Skip to content

Stratus-Security/AIza-Audit

Repository files navigation

AIza Audit

aizaudit checks which Google APIs accept a supplied API key. It reports whether the key was accepted, which services responded, and which API or application restrictions were visible from the machine running the scan.

It does not search for leaked keys or read a key's Google Cloud configuration.

Download the latest release

Only test keys and projects you own or have permission to assess. Never post keys or unredacted reports in issues.

Download

The release binaries are self-contained; .NET is not required.

Platform Download
Windows x64 aizaudit-win-x64.exe
Linux x64 aizaudit-linux-x64
SHA-256 SHA256SUMS.txt

Rename the downloaded binary to aizaudit (aizaudit.exe on Windows). On Linux, also run chmod +x aizaudit.

Usage

Prompt for a key without putting it in shell history:

Read-Host "Google API key" | .\aizaudit.exe
read -rsp "Google API key: " key; printf '\n'
printf '%s\n' "$key" | ./aizaudit
unset key

Common examples:

# Read several keys from a file
.\aizaudit.exe --key-file keys.txt

# Write JSON
$env:GOOGLE_API_KEY = Read-Host "Google API key"
.\aizaudit.exe --from-env --json > report.json

# Show only accessible results
.\aizaudit.exe --key-file keys.txt --only-accessible

# Test a browser context
Read-Host "Google API key" | .\aizaudit.exe `
  --referer https://example.com/app --origin https://example.com

Potentially billable probes are disabled by default. Enable them with --include-billable. APIs restricted to non-commercial use require the separate --include-noncommercial flag.

Run .\aizaudit.exe --help (Windows) or ./aizaudit --help (Linux) for all input options, exit codes, and defaults.

Results

Each probe reports one of these states:

ACCESSIBLE, KEY_RESTRICTED, REQUEST_CONTEXT_REQUIRED, API_NOT_ENABLED, BILLING_NOT_ENABLED, PROJECT_UNAVAILABLE, RATE_LIMITED, INVALID_KEY, NETWORK_ERROR, or UNKNOWN.

The overall key result is VALID, INVALID, or INDETERMINATE. Restriction ratings are STRONG, MODERATE, UNVERIFIED, or N/A.

Results describe only the IP, referrer, origin, and application context used for that scan. They do not show the key's full configuration or prove that an unobserved restriction is absent.

Use --json for schema-v2 output. Keys are masked unless --show-key is set, but the report may still contain sensitive project or restriction details.

Probe safety

The catalog contains small, non-destructive requests across Google Maps Platform, YouTube, the Gemini API, Firebase Auth, public Workspace endpoints, and other Google services. Probes use nonexistent resources or reserved .invalid addresses where needed and avoid operations that create or change data.

Pricing and terms can change. Check the relevant Google documentation before enabling billable or non-commercial probes. APIs that require OAuth or a service account are not tested.

Build

The project uses .NET 10.

dotnet restore AIzaAudit.slnx
dotnet build AIzaAudit.slnx -c Release --no-restore
dotnet test AIzaAudit.slnx -c Release --no-build
dotnet format AIzaAudit.slnx --verify-no-changes --no-restore

Run from source:

Read-Host "Google API key" |
  dotnet run --project AIzaAudit --no-launch-profile --

Building Native AOT on Windows requires Visual Studio 2022 or Build Tools with the Desktop development with C++ workload.

Contributing and security

See CONTRIBUTING.md before changing a probe. Report security issues as described in SECURITY.md.

License

Apache License 2.0

Disclaimer

AIza Audit is not affiliated with or endorsed by Google LLC. Google and its product names are trademarks of Google LLC.