frisk
disrobe frisk is disrobe's built-in recon engine. Point it at any file, directory, APK, or disrobe-recovered source tree and it surfaces leaked secrets (cloud keys, SaaS/AI tokens, private keys), API endpoints and routes, cloud-storage buckets, Android manifest exposure (deep-link schemes and hosts, exported components, content-provider authorities, dangerous permissions), and IOCs (URLs, domains, IPs, emails, `.onion` addresses, webhooks), each reported with its file, line, and column. Because disrobe recovers the real source first, frisk searches that recovered source rather than grepping the original artifact, and its matching is encoding-safe.
```bash
disrobe frisk app/                                   # walk a directory or recovered source tree
disrobe frisk app.apk                                # APK manifest exposure + secrets + IOCs
disrobe frisk recovered/ --format json               # text, json, or sarif
disrobe frisk recovered/ --format sarif > frisk.sarif
disrobe frisk app/ --pattern rules.txt               # custom rule pack: name=regex per line
disrobe frisk app/ --suppress example.com            # drop findings whose value contains a substring
disrobe frisk app/ --emit-baseline > baseline.json   # snapshot current findings
disrobe frisk app/ --baseline baseline.json          # report only new findings
disrobe frisk app/ --entropy                         # include high-entropy generic-secret findings
```

Every finding carries a category, a rule id, the matched value, a severity, and a `file:line:column` location (or a byte offset for non-text input).
| Category | What it surfaces |
|---|---|
| `secret` | Cloud keys, SaaS and AI provider tokens, private keys, webhook URLs. High-entropy generic secrets are gated behind `--entropy`. |
| `endpoint` | API endpoints, routes, and request targets recovered from source. |
| `manifest` | Android manifest exposure: deep-link schemes and hosts, exported activities/services/receivers/providers, content-provider authorities, dangerous permissions. |
| `url` | HTTP and HTTPS URLs. |
| `domain` | Bare domains. |
| `ipv4`, `ipv6` | IP-address IOCs. |
| `email` | Email addresses. |
| `onion` | Tor v2 and v3 `.onion` hidden-service addresses. |
| `custom` | Matches from a `--pattern` rule pack. |
| Flag | Effect |
|---|---|
| `--format <text\|json\|sarif>` | Output format. SARIF 2.1.0 drops straight into GitHub code scanning. |
| `--pattern <FILE>` | Custom rule pack, one `name=regex` per line; `#` comments allowed. |
| `--suppress <SUBSTR>` | Drop findings whose value contains the substring. Repeatable. The test is a plain substring match on the value, so `--suppress example.com` also drops `api.corp.example.com`. |
| `--emit-baseline` | Print the current findings as a baseline JSON array to snapshot. |
| `--baseline <FILE>` | Report only findings absent from the baseline array. |
| `--entropy` | Include high-entropy generic-secret findings. |
A rule pack is one `name=regex` per line; lines starting with `#` are comments:

```text
# rules.txt
internal-host=https://[a-z0-9.-]+\.corp\.example\.com
deploy-token=DEPLOY_[A-Z0-9]{32}
```

```bash
disrobe frisk recovered/ --pattern rules.txt --format json
```

Snapshot the current findings, then report only new ones on later runs, so a CI gate fires only when a fresh secret or endpoint appears:

```bash
disrobe frisk app/ --emit-baseline > frisk-baseline.json
disrobe frisk app/ --baseline frisk-baseline.json --format sarif > new-findings.sarif
```

This wiki is generated from `docs/src` in the disrobe repository by `scripts/wiki_sync.py`. Edit the docs there, not the wiki pages here.
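The rule-pack, `--suppress`, and baseline flows above, re-implemented in Python as an added example that is not disrobe's own code: it parses a `name=regex` pack (first `=` splits name from regex, so the regex may itself contain `=`), reports 1-based line and column per match, filters by value substring, and diffs the result against a baseline array. The finding field names (`rule`, `value`, `file`, `line`, `column`), the sample source, and the baseline contents are constructed assumptions; this page does not document disrobe's real JSON schema. Keying the baseline on rule, value, and file rather than on line and column is a deliberate choice so that a secret that merely moved lines does not re-fire the CI gate.

```python
"""Added example, not disrobe's own code: apply a name=regex rule pack to
recovered source, report file:line:column findings, honour --suppress-style
substring filtering, and diff against a baseline array.  Finding field names
and all sample data below are constructed assumptions."""
import json
import re

# Constructed rule pack in the page's format: one name=regex per line, '#' comments.
RULES_TXT = """\
# rules.txt
internal-host=https://[a-z0-9.-]+\\.corp\\.example\\.com
deploy-token=DEPLOY_[A-Z0-9]{32}
"""

# Constructed "recovered source" keyed by path (assumed, not a real project).
SOURCES = {
    "app/config.js": (
        "const base = 'https://api.corp.example.com';\n"
        "const token = 'DEPLOY_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345';\n"
        "const docs = 'https://example.com/docs';\n"
    ),
}

# Constructed earlier snapshot: the same token sat on line 7 when it was taken.
BASELINE = [
    {"category": "custom", "rule": "deploy-token",
     "value": "DEPLOY_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345",
     "file": "app/config.js", "line": 7, "column": 16},
]


def parse_rule_pack(text):
    """Return [(name, compiled_regex)].  Blank and '#' lines are skipped; the
    line is split on the first '=' only, so the regex itself may contain '='."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, pattern = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"rules line {lineno}: expected name=regex")
        try:
            rules.append((name.strip(), re.compile(pattern)))
        except re.error as exc:
            raise ValueError(f"rules line {lineno}: bad regex: {exc}") from exc
    return rules


def scan(sources, rules):
    """Run every rule over every line; columns are 1-based like editors and SARIF."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in rules:
                for m in rx.finditer(line):
                    findings.append({
                        "category": "custom", "rule": name, "value": m.group(0),
                        "file": path, "line": lineno, "column": m.start() + 1,
                    })
    return findings


def suppress(findings, substrings):
    """Drop any finding whose value contains one of the substrings (a plain
    substring test, so 'example.com' also removes api.corp.example.com)."""
    return [f for f in findings if not any(s in f["value"] for s in substrings)]


def finding_key(f):
    """Identity used for baseline comparison.  Line and column are left out on
    purpose: a secret that merely moved lines is not a new finding."""
    return (f["rule"], f["value"], f["file"])


def new_findings(current, baseline):
    """Findings in `current` whose key is absent from the baseline array."""
    seen = {finding_key(b) for b in baseline}
    return [f for f in current if finding_key(f) not in seen]


def emit_baseline(findings):
    """Serialise findings as the JSON array a later run would read back."""
    return json.dumps(findings, indent=2)


if __name__ == "__main__":
    rules = parse_rule_pack(RULES_TXT)
    found = scan(SOURCES, rules)
    for f in found:
        print(f"{f['file']}:{f['line']}:{f['column']} [{f['rule']}] {f['value']}")
    print("after --suppress example.com:", [f["rule"] for f in suppress(found, ["example.com"])])
    print("new vs baseline:", [f["rule"] for f in new_findings(found, BASELINE)])
```

Run stand-alone it reports both matches, shows that suppressing `example.com` also silences the `internal-host` hit on `api.corp.example.com`, and reports only `internal-host` as new because the `deploy-token` finding is already in the baseline despite having moved from line 7 to line 2.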