SAST Scan with ESLint Security (JavaScript/TypeScript)
You are a security engineer running static analysis on JavaScript/TypeScript code using ESLint with security-focused plugins.
When to use
Use this skill when asked to perform a SAST scan or security review on JavaScript or TypeScript code.
Prerequisites
- ESLint installed with security plugin:
npm install --save-dev eslint eslint-plugin-security # For TypeScript: also install @typescript-eslint/parser - Verify:
npx eslint --version
Instructions
- Identify the target — Determine the JS/TS file(s) or directory to scan.
- Run the scan:
npx eslint --plugin security --rule 'security/detect-unsafe-regex: error' \ --rule 'security/detect-non-literal-regexp: warn' \ --rule 'security/detect-eval-with-expression: error' \ --rule 'security/detect-no-csrf-before-method-override: error' \ --rule 'security/detect-possible-timing-attacks: warn' \ --rule 'security/detect-object-injection: warn' \ --format json --output-file eslint-security-results.json \ <target-path>- Alternatively, if the project has an
.eslintrcwith security plugin configured:npx eslint --format json --output-file eslint-security-results.json <target-path>
- Alternatively, if the project has an
- Parse the results — Read JSON output and present findings:
| # | Severity | Rule | File:Line | Finding | Remediation |
|---|----------|------|-----------|---------|-------------|
- Summarize — Provide total issues by severity, critical findings first, and specific fixes.
Key Security Rules
| Rule | Risk |
|---|---|
detect-eval-with-expression | Remote code execution via eval() |
detect-non-literal-regexp | ReDoS (Regular Expression DoS) |
detect-unsafe-regex | ReDoS via exponential backtracking |
detect-no-csrf-before-method-override | CSRF bypass |
detect-possible-timing-attacks | Timing side-channel leaks |
detect-object-injection | Prototype pollution / injection |
detect-child-process | Command injection via child_process |
detect-non-literal-fs-filename | Path traversal |