https://github.com/chrisallenlane/drek
Drek is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.
Much like grep, drek scans a codebase for user-defined regular expressions. Unlike grep, drek outputs its results into an ergonomic html report that allows for sorting, filtering, and annotating of points-of-interest.
drek can output points-of-interest as csv, html, json, or xml, though the html report is the primary use-case.
The html report allows auditors to do the following:
drek can be configured to scan for any user-defined regular expressions on a per-filetype basis via signature files.
Signature files are yml files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.
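To make the per-filetype signature idea concrete, here is a small scanner written for this page (it is an added example, not drek's own code, and the signature layout, field names and sample files are assumptions, not drek's real schema): signatures are keyed by file extension, each entry pairs a name with a regex, only signatures whose extension matches a file are applied, and the resulting points-of-interest can be emitted as json or csv.

```python
import csv
import io
import json
import os
import re
from dataclasses import dataclass, asdict

# Constructed signature set keyed by file extension (hypothetical layout, not drek's schema).
# Each entry names an anti-pattern worth a reviewer's attention and the regex that flags it.
SIGNATURES = {
    ".php": [
        {"name": "php-eval", "pattern": r"\beval\s*\(", "desc": "dynamic code evaluation"},
        {"name": "php-superglobal", "pattern": r"\$_(GET|POST|REQUEST)\b", "desc": "untrusted input read"},
    ],
    ".py": [
        {"name": "py-shell-true", "pattern": r"subprocess\.\w+\(.*shell\s*=\s*True", "desc": "shell invocation"},
        {"name": "py-pickle-load", "pattern": r"\bpickle\.loads?\(", "desc": "unsafe deserialization"},
    ],
}

@dataclass
class PointOfInterest:
    path: str
    line: int
    signature: str
    desc: str
    snippet: str

def compile_signatures(sigs):
    """Compile every pattern once, keeping the extension -> [(name, regex, desc)] grouping."""
    return {ext: [(s["name"], re.compile(s["pattern"]), s["desc"]) for s in entries]
            for ext, entries in sigs.items()}

def scan(files, sigs):
    """files maps path -> source text; only signatures for the file's extension are applied."""
    compiled = compile_signatures(sigs)
    hits = []
    for path, source in files.items():
        ext = os.path.splitext(path)[1]
        for lineno, line in enumerate(source.splitlines(), 1):
            for name, rx, desc in compiled.get(ext, []):
                if rx.search(line):
                    hits.append(PointOfInterest(path, lineno, name, desc, line.strip()))
    return hits

def to_json(hits):
    return json.dumps([asdict(h) for h in hits], indent=2)

def to_csv(hits):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(PointOfInterest.__dataclass_fields__))
    writer.writeheader()
    for h in hits:
        writer.writerow(asdict(h))
    return buf.getvalue()

# Constructed sample "codebase": the markdown file mentions eval() but has no .md signatures, so it is skipped.
SAMPLE_FILES = {
    "app/login.php": "<?php\n$u = $_POST['user'];\neval($u);\n",
    "tools/run.py": "import subprocess\nsubprocess.run(cmd, shell=True)\n",
    "README.md": "eval($x) is shown here only as documentation\n",
}
```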