ESLint Interlace
Plugin: node-security

Rules

All ESLint security rules provided by eslint-plugin-node-security

33 Security Rules

Comprehensive coverage of Node.js built-in module security including fs, child_process, vm, and crypto.

All Rules

Legend: 🟢 Type-unaware · 🧠 Type-aware · 💼 Recommended · 🔧 Fixable · 💡 Suggestions · ⚠️ Warns (each rule is listed with its flags; every rule in this plugin is marked 🟢, type-unaware)
detect-child-process

Detects instances of child_process and non-literal exec() calls that may allow command injection

🟢
detect-eval-with-expression

Detects eval(variable) which can allow an attacker to run arbitrary code inside your process

🟢
detect-non-literal-fs-filename

Detects a variable in the filename argument of fs calls, which might allow an attacker to access anything on your system

🟢
detect-suspicious-dependencies

This rule detects package imports that look like typosquatting attempts on popular npm packages

🟢
lock-file

CWE: [CWE-829](https://cwe.mitre.org/data/definitions/829.html)

🟢
no-arbitrary-file-access

Prevents file system access with unsanitized user input to protect against path traversal attacks.

🟢
no-buffer-overread

Detects buffer access beyond bounds

🟢
no-cryptojs

Disallow deprecated crypto-js library (use native crypto instead)

🟢
no-cryptojs-weak-random

Disallow crypto-js WordArray.random() (CVE-2020-36732)

🟢
no-data-in-temp-storage

Disallow writing sensitive data to temporary directories (/tmp, /var/tmp, temp/), which are often world-readable or persist longer than expected

🟢
no-deprecated-buffer

Disallow the deprecated `new Buffer()` constructor and `Buffer()` factory call.

🟢
no-deprecated-cipher-method

Disallow deprecated crypto.createCipher/createDecipher methods

🟢
no-dynamic-dependency-loading

This rule detects dynamically constructed paths in require() and import() statements

🟢
no-dynamic-require

Forbid require() calls with non-literal arguments

🟢
no-ecb-mode

Disallow ECB encryption mode (use an authenticated mode such as GCM, or CBC with a MAC, instead)

🟢
no-insecure-key-derivation

Disallow PBKDF2 with insufficient iterations (< 100,000)

🟢
no-insecure-rsa-padding

Disallow RSA PKCS#1 v1.5 padding (CVE-2023-46809 Marvin Attack)

🟢
no-math-random-crypto

Disallow Math.random() for cryptographic purposes (tokens, keys, secrets, salts, IVs)

🟢
no-self-signed-certs

Disallow `rejectUnauthorized: false` in TLS options

🟢
no-sha1-hash

Disallow sha1() from crypto-hash package (use sha256 or sha512)

🟢
no-ssrf

Detect HTTP requests with user-controlled URLs (server-side request forgery).

🟢
no-static-iv

Disallow static or hardcoded initialization vectors (IVs)

🟢
no-timing-unsafe-compare

Disallow timing-unsafe comparison of secrets

🟢
no-toctou-vulnerability

Detects Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerabilities in file system operations.

🟢
no-unsafe-dynamic-require

Disallows dynamic require() calls with non-literal arguments that could lead to security vulnerabilities

🟢
no-weak-cipher-algorithm

Disallow weak cipher algorithms (DES, 3DES, RC4, Blowfish, RC2, IDEA)

🟢
no-weak-hash-algorithm

Disallow weak hash algorithms (MD5, MD4, SHA-1, RIPEMD)

🟢
no-zip-slip

Detects zip slip/archive extraction vulnerabilities

🟢
prefer-native-crypto

Prefer native crypto over third-party libraries

🟢
require-dependency-integrity

CWE: [CWE-494](https://cwe.mitre.org/data/definitions/494.html)

🟢
require-secure-credential-storage

This rule detects when credentials are stored using localStorage.setItem() or fs.writeFile() without encryption

🟢
require-secure-deletion

CWE: [CWE-459](https://cwe.mitre.org/data/definitions/459.html)

🟢
require-storage-encryption

CWE: [CWE-312](https://cwe.mitre.org/data/definitions/312.html)

🟢
Showing 33 of 33 rules

Rule Categories

Command Injection

Rules detecting child_process vulnerabilities and unsafe command execution.

File System Security

Rules preventing path traversal, TOCTOU vulnerabilities, and unsafe file operations.

Cryptographic Security

Rules enforcing secure crypto implementations and preventing weak algorithms.

Module Security

Rules detecting unsafe require patterns and dependency vulnerabilities.

Data Protection

Rules preventing PII exposure in logs and requiring secure storage.