Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

eslint-plugin-security-rules

Package Overview
Dependencies
Maintainers
2
Versions
26
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

eslint-plugin-security-rules

ESLint security rules to help harden your project as early as possible.

  • 0.8.0
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
7.1K
increased by1.59%
Maintainers
2
Weekly downloads
 
Created
Source

ESLint Plugin Security Rules

ESLint security rules to help harden your project as early as possible.

NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.

Installation

  • Requires Node.js >=14
  • Requires ESLint >=8
yarn add --dev eslint-plugin-security-rules

Usage

To include the recommended eslint-plugin-security-rules to your ruleset add the following to your .eslintrc configuration:

{
  "extends": [
    "plugin:security-rules/recommended"
  ],
  // Please include the environments that you use when using this plugin. Doing
  // so will enhance the tracing algorithm greatly.
  "env": { 
    "node": true,
    "browser": true,
    "es6": true
  },
  "overrides": [
    {
      "files": ["*.ts", "*.tsx"],
      "extends": ["plugin:@typescript-eslint/recommended"],
      // If you would like to improve the accuracy of the tracing algorithm
      // when using typescript, then please include the "project" configuration
      // for the @typescript-eslint/parser.
      // See more at 
      // https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject
      "parserOptions": {
        "project": ["./tsconfig.json"]
      }
    },
  ]
}

Rules

eslint-plugin-security-rules comes with several rulesets, scoped to the environment that they target, allowing you to only enable rules relevant to your project.

  • 'plugin:security-rules/recommended': recommended security rules, including all available rules that you can drop in without any additional configuration.
  • 'plugin:security-rules/node': rules related to vulnerabilities occuring in code that is intended to be executed in a NodeJS environment.
  • 'plugin:security-rules/browser': rules related to vulnerabilities occuring in code that is intended to be executed in a browser.
  • 'plugin:security-rules/universal': rules related to vulnerabilities that may occur regardless of which environment the code is being run.
  • 'plugin:security-rules/package': rules related to ensure safe usage of dependencies by scanning package.json-files.
  • 'plugin:security-rules/react': security related rules targeting code using the react package.
  • 'plugin:security-rules/pg': security related rules targeting code using the pg (postgres) package.
  • 'plugin:security-rules/mysql': security related rules targeting code using the mysql package.

Key:

  • ✅ = recommended,
  • 🔧 = fixable with suggestion,
  • 💭 = enchaned with TypeScript type information,
  • 🌩 = requires TypeScript type information

Browser

NameDescription🔧💭🌩
security-rules/browser/no-xssDetects DOM-based XSS vulnerabilities in browser sinks🔧💭

Node

NameDescription🔧💭🌩
security-rules/node/no-unsafe-pathAvoids usage of unsafe paths when interacting with the file-system using "fs"🔧💭
security-rules/node/no-insecure-ciphersDetects unsafe ciphers algorithms that should not be used🔧💭

Universal

NameDescription🔧💭🌩
security-rules/universal/no-hardcoded-credentialsDetects hardcoded secrets in a file
security-rules/universal/no-vulnerable-dependenciesDetermines if import statements exist in a vulnerable version

Package.json

NameDescription🔧💭🌩
security-rules/package/no-vulnerable-dependenciesDetermines if any of the projects installed dependencies exist in a vulnerable version🔧

Package specific rulesets

The following ruleset are related to specific popular packages, scanning for vulnerable usages in these.

React
NameDescription🔧💭🌩
security-rules/react/no-xssDetects DOM-based XSS vulnerabilities introduced in JSX🔧💭
Postgres (pg)
NameDescription🔧💭🌩
security-rules/pg/no-sql-injectionsDetects queries vulnerable to SQL Injections🔧💭
security-rules/pg/no-hardcoded-credentialsDetects hardcoded secrets in a file💭
MySQL
NameDescription🔧💭🌩
security-rules/mysql/no-sql-injectionsDetects queries vulnerable to SQL Injections🔧💭
security-rules/mysql/no-hardcoded-credentialsDetects hardcoded secrets in a file💭

Keywords

FAQs

Package last updated on 23 May 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc