ESLint Plugin Security Rules
ESLint security rules to help harden your project as early as possible.
NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.
Installation
- Requires Node.js
>=14
- Requires ESLint
>=8
yarn add --dev eslint-plugin-security-rules
Usage
To include the recommended eslint-plugin-security-rules
to your ruleset add the following to your .eslintrc
configuration:
{
"extends": [
"plugin:security-rules/recommended"
],
// Please include the environments that you use when using this plugin. Doing
// so will enhance the tracing algorithm greatly.
"env": {
"node": true,
"browser": true,
"es6": true
},
"overrides": [
{
"files": ["*.ts", "*.tsx"],
"extends": ["plugin:@typescript-eslint/recommended"],
// If you would like to improve the accuracy of the tracing algorithm
// when using typescript, then please include the "project" configuration
// for the @typescript-eslint/parser.
// See more at
// https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject
"parserOptions": {
"project": ["./tsconfig.json"]
}
},
]
}
Rules
eslint-plugin-security-rules
comes with several rulesets, scoped to the environment that they target, allowing you to only enable rules relevant to your project.
'plugin:security-rules/recommended'
: recommended security rules, including all available rules that you can drop in without any additional configuration.'plugin:security-rules/node'
: rules related to vulnerabilities occuring in code that is intended to be executed in a NodeJS environment.'plugin:security-rules/browser'
: rules related to vulnerabilities occuring in code that is intended to be executed in a browser.'plugin:security-rules/universal'
: rules related to vulnerabilities that may occur regardless of which environment the code is being run.'plugin:security-rules/package'
: rules related to ensure safe usage of dependencies by scanning package.json
-files.'plugin:security-rules/react'
: security related rules targeting code using the react
package.'plugin:security-rules/pg'
: security related rules targeting code using the pg
(postgres) package.'plugin:security-rules/mysql'
: security related rules targeting code using the mysql
package.
Key:
- ✅ = recommended,
- 🔧 = fixable with suggestion,
- 💭 = enchaned with TypeScript type information,
- 🌩 = requires TypeScript type information
Browser
Node
Universal
Package.json
Package specific rulesets
The following ruleset are related to specific popular packages, scanning for vulnerable usages in these.
React
Postgres (pg)
MySQL