Skip to content

A static-code-analysis tool for performing security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

License

Notifications You must be signed in to change notification settings

chrisallenlane/drek

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status npm npm

drek

drek is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Much like grep, drek scans a codebase for user-defined regular-expressions. Unlike grep, drek outputs its results into an ergonomic html report that allows for sorting, filtering, and annotating of points-of-interest.

drek is the successor to watchtower (project, article).

Installing

drek can be installed via npm:

[sudo] npm install -g drek

Example

Scan the codebase at /path/to/app for the signatures contained within /path/to/signatures/*.yml:

drek /path/to/app -s '/path/to/signatures/*.yml' -p 'My App' > ./drek-report.html

Interactive Examples

The following are reports on the Damn Vulnerable Web Application:

Usage

Reports

drek can output points-of-interest as csv, html, json, or xml, though the html report is the primary use-case.

The html report allows auditors to do the following:

  • Categorize each point-of-interest by "severity".
  • Filter points-of-interest by severity and filetype.
  • Save annotations to localStorage.
  • Export a PDF to share audit results.

Signatures

drek can be configured to scan for any user-defined regular-expressions on a per-filetype basis via signature files.

Signature files are yml files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.

Configuration

drek may optionally be configured via a ~/.drekrc file (example) as parsed by rc. It accepts the following values:

Property Type Description
dateFormat string Report date format, as parsed by moment.js.
signatures array Path to .yml signature files to apply. (Accepts glob wildcards.)
ignore array File paths to exclude from scan. (Accepts glob wildcards.)

About

A static-code-analysis tool for performing security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages