# drek

drek is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Much like `grep`, drek scans a codebase for user-defined regular expressions. Unlike `grep`, drek outputs its results into an ergonomic HTML report that allows for sorting, filtering, and annotating of points of interest.

drek is the successor to watchtower (project, article).
## Installing

drek can be installed via `npm`:

```sh
[sudo] npm install -g drek
```
## Example

Scan the codebase at `/path/to/app` for the signatures contained within `/path/to/signatures/*.yml`:

```sh
drek /path/to/app -s '/path/to/signatures/*.yml' -p 'My App' > ./drek-report.html
```
## Interactive Examples

The following are reports on the Damn Vulnerable Web Application:

- Interactive HTML report (save the file and open it locally)
- PDF report
## Usage

### Reports

drek can output points of interest as `csv`, `html`, `json`, or `xml`, though the `html` report is the primary use case.

The `html` report allows auditors to do the following:

- Categorize each point of interest by "severity".
- Filter points of interest by severity and filetype.
- Save annotations to `localStorage`.
- Export a PDF to share audit results.
### Signatures

drek can be configured to scan for any user-defined regular expressions on a per-filetype basis via signature files.

Signature files are `yml` files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.
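The Reports and Signatures sections above describe the workflow without showing it, so the following is an added example, not drek's own code, that sketches the same grep-style, per-filetype scan in Node.js (the ecosystem drek ships in): a constructed signature set, an `ignore` glob filter in the spirit of the `~/.drekrc` option, severity tallies, and the csv/json-style point-of-interest records a report is built from. The signature object shape, the sample files, and every function name here are assumptions for this example; drek's real signature schema is the one in the drek-signatures repository.

```javascript
// Added example, not drek's own code: a minimal grep-style scanner in the
// spirit of drek. Signatures are applied per filetype and each hit becomes a
// point-of-interest record that a csv/json/html report could be built from.
// The signature shape below is an assumption for this example, not drek's
// actual yml schema (see the drek-signatures repository for the real format).
'use strict';

// Constructed signature set (hypothetical schema): keyed by file extension,
// each entry is a named regular expression with a default severity.
const SIGNATURES = {
  php: [
    { name: 'dynamic-include', severity: 'high',
      pattern: /\b(include|require)(_once)?\s*\(?\s*\$/ },
    { name: 'shell-exec', severity: 'high',
      pattern: /\b(shell_exec|exec|system|passthru)\s*\(/ },
    { name: 'raw-sql-concat', severity: 'medium',
      pattern: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*['"]\s*\.\s*\$/i },
  ],
  js: [
    { name: 'eval', severity: 'high', pattern: /\beval\s*\(/ },
    { name: 'innerHTML', severity: 'medium', pattern: /\.innerHTML\s*=/ },
  ],
};

// Tiny glob matcher for `ignore` paths, like the option in ~/.drekrc:
// `*` stays within one path segment, `**` crosses directory separators.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      if (glob[i + 1] === '*') { re += '.*'; i++; } else { re += '[^/]*'; }
    } else if ('.+^${}()|[]\\?'.includes(c)) {
      re += '\\' + c;                       // escape regex metacharacters
    } else {
      re += c;
    }
  }
  return new RegExp('^' + re + '$');
}

function isIgnored(filePath, ignoreGlobs) {
  return ignoreGlobs.some((g) => globToRegExp(g).test(filePath));
}

// Scan in-memory files ({ path, content }) and return one point of interest
// per (line, signature) hit. Files whose extension has no signatures are skipped.
function scan(files, signatures, ignoreGlobs = []) {
  const hits = [];
  for (const file of files) {
    if (isIgnored(file.path, ignoreGlobs)) continue;
    const ext = file.path.slice(file.path.lastIndexOf('.') + 1);
    const sigs = signatures[ext] || [];
    if (sigs.length === 0) continue;
    file.content.split('\n').forEach((text, idx) => {
      for (const sig of sigs) {
        if (sig.pattern.test(text)) {     // no `g` flag, so test() is stateless
          hits.push({ file: file.path, line: idx + 1, signature: sig.name,
                      severity: sig.severity, text: text.trim() });
        }
      }
    });
  }
  return hits;
}

// Count hits per severity, the figure an auditor triages first.
function summarize(hits) {
  return hits.reduce((acc, h) => {
    acc[h.severity] = (acc[h.severity] || 0) + 1;
    return acc;
  }, {});
}

// Render hits as csv (one of drek's report formats); values are quoted so
// matched source text containing commas or quotes cannot break the columns.
function toCsv(hits) {
  const esc = (v) => '"' + String(v).replace(/"/g, '""') + '"';
  const rows = hits.map((h) =>
    [h.file, h.line, h.signature, h.severity, h.text].map(esc).join(','));
  return ['file,line,signature,severity,text', ...rows].join('\n');
}

// Constructed sample "codebase" so the example runs stand-alone, offline.
const SAMPLE_FILES = [
  { path: 'app/login.php', content: [
      '<?php',
      '$page = $_GET["p"];',
      'include($page . ".php");',
      '$q = "SELECT * FROM users WHERE name = \'" . $_POST["name"] . "\'";',
      'echo shell_exec("ls " . $dir);',
    ].join('\n') },
  { path: 'app/static/ui.js', content: 'el.innerHTML = data;\nconst v = eval(input);\n' },
  { path: 'vendor/lib/helper.php', content: 'system($cmd);\n' },
  { path: 'README.md', content: 'eval(...) is mentioned here, but .md has no signatures' },
];

function demo() {
  const hits = scan(SAMPLE_FILES, SIGNATURES, ['vendor/**']);
  console.log(JSON.stringify(hits, null, 2));  // json-style points of interest
  console.log(summarize(hits));                 // { high: 3, medium: 2 }
  console.log(toCsv(hits));
}
demo();
```

Running it prints five points of interest: the `vendor/` hit is dropped by the ignore glob, and `README.md` is skipped because no signatures are registered for that filetype. The records carry file, line, signature name, severity, and the matched text, which is the same information an auditor sorts, filters, and annotates in drek's HTML report.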
### Configuration

drek may optionally be configured via a `~/.drekrc` file (example) as parsed by rc. It accepts the following values:

| Property | Type | Description |
|---|---|---|
| `dateFormat` | string | Report date format, as parsed by moment.js. |
| `signatures` | array | Paths to `.yml` signature files to apply. (Accepts glob wildcards.) |
| `ignore` | array | File paths to exclude from the scan. (Accepts glob wildcards.) |