MASTerm includes a comprehensive cybersecurity layer with 10 built-in security plugins designed to protect developers from common threats, secrets exposure, and dangerous commands.
| Feature | Description |
|---|---|
| Secret Detection | Detects 25+ patterns of API keys, tokens, passwords |
| Threat Detection | Identifies 20+ threat patterns (reverse shells, encoded commands) |
| Audit Logging | Cryptographically-signed, append-only command logs |
| Privilege Escalation | Environment-aware warnings for sudo/su/doas |
| Network Monitoring | Tracks outbound connections via curl/ssh/nc |
| Package Audit | Typosquatting detection, malicious package blocklist |
| File Integrity | Alerts on access to .ssh, .env, /etc/shadow |
| SSH/GPG Monitoring | Tracks key generation, export, and deletion |
| IP/Domain Reputation | Check targets against threat intelligence |
| Sandbox Mode | Restricted execution environment |
`masterm security status` shows the current security configuration and active plugins.

`masterm security check -- "your command here"` analyzes a command for security risks without executing it.
Example:

```
$ masterm security check -- "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"
Security Analysis
────────────────────────────────────────────────────────────
Command: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
Secrets Detected:
  AWS Credentials (AKIA************MPLE)
Risk Level: Critical
```

```shell
masterm security patterns                              # Show all patterns
masterm security patterns --pattern-type secrets       # Secrets only
masterm security patterns --pattern-type threats       # Threats only
```

```shell
masterm security audit show                            # Show recent entries
masterm security audit show --count 50                 # Show 50 entries
masterm security audit verify                          # Verify log integrity
masterm security audit export --output backup.json     # Export logs
```

```shell
masterm security config show                           # Show current config
masterm security config enable ip-reputation           # Enable feature
masterm security config disable audit-log              # Disable feature
masterm security config level paranoid                 # Set security level
```

```shell
masterm security sandbox enter                         # Enter sandbox
masterm security sandbox enter --allow-net             # Allow network access
masterm security sandbox status                        # Check sandbox status
masterm security sandbox exit                          # Exit sandbox
```

Detects hardcoded secrets before they're exposed:
| Pattern | Examples |
|---|---|
| AWS Keys | AKIA*, ASIA* |
| GitHub Tokens | ghp_*, gho_*, ghs_*, ghu_* |
| GitLab Tokens | glpat-* |
| Slack Tokens | xoxb-*, xoxa-*, xoxp-* |
| Stripe Keys | sk_live_*, pk_live_* |
| Google API Keys | AIza* |
| Private Keys | -----BEGIN * PRIVATE KEY----- |
| JWT Tokens | eyJ*.eyJ*.* |
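As an added example (Python, not MASTerm's own code), a scanner built from the prefixes in the table above: the character classes and minimum lengths after each prefix are assumptions chosen to limit false positives, and the masking reproduces the `AKIA************MPLE` form shown in the check output.

```python
import re

# Regexes built from the prefixes in the table above. The character classes and minimum
# lengths after each prefix are assumptions for this example, chosen to limit false positives.
SECRET_PATTERNS = {
    "AWS Credentials": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[posu]_[A-Za-z0-9]{20,}\b"),
    "GitLab Token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "Slack Token": re.compile(r"\bxox[bap]-[A-Za-z0-9-]{10,}\b"),
    "Stripe Key": re.compile(r"\b[sp]k_live_[A-Za-z0-9]{10,}\b"),
    "Google API Key": re.compile(r"\bAIza[A-Za-z0-9_-]{35}\b"),
    "Private Key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}

def mask(secret: str) -> str:
    """Keep the first and last 4 characters, as in AKIA************MPLE in the output above."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]

def scan_command(command: str) -> list[tuple[str, str]]:
    """Return (pattern name, masked match) for every secret found in one command line."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(command):
            findings.append((name, mask(m.group(0))))
    return findings

def redact(command: str) -> str:
    """Replace each matched secret with its masked form, i.e. what a log should store."""
    for pattern in SECRET_PATTERNS.values():
        command = pattern.sub(lambda m: mask(m.group(0)), command)
    return command

def decide(findings: list, action: str = "confirm") -> str:
    """Map findings to the `action` keyword of [plugins.secret-detection]: warn | confirm | block."""
    return action if findings else "allow"
```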
Configuration:

```toml
[plugins.secret-detection]
action = "confirm"  # warn | confirm | block
```

Forensic-grade command logging with:
- SHA-256 hash chains for tamper detection
- Secret redaction before logging
- JSON format for SIEM integration
- Append-only storage
Log location: ~/.masterm/security/audit.log
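An added Python sketch of the hash-chain idea listed above (example code, not MASTerm's implementation and not its on-disk format): each JSON line stores the hash of the previous line, so editing or deleting an earlier entry invalidates every hash after it. The genesis value and field names are assumptions.

```python
import hashlib
import json
import os
import tempfile
GENESIS = "0" * 64  # "previous hash" of the very first record (a convention assumed here)

def _digest(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash plus the canonical JSON of the entry (minus its own hash)."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(log_path: str, entry: dict) -> str:
    """Append one JSON line whose 'hash' chains to the last line already in the log."""
    try:
        with open(log_path, encoding="utf-8") as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        lines = []
    prev_hash = json.loads(lines[-1])["hash"] if lines else GENESIS
    record = dict(entry, prev_hash=prev_hash)  # store the link explicitly for later verification
    record["hash"] = _digest(prev_hash, record)
    with open(log_path, "a", encoding="utf-8") as f:  # append-only: earlier lines are never rewritten
        f.write(json.dumps(record, sort_keys=True) + "\n")
    return record["hash"]

def verify_chain(log_path: str) -> tuple[bool, int]:
    """Recompute every hash in order; returns (True, -1) or (False, index of the first bad line)."""
    prev_hash = GENESIS
    with open(log_path, encoding="utf-8") as f:
        for i, line in enumerate(f):
            record = json.loads(line)
            stored = record.pop("hash")
            if record.get("prev_hash") != prev_hash or _digest(prev_hash, record) != stored:
                return False, i
            prev_hash = stored
    return True, -1

def demo_tamper() -> tuple[bool, bool, int]:
    """Write two already-redacted entries, verify, then alter line 0 and verify again."""
    path = os.path.join(tempfile.mkdtemp(), "audit.log")
    append_entry(path, {"ts": "2024-01-01T00:00:00Z", "cmd": "export AWS_ACCESS_KEY_ID=AKIA************MPLE"})
    append_entry(path, {"ts": "2024-01-01T00:00:05Z", "cmd": "ls -la"})
    ok_before, _ = verify_chain(path)
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    lines[0] = lines[0].replace("AKIA", "XXXX")  # simulate an after-the-fact edit to an old entry
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    ok_after, bad_index = verify_chain(path)
    return ok_before, ok_after, bad_index
```

`masterm security audit verify` is the command the page gives for the equivalent check on the real log; this sketch only shows why a modified line is detectable.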
Configuration:

```toml
[plugins.audit-log]
enabled = true
log_path = "~/.masterm/security/audit.log"
redact_secrets = true
```

Environment-aware warnings for privilege escalation:
| Environment | Default Action |
|---|---|
| Development | Warn |
| Staging | Confirm |
| Production | Block (configurable) |
Detected commands: sudo, su, doas, pkexec, setuid
Detects dangerous command patterns:
| Category | Examples |
|---|---|
| Reverse Shells | bash -i >& /dev/tcp/..., nc -e /bin/sh |
| Encoded Commands | `base64 -d \|` |
| History Evasion | unset HISTFILE, history -c |
| Fork Bombs | `:(){ :\|` |
| Data Exfiltration | `curl ... \|` |
Tracks outbound connections via:
- curl, wget, httpie
- ssh, scp, sftp
- nc, netcat, ncat
- telnet, ftp
Protects against supply chain attacks:
- Typosquatting detection (Levenshtein distance)
- Malicious package blocklist
- Unscoped npm package warnings
Supported package managers: npm, yarn, pnpm, pip, cargo, gem
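An added example, not the project's code, of the Levenshtein-based typosquatting check and the unscoped-npm warning listed above; the popular-package sets, the single blocklist entry and the install-command grammar are constructed for the demo.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Constructed sample data for the demo: a few well-known names per ecosystem and a blocklist.
POPULAR = {
    "npm": {"lodash", "express", "react", "axios"},
    "pip": {"requests", "numpy", "urllib3"},
    "cargo": {"serde", "tokio"},
}
BLOCKLIST = {("npm", "evil-package-example")}  # placeholder entry, not a real package
MAX_DISTANCE = 2  # names this close to a popular package, but not equal to it, get flagged
INSTALL_VERBS = {"npm": {"install", "i", "add"}, "yarn": {"add"}, "pnpm": {"add", "install"},
                 "pip": {"install"}, "cargo": {"add"}, "gem": {"install"}}
SAME_REGISTRY = {"yarn": "npm", "pnpm": "npm"}  # yarn/pnpm resolve against the npm registry

def audit_package(manager: str, name: str) -> list[str]:
    """Warnings for one install target: blocklisted, typosquat-like, or unscoped npm."""
    warnings = []
    if (manager, name) in BLOCKLIST:
        warnings.append(f"{name}: on malicious package blocklist")
    for known in POPULAR.get(manager, ()):
        d = levenshtein(name, known)
        if name != known and d <= MAX_DISTANCE:
            warnings.append(f"{name}: {d} edit(s) from popular package {known!r}")
    if manager == "npm" and not name.startswith("@"):
        warnings.append(f"{name}: unscoped npm package")
    return warnings

def audit_install_command(command: str) -> list[str]:
    """Parse `npm install x`, `pip install x==1.0`, `cargo add x`, ... and audit each name."""
    parts = command.split()
    if len(parts) < 3 or parts[0] not in INSTALL_VERBS or parts[1] not in INSTALL_VERBS[parts[0]]:
        return []
    manager = SAME_REGISTRY.get(parts[0], parts[0])
    warnings = []
    for arg in parts[2:]:
        if arg.startswith("-"):  # skip flags such as --save-dev
            continue
        name = arg.split("==")[0]  # strip a pip version pin
        if not name.startswith("@"):
            name = name.split("@")[0]  # strip an npm version tag, but keep @scope/name intact
        warnings += audit_package(manager, name)
    return warnings
```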
Alerts on access to sensitive files:
| Category | Paths |
|---|---|
| SSH Keys | ~/.ssh/*, id_rsa, authorized_keys |
| GPG Keys | ~/.gnupg/* |
| Cloud Credentials | ~/.aws/*, ~/.config/gcloud/* |
| Environment Files | .env* |
| System Auth | /etc/passwd, /etc/shadow, /etc/sudoers |
Tracks cryptographic key operations:
- Key generation (`ssh-keygen`, `gpg --gen-key`)
- Key loading (`ssh-add`)
- Key export (`gpg --export`)
- Key deletion (`gpg --delete-key`)
Check targets against threat intelligence:
- Local blocklist caching
- Safe domain filtering
- Extensible for external APIs (AbuseIPDB, VirusTotal)
Restricted execution environment:
- Blocks privilege escalation
- Optional network blocking
- Directory allowlisting
| Level | Description |
|---|---|
| low | Minimal protection, warnings only |
| medium | Confirmation for dangerous ops |
| high | Default, blocks critical threats |
| paranoid | Maximum protection, strict blocking |
```toml
# ~/.masterm.toml
[security]
level = "high"

[plugins.secret-detection]
enabled = true
action = "confirm"

[plugins.audit-log]
enabled = true
redact_secrets = true

[plugins.priv-escalation]
dev_action = "warn"
staging_action = "confirm"
prod_action = "block"

[plugins.suspicious-pattern]
block_reverse_shells = true
block_encoded_commands = true

[plugins.sandbox]
allow_network = false
blocked_commands = ["rm -rf /", "mkfs"]
```

- Enable audit logging in production environments
- Use sandbox mode when testing untrusted scripts
- Review patterns regularly with `masterm security patterns`
- Check commands before execution with `masterm security check`
- Export audit logs for compliance requirements
```shell
masterm security status        # Check if audit-log is enabled
ls -la ~/.masterm/security/    # Check directory permissions
```

Add exceptions in your config:
```toml
[plugins.secret-detection]
# Whitelist specific patterns
exclude_patterns = ["test-api-key-*"]
```

Security plugins are designed for minimal overhead:
- Pattern matching: < 1ms per command
- Audit logging: async, non-blocking
- Caching for reputation lookups
MIT License. See LICENSE for details.