njsscan is a SAST tool that can find insecure code patterns in your Node.js applications.
njsscan is a static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.
Made with 
in India
OpSecX Node.js Security: Pentesting and Exploitation - NJS
pip install njsscan
Requires Python 3.7+ and supports only Mac and Linux
$ njsscan
usage: njsscan [-h] [--json] [--sarif] [--sonarqube] [--html] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]
positional arguments:
path Path can be file(s) or directories with source code
optional arguments:
-h, --help show this help message and exit
--json set output format as JSON
--sarif set output format as SARIF 2.1.0
--sonarqube set output format compatible with SonarQube
--html set output format as HTML
-o OUTPUT, --output OUTPUT
output filename to save the result
-c CONFIG, --config CONFIG
Location to .njsscan config file
--missing-controls enable missing security controls check
-w, --exit-warning non zero exit code on warning
-v, --version show njsscan version
$ njsscan test.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ███████████████████████████ 160
njsscan: v0.1.9 | Ajin Abraham | opensecurity.in
╒═════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ express_xss │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP │ A1: Injection │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═══════════════════════════════════════════════╕ │
│ │ │ File │ test.js │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match Position │ 5 - 46 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 7: 8 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match String │ const { name } = req.query; │ │
│ │ │ │ res.send('<h1> Hello :' + name + "</h1>") │ │
│ │ ╘════════════════╧═══════════════════════════════════════════════╛ │
╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛
nodejsscan, built on top of njsscan provides a full fledged vulnerability management user interface along with other nifty integrations.
See nodejsscan
>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
'templates': {},
'nodejs': {
'node_sqli_injection': {
'files': [{
'file_path': '/node_source/true_positives/sqli_node.js',
'match_position': (1, 24),
'match_lines': (4, 11),
'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n if (error) {\n\n throw error;\n\n }\n\n console.log(results);'
}],
'metadata': {
'owasp': 'A1: Injection',
'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
'severity': 'ERROR'
}
}
},
'errors': []
}
A .njsscan file in the root of the source code directory allows you to configure njsscan. You can also use a custom .njsscan file using --config argument.
---
- nodejs-extensions:
- .js
template-extensions:
- .new
- .hbs
- ''
ignore-filenames:
- skip.js
ignore-paths:
- __MACOSX
- skip_dir
- node_modules
ignore-extensions:
- .jsx
ignore-rules:
- regex_injection_dos
- pug_jade_template
severity-filter:
- WARNING
- ERROR
You can suppress findings from javascript source files by adding the comment // njsscan-ignore: rule_id1, rule_id2 to the line that trigger the findings.
Example:
app.get('/some/redirect', function (req, res) {
var target = req.param("target");
res.redirect(target); // njsscan-ignore: express_open_redirect
});
You can enable njsscan in your CI/CD or DevSecOps pipelines.
Add the following to the file .github/workflows/njsscan.yml.
name: njsscan
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan check
steps:
- name: Checkout the code
uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: '.'
Example: dvna with njsscan github action
Add the following to the file .github/workflows/njsscan_sarif.yml.
name: njsscan sarif
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Add the following to the file .gitlab-ci.yml.
stages:
- test
njsscan:
image: python
before_script:
- pip3 install --upgrade njsscan
script:
- njsscan .
Example: dvna with njsscan gitlab
Add the following to the file .travis.yml.
language: python
install:
- pip3 install --upgrade njsscan
script:
- njsscan .
Add the following to the file .circleci/config.yaml
version: 2.1
jobs:
njsscan:
docker:
- image: cimg/python:3.9.6
steps:
- checkout
- run:
name: Install njsscan
command: pip install --upgrade njsscan
- run:
name: njsscan check
command: njsscan .
docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src
docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src
FAQs
njsscan is a SAST tool that can find insecure code patterns in your Node.js applications.
We found that njsscan demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.