https://github.com/djadmin/fort
Audit and fix your Mac's security in one command. No agent, no signup, open source.
https://github.com/djadmin/fort
audit cli compliance cybersecurity devops devsecops endpoint-security golang hardening homebrew iso27001 mac-security macos macos-security open-source security security-audit security-tools soc2 sysadmin
Last synced: 6 days ago
JSON representation
Audit and fix your Mac's security in one command. No agent, no signup, open source.
- Host: GitHub
- URL: https://github.com/djadmin/fort
- Owner: djadmin
- License: mit
- Created: 2026-05-21T09:37:46.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-06-10T19:22:18.000Z (about 1 month ago)
- Last Synced: 2026-06-11T17:04:17.567Z (about 1 month ago)
- Topics: audit, cli, compliance, cybersecurity, devops, devsecops, endpoint-security, golang, hardening, homebrew, iso27001, mac-security, macos, macos-security, open-source, security, security-audit, security-tools, soc2, sysadmin
- Language: Go
- Homepage: https://djadmin.github.io/fort
- Size: 14.3 MB
- Stars: 20
- Watchers: 0
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-go - fort - Audits macOS security settings across 16 checks, reports a score, and fixes issues where it safely can. Single binary, installable via Homebrew. (Security / HTTP Clients)
- fucking-awesome-go - fort - Audits macOS security settings across 16 checks, reports a score, and fixes issues where it safely can. Single binary, installable via Homebrew. (Security / HTTP Clients)
- osx-and-ios-security-awesome - fort - CLI to audit, fix, and prove macOS endpoint security. 15 checks, auto-remediation, SOC 2 evidence report. Single binary, no agent. (macOS Security)
- awesome-go-with-stars - fort - 06-18 | (Security / HTTP Clients)
README
# fort
**Know your Mac's security posture, fix the gaps, and keep it locked down. One command.**
[](https://github.com/djadmin/fort/actions)
[](https://github.com/djadmin/fort/releases)
[](LICENSE)
[](https://github.com/djadmin/fort)
[](plugin/)
`fort` runs 15+ security checks on your Mac, fixes what it safely can, and writes an auditor-ready report. No agent, no signup, no MDM enrollment. Just a single binary.
Good for anyone who wants to harden their Mac. Essential for teams preparing for SOC 2 or ISO 27001.
**[djadmin.github.io/fort](https://djadmin.github.io/fort)**

`fort` audits every control and shows where you stand. `fort --fix` reviews each change, then applies, after you confirm.
Watch a full run

## Install
**Homebrew** _(recommended)_
```bash
brew install djadmin/tap/fort
```
**Direct download (macOS, Apple Silicon + Intel)**
```bash
curl -fsSL https://github.com/djadmin/fort/releases/latest/download/fort_darwin_all.tar.gz | tar xz && sudo mv fort /usr/local/bin/
```
**Go**
```bash
go install github.com/djadmin/fort/cmd/fort@latest
```
**Build from source**
```bash
git clone https://github.com/djadmin/fort.git
cd fort && make install
```
**Update**
```bash
brew upgrade djadmin/tap/fort
```
## Usage
```bash
fort # audit your Mac
fort --dry-run # preview what --fix would change; nothing is applied
fort --fix # audit, show confirmation prompt, apply selected fixes
fort --fix --yes # skip prompt; for scripts, MDM push, or cron
fort --json # structured JSON output for automation
fort --report # write fort-report-YYYY-MM-DD.html (print to PDF)
fort --only filevault,firewall # run only the specified checks (comma-separated IDs)
```
Exit codes: `0` all pass · `1` any fail · `2` any warn
## Use it from Claude Code
fort ships a [Claude Code](https://claude.com/claude-code) plugin, so you can audit and harden your Mac just by asking. Say "is my Mac secure?" and Claude runs the audit, explains each finding and why it matters, then fixes only what you approve, showing the exact command first.
```bash
# 1. install the fort binary (the plugin drives it; Claude can also install it for you)
brew install djadmin/tap/fort
# 2. add the plugin
/plugin marketplace add djadmin/fort
/plugin install fort@fort
```
Then just ask, or run a command directly: `/fort-audit` (read-only), `/fort-harden` (fix safe issues with your approval), `/fort-report` (HTML evidence). The plugin runs the `fort` binary on your Mac over your shell, no extra service, nothing uploaded. See [`plugin/`](plugin/) for details.
## Safe by design
- **The audit makes no network calls.** `fort` reads local system state and exits. Nothing is uploaded, no account, no telemetry.
- **No black box.** Every check prints the exact command it ran and its raw output, in the terminal, the JSON, and the HTML report. Verify it instead of trusting it.
- **`--fix` always asks first.** It shows each change and prompts `[y/N]` before applying. Use `--dry-run` to preview without touching anything, or `--yes` to skip the prompt when you mean to (automation, cron, MDM).
- **One MIT-licensed Go binary.** No agent, no background process, nothing installed system-wide. Read the source.
Full detail in [PRIVACY.md](PRIVACY.md): zero data collection, no network calls, nothing leaves your machine.
## What it checks
15+ macOS checks across five groups, each mapped to SOC 2, ISO 27001, NIST CSF, and CIS v8:
| Group | Checks |
|-------|--------|
| Core security | password manager, FileVault, screen lock, antivirus / EDR |
| System hardening | firewall, Gatekeeper, SIP, SSH |
| Access controls | local admin rights, guest account, automatic login, Touch ID for sudo |
| Exposure reduction | sharing services, AirDrop |
| Patching | automatic OS updates, OS patch status |
The exact set grows over time. Run `fort` to see every check on your machine, and the [changelog](CHANGELOG.md) for what's new.
## JSON output
```json
{
"tool": "fort", "version": "0.3.0", "hostname": "alice-mbp",
"os_version": "15.5", "timestamp": "2026-06-09T10:00:00Z",
"summary": { "total": 16, "pass": 12, "fail": 2, "warn": 2, "score": "12/16" },
"policies": [{ "id": "filevault", "status": "pass", "current": "on",
"evidence": "$ fdesetup status\nFileVault is On.",
"frameworks": { "SOC 2": ["CC6.1", "CC6.7"], "ISO 27001": ["A.8.3"] } }]
}
```
`fort --report` writes a self-contained HTML evidence report: machine identity, serial number, OS version, timestamp, per-check results with the exact commands run and their verbatim output, and framework control references. Opens locally or prints to PDF. See a [sample report](https://djadmin.github.io/fort/sample-report.html).
## Contributing
PRs welcome. To add a check:
1. Create `internal/checks/yourcheck_darwin.go` and implement the `Check` interface
2. Register in `internal/checks/registry_darwin.go`
3. Add framework mappings in `internal/checks/frameworks.go`
4. Run `go test ./...`; existing tests enforce interface contracts
## Support
If fort saves you time, please **[star it on GitHub](https://github.com/djadmin/fort)**. It is the easiest way to support the project and helps other people find it.
## License
[MIT](LICENSE)