Professional-Grade Security Assessment Framework - 200+ Tests Across 5 Domains
Industry-Standard Security Assessment Framework
SecCheckmate is for AUTHORIZED SECURITY TESTING ONLY.
- Use only on systems you own or have explicit written permission to test
- Comply with all applicable laws and regulations
- Use for defensive/authorized security purposes only
Unauthorized testing is ILLEGAL. Read LICENSE file for full legal terms before using.
SecCheckmate solves a critical gap in security: there's no standardized way to conduct security assessments.
Every organization does it differently:
- Scattered spreadsheets
- Inconsistent methodologies
- Non-reproducible results
- Poor documentation
- Subjective severity ratings
SecCheckmate changes this:
- Standardized - Same framework, consistent results
- Comprehensive - 200+ tests across 5 critical domains
- Offline-First - 100% private, no data collection
- Professional - Enterprise-grade reports
- Simple - Just answer y/n/na questions
- Fast - Complete assessment in minutes
- Penetration Testers - Comprehensive assessment checklists
- Security Engineers - Standardized security audits
- Cloud Architects - AWS security compliance
- Firmware Analysts - Embedded systems security
- AI/ML Security - LLM security testing
- Web Developers - Application security reviews
- Security Auditors - Compliance documentation
| Category | Tests | Coverage |
|---|---|---|
| Web App Security | 35 | OWASP, APIs, Authentication |
| AWS Cloud | 40 | IAM, EC2, S3, RDS, Lambda |
| WiFi Security | 38 | WPA2/3, Encryption, APs |
| Firmware | 44 | Boot, Debug, Credentials |
| LLM/AI Security | 44 | Prompts, Data, Privacy |
- Python: 3.10+ (required, not 3.9 or earlier)
- OS: macOS, Linux, or Windows
- Disk: ~50 MB
- Internet: Not required (100% offline)
Method 1: Virtual Environment (Recommended)

```bash
git clone https://github.com/amitgy/seccheckmate.git
cd seccheckmate
python3 -m venv venv
source venv/bin/activate    # macOS/Linux
# venv\Scripts\activate     # Windows
pip install --upgrade pip
pip install -r requirements.txt
python seccheckmate.py
```

Method 2: Direct Installation

```bash
git clone https://github.com/amitgy/seccheckmate.git
cd seccheckmate
# Quote the version specifiers so the shell does not treat ">=" as an output redirection
pip install "PyYAML>=6.0" "colorama>=0.4.6"
python seccheckmate.py
```

Method 3: Development Setup

```bash
git clone https://github.com/amitgy/seccheckmate.git
cd seccheckmate
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
chmod +x seccheckmate.py    # macOS/Linux
```

macOS

```bash
# Using Homebrew
brew install python3
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

Linux (Ubuntu/Debian)

```bash
sudo apt update
sudo apt install python3 python3-venv python3-pip
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

Windows (PowerShell)

```powershell
python -m venv venv
venv\Scripts\Activate.ps1
pip install -r requirements.txt
python seccheckmate.py
```

Windows (Command Prompt)

```cmd
python -m venv venv
venv\Scripts\activate.bat
pip install -r requirements.txt
python seccheckmate.py
```

Web App Security: Authentication & authorization, SQL injection, XSS, CSRF, CORS, API security, SSL/TLS, security headers, business logic, dependencies

AWS Cloud: IAM policies, EC2 security groups, S3 permissions, RDS encryption, CloudTrail, VPC, KMS, Lambda roles, DynamoDB

WiFi Security: WPA2/WPA3, PSK testing, rogue APs, MITM prevention, deauth resilience, WPS/UPnP, guest networks, physical security, monitoring

Firmware: Secure boot, code integrity, rollback protection, hardcoded credentials, debug interfaces (JTAG/UART/SWD), buffer overflow, crypto, reverse engineering, supply chain

LLM/AI Security: Prompt injection, training data leakage, jailbreak resistance, RAG validation, API security, encryption, GDPR, model integrity, bias/fairness
SecCheckmate classifies findings using this framework:

**Critical**
- Complete system compromise possible
- Examples: Unauthenticated access, hardcoded credentials, SQL injection
- Assumption: Allows full attacker control

**High**
- Major security bypass or breach possible
- Examples: Weak authentication, missing encryption, privilege escalation
- Assumption: Bypasses major security controls

**Medium**
- Requires exploitation chain or conditions
- Examples: Missing headers, weak policies, info disclosure
- Assumption: Could chain with other vulnerabilities

**Low**
- Minor impact, best practice gaps
- Examples: Outdated non-critical software, configuration hardening
- Assumption: Limited impact

**Informational**
- Recommendations and best practices
- Examples: Training, monitoring, documentation
- Assumption: Not a vulnerability
SecCheckmate generates professional markdown reports:

```markdown
# Security Assessment Report
**Category:** AWS Cloud Security
**Organization:** Your Org
**Date:** January 19, 2026
**Tool:** SecCheckmate v1.0.0

## Executive Summary
Assessment evaluated 40 security controls.

### Key Metrics
| Metric | Count | % |
|--------|-------|---|
| Passed | 35 | 87.5% |
| Failed | 3 | 7.5% |
| N/A | 2 | 5.0% |

### Risk Assessment
- **Critical:** 0
- **High:** 1

## Findings by Severity
### High (1)
- AWS-15: S3 Bucket Public Access

### Medium (2)
- AWS-08: CloudTrail Not Enabled
- AWS-12: VPC Flow Logs Missing
```

Edit config/settings.yaml:

```yaml
organization: "Your Organization"
version: "1.0"
```

Project layout:

```
seccheckmate/
├── seccheckmate.py        # Main application
├── requirements.txt       # Python dependencies
├── README.md              # This file
├── LICENSE                # MIT License + Legal Disclaimer
│
├── config/
│   └── settings.yaml      # Configuration
│
├── checklists/            # Assessment templates
│   ├── web.yaml           # Web security (35 tests)
│   ├── cloud_aws.yaml     # AWS security (40 tests)
│   ├── wifi.yaml          # WiFi security (38 tests)
│   ├── firmware.yaml      # Firmware security (44 tests)
│   └── llm.yaml           # LLM security (44 tests)
│
└── reports/               # Generated reports
    └── report_*.md        # Dated reports
```
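To show how y/n/na answers become the Key Metrics table and the Findings by Severity section of the sample report above, and how a blank (Enter) answer is counted as N/A, here is an added example. It is not SecCheckmate's own code: the checklist item fields (id, title, severity) are an assumed layout, since the README does not show the YAML schema, and the severity labels follow the classification framework described above.

```python
from collections import Counter
# Constructed checklist excerpt; the field names are my assumption, not SecCheckmate's YAML schema.
CHECKLIST = [
    {"id": "AWS-08", "title": "CloudTrail Not Enabled", "severity": "Medium"},
    {"id": "AWS-15", "title": "S3 Bucket Public Access", "severity": "High"},
    {"id": "AWS-21", "title": "RDS Storage Encrypted at Rest", "severity": "High"},
    {"id": "AWS-30", "title": "Lambda Execution Role Scoped", "severity": "Low"},
]
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]

def normalise(answer):
    """Map a y/n/na prompt answer to pass/fail/na; a bare Enter counts as N/A."""
    a = answer.strip().lower()
    if a in ("y", "yes"):
        return "pass"
    if a in ("n", "no"):
        return "fail"
    if a in ("", "na", "n/a"):
        return "na"
    raise ValueError(f"unrecognised answer: {answer!r}")

def pct(n, d):
    return round(100.0 * n / d, 1) if d else 0.0

def assess(checklist, answers):
    """Return (metrics, findings_by_severity) for a checklist and an id -> answer mapping."""
    status = {i["id"]: normalise(answers.get(i["id"], "")) for i in checklist}
    c = Counter(status.values())
    total, applicable = len(checklist), len(checklist) - c["na"]
    metrics = {
        "total": total, "passed": c["pass"], "failed": c["fail"], "na": c["na"],
        # shares of the whole checklist, as in the sample report's Key Metrics table
        "passed_pct": pct(c["pass"], total), "failed_pct": pct(c["fail"], total), "na_pct": pct(c["na"], total),
        # pass rate over applicable tests only, which is how the FAQ describes the metrics
        "pass_rate_applicable": pct(c["pass"], applicable),
    }
    findings = {sev: [f"{i['id']}: {i['title']}" for i in checklist
                      if status[i["id"]] == "fail" and i["severity"] == sev] for sev in SEVERITY_ORDER}
    return metrics, findings

def render(metrics, findings):
    # Emit the Key Metrics table and the Findings by Severity section as markdown lines
    lines = ["### Key Metrics", "| Metric | Count | % |", "|--------|-------|---|",
             f"| Passed | {metrics['passed']} | {metrics['passed_pct']}% |",
             f"| Failed | {metrics['failed']} | {metrics['failed_pct']}% |",
             f"| N/A | {metrics['na']} | {metrics['na_pct']}% |", "## Findings by Severity"]
    for sev in SEVERITY_ORDER:
        if findings[sev]:
            lines.append(f"### {sev} ({len(findings[sev])})")
            lines.extend(f"- {f}" for f in findings[sev])
    return "\n".join(lines)
```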
Q: Is this an automated vulnerability scanner?
A: No. It's a checklist framework requiring professional judgment.
Q: Can I test systems I don't own?
A: No. You need explicit written permission. Unauthorized testing is illegal.
Q: What if a test doesn't apply?
A: Mark it "N/A" (press Enter). Metrics are calculated only for applicable tests.
Q: Can I modify checklists?
A: Yes! Edit YAML files in checklists/ folder.
Q: Does it send data online?
A: No. 100% offline, all reports stay on your machine.
Q: What Python versions work?
A: Python 3.10+ only. Not compatible with 3.9 or earlier.
Q: Can I contribute?
A: Yes! We welcome new checklists and improvements.
We welcome:
- New security checklists
- Bug fixes and improvements
- Documentation enhancements
- Testing and validation
Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
See LICENSE file for contribution guidelines.
This project is licensed under the MIT License.
IMPORTANT:
- For AUTHORIZED testing ONLY
- Read LICENSE file before use
- You assume all legal responsibility
- Unauthorized testing is illegal in all jurisdictions
- Bug Reports: GitHub Issues
- Questions: GitHub Discussions
- Legal: See LICENSE file
- Read test descriptions - Understand what each validates
- Document evidence - Include URLs and configuration details
- Customize severity - Adjust for your environment context
- Regular assessments - Schedule quarterly reviews
- Track metrics - Monitor improvements over time
- Share findings - Present to relevant teams
- Act on recommendations - Fix issues systematically
Give it a star on GitHub!
Made with ❤️ by the security community
Professional security assessment framework | Open source | MIT licensed | Privacy-first | Offline-only
Last Updated: January 19, 2026 | v1.0.0