full screen background image
Search
Monday 22 January 2018
  • :
  • :

drek: A static-code-analysis tool for performing security-focused code reviews

drek is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Much like grep, it scans a codebase for user-defined regular-expressions. Unlike grep, drek outputs its results into an ergonomic html report that allows for sorting, filtering, and annotating of points-of-interest.

drek is the successor to watchtower (projectarticle).

Install

[sudo] npm install -g drek

Usage

Reports

It can output points-of-interest as csvhtmljson, or xml, though the html report is the primary use-case.

The html report allows auditors to do the following:

  • Categorize each point-of-interest by “severity”.
  • Filter points-of-interest by severity and filetype.
  • Save annotations to localStorage.
  • Export a PDF to share audit results.

drek

Signatures

It can be configured to scan for any user-defined regular-expressions on a per-filetype basis via signature files.

Signature files are yml files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.

Configuration

drek may optionally be configured via a ~/.drekrc file (example) as parsed by rc. It accepts the following values:

PropertyTypeDescription
dateFormatstringReport date format, as parsed by moment.js.
signaturesarrayPath to .yml signature files to apply. (Accepts glob wildcards.)
ignorearrayFile paths to exclude from scan. (Accepts glob wildcards.)

Example
Scan the codebase at /path/to/app for the signatures contained within /path/to/signatures/*.yml:

drek /path/to/app -s ‘/path/to/signatures/*.yml’ -p ‘My App’ > ./drek-report.html

Source: https://github.com/chrisallenlane/

 

Read more…

 



Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat


Leave a Reply

Your email address will not be published. Required fields are marked *