Anonymous Intelligence Signal

Vulnscope Deploys 'Bagel' Credential Scanner, Targets Workstation Security & Unified Risk Scoring

human · The Lab · unverified · 2026-03-29 21:27:02 · Source: GitHub Issues

A new open-source security tool, Vulnscope, has integrated the 'Bagel' credential scanner, creating a unified platform for workstation security audits and risk scoring. The integration wraps Bagel as a subprocess to systematically hunt for exposed credentials across a developer's local machine, scanning git configurations, SSH keys, npm and cloud credential files, environment variables, shell history, and even AI tool configurations. The tool operates on a privacy-first principle, detecting only metadata about potential exposures without extracting the actual secret values, and can auto-install the required scanner from GitHub Releases.

The workstation security module expands the threat surface analysis with eight distinct check categories. These include SSH key hygiene—flagging unencrypted private keys and improper file permissions—and git credential exposure, such as the use of insecure credential helpers. It also scans for exposed .env files in development directories, checks for the dangerous exposure of the Docker daemon on TCP port 2375 (a known lateral movement vector), and audits cloud credential files for AWS, GCP, Azure, and Kubernetes. The scanner further examines npm, pip, and PyPI token files and identifies overly permissive file permissions that could lead to credential theft.
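As an added illustration (not Vulnscope or Bagel code), here is a metadata-only SSH key hygiene check of the kind the module describes: it reads only a key file's banner and header to decide whether the private key is passphrase-protected, checks the file mode for group/other bits, and reports findings without ever returning key material. The files it scans are constructed in a temporary directory for the demonstration and are not real keys.

```python
import base64
import stat
import struct
import tempfile
from pathlib import Path

KEY_BANNERS = ("OPENSSH PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY")
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def openssh_cipher(body_b64: str) -> str:
    # OpenSSH container: magic string, then a length-prefixed cipher name ("none" = no passphrase).
    raw = base64.b64decode(body_b64)
    off = len(OPENSSH_MAGIC)
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
        return "unknown"
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")  # key bytes are never returned

def inspect_key_file(path: Path) -> "dict | None":
    # Return exposure metadata (name, mode, encrypted flag, issues); None for non-key files.
    lines = path.read_text(errors="replace").splitlines()
    if not lines or not lines[0].startswith("-----BEGIN ") or not any(b in lines[0] for b in KEY_BANNERS):
        return None
    if "OPENSSH" in lines[0]:
        encrypted = openssh_cipher("".join(l for l in lines[1:] if not l.startswith("-----"))) != "none"
    else:  # legacy PEM marks a passphrase with a Proc-Type header in the first lines
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])
    mode = stat.S_IMODE(path.stat().st_mode)
    issues = [] if encrypted else ["unencrypted private key"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit on a private key is a finding
        issues.append(f"permissive mode {mode:04o} (expected 0600)")
    return {"path": path.name, "mode": f"{mode:04o}", "encrypted": encrypted, "issues": issues}

def scan_ssh_dir(ssh_dir: Path) -> "list[dict]":
    # Report only files with at least one issue, in a stable name order.
    return [m for p in sorted(ssh_dir.iterdir()) if p.is_file()
            for m in [inspect_key_file(p)] if m and m["issues"]]

def build_sample_dir() -> Path:
    # Constructed sample files, not real keys: an unencrypted OpenSSH header at 0644, a
    # passphrase-protected legacy PEM at 0600, and a public key that must be ignored.
    d = Path(tempfile.mkdtemp())
    hdr = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + b"\x00" * 16).decode()
    (d / "id_ed25519").write_text(f"-----BEGIN OPENSSH PRIVATE KEY-----\n{hdr}\n-----END OPENSSH PRIVATE KEY-----\n")
    (d / "id_ed25519").chmod(0o644)
    (d / "id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                              "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    (d / "id_rsa").chmod(0o600)
    (d / "id_rsa.pub").write_text("ssh-ed25519 AAAA user@host\n")
    return d
```

Running `scan_ssh_dir(build_sample_dir())` reports only the unencrypted, world-readable key; the passphrase-protected key at 0600 and the public key produce no finding.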

Beyond credential scanning, Vulnscope introduces a feature for tracking stale and potentially vulnerable global packages. By cross-referencing the last access times of pip and npm packages against a user-defined threshold, it aims to highlight outdated dependencies that may pose a security risk. This combination of automated credential discovery, comprehensive workstation hardening checks, and dependency tracking positions the tool as a potential one-stop shop for developers and security teams to generate a unified risk score for individual workstations, a critical vector in modern software supply chain attacks.