cfgaudit is a newly released open-source tool written in Go, aimed at enhancing the security of AI agent configurations. It functions as a security auditor, scanning configuration files for AI coding assistants like Claude Code and Cursor to detect settings that could lead to security vulnerabilities. The tool identifies issues such as unrestricted Bash patterns in permissions, dangerous commands with wildcard arguments, hardcoded secrets in environment blocks, and configurations that weaken or hijack the execution sandbox.
Key features of cfgaudit include scope-aware findings, which categorize issues based on whether they originate from project, project-local, or user-global settings, with user-global findings escalating in severity due to their broader impact. It also incorporates version gating, allowing rules to be skipped if the detected Claude Code version is below a required minimum. The tool supports SARIF 2.1.0 output for integration into existing security workflows and offers CLI flags for rule selection and finding suppression. cfgaudit aims to provide developers with a robust mechanism to maintain secure AI agent configurations, aligning with DevSecOps practices.