# Security Analysis

Drift tracks sensitive data flows through your codebase, helping you understand and secure data access patterns.

Drift's security analysis answers critical questions:

- Where is sensitive data accessed? Find all code that touches PII, credentials, and financial data.
- Who can reach sensitive data? Trace from entry points to data access.
- Are there boundary violations? Detect unauthorized data access.
- What's the attack surface? Map entry points to sensitive operations.
Drift automatically classifies data sensitivity:

| Classification | Examples | Risk Level |
|---|---|---|
| CRITICAL | Passwords, API keys, tokens, secrets | 🔴 Highest |
| SENSITIVE | SSN, credit cards, bank accounts | 🔴 High |
| PII | Email, phone, address, name, DOB | 🟡 Medium |
| INTERNAL | User IDs, internal flags | 🟢 Low |

Drift detects sensitive data by:

- Column/field names: `password`, `ssn`, `credit_card`, `api_key`
- Table names: `users`, `payments`, `credentials`
- Patterns: email regex, phone patterns, card numbers
- Annotations: `@sensitive`, `@pii`, custom markers
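The following is an added illustration of how the three detection signals above (names, value patterns, annotations) combine into the four classification levels. It is example code written for this page, not Drift's own classifier: the name fragment lists, the regexes and the Luhn check are constructed assumptions, and a real detector would also consult table names and ORM metadata.

```python
import re
from typing import Optional

# Constructed name fragments per level, most sensitive first so the first hit
# wins (a column called password_reset_email is CRITICAL, not PII).
NAME_RULES = [
    ("CRITICAL", ("password", "passwd", "secret", "api_key", "token", "private_key")),
    ("SENSITIVE", ("ssn", "credit_card", "card_number", "bank_account", "iban")),
    ("PII", ("email", "phone", "address", "first_name", "last_name", "date_of_birth")),
    ("INTERNAL", ("user_id", "is_admin", "feature_flag")),
]

# Constructed value patterns. A card number is only accepted when its Luhn
# checksum holds, so a random 16-digit identifier is not flagged as financial.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,13}\d$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")
ANNOTATION_RE = re.compile(r"@(sensitive|pii|critical)\b", re.IGNORECASE)
ANNOTATION_LEVEL = {"critical": "CRITICAL", "sensitive": "SENSITIVE", "pii": "PII"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_name(qualified: str) -> Optional[str]:
    """Classify 'table.column' (or a bare field name) by its name alone."""
    name = qualified.lower().rsplit(".", 1)[-1]
    for level, needles in NAME_RULES:
        if any(n in name for n in needles):
            return level
    return None


def classify_value(value: str) -> Optional[str]:
    """Classify a literal value (from a fixture, seed file or log line) by shape."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "PII"
    if CARD_RE.match(v) and luhn_ok(re.sub(r"[ -]", "", v)):
        return "SENSITIVE"
    if PHONE_RE.match(v):
        return "PII"
    return None


def classify_annotation(comment: str) -> Optional[str]:
    """Honour explicit markers such as '// @pii' or '@sensitive' in a docstring."""
    m = ANNOTATION_RE.search(comment)
    return ANNOTATION_LEVEL[m.group(1).lower()] if m else None


def classify(qualified: str, comment: str = "", sample: Optional[str] = None) -> Optional[str]:
    """Combine the three signals: an explicit annotation wins over the name
    heuristic, which wins over the value heuristic. None means unclassified."""
    for level in (
        classify_annotation(comment),
        classify_name(qualified),
        classify_value(sample) if sample is not None else None,
    ):
        if level:
            return level
    return None


if __name__ == "__main__":
    for field in ("users.password_hash", "users.email", "payments.card_number", "users.created_at"):
        print(f"{field}: {classify(field)}")
```

Precedence matters in practice: a developer's `@sensitive` marker should override a bland column name, and a name match should beat a value match because values are only ever a sample of what a column holds.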
Get an overview of your security posture:

```bash
drift callgraph status --security
```

Output:

```text
Security-Prioritized Data Access
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Summary:
  Total Access Points: 47
  🔴 Critical (P0/P1): 8
  🟡 High (P2): 12
  ⚪ Low (P3/P4): 27

Regulatory Implications:
  GDPR, PCI-DSS, HIPAA

🚨 Critical Security Items (P0/P1):

  P0 users.password_hash
     read password_hash
     src/auth/login.ts:45
     Credentials access - highest priority
     Regulations: PCI-DSS
  ...
```

The equivalent MCP tool call (`drift_security_summary`) takes:

```json
{
  "focus": "critical",
  "limit": 10
}
```

List every access to sensitive fields, grouped by category:

```bash
drift boundaries sensitive
```

Output:
```text
Sensitive Field Access
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CREDENTIALS (8):
  • users.password_hash
      src/auth/login.ts:56
      src/auth/register.ts:34
      src/services/user.ts:67

PII (68):
  • users.email
      src/services/user.ts:23
      src/api/users.ts:12
      src/notifications/email.ts:45
  • users.phone
      src/services/user.ts:23
      src/notifications/sms.ts:12

FINANCIAL (12):
  • payments.card_number
      src/services/payment.ts:34
      src/checkout/process.ts:56
```

```bash
# View specific table access
drift boundaries table users

# View all tables
drift boundaries tables
```

Trace which tables and sensitive fields a given location can reach:

```bash
drift callgraph reach src/api/users.ts:42
```

Output:
```text
Reachability Analysis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Origin: src/api/users.ts:42
Tables Reachable: users, payment_methods
Functions Traversed: 12
Max Depth: 10

⚠️ Sensitive Fields Accessible:
  • users.email (pii)
      2 access point(s), 3 path(s)
  • users.phone (pii)
      1 access point(s), 2 path(s)
  • payment_methods.card_last_four (financial)
      1 access point(s), 1 path(s)

Data Access Points:
  read users.email, phone
    Path: handleRequest → getUserProfile → fetchUser
  read payment_methods.card_last_four
    Path: handleRequest → getPaymentMethods → fetchPayments
```

Trace in the other direction, from a sensitive field back to the entry points that can reach it:

```bash
drift callgraph inverse users.password_hash
```

Output:
```text
Inverse Reachability
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Target: users.password_hash
Direct Accessors: 3
Entry Points That Can Reach: 4

Access Paths:
  login
    Path: login → verifyPassword
  register
    Path: register → hashPassword
  changePassword
    Path: changePassword → verifyPassword
  resetPassword
    Path: resetPassword → hashPassword
```
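To make the two reachability directions concrete, here is an added Python example (not Drift's implementation) over a constructed call graph and a constructed function-to-field access map that mirror the paths in the two outputs above. The graph, the access points, the entry-point set and the depth-limit semantics are all assumptions made for the example.

```python
from typing import Dict, List, Set

# Constructed call graph (caller -> callees) mirroring the paths shown above.
CALL_GRAPH: Dict[str, List[str]] = {
    "handleRequest": ["getUserProfile", "getPaymentMethods"],
    "getUserProfile": ["fetchUser"],
    "getPaymentMethods": ["fetchPayments"],
    "fetchUser": [],
    "fetchPayments": [],
    "login": ["verifyPassword"],
    "register": ["hashPassword"],
    "changePassword": ["verifyPassword"],
    "resetPassword": ["hashPassword"],
    "verifyPassword": [],
    "hashPassword": [],
}

# Constructed data access points: function -> [(operation, table.field, classification)].
DATA_ACCESS = {
    "fetchUser": [("read", "users.email", "pii"), ("read", "users.phone", "pii")],
    "fetchPayments": [("read", "payment_methods.card_last_four", "financial")],
    "verifyPassword": [("read", "users.password_hash", "credentials")],
    "hashPassword": [("write", "users.password_hash", "credentials")],
}

# Constructed set of request handlers that count as entry points.
ENTRY_POINTS: Set[str] = {"handleRequest", "login", "register", "changePassword", "resetPassword"}


def forward_reach(origin: str, max_depth: int = 10) -> Dict[str, dict]:
    """Forward reachability: walk every simple call path from `origin` (at most
    max_depth functions long) and record, per field, which functions touch it
    and via which paths. Returns {field: {classification, access_points, paths}}."""
    fields: Dict[str, dict] = {}

    def walk(node: str, path: List[str]) -> None:
        for _op, field, cls in DATA_ACCESS.get(node, []):
            hit = fields.setdefault(field, {"classification": cls, "access_points": set(), "paths": []})
            hit["access_points"].add(node)
            hit["paths"].append(" -> ".join(path))
        if len(path) > max_depth:
            return
        for callee in CALL_GRAPH.get(node, []):
            if callee not in path:  # skip cycles (recursion, mutual calls)
                walk(callee, path + [callee])

    walk(origin, [origin])
    return fields


def tables_reachable(origin: str, max_depth: int = 10) -> List[str]:
    """The 'Tables Reachable' line: distinct table names from forward reachability."""
    return sorted({field.split(".")[0] for field in forward_reach(origin, max_depth)})


def inverse_reach(target: str, max_depth: int = 10) -> dict:
    """Inverse reachability: from each function that directly accesses `target`,
    walk callers backwards until an entry point is found.
    Returns {"direct_accessors": [...], "entry_points": {entry: path}}."""
    callers: Dict[str, List[str]] = {}
    for caller, callees in CALL_GRAPH.items():
        for callee in callees:
            callers.setdefault(callee, []).append(caller)

    direct = [fn for fn, accesses in DATA_ACCESS.items() if any(f == target for _, f, _ in accesses)]
    entries: Dict[str, str] = {}

    def walk(node: str, path: List[str]) -> None:
        if node in ENTRY_POINTS:
            entries.setdefault(node, " -> ".join(reversed(path)))  # keep the first path found
        if len(path) > max_depth:
            return
        for caller in callers.get(node, []):
            if caller not in path:
                walk(caller, path + [caller])

    for fn in direct:
        walk(fn, [fn])
    return {"direct_accessors": direct, "entry_points": entries}


if __name__ == "__main__":
    for field, hit in forward_reach("handleRequest").items():
        print(f"{field} ({hit['classification']}): "
              f"{len(hit['access_points'])} access point(s), {len(hit['paths'])} path(s)")
    for entry, path in inverse_reach("users.password_hash")["entry_points"].items():
        print(f"{entry}\n  Path: {path}")
```

Forward reachability is the attack-surface question ("what can this handler touch?"), inverse reachability is the blast-radius question ("who can get at this field?"). The depth bound keeps the walk finite on large graphs, and the `callee not in path` check is what stops recursion from looping.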
Define rules for who can access what data:

```bash
drift boundaries init-rules
```

Creates `.drift/boundaries/rules.json`:
```json
{
  "rules": [
    {
      "id": "no-pii-in-logs",
      "description": "PII should not be logged",
      "deny": {
        "source": "src/logging/**",
        "access": ["*.email", "*.phone", "*.ssn", "*.address"]
      }
    },
    {
      "id": "passwords-auth-only",
      "description": "Password access restricted to auth module",
      "allow": {
        "access": ["users.password_hash"],
        "only": ["src/auth/**"]
      }
    },
    {
      "id": "financial-requires-audit",
      "description": "Financial data access must be audited",
      "require": {
        "access": ["payments.*", "transactions.*"],
        "pattern": "audit-logging"
      }
    }
  ]
}
```

Check the rules against the codebase:

```bash
drift boundaries check
```

Output:
```text
Boundary Violations
===================

✗ VIOLATION: no-pii-in-logs
  src/logging/request-logger.ts:34 accesses users.email
  Rule: PII should not be logged

✗ VIOLATION: passwords-auth-only
  src/admin/debug.ts:12 accesses users.password_hash
  Rule: Password access restricted to auth module

⚠️ WARNING: financial-requires-audit
  src/payments/refund.ts:45 accesses payments.* without audit logging
  Rule: Financial data access must be audited

3 violations, 1 warning
```
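As an added example of how the three rule kinds in `rules.json` (`deny`, `allow`/`only`, `require`) can be evaluated, here is a small Python checker written for this page; it is not Drift's engine. The glob dialect (`**` spans separators, `*` stays within one path or field segment), the shape of the scan records and the choice to report a missing required pattern as a warning rather than a violation are assumptions.

```python
import re
from typing import List, Tuple

# Constructed rules in the shape of .drift/boundaries/rules.json.
RULES = {
    "rules": [
        {"id": "no-pii-in-logs", "description": "PII should not be logged",
         "deny": {"source": "src/logging/**", "access": ["*.email", "*.phone", "*.ssn", "*.address"]}},
        {"id": "passwords-auth-only", "description": "Password access restricted to auth module",
         "allow": {"access": ["users.password_hash"], "only": ["src/auth/**"]}},
        {"id": "financial-requires-audit", "description": "Financial data access must be audited",
         "require": {"access": ["payments.*", "transactions.*"], "pattern": "audit-logging"}},
    ]
}

# Constructed scan records: where a field is accessed and which patterns the
# accessing function exhibits (e.g. a detected audit-logging call).
ACCESSES = [
    {"file": "src/logging/request-logger.ts", "line": 34, "field": "users.email", "patterns": set()},
    {"file": "src/admin/debug.ts", "line": 12, "field": "users.password_hash", "patterns": set()},
    {"file": "src/auth/login.ts", "line": 45, "field": "users.password_hash", "patterns": set()},
    {"file": "src/payments/refund.ts", "line": 45, "field": "payments.refunds", "patterns": set()},
    {"file": "src/payments/charge.ts", "line": 10, "field": "payments.card_number", "patterns": {"audit-logging"}},
]


def glob_to_regex(pattern: str, sep: str) -> "re.Pattern[str]":
    """Assumed glob dialect: '**' matches across separators, '*' within one
    segment. sep is '/' for file globs and '.' for table.field globs."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^%s]*" % re.escape(sep))
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def _any_match(patterns: List[str], value: str, sep: str) -> bool:
    return any(glob_to_regex(p, sep).match(value) for p in patterns)


def check_boundaries(rules: dict, accesses: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Evaluate deny / allow-only / require rules over scan records.
    Returns (violations, warnings)."""
    violations, warnings = [], []
    for rule in rules["rules"]:
        for a in accesses:
            finding = {"rule": rule["id"], "description": rule["description"],
                       "location": f"{a['file']}:{a['line']}", "field": a["field"]}
            if "deny" in rule:
                d = rule["deny"]
                # deny: the access is forbidden when both source and field match
                if _any_match([d["source"]], a["file"], "/") and _any_match(d["access"], a["field"], "."):
                    violations.append(finding)
            elif "allow" in rule:
                al = rule["allow"]
                # allow/only: a matching field may be touched only from the listed paths
                if _any_match(al["access"], a["field"], ".") and not _any_match(al["only"], a["file"], "/"):
                    violations.append(finding)
            elif "require" in rule:
                rq = rule["require"]
                # require: a matching field must be accessed alongside the named pattern
                if _any_match(rq["access"], a["field"], ".") and rq["pattern"] not in a["patterns"]:
                    warnings.append(finding)
    return violations, warnings


def format_report(violations: List[dict], warnings: List[dict]) -> str:
    lines = ["Boundary Violations", "==================="]
    for v in violations:
        lines += [f"VIOLATION: {v['rule']}", f"  {v['location']} accesses {v['field']}",
                  f"  Rule: {v['description']}"]
    for w in warnings:
        lines += [f"WARNING: {w['rule']}", f"  {w['location']} accesses {w['field']} without required pattern",
                  f"  Rule: {w['description']}"]
    lines.append(f"{len(violations)} violations, {len(warnings)} warning(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*check_boundaries(RULES, ACCESSES)))
```

Keeping file globs and field globs on different separators is the detail that matters: with a single matcher, `payments.*` would happily match `payments.card.last_four` and `src/auth/*` would match files in nested directories, widening both the allow list and the deny list in ways the rule author did not intend.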
Drift detects security-related patterns in your code:

```bash
drift patterns list --category auth
```

Detected patterns:

- JWT token verification
- Session management
- OAuth flows
- API key validation
- Rate limiting

```bash
drift patterns list --category security
```

Detected patterns:

- Input sanitization
- SQL injection prevention
- XSS prevention
- CSRF protection
- Request validation

Find error-handling gaps that expose sensitive information:

```bash
drift error-handling gaps --security
```

Finds:

- Sensitive data in error messages
- Stack traces exposed to users
- Missing error handling on auth paths

Run the security quality gate:

```bash
drift gate --gates security-boundary
```

Checks:

- No new boundary violations
- No unauthenticated access to sensitive data
- No sensitive data in logs
- Audit logging on financial operations
Run these checks on every pull request with a GitHub Actions workflow:

```yaml
name: Security Check
on: [pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Drift
        run: npm install -g driftdetect
      - name: Scan
        run: drift scan
      - name: Security Check
        run: drift boundaries check --ci
      - name: Quality Gate
        run: drift gate --gates security-boundary --format github
```

The same analyses are exposed to AI agents as MCP tools. Get security overview:
```jsonc
{
  "focus": "critical", // all, critical, data-access, auth
  "limit": 10
}
```

Trace sensitive data:

```json
{
  "direction": "inverse",
  "target": "users.password_hash",
  "sensitiveOnly": true,
  "maxDepth": 10
}
```

Check boundaries:

```json
{
  "action": "check",
  "file": "src/api/users.ts"
}
```

Create boundary rules before issues arise:
```bash
drift boundaries init-rules
# Edit .drift/boundaries/rules.json
drift boundaries check
```

Weekly security review:

```bash
drift boundaries sensitive --level critical
drift boundaries check
```

Before deploying new endpoints:

```bash
# Check what sensitive data the new code can access
drift callgraph reach src/api/new-endpoint.ts --sensitive-only
```

Block PRs that violate boundaries:

```bash
drift gate --gates security-boundary --fail-on warning
```

Ask your AI agent:

"Review this endpoint for security issues using Drift"

The AI will call `drift_security_summary` and `drift_reachability` to analyze the code.
Drift may not recognize custom sensitive fields. Add them to the config:

```jsonc
// .drift/config.json
{
  "security": {
    "sensitivePatterns": [
      "custom_secret_field",
      "*_token",
      "*_key"
    ]
  }
}
```

Adjust sensitivity or add exceptions:

```jsonc
// .drift/boundaries/rules.json
{
  "exceptions": [
    {
      "file": "src/tests/**",
      "reason": "Test files can access any data"
    }
  ]
}
```

Some ORMs or custom data access may not be detected. Check:

```bash
drift parser --test
drift boundaries tables
```

If tables are missing, Drift may need framework-specific detection for your ORM.