Note: This is a v0 release, API may change.
A tool to analyze ELF binaries for security hardening features.
Supports binaries compiled with gcc, clang, and rustc stable and nightly.
Nightly support is limited to rules where unstable flags work without rebuilding the standard library (-Z build-std).
Based on recommendations from:
go install go.kacmar.sk/crack/cmd/crack@latestOr download pre-built binaries from releases.
crack analyze [options] [<path>...]<path>...- Files or directories to analyze (glob patterns must be expanded by the shell)--recursive- Recursively scan directories--input <file>- Read paths from file, one per line (use-for stdin)--parallel <n>- Number of files to analyze in parallel (default: number of CPUs)
See rules reference for all available rules.
--rules <ids>- Comma-separated list of rule IDs to run--target-compiler <spec>- Only run rules available for these compilers (e.g.,gcc,clang:15)--target-platform <spec>- Only run rules available for these platforms (e.g.,arm64,amd64)
When --rules is not specified, crack runs the following default set:
aslrfortify-sourcefull-relrono-insecure-rpathno-insecure-runpathnx-bitpierelroseparate-codestack-canary
The --target-compiler and --target-platform flags filter which rules are loaded based on their applicability.
At runtime, the tool also detects the actual compiler from binary metadata and skips rules that don't apply to the detected compiler.
For stripped binaries where detection fails, all loaded rules run.
--include-passed- Include passing checks in output--include-skipped- Include skipped checks in output--sarif <file>- Save detailed SARIF report to file--aggregate- Aggregate findings into actionable recommendations--exit-zero- Exit with 0 even when findings are detected
The --include-passed and --include-skipped flags affect both text and SARIF output.
For programmatic access to results, use SARIF output (--sarif). SARIF (Static Analysis Results Interchange Format) is a standardized JSON format. We support SARIF version 2.1.0.
--log <file>- Write logs to file--log-level <level>- Log level:none,debug,info,warn,error
Fetch debug symbols from debuginfod servers.
--debuginfod- Enable debuginfod integration--debuginfod-servers <urls>- Comma-separated server URLs--debuginfod-cache <dir>- Cache directory for downloaded symbols--debuginfod-timeout <duration>- HTTP timeout--debuginfod-retries <n>- Max retries per server--debuginfod-max-size <bytes>- Max debug file size per download
Debug builds (make build) include --cpuprofile and --memprofile flags for the analyze command. These flags are not available in release binaries.
If you experience performance issues, please build from source with make build and attach CPU/memory profiles to your issue. Profiles are written in pprof format and can be analyzed with go tool pprof <file>.
0- Success (no findings, or--exit-zerospecified)1- Error (invalid arguments, file errors, etc.)2- Findings detected
The public packages can be used as a library. See API documentation for details on parsing binaries, running rules, writing custom rules, and custom compiler detection.
MIT License - see LICENSE for details.