Gathering detailed insights and metrics for eslint-plugin-security-rules
Gathering detailed insights and metrics for eslint-plugin-security-rules
Installations
npm install eslint-plugin-security-rulesScore
61.2
Supply Chain
93.5
Quality
74
Maintenance
50
Vulnerability
96.4
License
Releases
Unable to fetch releases
Developer
lasselupe33
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
Typescript Support
No
Node Version
18.2.0
NPM Version
8.9.0
Statistics
7 Stars
471 Commits
3 Watching
1 Branches
2 Contributors
Updated on 28 Jul 2023
Bundle Size
493.02 kB
Minified
119.37 kB
Minified + Gzipped
Languages
TypeScript (99.96%)
Shell (0.04%)
Total Downloads
Cumulative downloads
Total Downloads
229,675
Last day
-54%
529
Compared to previous day
Last week
-39.1%
3,691
Compared to previous week
Last month
4.1%
27,174
Compared to previous month
Last year
16,228.9%
226,318
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
8
Peer Dependencies
1
Dev Dependencies
24
@commitlint/cli@commitlint/config-conventional@swc-node/jest@types/eslint@types/fs-extra@types/jest@types/node@types/semver@types/react@typescript-eslint/eslint-plugin@typescript-eslint/parser@typescript-eslint/scope-managereslinteslint-config-prettiereslint-plugin-comment-lengtheslint-plugin-importeslint-plugin-prettiereslint-plugin-security-ruleshuskyjestlint-stagedprettiertsc-filestypescript
Versions
ESLint Plugin Security Rules
ESLint security rules to help harden your project as early as possible.
NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.
Installation
- Requires Node.js
>=14 - Requires ESLint
>=8
1yarn add --dev eslint-plugin-security-rules
Usage
To include the recommended eslint-plugin-security-rules to your ruleset add the following to your .eslintrc configuration:
1{ 2 "extends": [ 3 "plugin:security-rules/recommended" 4 ], 5 // Please include the environments that you use when using this plugin. Doing 6 // so will enhance the tracing algorithm greatly. 7 "env": { 8 "node": true, 9 "browser": true, 10 "es6": true 11 }, 12 "overrides": [ 13 { 14 "files": ["*.ts", "*.tsx"], 15 "extends": ["plugin:@typescript-eslint/recommended"], 16 // If you would like to improve the accuracy of the tracing algorithm 17 // when using typescript, then please include the "project" configuration 18 // for the @typescript-eslint/parser. 19 // See more at 20 // https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject 21 "parserOptions": { 22 "project": ["./tsconfig.json"] 23 } 24 }, 25 ] 26}
Rules
eslint-plugin-security-rules comes with several rulesets, scoped to the environment that they target, allowing you to only enable rules relevant to your project.
'plugin:security-rules/recommended': recommended security rules, including all available rules that you can drop in without any additional configuration.'plugin:security-rules/node': rules related to vulnerabilities occuring in code that is intended to be executed in a NodeJS environment.'plugin:security-rules/browser': rules related to vulnerabilities occuring in code that is intended to be executed in a browser.'plugin:security-rules/universal': rules related to vulnerabilities that may occur regardless of which environment the code is being run.'plugin:security-rules/package': rules related to ensure safe usage of dependencies by scanningpackage.json-files.'plugin:security-rules/react': security related rules targeting code using thereactpackage.'plugin:security-rules/pg': security related rules targeting code using thepg(postgres) package.'plugin:security-rules/mysql': security related rules targeting code using themysqlpackage.
Key:
- ✅ = recommended,
- 🔧 = fixable with suggestion,
- 💭 = enchaned with TypeScript type information,
- 🌩 = requires TypeScript type information
Browser
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/browser/no-xss | Detects DOM-based XSS vulnerabilities in browser sinks | ✅ | 🔧 | 💭 |
Node
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/node/no-unsafe-path | Avoids usage of unsafe paths when interacting with the file-system using "fs" | ✅ | 🔧 | 💭 | |
| security-rules/node/no-insecure-ciphers | Detects unsafe ciphers algorithms that should not be used | ✅ | 🔧 | 💭 |
Universal
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/universal/no-hardcoded-credentials | Detects hardcoded secrets in a file | ||||
| security-rules/universal/no-vulnerable-dependencies | Determines if import statements exist in a vulnerable version | ✅ |
Package.json
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/package/no-vulnerable-dependencies | Determines if any of the projects installed dependencies exist in a vulnerable version | ✅ | 🔧 |
Package specific rulesets
The following ruleset are related to specific popular packages, scanning for vulnerable usages in these.
React
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/react/no-xss | Detects DOM-based XSS vulnerabilities introduced in JSX | ✅ | 🔧 | 💭 |
Postgres (pg)
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/pg/no-sql-injections | Detects queries vulnerable to SQL Injections | ✅ | 🔧 | 💭 | |
| security-rules/pg/no-hardcoded-credentials | Detects hardcoded secrets in a file | ✅ | 💭 |
MySQL
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/mysql/no-sql-injections | Detects queries vulnerable to SQL Injections | ✅ | 🔧 | 💭 | |
| security-rules/mysql/no-hardcoded-credentials | Detects hardcoded secrets in a file | ✅ | 💭 |
No vulnerabilities found.
No security vulnerabilities found.