CheckMate for Auth0: Six Months of Growth

Learn how CheckMate for Auth0 has evolved over six months to provide automated, open-source security audits for your CI/CD pipeline.

Six months ago, we introduced CheckMate for Auth0, an open-source command-line tool that audits your Auth0 tenant configuration against security best practices. Our vision was simple: give developers and security teams a fast, repeatable way to audit their Auth0 tenant and improve its security posture. Since its launch, CheckMate for Auth0 has grown thanks to the support of our community of users. Community members filed bugs, surfaced edge cases and requested features that made CheckMate for Auth0 more powerful. We have been constantly iterating to produce a tool that is more capable, more resilient and ready for production pipelines.

Six Months of CheckMate for Auth0, by the Numbers

The numbers behind the first six months of CheckMate for Auth0 tell a story of steady growth. We're seeing more users, more contributors, and a maintenance pace that has kept up with both.

  • Tool Development
    • Monthly npm installs have increased consistently since launch; monthly install volume has grown roughly 4x from October 2025 to March 2026.
    • 18 releases shipped in six months, every one GPG-signed, of course.
    • 100 pull requests merged or closed.
  • Impact at a Glance
    • 628 audits across 422 unique tenants
    • 26% repeat customer rate
  • Growth and momentum
    • Steady growth in tool runs from October 2025 to a March 2026 peak of 159 runs
    • A sustained average of 90 tool runs per month
  • Global reach
    • 47.9% North America, 30.7% APJ, 21.0% Europe, with emerging footprint in South America and Africa

CheckMate for Auth0 Is Built with the Community

CheckMate for Auth0 launched with an issue tracker, and the community responded with feedback, feature requests and bug reports. Most of the issues closed so far were filed by external users, not by the core team. As an example of how we improve from community input, when a user requested that CheckMate for Auth0 be configurable entirely through environment variables, we listened and extended the tool to support it.

That community request for environment variable support created a new way of operating CheckMate for Auth0. Before version 1.6.1, every run required a person at the keyboard to answer interactive prompts. That is fine for a periodic audit, but impractical for automation in continuous integration (CI) flows.

With three environment variables set, AUTH0CHECKMATE_DOMAIN, AUTH0CHECKMATE_CLIENT_ID and AUTH0CHECKMATE_CLIENT_SECRET, CheckMate for Auth0 runs completely without user interaction. Additional variables let you control where reports are saved and whether PDF generation is enabled, making it straightforward to slot into any CI environment. Our support for JSON output makes it easy for downstream tools to parse CheckMate for Auth0's findings.

And that changed what the tool could be. It evolved from something you run once during a security review to part of the CI/CD infrastructure your team relies on. But whenever a tool becomes part of your infrastructure, you should trust it to be secure.

Vigilant Supply Chain Security

Supply chain compromises have made headlines repeatedly over the past six months, especially those that target CI pipelines. Malicious packages have slipped onto npm, typosquatted dependencies have passed code review, and legitimate packages have been quietly compromised between releases.

We wired automated dependency scanning into the CI pipeline from the start. When an upstream vulnerability is detected, our CI flow automatically opens a pull request. We routinely review, approve, merge and publish the updated package to npm within hours of discovering a potential risk.

Put It in Your Pipeline and Do Not Miss a Thing

The fastest path to continuous coverage is a scheduled workflow. Create a dedicated Machine-to-Machine application in your Auth0 tenant, grant it only the Management API scopes the audit needs (it reads configuration and should never need write access), store its credentials as repository secrets rather than in the workflow file, and drop this into your GitHub Actions:

name: CheckMate for Auth0 Security Audit
on:
  schedule:
    - cron: '0 9 * * 1'  # Every Monday at 9am
  workflow_dispatch:

jobs:
  checkmate:
    runs-on: ubuntu-latest
    steps:
      - name: Run CheckMate for Auth0
        env:
          AUTH0CHECKMATE_DOMAIN: ${{ secrets.AUTH0CHECKMATE_DOMAIN }}
          AUTH0CHECKMATE_CLIENT_ID: ${{ secrets.AUTH0CHECKMATE_CLIENT_ID }}
          AUTH0CHECKMATE_CLIENT_SECRET: ${{ secrets.AUTH0CHECKMATE_CLIENT_SECRET }}
          AUTH0CHECKMATE_FILE_PATH: ./reports
        run: npx @auth0/auth0-checkmate

      - name: Upload report
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1 at 2026-04-10
        with:
          name: checkmate-report
          path: ./reports

It can produce a PDF artifact or nifty JSON output like what’s shown below. Perfect for parsing and automation.

 {
   "finding_name": "checkGrantTypes",
   "finding_title": "Application Grant Types",
   "severity": "High",
   "name": "single page (rxfKf4sNcbCUbt9SXe4K2xxxxxxx) (First-Party Application)",
   "field": "unexpected_grant_type_for_app_type",
   "value": "implicit",
   "message": "Unexpected grant type \"implicit\" enabled for application \"single page (rxfKf4sNcbCUbt9SXe4K2xxxxxxx) (First-Party Application)\" with app_type: spa"
 },
 {
   "finding_name": "checkPasswordComplexity",
   "finding_title": "Databases - Password Complexity",
   "severity": "Moderate",
   "name": "ldap",
   "field": "password_min_length_fail",
   "value": 8,
   "message": "The minimum password length configured for ldap is below 12 characters, the minimum length recommended by the US National Institute for Standards and Technology (NIST). The current minimum password length is set to 8"
 }
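A scheduled audit is only useful if someone acts on it, and the easiest way to force that is to make the job fail when a serious finding appears. The script below is an added example, not part of CheckMate for Auth0 or its repository: it parses the JSON findings the tool emits, prints a count per severity, and exits non-zero when anything at or above a chosen threshold is present. It assumes the report is a top-level JSON array of findings with the shape shown above (finding_name, finding_title, severity, name, field, value, message); the bare comma-separated fragment printed above is accepted as well. The report file name under AUTH0CHECKMATE_FILE_PATH and the "Low" and "Critical" labels are assumptions, since the page only shows "High" and "Moderate", and the embedded sample report is constructed from the two findings above.

```javascript
'use strict';

// Severity ranking used for the gate. "High" and "Moderate" come from the
// sample output above; "Low" and "Critical" are assumed extra labels.
const SEVERITY_RANK = { Low: 1, Moderate: 2, High: 3, Critical: 4 };

// Parse a findings report. Accepts a JSON array, or a bare sequence of
// objects like the excerpt above, which is wrapped into an array first.
function parseFindings(text) {
  const trimmed = text.trim();
  const findings = JSON.parse(trimmed.startsWith('[') ? trimmed : `[${trimmed}]`);
  if (!Array.isArray(findings)) throw new Error('report is not a list of findings');
  return findings.filter((f) => f && typeof f.severity === 'string');
}

// Count findings per severity label for the job log.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Findings at or above the threshold. A severity label the ranking does not
// know is treated as failing, so a new label cannot silently pass the gate.
function failingFindings(findings, threshold = 'High') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown threshold "${threshold}"`);
  return findings.filter((f) => (SEVERITY_RANK[f.severity] ?? Infinity) >= min);
}

// Evaluate a report: summary, the failing findings and the CI exit code.
function gate(text, threshold = 'High') {
  const findings = parseFindings(text);
  const failing = failingFindings(findings, threshold);
  return { summary: summarize(findings), failing, exitCode: failing.length ? 1 : 0 };
}

// Constructed sample report mirroring the two findings shown above.
const SAMPLE_REPORT = JSON.stringify([
  {
    finding_name: 'checkGrantTypes',
    finding_title: 'Application Grant Types',
    severity: 'High',
    name: 'single page (rxfKf4sNcbCUbt9SXe4K2xxxxxxx) (First-Party Application)',
    field: 'unexpected_grant_type_for_app_type',
    value: 'implicit',
    message: 'Unexpected grant type "implicit" enabled for application with app_type: spa',
  },
  {
    finding_name: 'checkPasswordComplexity',
    finding_title: 'Databases - Password Complexity',
    severity: 'Moderate',
    name: 'ldap',
    field: 'password_min_length_fail',
    value: 8,
    message: 'The minimum password length configured for ldap is below 12 characters',
  },
]);

// Usage: node checkmate-gate.js ./reports/<report>.json [threshold]
// (report file name is an assumption). With no path the sample report is used
// and the process does not exit non-zero, so the file can be run as a demo.
if (typeof require !== 'undefined' && require.main === module) {
  const reportPath = process.argv[2];
  const text = reportPath ? require('fs').readFileSync(reportPath, 'utf8') : SAMPLE_REPORT;
  const result = gate(text, process.argv[3] || 'High');
  console.log('findings by severity:', result.summary);
  for (const f of result.failing) {
    console.log(`[${f.severity}] ${f.finding_title}: ${f.name} (${f.field})`);
  }
  if (reportPath) process.exit(result.exitCode);
}
```

Run it as an extra step after the audit step in the workflow above; a non-zero exit marks the scheduled run as failed, which is what makes the Monday report impossible to ignore. Lower the threshold to "Moderate" once the High findings are cleared.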

Every Monday, a fresh audit lands in your GitHub Actions artifacts ready to share with your security-minded organization. When something in your tenant changes, you'll know when the automation runs rather than at the next manual review.

Some of what CheckMate surfaces will be configuration changes you can make today. Others will open conversations about what Auth0 makes possible, like advanced attack protection, Tenant Access Control Lists, and other capabilities that exist on the platform but may not yet be enabled on your tenant. Either way, you will know exactly where you stand.

Not on Auth0 yet? Start for free and run your first audit in minutes. Already have an Auth0 tenant? Follow the CheckMate readme and run your first audit. Notice any points for improvement? Do not hesitate to raise an issue. We look forward to your participation and the chance to use and improve CheckMate for Auth0 together!

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.