full screen background image
Monday 22 January 2018
  • :
  • :

drek: A static-code-analysis tool for performing security-focused code reviews

drek is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Much like grep, it scans a codebase for user-defined regular-expressions. Unlike grep, drek outputs its results into an ergonomic html report that allows for sorting, filtering, and annotating of points-of-interest.

drek is the successor to watchtower (projectarticle).


[sudo] npm install -g drek



It can output points-of-interest as csvhtmljson, or xml, though the html report is the primary use-case.

The html report allows auditors to do the following:

  • Categorize each point-of-interest by “severity”.
  • Filter points-of-interest by severity and filetype.
  • Save annotations to localStorage.
  • Export a PDF to share audit results.



It can be configured to scan for any user-defined regular-expressions on a per-filetype basis via signature files.

Signature files are yml files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.


drek may optionally be configured via a ~/.drekrc file (example) as parsed by rc. It accepts the following values:

dateFormatstringReport date format, as parsed by moment.js.
signaturesarrayPath to .yml signature files to apply. (Accepts glob wildcards.)
ignorearrayFile paths to exclude from scan. (Accepts glob wildcards.)

Scan the codebase at /path/to/app for the signatures contained within /path/to/signatures/*.yml:

drek /path/to/app -s ‘/path/to/signatures/*.yml’ -p ‘My App’ > ./drek-report.html

Source: https://github.com/chrisallenlane/


Read more…


Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat

Leave a Reply

Your email address will not be published. Required fields are marked *