Installations

npm install gulp-mraudit

Developer Guide

BETA

Typescript

No

Module System

CommonJS

Node Version

4.4.5

NPM Version

2.15.5 Pull Requests

Open

0

Total

1

Closed

0

Merged

1

Issues

Open

0

Total

0

Closed

0

Releases

Unable to fetch releases

Languages

1

JavaScript

JavaScript (100%)

Developer

lirantal

Download Statistics

Total Downloads

0

Last Day

0

Last Week

0

Last Month

0

Last Year

0

GitHub Statistics

MIT License

6 Stars

35 Commits

2 Watchers

1 Branches

1 Contributors

Updated on Feb 14, 2023

Maintainers

1

View All 1 Contributors

Package Meta Information

Latest Version

1.0.1

Package Id

gulp-mraudit@1.0.1

Size

9.18 kB

NPM Version

2.15.5

Node Version

4.4.5

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

0%

NaN

Compared to previous day

Last Week

0%

NaN

Compared to previous week

Last Month

0%

NaN

Compared to previous month

Last Year

0%

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

4

gulp-util mocha should through2

Dev Dependencies

4

eslint eslint-config-standard eslint-plugin-standard gulp-util

Mr. Audit validates secure code guidelines and security best practices for JavaScript projects.

About

gulp-mraudit is a gulp plugin that ties into the build process and will scan specified JavaScript files to ensure that they conform with security best practices.

This gulp plugin extends gulp-contains for searching specific strings in files.

Example

Add to your Gulpfile a task called securecode that ensures there is no use of insecure functions like eval or child_process.exec in your source code:

1gulp.task('securecode', function() {
2  var options = {
3    errList: {
4      search: [
5        'eval('
6      ],
7      onFound: function (string, file) { 
8        var error = 'Error: found an occurrence of the code: "' + string;
9        console.log(error);
10      }
11    }
12  };
13  gulp.src('gulpfile.js').pipe(mraudit(options));
14});

Then run the task as part of your build process to enforce it:

1$ gulp securecode
2
3lirantal:~/workspace (master) $ gulp securecode
4[07:10:58] Using gulpfile ~/workspace/gulpfile.js
5[07:10:58] Starting 'securecode'...
6[07:10:58] Finished 'securecode' after 12 ms
7
8events.js:141
9      throw er; // Unhandled 'error' event
10      ^
11Error: Your file contains "eval(", it should not.

Gulp Example

The project itself includes a gulpfile.js in the root directory as an example of an operational Gulpfile.

Install

1npm install gulp-mraudit --save

Configuration

The plugin expects to receive an object with two properties: warnList and an errList. This granularity is provided so that project owners can provide callbacks, and warnings when a match is found in the file for any string in the warnList, and can entirely break the build if the errList is matched.

Simple object example:

1var options = {
2  warnList: {
3    search: [
4      ' req.body.'
5    ]
6  },
7  errList: {
8    search: [
9      'eval(',
10      'child_process.exec(',
11      'setTimeout(',
12      'setInterval('
13    ]
14  }
15};

It is also possible to provide an onFound property for each of the errList and warnList properties so that you can completely customize any kind of callback function trigger that happens when a match is found in either case.

Security Best Practices

Out of the box Mr Audit is configured to assert the following list of security best practices:

Option	Description
`req.body.`	Potential noSQ injection with directly using parsed JSON objects in ExpressJS's `req.body`. This warning can be wavered if the object being accessed was already sanitized and filtered before. Or if ExpressJS does not use the `bodyParser` middleware for `json` or `urlencoded` options.
`child_process.exec(`	Potential OS command injection due to the use of directly calling a command line option with `.exec` where the first argument is the name of a command, which could potentially be originated from user manipulated input.
`eval(`	Interpreting JavaScript code in real-time on potential user manipulated input could result in malicious JavaScript code executed in the context of the application and complete access to the user's browser.
`setTimeout(`, `setInterval(`	Both of these functions can result in malicious JavaScript injection similar to how `eval(` is dangerous to use.

Author

Liran Tal liran.tal@gmail.com

No vulnerabilities found.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

10

License

Determines if the project has defined a license.

0

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

0

SAST

Determines if the project uses static code analysis.

Score

3

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More