`drek` is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Much like `grep`, `drek` scans a codebase for user-defined regular expressions. Unlike `grep`, `drek` outputs its results into an ergonomic `html` report that allows for sorting, filtering, and annotating of points-of-interest.

`drek` is the successor to watchtower (project, article).
`drek` can be installed via `npm`:

```shell
[sudo] npm install -g drek
```

Scan the codebase at `/path/to/app` for the signatures contained within `/path/to/signatures/*.yml`:

```shell
drek /path/to/app -s '/path/to/signatures/*.yml' -p 'My App' > ./drek-report.html
```
The following are reports on the Damn Vulnerable Web Application:
- Interactive HTML report (save the file and open it locally)
- PDF report
`drek` can output points-of-interest as `csv`, `html`, `json`, or `xml`, though the `html` report is the primary use-case.

The `html` report allows auditors to do the following:

- Categorize each point-of-interest by "severity".
- Filter points-of-interest by severity and filetype.
- Save annotations to `localStorage`.
- Export a PDF to share audit results.
`drek` can be configured to scan for any user-defined regular expressions on a per-filetype basis via signature files. Signature files are `yml` files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.

`drek` may optionally be configured via a `~/.drekrc` file (example) as parsed by rc. It accepts the following values:
| Property | Type | Description |
|---|---|---|
| `dateFormat` | string | Report date format, as parsed by moment.js. |
| `signatures` | array | Paths to `.yml` signature files to apply. (Accepts glob wildcards.) |
| `ignore` | array | File paths to exclude from the scan. (Accepts glob wildcards.) |
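To make the two ideas above concrete (per-filetype regular-expression signatures, and a `~/.drekrc` whose `ignore` globs prune the scan), here is a small added example that imitates the kind of scan `drek` performs. It is not drek's code, and the signature object shape (`id`, `extensions`, `pattern`, `description`) is a hypothetical stand-in for whatever the real `.yml` schema defines. The `.drekrc` keys (`dateFormat`, `signatures`, `ignore`) are the ones documented in the table; their values, the two sample signatures and the in-memory "codebase" are constructed for illustration only.

```javascript
// Added example, not drek's own code. Scans an in-memory set of files with
// per-filetype regex signatures and honours the `ignore` globs of a .drekrc.

// Constructed sample of a ~/.drekrc in JSON form (rc accepts JSON or INI).
// The values are assumptions for illustration only.
const DREKRC_TEXT = `{
  "dateFormat": "YYYY-MM-DD",
  "signatures": ["./signatures/*.yml"],
  "ignore": ["**/vendor/**", "**/*.min.js"]
}`;

// Hypothetical signature set (NOT drek's schema): one regex per footgun,
// restricted to the file extensions it applies to.
const SIGNATURES = [
  { id: 'php-superglobal', extensions: ['.php'], pattern: /\$_(GET|POST|REQUEST|COOKIE)\b/,
    description: 'Raw request input read directly; check for validation/encoding' },
  { id: 'js-eval', extensions: ['.js'], pattern: /\beval\s*\(/,
    description: 'eval() on data that may be attacker-controlled' },
];

// Constructed in-memory "codebase" so the example runs offline.
const FILES = {
  'app/login.php': `<?php\n$user = $_POST['username'];\n$q = "SELECT * FROM users WHERE name='$user'";\n`,
  'app/main.js': `const cfg = eval(localStorage.getItem('cfg'));\nconsole.log(cfg);\n`,
  'vendor/lib.php': `<?php\n$x = $_GET['x'];\n`,   // excluded by "**/vendor/**"
  'app/main.min.js': `eval("1");`,                 // excluded by "**/*.min.js"
};

// Translate a glob (supporting **, * and ?) into an anchored RegExp.
// Simplified on purpose; a real tool would use a glob library.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      if (glob[i + 1] === '*') {
        // "**/" matches zero or more directory segments; a bare "**" matches anything.
        if (glob[i + 2] === '/') { re += '(?:.*/)?'; i += 2; } else { re += '.*'; i += 1; }
      } else {
        re += '[^/]*';                 // "*" never crosses a directory separator
      }
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');  // escape regex metacharacters
    }
  }
  return new RegExp('^' + re + '$');
}

function isIgnored(file, ignoreGlobs) {
  return ignoreGlobs.some((g) => globToRegExp(g).test(file));
}

function extensionOf(file) {
  const dot = file.lastIndexOf('.');
  return dot === -1 ? '' : file.slice(dot);
}

// Core scan: for every file that is not ignored, apply each signature whose
// extension list matches the file, line by line, and record one
// point-of-interest per matching line. `severity` is left null because, as in
// drek's report, it is something the auditor assigns afterwards.
function scan(files, signatures, ignoreGlobs) {
  const points = [];
  for (const [file, content] of Object.entries(files)) {
    if (isIgnored(file, ignoreGlobs)) continue;
    const ext = extensionOf(file);
    const lines = content.split('\n');
    for (const sig of signatures) {
      if (!sig.extensions.includes(ext)) continue;
      lines.forEach((text, idx) => {
        const m = sig.pattern.exec(text);
        if (m) {
          points.push({ file, line: idx + 1, signature: sig.id, match: m[0],
                        description: sig.description, severity: null });
        }
      });
    }
  }
  return points;
}

// Parse the sample .drekrc and run the scan with its ignore list.
function runExample() {
  const rc = JSON.parse(DREKRC_TEXT);
  return scan(FILES, SIGNATURES, rc.ignore);
}

console.log(JSON.stringify(runExample(), null, 2));
```

Running it yields two points-of-interest (the `$_POST` read in `app/login.php` line 2 and the `eval(` in `app/main.js` line 1); the copies under `vendor/` and the minified bundle are skipped by the `ignore` globs, which is exactly why that setting matters on a large codebase: third-party and generated files otherwise flood the report with noise the auditor has to triage by hand.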