A command-line tool for auditing scripts in your NinjaOne RMM instance by searching for specific patterns using regular expressions.
NinjaScriptAudit allows you to search through all automation scripts in your NinjaOne (formerly NinjaRMM) instance using regular expressions. This is useful for:
- Security auditing: Find scripts containing hardcoded credentials or sensitive information
- Code review: Identify scripts using deprecated functions or patterns
- Compliance: Ensure scripts follow organizational standards
- Maintenance: Locate scripts that need updates or modifications
The tool uses NinjaOne's OAuth 2.0 API to authenticate and retrieve script metadata, then fetches the full script content to perform pattern matching.
- OAuth 2.0 authentication with NinjaOne
- Regex-based pattern matching across all scripts
- Supports all script types (PowerShell, Bash, etc.)
- Interactive browser-based authorization flow
- Native AOT compilation for fast startup and low memory usage
- .NET 10.0 SDK or runtime
- A NinjaOne account with API access
- OAuth credentials (client ID, client secret) from NinjaOne
- Access to the NinjaOne instance you want to audit
- Log in to your NinjaOne instance
- Navigate to Administration → Apps → API
- Click Add to create a new API client
- Configure the OAuth client:
  - Allowed Scopes: Select the required scopes (e.g., `monitoring`, `management`, `control`, `offline_access`)
  - Redirect URIs: Add `http://localhost:8080/` (or your custom redirect URI)
- Save the Client ID and Client Secret for use with this tool
```bash
git clone https://github.com/ProVal-Tech/NinjaScriptAudit.git
cd NinjaScriptAudit
dotnet build
```

For better performance and distribution:

```bash
dotnet publish -c Release -r win-x64
# Or for other platforms:
# dotnet publish -c Release -r linux-x64
# dotnet publish -c Release -r osx-x64
```

The compiled executable will be in `NinjaScriptAudit/bin/Release/net10.0/{runtime}/publish/`
```bash
NinjaScriptAudit --instance <instance> --client-id <client-id> --client-secret <client-secret> --scope <scope> --search-regex <pattern>
```

| Parameter | Short | Required | Default | Description |
|---|---|---|---|---|
| `--instance` | `-i` | Yes | - | Your NinjaOne instance URL (e.g., provaltech.rmmservice.com) |
| `--client-id` | `-c` | Yes | - | OAuth client ID from NinjaOne |
| `--client-secret` | `-s` | Yes | - | OAuth client secret from NinjaOne |
| `--scope` | `-o` | Yes | - | OAuth scopes (space-separated, e.g., offline_access monitoring management control) |
| `--redirect-uri` | `-r` | No | `http://localhost:8080/` | Redirect URI for OAuth callback |
| `--search-regex` | `-x` | Yes | - | Regular expression pattern to search for in scripts |
```bash
NinjaScriptAudit \
--instance provaltech.rmmservice.com \
--client-id your-client-id \
--client-secret your-client-secret \
--scope "offline_access monitoring management control" \
--search-regex "password\s*=\s*['\"][^'\"]+['\"]"
```

```bash
NinjaScriptAudit \
--instance provaltech.rmmservice.com \
--client-id your-client-id \
--client-secret your-client-secret \
--scope "offline_access monitoring management control" \
--search-regex "Invoke-WebRequest|wget"
```

```bash
# Single quotes keep the backslashes, so the regex matches a literal "$"
NinjaScriptAudit \
--instance provaltech.rmmservice.com \
--client-id your-client-id \
--client-secret your-client-secret \
--scope "offline_access monitoring management control" \
--search-regex '\$apiKey|\$secretKey'
```

- The tool starts a local HTTP listener on the specified redirect URI
- A browser authorization URL is displayed in the console
- Click the link to open your browser and authorize the application
- After authorization, you'll be redirected to a success page
- Follow the on-screen instructions to copy your `sessionKey` cookie from browser DevTools:
  - Press F12 to open DevTools
  - Go to Application (Chrome/Edge) or Storage (Firefox)
  - Expand Cookies and select your NinjaOne URL
  - Copy the `sessionKey` value
- Paste the session key into the console when prompted
- The tool will fetch and search through all scripts
The sessionKey cookie is required because the NinjaOne API's OAuth token doesn't provide direct access to the full script content endpoint. The session key allows the tool to fetch the complete script code from the web interface endpoint.
The tool outputs matching scripts to the console:
```
Match found in script ID 12345, Name: Server Backup Script
Match found in script ID 67890, Name: User Provisioning
```
- Credentials: Never hardcode credentials in scripts. Use secure storage methods or environment variables.
- Session Key: The session key is equivalent to being logged in to NinjaOne. Handle it securely and don't share it.
- OAuth Secrets: Keep your client secret secure and don't commit it to version control.
- Regex Patterns: Be mindful of regex complexity to avoid performance issues with large script collections.
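
To try a pattern on a few sample scripts before running it across the whole instance, the sketch below applies the three example patterns from the usage section with .NET's regex engine and a match timeout. It is an added example, not NinjaScriptAudit's own code; the script names and contents are constructed, and the 2-second timeout is an assumption of this example rather than a documented setting of the tool.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Constructed sample scripts (not taken from any real NinjaOne instance).
var scripts = new Dictionary<string, string>
{
    ["Backup.ps1"] = "$password = 'Sup3rS3cret!'\nInvoke-WebRequest -Uri $url -OutFile out.zip",
    ["Provision.sh"] = "#!/bin/bash\nwget -q \"$URL\" -O /tmp/agent\n",
    ["Clean.ps1"] = "$cred = Get-Credential\nRemove-Item $env:TEMP\\* -Recurse",
};

// The three patterns from the usage examples, as the regex engine sees them
// once the shell has removed its own quoting.
var patterns = new[]
{
    @"password\s*=\s*['""][^'""]+['""]",
    @"Invoke-WebRequest|wget",
    @"\$apiKey|\$secretKey",
};

foreach (var pattern in patterns)
{
    // The timeout bounds the cost of a pattern that backtracks catastrophically.
    var regex = new Regex(pattern, RegexOptions.None, TimeSpan.FromSeconds(2));
    foreach (var (name, body) in scripts)
    {
        try
        {
            foreach (Match m in regex.Matches(body))
            {
                // Report the 1-based line number only; never echo the matched secret.
                int line = body.Take(m.Index).Count(c => c == '\n') + 1;
                Console.WriteLine($"{name}:{line} matches /{pattern}/");
            }
        }
        catch (RegexMatchTimeoutException)
        {
            Console.WriteLine($"{name}: /{pattern}/ timed out; simplify the pattern");
        }
    }
}
```
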
- Language: C# (.NET 10.0)
- Target: Console application with Native AOT compilation support
- Dependencies:
  - System.CommandLine 2.0.0 - Command-line parsing
  - Built-in System.Text.Json with source generation for optimal performance
- Verify your client ID and client secret are correct
- Ensure the redirect URI matches what's configured in NinjaOne
- Check that the requested scopes are allowed for your OAuth client
- Verify your OAuth client has the necessary permissions
- Ensure the `monitoring` or `management` scope is included
The tool displays a clickable link in the console. If your terminal supports it, Ctrl+Click (or Cmd+Click on macOS) should open the link. Otherwise, copy and paste the URL into your browser manually.
- Ensure you copied the correct `sessionKey` value from your browser
- Verify you're logged into the same NinjaOne instance
- Try logging out and back in to NinjaOne, then get a fresh session key
Contributions are welcome! Please feel free to submit issues or pull requests.
This project is licensed under the GNU General Public License v3.0 - see the LICENSE.txt file for details.
Built for use with the NinjaOne RMM platform.