A CLI tool that audits Passbolt password resources for age and breach status (via Have I Been Pwned).
Download the latest binary for your OS from the Releases page.
curl -Lo passbolt-audit https://github.com/<owner>/passbolt-audit/releases/latest/download/passbolt-audit-linux-amd64
chmod +x passbolt-audit
sudo mv passbolt-audit /usr/local/bin/curl -Lo passbolt-audit https://github.com/<owner>/passbolt-audit/releases/latest/download/passbolt-audit-linux-arm64
chmod +x passbolt-audit
sudo mv passbolt-audit /usr/local/bin/curl -Lo passbolt-audit https://github.com/<owner>/passbolt-audit/releases/latest/download/passbolt-audit-darwin-arm64
chmod +x passbolt-audit
sudo mv passbolt-audit /usr/local/bin/curl -Lo passbolt-audit https://github.com/<owner>/passbolt-audit/releases/latest/download/passbolt-audit-darwin-amd64
chmod +x passbolt-audit
sudo mv passbolt-audit /usr/local/bin/- Download
passbolt-audit-windows-amd64.exefrom the Releases page. - Rename it to
passbolt-audit.exe(optional). - Place it in a directory that is in your
PATH, or run it directly.
Requires Go 1.25+:
go install github.com/<owner>/passbolt-audit@latestOr clone and build:
git clone https://github.com/<owner>/passbolt-audit.git
cd passbolt-audit
go build -o passbolt-audit .- A running Passbolt server (v4 or v5)
- A PGP private key file and passphrase for authentication
Parameters can be passed as CLI flags. Environment variables are used as fallbacks if a flag is not provided.
passbolt-audit --url=<server> --passphrase=<pass> --key=<keyfile>
| Flag | Env Fallback | Description | Required |
|---|---|---|---|
--url |
PB_SERVER_URL |
Passbolt server URL | Yes |
--passphrase |
PB_PASSPHRASE |
Passphrase for the PGP private key | Yes |
--key |
PB_KEY_FILE |
Path to the PGP private key file (.asc) | Yes |
--user-agent |
— | Custom User-Agent string | No |
# Using flags
passbolt-audit --url=https://passbolt.example.com --passphrase=secret --key=./my-key.asc
# Or with env vars
export PB_SERVER_URL=https://passbolt.example.com
export PB_PASSPHRASE=secret
export PB_KEY_FILE=./my-key.asc
passbolt-auditThe tool prints a table with the following columns:
| Column | Description |
|---|---|
| RESOURCE | Name of the password resource |
| URI | URI/URL associated with the resource |
| USERNAME | Username stored in the resource |
| AGE | Days since last modification; marked OLD if >90 days |
| HIBP | Have I Been Pwned status: SAFE or PWNED |
| Code | Location | Description |
|---|---|---|
#001 |
Startup | Failed to read the PGP private key file. Check PB_KEY_FILE path. |
#002 |
Startup | Failed to initialize the Passbolt API client. Check server URL, key format, and passphrase. |
#003 |
Authentication | Login to Passbolt failed. Verify credentials and server availability. |
#004 |
Audit | The audit process returned an error. See the wrapped error for details. |
#005 |
Resource Fetch | Failed to fetch resources from the Passbolt API. Check permissions and connectivity. |
#006 |
Resource Decrypt | Failed to decrypt/read a specific resource. The resource may have an unsupported type or corrupted data. |