
chrisallenlane / Drek

Licence: mit
A static-code-analysis tool for performing security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Projects that are alternatives of or similar to Drek

Whispers
Identify hardcoded secrets and dangerous behaviours
Stars: ✭ 66 (-35.92%)
Mutual labels:  security-audit, static-code-analysis
codecat
CodeCat is an open-source tool to help you find/track user input sinks and security bugs using static code analysis. These points follow regex rules. Beta version.
Stars: ✭ 265 (+157.28%)
Mutual labels:  security-audit, static-code-analysis
Pest
🐞 Primitive Erlang Security Tool
Stars: ✭ 79 (-23.3%)
Mutual labels:  security-audit, static-code-analysis
Web exploit detector
The Web Exploit Detector is a Node.js application used to detect possible infections, malicious code and suspicious files in web hosting environments
Stars: ✭ 81 (-21.36%)
Mutual labels:  security-audit
Rails Security Checklist
🔑 Community-driven Rails Security Checklist (see our GitHub Issues for the newest checks that aren't yet in the README)
Stars: ✭ 1,265 (+1128.16%)
Mutual labels:  security-audit
Aws Securitygroup Grapher
This ansible role gets information from an AWS VPC and generate a graphical representation of security groups
Stars: ✭ 93 (-9.71%)
Mutual labels:  security-audit
Npgsql.fsharp.analyzer
F# analyzer that provides embedded SQL syntax analysis, type-checking for parameters and result sets and nullable column detection when writing queries using Npgsql.FSharp.
Stars: ✭ 103 (+0%)
Mutual labels:  static-code-analysis
Content
Security automation content in SCAP, OSCAL, Bash, Ansible, and other formats
Stars: ✭ 1,219 (+1083.5%)
Mutual labels:  information-security
Cloudsploit
Cloud Security Posture Management (CSPM)
Stars: ✭ 1,338 (+1199.03%)
Mutual labels:  security-audit
Eggshell
iOS/macOS/Linux Remote Administration Tool
Stars: ✭ 1,286 (+1148.54%)
Mutual labels:  information-security
Pentest Notes
Collection of Pentest Notes and Cheatsheets from a lot of repos (SofianeHamlaoui,dostoevsky,mantvydasb,adon90,BriskSec)
Stars: ✭ 89 (-13.59%)
Mutual labels:  security-audit
Sourcecodesniffer
The Source Code Sniffer is a poor man’s static code analysis tool (SCA) that leverages regular expressions. Designed to highlight high risk functions (Injection, LFI/RFI, file uploads etc) across multiple languages (ASP, Java, CSharp, PHP, Perl, Python, JavaScript, HTML etc) in a highly configurable manner.
Stars: ✭ 87 (-15.53%)
Mutual labels:  static-code-analysis
Violations Lib
Java library for parsing report files from static code analysis.
Stars: ✭ 94 (-8.74%)
Mutual labels:  static-code-analysis
Codecharta
CodeCharta visualizes multiple code metrics using 3D tree maps.
Stars: ✭ 85 (-17.48%)
Mutual labels:  static-code-analysis
Vsaudit
VOIP Security Audit Framework
Stars: ✭ 97 (-5.83%)
Mutual labels:  security-audit
Maven Examples
List of Maven examples
Stars: ✭ 79 (-23.3%)
Mutual labels:  static-code-analysis
Unimport
A linter, formatter for finding and removing unused import statements.
Stars: ✭ 96 (-6.8%)
Mutual labels:  static-code-analysis
Rubberduck
Every programmer needs a rubberduck. COM add-in for the VBA & VB6 IDE (VBE).
Stars: ✭ 1,287 (+1149.51%)
Mutual labels:  static-code-analysis
Secure Ios App Dev
Collection of the most common vulnerabilities found in iOS applications
Stars: ✭ 1,288 (+1150.49%)
Mutual labels:  security-audit
Frost
Unit testing framework for test driven security of AWS, GCP, Heroku and more.
Stars: ✭ 91 (-11.65%)
Mutual labels:  security-audit


drek

drek is a static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

Much like grep, drek scans a codebase for user-defined regular-expressions. Unlike grep, drek outputs its results into an ergonomic html report that allows for sorting, filtering, and annotating of points-of-interest.

drek is the successor to watchtower (project, article).

Installing

drek can be installed via npm:

[sudo] npm install -g drek

Example

Scan the codebase at /path/to/app for the signatures contained within /path/to/signatures/*.yml:

drek /path/to/app -s '/path/to/signatures/*.yml' -p 'My App' > ./drek-report.html

Interactive Examples

The following are reports on the Damn Vulnerable Web Application:

Usage

Reports

drek can output points-of-interest as csv, html, json, or xml, though the html report is the primary use-case.

The html report allows auditors to do the following:

  • Categorize each point-of-interest by "severity".
  • Filter points-of-interest by severity and filetype.
  • Save annotations to localStorage.
  • Export a PDF to share audit results.

Signatures

drek can be configured to scan for any user-defined regular-expressions on a per-filetype basis via signature files.

Signature files are yml files that conform to a simple schema. See the drek-signatures repository for a collection of example signature files.
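As an added illustration of the signature model described above (this is example code written for this page, not drek's own code, and it does not use drek's yml schema): a toy scanner that applies regular-expression signatures on a per-filetype basis to a small constructed in-memory codebase and emits points-of-interest that can be sorted by severity, the same shape of result the html report lets an auditor triage. The signature fields (name, extensions, severity, pattern, note), the sample files and the severity ranking are all assumptions made for this example.

```javascript
// Added example, not drek's code. The signature shape below is an assumption
// made for illustration, not drek's yml signature schema.

// Constructed signatures: each one only applies to files with the listed extensions.
const SIGNATURES = [
  {
    name: 'php-dynamic-eval',
    extensions: ['.php'],
    severity: 'high',
    pattern: /\beval\s*\(/,
    note: 'Dynamic code evaluation; confirm the argument cannot be user-controlled.',
  },
  {
    name: 'php-command-exec',
    extensions: ['.php'],
    severity: 'high',
    pattern: /\b(?:shell_exec|system|exec|passthru)\s*\(/,
    note: 'Command execution sink; check where the argument comes from and how it is escaped.',
  },
  {
    name: 'js-inner-html',
    extensions: ['.js', '.html'],
    severity: 'medium',
    pattern: /\.innerHTML\s*=/,
    note: 'DOM sink; verify the assigned value is not attacker-influenced.',
  },
];

// Constructed in-memory "codebase": path -> file contents, so the scan runs without disk access.
const CODEBASE = {
  'app/login.php': ['<?php', '$user = $_POST["user"];', 'eval($user);', 'echo "ok";'].join('\n'),
  'app/tools.php': ['<?php', 'system("ls -la " . $_GET["dir"]);'].join('\n'),
  'static/ui.js': [
    'const el = document.getElementById("out");',
    'el.innerHTML = location.hash.slice(1);',
  ].join('\n'),
  // No signature declares .md, so this file is skipped even though it mentions eval(.
  'README.md': 'eval( is mentioned here but this is not source code.',
};

function extensionOf(path) {
  const idx = path.lastIndexOf('.');
  return idx === -1 ? '' : path.slice(idx).toLowerCase();
}

// Scan each file line by line. A signature fires only on files whose extension it
// declares, which is the per-filetype behaviour the README describes.
function scan(codebase, signatures) {
  const hits = [];
  for (const [path, contents] of Object.entries(codebase)) {
    const ext = extensionOf(path);
    const applicable = signatures.filter((s) => s.extensions.includes(ext));
    if (applicable.length === 0) continue;
    contents.split('\n').forEach((line, i) => {
      for (const sig of applicable) {
        if (sig.pattern.test(line)) {
          hits.push({
            file: path,
            line: i + 1,
            signature: sig.name,
            severity: sig.severity,
            note: sig.note,
            text: line.trim(),
          });
        }
      }
    });
  }
  // Highest severity first, then by file and line, so a report reads top-down by risk.
  const rank = { high: 0, medium: 1, low: 2 };
  hits.sort(
    (a, b) => rank[a.severity] - rank[b.severity] || a.file.localeCompare(b.file) || a.line - b.line,
  );
  return hits;
}

// Count points-of-interest per severity, the grouping an auditor filters on in the report.
function summarize(hits) {
  return hits.reduce((acc, h) => {
    acc[h.severity] = (acc[h.severity] || 0) + 1;
    return acc;
  }, {});
}

const results = scan(CODEBASE, SIGNATURES);
console.log(JSON.stringify(results, null, 2));
console.log(summarize(results));
```

Running it lists three points-of-interest (two high, one medium) and skips README.md entirely; note that a regex hit is only a candidate for review, which is why each signature carries a note telling the auditor what to confirm by hand.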

Configuration

drek may optionally be configured via a ~/.drekrc file (example) as parsed by rc. It accepts the following values:

Property    Type    Description
dateFormat  string  Report date format, as parsed by moment.js.
signatures  array   Paths to the .yml signature files to apply. (Accepts glob wildcards.)
ignore      array   File paths to exclude from the scan. (Accepts glob wildcards.)