Gathering detailed insights and metrics for eslint-plugin-security-rules
Gathering detailed insights and metrics for eslint-plugin-security-rules
Installations
npm install eslint-plugin-security-rulesDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
18.2.0
NPM Version
8.9.0
Releases
Unable to fetch releases
Languages
2
TypeScript
Shell
TypeScript (99.96%)
Shell (0.04%)
Developer
lasselupe33
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
7 Stars
471 Commits
1 Forks
3 Watchers
1 Branches
2 Contributors
Updated on Jul 28, 2023
Maintainers
2
Package Meta Information
Latest Version
0.8.0
Package Id
eslint-plugin-security-rules@0.8.0
Unpacked Size
687.16 kB
Size
136.09 kB
File Count
687
NPM Version
8.9.0
Node Version
18.2.0
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
8
Peer Dependencies
1
Dev Dependencies
24
@commitlint/cli@commitlint/config-conventional@swc-node/jest@types/eslint@types/fs-extra@types/jest@types/node@types/semver@types/react@typescript-eslint/eslint-plugin@typescript-eslint/parser@typescript-eslint/scope-managereslinteslint-config-prettiereslint-plugin-comment-lengtheslint-plugin-importeslint-plugin-prettiereslint-plugin-security-ruleshuskyjestlint-stagedprettiertsc-filestypescript
ESLint Plugin Security Rules
ESLint security rules to help harden your project as early as possible.
NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.
Installation
- Requires Node.js
>=14 - Requires ESLint
>=8
1yarn add --dev eslint-plugin-security-rules
Usage
To include the recommended eslint-plugin-security-rules to your ruleset add the following to your .eslintrc configuration:
1{ 2 "extends": [ 3 "plugin:security-rules/recommended" 4 ], 5 // Please include the environments that you use when using this plugin. Doing 6 // so will enhance the tracing algorithm greatly. 7 "env": { 8 "node": true, 9 "browser": true, 10 "es6": true 11 }, 12 "overrides": [ 13 { 14 "files": ["*.ts", "*.tsx"], 15 "extends": ["plugin:@typescript-eslint/recommended"], 16 // If you would like to improve the accuracy of the tracing algorithm 17 // when using typescript, then please include the "project" configuration 18 // for the @typescript-eslint/parser. 19 // See more at 20 // https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject 21 "parserOptions": { 22 "project": ["./tsconfig.json"] 23 } 24 }, 25 ] 26}
Rules
eslint-plugin-security-rules comes with several rulesets, scoped to the environment that they target, allowing you to only enable rules relevant to your project.
'plugin:security-rules/recommended': recommended security rules, including all available rules that you can drop in without any additional configuration.'plugin:security-rules/node': rules related to vulnerabilities occuring in code that is intended to be executed in a NodeJS environment.'plugin:security-rules/browser': rules related to vulnerabilities occuring in code that is intended to be executed in a browser.'plugin:security-rules/universal': rules related to vulnerabilities that may occur regardless of which environment the code is being run.'plugin:security-rules/package': rules related to ensure safe usage of dependencies by scanningpackage.json-files.'plugin:security-rules/react': security related rules targeting code using thereactpackage.'plugin:security-rules/pg': security related rules targeting code using thepg(postgres) package.'plugin:security-rules/mysql': security related rules targeting code using themysqlpackage.
Key:
- ✅ = recommended,
- 🔧 = fixable with suggestion,
- 💭 = enchaned with TypeScript type information,
- 🌩 = requires TypeScript type information
Browser
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/browser/no-xss | Detects DOM-based XSS vulnerabilities in browser sinks | ✅ | 🔧 | 💭 |
Node
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/node/no-unsafe-path | Avoids usage of unsafe paths when interacting with the file-system using "fs" | ✅ | 🔧 | 💭 | |
| security-rules/node/no-insecure-ciphers | Detects unsafe ciphers algorithms that should not be used | ✅ | 🔧 | 💭 |
Universal
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/universal/no-hardcoded-credentials | Detects hardcoded secrets in a file | ||||
| security-rules/universal/no-vulnerable-dependencies | Determines if import statements exist in a vulnerable version | ✅ |
Package.json
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/package/no-vulnerable-dependencies | Determines if any of the projects installed dependencies exist in a vulnerable version | ✅ | 🔧 |
Package specific rulesets
The following ruleset are related to specific popular packages, scanning for vulnerable usages in these.
React
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/react/no-xss | Detects DOM-based XSS vulnerabilities introduced in JSX | ✅ | 🔧 | 💭 |
Postgres (pg)
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/pg/no-sql-injections | Detects queries vulnerable to SQL Injections | ✅ | 🔧 | 💭 | |
| security-rules/pg/no-hardcoded-credentials | Detects hardcoded secrets in a file | ✅ | 💭 |
MySQL
| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|---|---|---|---|---|---|
| security-rules/mysql/no-sql-injections | Detects queries vulnerable to SQL Injections | ✅ | 🔧 | 💭 | |
| security-rules/mysql/no-hardcoded-credentials | Detects hardcoded secrets in a file | ✅ | 💭 |
No vulnerabilities found.
No security vulnerabilities found.