Releases: The-Adimension/REDACTS

REDACTS v3.0.0

08 May 09:46
v3.0.0
1f7c28b

REDACTS v3.0.0 - Initial public release

REDACTS (REDCap Arbitrary Code Threat Scan) is a contract-driven forensic toolkit for auditing REDCap deployments, upgrade packages, and external modules. Static analysis, sandboxed dynamic analysis, and threat-base correlation produce HTML, JSON, Markdown, and SARIF reports.

Refusal contract

REDACTS reads only case.toml. There are no environment-variable overrides, no .env files, no global config. The startup contract refuses (exit code 2) any case file that:

  • omits schema_version = 2
  • references a container image without a sha256:<64-hex> digest
  • declares a password-class field shorter than 16 chars or with fewer than three character classes
  • pins [runtime.nix].nixpkgs_rev to anything other than a 40-hex commit SHA
  • references a URL whose host is not in [security].ssrf_allowlist
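As an added illustration of what a startup contract of this shape has to check, the following Python is not REDACTS code: the five rules are taken from the list above, but where each value lives inside case.toml is an assumption (any key named image is treated as a container reference, any key whose name contains password as password-class, and URLs may appear in any string value). The two sample cases at the bottom are constructed, not real deployments.

```python
"""Illustrative startup refusal contract (not REDACTS code).  Rules follow the
release notes; key locations inside case.toml are assumptions."""
import re
import sys
from typing import Any, Iterator
from urllib.parse import urlsplit

try:
    import tomllib  # stdlib TOML parser, Python 3.11+
except ModuleNotFoundError:
    tomllib = None

EXIT_REFUSED = 2
HEX40 = re.compile(r"^[0-9a-f]{40}$")                  # nixpkgs commit SHA
IMAGE_DIGEST = re.compile(r"sha256:[0-9a-f]{64}$")     # pinned image digest
URL_LIKE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")  # scheme://...


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, value) for every scalar in a parsed TOML tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def char_classes(secret: str) -> int:
    """Count how many of lower / upper / digit / other occur in the string."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in secret) for test in tests)


def check_case(case: dict) -> list[str]:
    """Return every contract violation; an empty list means the case is accepted.
    Messages name the offending key path but never echo secret values."""
    problems: list[str] = []
    if case.get("schema_version") != 2:
        problems.append("schema_version must be exactly 2")
    nix_rev = case.get("runtime", {}).get("nix", {}).get("nixpkgs_rev")
    if nix_rev is not None and not HEX40.fullmatch(str(nix_rev)):
        problems.append("[runtime.nix].nixpkgs_rev must be a 40-hex commit SHA")
    allowlist = set(case.get("security", {}).get("ssrf_allowlist", []))
    for path, value in walk(case):
        leaf = path.rsplit(".", 1)[-1]
        if leaf == "image" and not (isinstance(value, str) and IMAGE_DIGEST.search(value)):
            problems.append(f"{path}: container image lacks a sha256:<64-hex> digest")
        if "password" in leaf.lower() and (
            not isinstance(value, str) or len(value) < 16 or char_classes(value) < 3
        ):
            problems.append(f"{path}: password-class field needs 16+ chars and 3+ character classes")
        if isinstance(value, str) and URL_LIKE.match(value):
            host = urlsplit(value).hostname
            if host not in allowlist:
                problems.append(f"{path}: host {host!r} is not in [security].ssrf_allowlist")
    return problems


def exit_code(case: dict) -> int:
    """0 when the contract is satisfied, 2 (refused) otherwise."""
    return EXIT_REFUSED if check_case(case) else 0


def load_case(path: str) -> dict:
    """Parse a case file; the only input the contract reads (no env, no .env)."""
    with open(path, "rb") as fh:
        return tomllib.load(fh)


# Constructed sample cases: one that passes, one that trips each rule once.
GOOD_CASE = {
    "schema_version": 2,
    "runtime": {
        "container": {"image": "ghcr.io/example/redcap@sha256:" + "a" * 64},
        "nix": {"nixpkgs_rev": "b" * 40},
    },
    "redcap": {"db_password": "Correct-Horse-Battery-9"},  # 23 chars, 4 classes
    "security": {"ssrf_allowlist": ["redcap.example.org"]},
    "target": {"base_url": "https://redcap.example.org/api/"},
}
BAD_CASE = {
    "schema_version": 1,
    "runtime": {
        "container": {"image": "ghcr.io/example/redcap:latest"},  # tag, no digest
        "nix": {"nixpkgs_rev": "main"},                           # branch, not SHA
    },
    "redcap": {"db_password": "hunter22"},                        # too short
    "security": {"ssrf_allowlist": ["redcap.example.org"]},
    "target": {"base_url": "http://not-allowed.example.net/"},    # host not allowlisted
}

if __name__ == "__main__":
    case = load_case(sys.argv[1]) if len(sys.argv) > 1 else BAD_CASE
    for problem in check_case(case):
        print("refused:", problem)
    sys.exit(exit_code(case))
```

Run it with a path to a case file to see the refusal messages and exit status 2; with no argument it checks the constructed BAD_CASE. Reporting key paths rather than values keeps database passwords out of logs and CI output.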

Validation at release time

  • 649 tests passing, 5 skipped
  • Lint: 102 files scanned, 0 violations (4-file env-read allowlist, all auditing helpers)
  • Signed orphan commit: 1f7c28b

Archived predecessor history

Pre-3.0.0 development happened on the now-archived companion repo The-Adimension/REDACTS-legacy. The full v2.0.0 history is also attached to this release as:

  • redacts-v2.0.0.bundle - git bundle (clone with git clone redacts-v2.0.0.bundle redacts-v2)
  • redacts-v2.0.0-source.zip - source snapshot at v2.0.0

Each artifact ships with a .sha256 companion file. The recorded SHA256 for both archives matches the file SHA256 verified at release time.
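The following Python is an added example, not part of the release or of REDACTS, of verifying a downloaded artifact against its .sha256 companion before unpacking it. It assumes the companion uses the common sha256sum line format ("<64-hex>  <filename>"); the release notes do not state the format. The artifact it checks is constructed in a temporary directory, not the real bundle.

```python
"""Added example (not REDACTS code): verify an artifact against its .sha256
companion.  Companion format ("<64-hex>  <filename>") is an assumption."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large git bundle need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def expected_from_companion(companion_path: str) -> str:
    """Read the recorded hex digest; the filename after it is ignored."""
    with open(companion_path, "r", encoding="ascii") as fh:
        first = fh.readline().strip().split()[0].lower()
    if len(first) != 64 or any(c not in "0123456789abcdef" for c in first):
        raise ValueError(f"{companion_path}: not a SHA256 hex digest")
    return first


def verify_artifact(artifact_path: str) -> bool:
    """True only when the streamed digest equals the recorded one."""
    expected = expected_from_companion(artifact_path + ".sha256")
    actual = sha256_of_file(artifact_path)
    return hmac.compare_digest(expected, actual)


def demo() -> tuple[bool, bool]:
    """Constructed artifact: verification passes, then fails after one byte changes."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "redacts-v2.0.0.bundle")
        with open(artifact, "wb") as fh:
            fh.write(b"constructed bundle contents, not a real git bundle\n" * 1000)
        with open(artifact + ".sha256", "w", encoding="ascii") as fh:
            fh.write(f"{sha256_of_file(artifact)}  redacts-v2.0.0.bundle\n")
        intact = verify_artifact(artifact)
        with open(artifact, "r+b") as fh:
            fh.seek(7)
            fh.write(b"X")  # single-byte tamper
        return intact, verify_artifact(artifact)


if __name__ == "__main__":
    print(demo())
```

Note that a companion file fetched from the same location as the artifact only detects corruption in transit; the signed orphan commit listed above is what ties the recorded digests to the release itself.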

Getting started

See README.md and USER_GUIDE.md. Copy case.example.toml to case.toml, fill in every <<placeholder>>, and run python main.py --case case.toml.

License

Apache-2.0. See LICENSE.