[{"data":1,"prerenderedAt":231},["ShallowReactive",2],{"blog-checklists/acquired-codebase-checklist":3},{"id":4,"title":5,"body":6,"category":207,"date":208,"dateModified":208,"description":209,"draft":210,"extension":211,"faq":212,"featured":210,"headerVariant":216,"image":217,"keywords":217,"meta":218,"navigation":219,"ogDescription":220,"ogTitle":217,"path":221,"readTime":217,"schemaOrg":222,"schemaType":223,"seo":224,"sitemap":225,"stem":226,"tags":227,"twitterCard":229,"__hash__":230},"blog/blog/checklists/acquired-codebase-checklist.md","Acquired Codebase Security Checklist: 20-Item Audit Guide",{"type":7,"value":8,"toc":201},"minimark",[9,16,19,22,47,68,87,109,137,142,145,148,170,189],[10,11,12],"tldr",{},[13,14,15],"p",{},"When acquiring a codebase, rotate all credentials immediately, scan the full git history for hardcoded secrets, audit dependencies for known vulnerabilities, revoke access for previous developers, and review authentication and authorization patterns. The 5 critical items in the quick checklist must be done before the code touches your stack; the remaining 15, grouped under credentials, access control, dependencies and infrastructure, belong in the first week. Trust nothing until verified.",[13,17,18],{},"Taking over someone else's codebase is a bit like moving into a house where you don't know who has copies of the keys. The previous team might have been great, or they might have left API keys scattered across the repo like breadcrumbs. Work through this checklist before you integrate anything into your stack.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Generate new keys for every third-party service: Stripe, AWS, database, email","Rotate all API keys and secrets",[27,32],{"description":33,"label":34},"Use TruffleHog or GitLeaks to search entire git history","Scan git history for exposed secrets",[27,36],{"description":37,"label":38},"Remove access from GitHub, hosting platforms, databases, and services","Revoke access for all previous developers",[27,40],{"description":41,"label":42},"Rotate database user passwords and delete unused accounts","Change all database passwords",[27,44],{"description":45,"label":46},"Use npm audit or Snyk to identify vulnerable packages","Run dependency vulnerability scan",[23,48,51,54,57,61,64],{"title":49,"count":50},"Credential Audit","5",[27,52],{"description":53,"label":30},"Generate new keys for every third-party service: Stripe, AWS, database, email, analytics. Do not assume old keys are safe. How to rotate API keys",[27,55],{"description":56,"label":34},"Use TruffleHog or GitLeaks to search entire git history. Secrets committed years ago may still be valid. How to scan git history",[27,58],{"description":59,"label":60},"Review all .env files, production configs, and deployment settings. Document what each secret is used for. How to audit environment variables","Audit environment variables",[27,62],{"description":63,"label":42},"Rotate database user passwords. Create new database users if needed and delete old unused accounts. How to rotate database passwords",[27,65],{"description":66,"label":67},"Regenerate OAuth client secrets. Verify callback URLs point to domains you control. 
How to audit OAuth configuration","Review OAuth and SSO configurations",[23,69,72,75,79,83],{"title":70,"count":71},"Access Control","4",[27,73],{"description":74,"label":38},"Remove access from GitHub, hosting platforms, CI/CD, databases, and all third-party services. How to revoke developer access",[27,76],{"description":77,"label":78},"Review all admin users in the application. Delete or reset passwords for accounts you do not recognize. How to audit admin accounts","Audit admin accounts",[27,80],{"description":81,"label":82},"Search for hardcoded admin credentials, debug endpoints, or test accounts with elevated privileges. How to find backdoors","Check for backdoor accounts or endpoints",[27,84],{"description":85,"label":86},"Audit who can deploy to production. Remove unused deploy keys and CI/CD tokens. How to audit deployment access","Review deployment access",[23,88,90,93,97,101,105],{"title":89,"count":50},"Dependency and Code Audit",[27,91],{"description":92,"label":46},"Use npm audit, Snyk, or Dependabot to identify vulnerable packages. Prioritize critical and high severity issues. How to run dependency audit",[27,94],{"description":95,"label":96},"Focus on security-critical packages first: authentication libraries, crypto, HTTP clients. How to update dependencies safely","Update outdated dependencies",[27,98],{"description":99,"label":100},"Check for typosquatted packages or dependencies with suspicious names. Verify package sources. How to detect malicious packages","Review for malicious packages",[27,102],{"description":103,"label":104},"Review login, session management, and password handling. Check for common vulnerabilities. How to audit authentication","Audit authentication implementation",[27,106],{"description":107,"label":108},"Check that access controls are enforced server-side. Look for IDOR and privilege escalation risks. 
How to audit authorization","Review authorization patterns",[23,110,113,117,121,125,129,133],{"title":111,"count":112},"Infrastructure Review","6",[27,114],{"description":115,"label":116},"Review IAM users and roles in AWS, GCP, or Azure. Delete unused users and rotate access keys. How to audit cloud access","Audit cloud provider access",[27,118],{"description":119,"label":120},"Check for overly permissive rules. Close unnecessary ports and restrict SSH access. How to audit firewall rules","Review security groups and firewall rules",[27,122],{"description":123,"label":124},"Verify that access logs, error logs, and audit trails are enabled and being retained. How to set up logging","Enable logging and monitoring",[27,126],{"description":127,"label":128},"Verify domain ownership records. Transfer domains to accounts you control. How to verify domain ownership","Review DNS and domain ownership",[27,130],{"description":131,"label":132},"Verify certificate validity and ownership. Set up auto-renewal if not configured. How to check SSL certificates","Check SSL/TLS certificates",[27,134],{"description":135,"label":136},"Check that backups exist and can be restored. Test a restore to verify backup integrity. How to test backup restoration","Verify backup processes",[138,139,141],"h2",{"id":140},"treat-acquired-code-as-untrusted","Treat Acquired Code as Untrusted",[13,143,144],{},"When you acquire a codebase, you are inheriting someone else's security decisions, mistakes, and technical debt. You have no visibility into how credentials were handled, who had access historically, or what shortcuts were taken.",[13,146,147],{},"Synopsys's 2023 Open Source Security and Risk Analysis (OSSRA) report found that 84% of audited codebases contained at least one known open source vulnerability, and 48% contained high-risk vulnerabilities. The older the codebase, the higher the likelihood of issues.",[149,150,151,158,164],"faq-section",{},[152,153,155],"faq-item",{"question":154},"Should I rotate all credentials after acquiring a codebase?",[13,156,157],{},"Yes, always. You have no way of knowing who had access previously or if credentials were ever shared inappropriately. Rotating all credentials is the safest approach.",[152,159,161],{"question":160},"How do I find hardcoded secrets in an acquired codebase?",[13,162,163],{},"Use secret scanning tools like TruffleHog, GitLeaks, or GitHub's built-in secret scanning. Also manually search for common patterns like 'api_key', 'password', 'secret', and 'token' in the codebase. Do not forget to scan the entire git history, not just the current state.",[152,165,167],{"question":166},"How long should a security audit of acquired code take?",[13,168,169],{},"A basic security audit takes 4 to 8 hours for a small application. Larger applications may require days or weeks. Prioritize credential rotation and access revocation first, as these are the highest risk items.",[171,172,173,179,184],"related-articles",{},[174,175],"related-card",{"description":176,"href":177,"title":178},"Secure handoff from contractors","/blog/checklists/freelancer-handoff-checklist","Freelancer Handoff Checklist",[174,180],{"description":181,"href":182,"title":183},"Secure your code repositories","/blog/checklists/github-repo-checklist","GitHub Repository Security Checklist",[174,185],{"description":186,"href":187,"title":188},"Step-by-step credential rotation","/blog/how-to/rotate-api-keys","How to Rotate API Keys",[190,191,194,198],"cta-box",{"href":192,"label":193},"/","Start Free Scan",[138,195,197],{"id":196},"scan-your-acquired-codebase","Scan Your Acquired Codebase",[13,199,200],{},"Get an automated security assessment to identify vulnerabilities 
quickly.",{"title":202,"searchDepth":203,"depth":203,"links":204},"",2,[205,206],{"id":140,"depth":203,"text":141},{"id":196,"depth":203,"text":197},"checklists","2026-01-22","Security audit checklist for acquired codebases. Review credentials, dependencies, access controls, and vulnerabilities before integrating inherited projects.",false,"md",[213,214],{"question":154,"answer":157},{"question":160,"answer":215},"Use secret scanning tools like TruffleHog, GitLeaks, or GitHub's built-in secret scanning. Also manually search for common patterns like 'api_key', 'password', 'secret', and 'token' in the codebase.","green",null,{},true,"Security checklist for auditing acquired or inherited codebases.","/blog/checklists/acquired-codebase-checklist","[object Object]","HowTo",{"title":5,"description":209},{"loc":221},"blog/checklists/acquired-codebase-checklist",[228],"Audit Checklist","summary_large_image","CGJic4nvgxbIwXII5124cSmkpSV6C9ZP4STuu4EqyyM",1775843931817]
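Added example for the "Scan git history for exposed secrets" and "Check for backdoor accounts or endpoints" items above. This is not the page's code and not TruffleHog or GitLeaks; it is a minimal Python scanner that runs over a constructed three-commit history embedded in the block (placeholder SHAs, AWS's documented example key AKIAIOSFODNN7EXAMPLE, and invented Stripe, GitHub and API-key values). It shows the point the checklist makes: the AWS key is deleted in the second commit but still sits in history, so a grep over the current checkout misses it, and an entropy check keeps placeholders like "changeme" out of the report.

```python
"""Minimal git-history secret scanner (added example, not the page's tooling).

Real scanners walk the object database of an actual repository; here the
history is a constructed list of file snapshots so the block runs offline.
"""
import math
import re
from collections import Counter

# Signature patterns for well-known key formats plus a generic "secret-looking
# variable assigned a quoted literal" rule. Real scanners ship hundreds of these.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Constructed history, oldest first: (placeholder sha, path, file content after
# that commit). AKIAIOSFODNN7EXAMPLE is the example key from AWS documentation;
# every other value is invented for this block.
HISTORY = [
    ("a1b2c3d", "config/settings.yml",
     'database:\n  password: "changeme"\naws:\n  access_key_id: AKIAIOSFODNN7EXAMPLE\n'),
    ("e4f5a6b", "config/settings.yml",
     'database:\n  password: "changeme"\naws:\n  access_key_id: ${AWS_ACCESS_KEY_ID}\n'),
    ("c7d8e9f", "src/billing.py",
     'STRIPE_KEY = "sk_live_ABCDEFGHIJKLMNOPQRSTUVWX"\napi_key = "Xq9pL2mN7vR4kT8wB3zH"  # analytics\n'),
    ("c7d8e9f", ".env.example",
     "GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n"),
]


def shannon_entropy(value):
    """Bits per character; random-looking credentials score well above 3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_blob(text, min_entropy=3.0):
    """Return (detector, value, line_no) for every secret-looking match in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for detector, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                # The generic rule is noisy; drop placeholders such as "changeme".
                if detector == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((detector, value, line_no))
    return findings


def scan_history(history):
    """Scan every file snapshot ever committed; keep the earliest sighting of each secret."""
    earliest = {}
    for sha, path, content in history:
        for detector, value, line_no in scan_blob(content):
            earliest.setdefault((detector, value), (sha, path, line_no))
    return earliest


def scan_head(history):
    """Scan only the latest version of each file, as grep over the checkout would."""
    latest = {}
    for _sha, path, content in history:
        latest[path] = content
    return {(d, v) for content in latest.values() for d, v, _ in scan_blob(content)}


if __name__ == "__main__":
    in_history = scan_history(HISTORY)
    in_head = scan_head(HISTORY)
    for (detector, value), (sha, path, line_no) in sorted(in_history.items()):
        status = "still in HEAD" if (detector, value) in in_head else "REMOVED but unrotated"
        print(f"{detector:20} {sha} {path}:{line_no}  {value}  [{status}]")
```

Every secret reported as removed but unrotated still needs the rotation step from the credential audit; deleting the line from the repo never revoked it. The entropy threshold is a heuristic (a value like "password123456" scores above 3.0), so treat the generic rule as a prompt for manual review rather than a verdict.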
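Added example for the "Review for malicious packages" item above, which asks you to look for typosquatted names and verify package sources. This is not the page's code; it is a Python review of a constructed package.json embedded in the block. Each dependency name is compared against a small, hypothetical allowlist of popular packages using optimal string alignment distance (edits plus adjacent transpositions), and dependencies pulled from git or URL sources instead of the registry are flagged separately. The "crossenv" entry mirrors the shape of a real typosquat of cross-env that was published to npm in 2017; the other names and the git URL are invented.

```python
"""Typosquat and package-source review of an npm manifest (added example, not
the page's tooling). Runs offline against the constructed manifest below."""
import json

# Constructed manifest: "expres" and "loadsh" are one edit away from real
# packages, "crossenv" drops the hyphen from cross-env, and "internal-utils"
# is installed from a git URL rather than the registry. example.invalid is a
# reserved, non-resolving domain.
PACKAGE_JSON = """
{
  "name": "acquired-app",
  "dependencies": {
    "express": "^4.18.2",
    "expres": "^1.0.0",
    "loadsh": "^4.17.21",
    "crossenv": "^5.0.0",
    "axios": "^1.6.0",
    "internal-utils": "git+https://example.invalid/acme/internal-utils.git"
  },
  "devDependencies": {
    "jest": "^29.0.0"
  }
}
"""

# A real review compares against the top few thousand registry names; this
# hypothetical list is just enough to exercise the logic.
POPULAR = ["express", "lodash", "cross-env", "axios", "react", "jest", "chalk", "moment"]

# Version specs that bypass the registry entirely; see "Verify package sources".
NON_REGISTRY_PREFIXES = ("git+", "git://", "http://", "https://", "file:", "github:", "link:")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def review_dependencies(manifest_text, popular=POPULAR, max_distance=1):
    """Return (package, reason) findings for every suspicious dependency."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for name, spec in sorted(deps.items()):
        if spec.startswith(NON_REGISTRY_PREFIXES):
            findings.append((name, f"non-registry source: {spec}"))
        if name in popular:
            continue  # the genuine package, not a lookalike
        for candidate in popular:
            if osa_distance(name, candidate) <= max_distance:
                findings.append((name, f"possible typosquat of {candidate}"))
                break
    return findings


if __name__ == "__main__":
    for package, reason in review_dependencies(PACKAGE_JSON):
        print(f"{package:16} {reason}")
```

Distance 1 produces false positives for very short names, so in practice a hit is a prompt to check the package's publish date, download count and maintainer on the registry before deciding. Non-registry specs deserve the same scrutiny: a git URL is pinned to whatever the remote serves, so record the commit it resolved to and review that code as part of the audit.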