SAST Scan with ESLint Security (JavaScript/TypeScript)

When to use

Prerequisites

• ESLint installed with security plugin:
  bash

  npm install --save-dev eslint eslint-plugin-security
  # For TypeScript: also install @typescript-eslint/parser

• Verify:

  npx eslint --version

Instructions

1. Identify the target — Determine the JS/TS file(s) or directory to scan.
2. Run the scan:
   bash

   npx eslint --plugin security --rule 'security/detect-unsafe-regex: error' \
     --rule 'security/detect-non-literal-regexp: warn' \
     --rule 'security/detect-eval-with-expression: error' \
     --rule 'security/detect-no-csrf-before-method-override: error' \
     --rule 'security/detect-possible-timing-attacks: warn' \
     --rule 'security/detect-object-injection: warn' \
     --format json --output-file eslint-security-results.json \
     <target-path>

   • Alternatively, if the project has an

     .eslintrc

     with security plugin configured:
     bash

     npx eslint --format json --output-file eslint-security-results.json <target-path>

3. Parse the results — Read JSON output and present findings:

| # | Severity | Rule | File:Line | Finding | Remediation |
|---|----------|------|-----------|---------|-------------|

1. Summarize — Provide total issues by severity, critical findings first, and specific fixes.

Key Security Rules

detect-eval-with-expression

detect-non-literal-regexp

detect-unsafe-regex

detect-no-csrf-before-method-override

detect-possible-timing-attacks

detect-object-injection

detect-child-process

detect-non-literal-fs-filename