CI
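As an added illustration of what a custom policy loaded through `--rules-dir` can look like (example code written for this page, not from the obacht project): a Rego module that flags an SSH client configuration with host-key checking disabled and private keys that are readable by other users. obacht's real package name, rule entry point and collector input schema are not shown on this page, so the `obacht.custom.ssh` package, the `deny` rule and the `input.ssh.config` / `input.ssh.private_keys` fields are assumptions; check `obacht explain <rule>` and the project's built-in rules for the actual conventions before relying on it.

```rego
# Example policy, not part of obacht. The input layout described below is an
# assumption about what a read-only collector might hand to the policy engine;
# adapt it to obacht's real schema.
package obacht.custom.ssh

import rego.v1

# Assumed input shape (constructed for this example):
#   input.ssh.config:       [{"file": "~/.ssh/config", "key": "StrictHostKeyChecking", "value": "no"}, ...]
#   input.ssh.private_keys: [{"path": "~/.ssh/id_ed25519", "mode": "0644"}, ...]

# File modes that keep a private key readable only by its owner.
safe_key_modes := {"0600", "0400"}

# Host-key checking disabled: a machine-in-the-middle on the network can
# impersonate any host without the client noticing.
deny contains finding if {
	some opt in input.ssh.config
	lower(opt.key) == "stricthostkeychecking"
	lower(opt.value) == "no"
	finding := {
		"id": "custom-ssh-host-key-checking-disabled",
		"severity": "high",
		"message": sprintf("StrictHostKeyChecking=no in %s", [opt.file]),
	}
}

# Private key readable by group or world: any local user or process running
# under another account can copy it.
deny contains finding if {
	some key in input.ssh.private_keys
	not key.mode in safe_key_modes
	finding := {
		"id": "custom-ssh-private-key-permissions",
		"severity": "high",
		"message": sprintf("%s has mode %s, expected 0600", [key.path, key.mode]),
	}
}
```

Because the policy depends only on the input document, it can be exercised with the standalone OPA CLI before wiring it into obacht: `opa eval -i input.json -d custom.rego 'data.obacht.custom.ssh.deny'` prints the set of findings for a hand-written `input.json` in the assumed shape.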
Docker

```sh
docker run --rm foomo/obacht:latest scan
```

Multi-arch images (amd64, arm64) are published to Docker Hub.
mise

```sh
mise use github:foomo/obacht
```

or run directly:

```sh
mise x github:foomo/obacht -- scan
```

See mise.jdx.dev.
Binary release
Download the archive for your OS/arch from the releases page and extract obacht into your $PATH.
go install

```sh
go install github.com/foomo/obacht/cmd/obacht@latest
```

Requires Go 1.26+.
```text
$ obacht --help
Security configuration scanner for developer environments

Usage:
  obacht [flags]
  obacht [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  doctor      Check obacht dependencies and configuration
  explain     Show detailed information about a rule
  help        Help about any command
  scan        Scan the local development environment for security issues

Flags:
      --format string      output format (pretty, json) (default "pretty")
  -h, --help               help for obacht
      --rules-dir string   use rules from this directory instead of embedded rules
      --verbose            enable verbose output
  -v, --version            version for obacht

Use "obacht [command] --help" for more information about a command.
```

Contributions are welcome! Please read the contributing guide.
Distributed under MIT License, please see license file within the code for more details.