KEYHUNT

Scan firmware blobs and filesystem dumps for hardcoded private keys, API tokens, default creds, and weak RSA/ECC material.

IoT / OT / Embedded — firmware, buses, and device security.

pip install cognis-keyhunt
keyhunt scan .            # → prioritized findings in seconds

Usage — step by step

1. Install the scanner:

   pip install cognis-keyhunt

2. Scan a tree (e.g. an extracted firmware image or filesystem dump) for hardcoded keys, tokens, and default creds:

   keyhunt scan /tmp/firmware_extracted

3. Filter by severity and emit JSON for CI or jq:

   keyhunt scan ./dump --severity high --format json | jq '.findings[] | select(.severity=="critical")'

4. Read the result. Secrets are redacted by default; pass --show-secrets to print full values. Exit code 0 = no findings, 1 = one or more secrets found, 2 = usage/runtime error.

5. Gate a build. keyhunt's exit code makes it a drop-in CI check:

   keyhunt scan ./build --severity high || { echo 'hardcoded secrets found'; exit 1; }

Contents

• Why keyhunt? · Features · Quick start · Example · Architecture · AI stack · How it compares · Integrations · Install anywhere · Related · Contributing

Why keyhunt?

Instant gratification — point at any router firmware and get 'hardcoded root SSH key shared across 2M devices.' Universal hardcoded-cred findings are reliably front-page.

keyhunt is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.

↑ back to top

Features

• ✅ Scan Bytes
• ✅ Scan File
• ✅ Iter Files
• ✅ Scan Path
• ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
• ✅ Ports in Python, JavaScript, Go, and Rust (ports/)

↑ back to top

Quick start

pip install cognis-keyhunt
keyhunt --version
keyhunt scan .                       # scan current project
keyhunt scan . --format json         # machine-readable
keyhunt scan . --fail-on high        # CI gate (non-zero exit)

↑ back to top

Example

$ keyhunt scan .
  [HIGH    ] KEY-001  example finding             (./src/app.py)
  [MEDIUM  ] KEY-002  another signal              (./config.yaml)

  2 findings · risk score 5 · 38ms

↑ back to top

Architecture

flowchart LR
  IN[target / manifest] --> P[keyhunt<br/>checks + rules]
  P --> OUT[findings (JSON / SARIF)]

Loading

↑ back to top

Use it from any AI stack

keyhunt is interoperable with every popular way of using AI:

• MCP server — keyhunt mcp (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
• OpenAI-compatible / JSON — pipe keyhunt scan . --format json into any agent or LLM
• LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
• CI / scripts — exit codes + SARIF for non-AI pipelines

↑ back to top

How it compares

	Cognis keyhunt	trufflehog + EAPOL
Self-hostable, no account	✅	varies
Single command, zero config	✅	⚠️
JSON + SARIF for CI	✅	varies
MCP-native (AI agents)	✅	❌
Polyglot ports (JS/Go/Rust)	✅	❌
Open license	✅ COCL	varies

Built in the spirit of trufflehog + EAPOL/binwalk extract, re-framed the Cognis way. Missing a credit? Open a PR.

↑ back to top

Integrations

Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (keyhunt mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.

↑ back to top

Install — every way, every platform

pip install "git+https://github.com/cognis-digital/keyhunt.git"    # pip (works today)
pipx install "git+https://github.com/cognis-digital/keyhunt.git"   # isolated CLI
uv tool install "git+https://github.com/cognis-digital/keyhunt.git" # uv
pip install cognis-keyhunt                                          # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/keyhunt:latest --help        # Docker
brew install cognis-digital/tap/keyhunt                             # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/keyhunt/main/install.sh | sh

Linux	macOS	Windows	Docker	Cloud
scripts/setup-linux.sh	scripts/setup-macos.sh	scripts/setup-windows.ps1	docker run ghcr.io/cognis-digital/keyhunt	DEPLOY.md (AWS/Azure/GCP/k8s)

↑ back to top

Related Cognis tools

• fwxray — Diff two firmware images and surface exactly what changed: new binaries, flipped config flags, added certs, and shifted entropy regions.
• canzap — Replay, fuzz, and assert on CAN bus traffic from a .pcap or SocketCAN interface with a tiny YAML DSL.
• sbomb — Generate a CycloneDX SBOM directly from an unpacked firmware root filesystem and flag components with known CVEs and EOL kernels.
• mqttspy — Passively map an MQTT broker: enumerate topics, detect unauthenticated writes, spot PII/secrets in payloads, and emit a risk report.
• uefiscan — Audit UEFI firmware dumps for missing Secure Boot keys, unsigned modules, S3 boot-script vulns, and known SMM threats.
• modpot — Spin up a high-interaction Modbus/DNP3 ICS honeypot that logs attacker register reads/writes as structured JSON.

Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram

↑ back to top

Contributing

PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.

⭐ If keyhunt saved you time, star it — it genuinely helps others find it.

Interoperability

{} composes with the 300+ tool Cognis suite — JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.

License

Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.

---

_{Cognis Digital · one of 170+ tools in the Cognis Neural Suite · Making Tomorrow Better Today}