Overview
General secure coding practices and OWASP compliance for JavaScript/TypeScript
⭐ If this plugin caught a real bug for you, star the repo: it's the signal that keeps these rules maintained.
Description
This plugin provides general secure coding practices and OWASP compliance rules for JavaScript/TypeScript.
Philosophy
Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.
Getting Started
- To check out the guide, visit eslint.interlace.tools (the guide is also available there in Chinese, Korean, Japanese, Spanish, and Arabic).
```bash
npm install eslint-plugin-secure-coding --save-dev
```

Add it to your eslint.config.mjs; one line activates 16 security rules:

```js
import securePlugin from 'eslint-plugin-secure-coding';

export default [
  // Balanced: catches critical issues as errors, lower-confidence rules as warnings
  ...securePlugin.configs.recommended,
  // Zero-tolerance: same 16 rules, all promoted to error (good for CI gates)
  // ...securePlugin.configs['recommended-strict'],
];
```

Or, if you use a legacy .eslintrc.json:

```json
{
  "extends": ["plugin:secure-coding/recommended"]
}
```

Using recommended already? Extend your coverage with domain-specific plugins: eslint-plugin-node-security (crypto, eval, buffer) · eslint-plugin-jwt (JWT auth) · eslint-plugin-express-security (Express middleware)
Benchmarks vs competitors (CWE-798 ground truth)
no-hardcoded-credentials is part of the ILB-Flagship benchmark suite. On the labeled CWE-798 fixture set (Juliet-style: 2 vulnerable + 2 safe files, ground-truthed):
| Rule | Precision | Recall | F1 |
|---|---|---|---|
| secure-coding/no-hardcoded-credentials (ours) | 100% | 100% | 1.00 |
| eslint-plugin-no-secrets/no-secrets | 100% | 50% | 0.67 |
The competitor's entropy-only detection catches the high-entropy API-key shape but misses the 15-character literal password assigned to password:. Our context-gated detection (structural patterns + credential-named-variable check + context-positive path) catches both for the right reasons.
On real OSS (vercel/ai), the competitor reports ~380 more findings than us. Those 380 are not catches we missed; they're entropy false-positives on TypeScript type literals ('experimental_onLanguageModelCallStart'), error class names ('AI_ToolCallNotFoundForApprovalError'), and documentation URLs. Sampling confirmed zero are actual credentials. The corpus number is the right one to weigh; the OSS finding-count is a noise metric.
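To make the difference between the two strategies concrete, here is an added example that is not code from eslint-plugin-secure-coding or from eslint-plugin-no-secrets: a toy model of an entropy-only detector and a context-gated detector, run over a constructed fixture shaped like the benchmark (2 vulnerable + 2 safe lines) and over three constructed lines that mimic the OSS false-positive shapes named above. The thresholds, the credential-name regex, the AWS access-key-ID shape and every function name are assumptions of this example, not the real rules' configuration.

```javascript
// Added example (not code from eslint-plugin-secure-coding or eslint-plugin-no-secrets):
// a toy model of entropy-only vs. context-gated hardcoded-credential detection.
// All thresholds, regexes and sample lines below are constructed assumptions.

// Constructed fixture in the shape of the CWE-798 benchmark: 2 vulnerable + 2 safe lines.
const FIXTURE = [
  { line: "const apiKey = 'AKIAQ3ZZ9X7LMN2PQRST';", credential: true },                       // high-entropy key shape
  { line: "const user = { name: 'alice', password: 'hunter2secret42' };", credential: true }, // 15-char literal password
  { line: "const password = process.env.DB_PASSWORD;", credential: false },                   // credential name, no literal
  { line: "const greeting = 'hello world';", credential: false },                             // ordinary low-entropy string
];

// Constructed lines mimicking the OSS false-positive shapes described above.
const OSS_NOISE = [
  { line: "type Hook = 'experimental_onLanguageModelCallStart';", credential: false },     // TS type literal
  { line: "const name = 'AI_ToolCallNotFoundForApprovalError';", credential: false },      // error class name
  { line: "const docs = 'https://example.com/docs/getting-started';", credential: false }, // documentation URL
];

// Pull every single- or double-quoted literal out of a line, together with the
// identifier or property key it is assigned to (null when there is none).
function stringLiterals(line) {
  const out = [];
  const re = /'([^']*)'|"([^"]*)"/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2];
    const bind = /([A-Za-z_$][\w$]*)\s*[:=]\s*$/.exec(line.slice(0, m.index));
    out.push({ value, binding: bind ? bind[1] : null });
  }
  return out;
}

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const MIN_LENGTH = 8;          // assumed minimum literal length for both detectors
const ENTROPY_THRESHOLD = 3.5; // assumed; not the competitor's real default

// Entropy-only: flag any long, high-entropy literal, regardless of where it sits.
function entropyOnlyFindings(samples) {
  return samples.flatMap((s, i) =>
    stringLiterals(s.line).some(
      (l) => l.value.length >= MIN_LENGTH && shannonEntropy(l.value) >= ENTROPY_THRESHOLD
    ) ? [i] : []
  );
}

const CREDENTIAL_NAME = /password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key/i;
const STRUCTURAL_SHAPES = [/^AKIA[0-9A-Z]{16}$/]; // AWS access key ID shape (assumed list)

// Context-gated: a literal is a finding only if it has a known credential shape
// (structural path) or is assigned to a credential-named binding (context path).
function contextGatedFindings(samples) {
  return samples.flatMap((s, i) =>
    stringLiterals(s.line).some((l) => {
      if (STRUCTURAL_SHAPES.some((re) => re.test(l.value))) return true;
      return l.binding !== null && CREDENTIAL_NAME.test(l.binding) && l.value.length >= MIN_LENGTH;
    }) ? [i] : []
  );
}

// Precision / recall / F1 of a set of flagged indices against the labelled samples.
function score(findings, samples) {
  const flagged = new Set(findings);
  let tp = 0, fp = 0, fn = 0;
  samples.forEach((s, i) => {
    if (flagged.has(i)) s.credential ? tp++ : fp++;
    else if (s.credential) fn++;
  });
  const precision = tp + fp ? tp / (tp + fp) : 0;
  const recall = tp + fn ? tp / (tp + fn) : 0;
  const f1 = precision + recall ? (2 * precision * recall) / (precision + recall) : 0;
  return { tp, fp, fn, precision, recall, f1 };
}

// Side-by-side report for both corpora.
function compare() {
  return {
    fixture: {
      entropyOnly: score(entropyOnlyFindings(FIXTURE), FIXTURE),
      contextGated: score(contextGatedFindings(FIXTURE), FIXTURE),
    },
    ossNoise: {
      entropyOnly: entropyOnlyFindings(OSS_NOISE).length,
      contextGated: contextGatedFindings(OSS_NOISE).length,
    },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

On the constructed fixture the entropy-only model reproduces the shape of the table above (precision 1.0, recall 0.5, F1 0.67): the 15-character password has entropy around 3.2 bits per character and never crosses the threshold, while the context-gated model flags it because the literal sits under a credential-named key. On the three noise lines the ordering flips: all three are long enough and random-looking enough to trip the entropy gate, and none of them is assigned to a credential-named binding, so the context-gated model stays silent.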
⚙️ Configuration Presets
| Preset | Description |
|---|---|
| recommended | 16 core rules: critical issues as error, lower-confidence as warn |
| recommended-strict | Same 16 rules as recommended, all promoted to error; for CI gates |
| strict | All rules as error; maximum coverage including experimental rules |
| owasp-top-10 | OWASP Top 10 Web 2021 compliance focused |
| owasp-mobile-top-10 | OWASP Mobile Top 10 2024 compliance focused |
📦 Compatibility
| Package | Version |
|---|---|
| ESLint | `^8.0.0 \|\| ^9.0.0 \|\| ^10.0.0` |
| Node.js | `>=18.0.0` |
See the ESLint Version Support Policy: current ecosystem share data, the 20% gate, and the forward-looking exception that covers v10.
Rules
Legend
| Marker | Description |
|---|---|
| Recommended | Included in the recommended preset. |
| Warns | Set to warn in the recommended preset. |
| Auto-fixable | Automatically fixable by the --fix CLI option. |
| Suggestions | Provides code suggestions in the IDE. |
| Deprecated | This rule is deprecated. |
| 🟢 | Type-unaware: AST-only, runs in the oxlint JS-plugin tier. |
| 🟡 | Type-aware (refining): pure-AST primary path; types refine precision. |
| 🔵 | Type-aware (graceful): requires a TS program; silent without it. |
| Rule | CWE | OWASP | CVSS | Description | Type | Flags |
|---|---|---|---|---|---|---|
| detect-non-literal-regexp | CWE-400 | | | Detects RegExp(variable), which might allow an attacker to DoS your server with a long-running regular expr… | 🟢 | |
| detect-object-injection | CWE-915 | | | Detects variable[key] as a left- or right-hand assignment operand (prototype pollution) | 🟡 | |
| detect-weak-password-validation | CWE-521 | A07:2021 | | Detects weak password length requirements (less than 8 characters) in validation code. | 🟢 | |
| no-directive-injection | CWE-94 | | | Detects directive injection vulnerabilities in template systems | 🟢 | |
| no-electron-security-issues | CWE-16 | | | Detects Electron security vulnerabilities and insecure configurations | 🟢 | |
| no-format-string-injection | CWE-134 | | | Detects format string injection vulnerabilities | 🟢 | |
| no-graphql-injection | CWE-943 | | | Detects GraphQL injection vulnerabilities and DoS attacks | 🟢 | Recommended |
| no-hardcoded-credentials | CWE-798 | | | Detects hardcoded passwords, API keys, tokens, and other sensitive credentials in source code | 🟢 | Recommended |
| no-hardcoded-session-tokens | CWE-798 | | | Detects hardcoded JWT tokens (starting with eyJ), Bearer tokens, and session identifiers | 🟢 | |
| no-improper-sanitization | CWE-116 | | | Detects improper sanitization of user input | 🟢 | |
| no-improper-type-validation | CWE-1287 | | | Detects improper type validation in user input handling | 🟢 | Recommended |
| no-insecure-comparison | CWE-697 | | | Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities | 🟢 | Recommended |
| no-ldap-injection | CWE-90 | | | Detects LDAP injection vulnerabilities | 🟢 | Recommended |
| no-missing-authentication | CWE-287 | | | Detects missing authentication checks (CWE-287) | 🟢 | Recommended |
| no-pii-in-logs | CWE-359 | | | Prevents personally identifiable information (PII), such as emails, SSNs, credit cards and phone numbers, from reachi… | 🟢 | Suggestions |
| no-privilege-escalation | CWE-269 | | | Detects potential privilege escalation vulnerabilities where user input is used to assign roles or permissi… | 🟢 | Recommended |
| no-redos-vulnerable-regex | CWE-400 | | | Detects regular expressions vulnerable to ReDoS | 🟢 | |
| no-sensitive-data-exposure | CWE-532 | | | Detects exposure of sensitive data (CWE-532) | 🟢 | Recommended |
| no-unchecked-loop-condition | CWE-400 | | | Detects unchecked loop conditions that could cause DoS | 🟢 | |
| no-unlimited-resource-allocation | CWE-770 | | | Detects unlimited resource allocation that could cause DoS | 🟢 | |
| no-unsafe-deserialization | CWE-502 | | | Detects unsafe deserialization of untrusted data | 🟢 | Recommended |
| no-unsafe-regex-construction | CWE-400 | | | Detects unsafe regex construction; ships LLM-optimized suggestions and auto-fix | 🟢 | |
| no-weak-password-recovery | CWE-640 | | | Detects weak password recovery mechanisms; ships LLM-optimized suggestions and auto-fix | 🟢 | Recommended |
| no-xpath-injection | CWE-643 | | | Detects XPath injection vulnerabilities | 🟢 | Recommended |
| no-xxe-injection | CWE-611 | | | Detects XML External Entity (XXE) injection vulnerabilities | 🟢 | Recommended |
| require-backend-authorization | CWE-602 | | | Requires authorization to be enforced on the backend rather than the client (CWE-602) | 🟢 | |
| require-secure-defaults | CWE-1188 | | | Requires secure default configuration values (CWE-1188) | 🟢 | |
🔗 Related ESLint Plugins
Part of the Interlace ESLint Ecosystem: AI-native security plugins with LLM-optimized error messages.
| Plugin | Description |
|---|---|
| eslint-plugin-secure-coding | General security rules & OWASP guidelines. |
| eslint-plugin-pg | PostgreSQL security & best practices. |
| eslint-plugin-node-security | Node.js core-module security (fs, child_process, vm, crypto, Buffer). |
| eslint-plugin-jwt | JWT security & best practices. |
| eslint-plugin-browser-security | Browser-specific security & XSS prevention. |
| eslint-plugin-express-security | Express.js security hardening rules. |
| eslint-plugin-lambda-security | AWS Lambda security best practices. |
| eslint-plugin-nestjs-security | NestJS security rules & patterns. |
| eslint-plugin-mongodb-security | MongoDB security best practices. |
| eslint-plugin-vercel-ai-security | Vercel AI SDK security hardening. |
| eslint-plugin-import-next | Next-gen import sorting & architecture. |
⭐ Support & follow
If this plugin caught a real bug for you, star the repo (stars are the signal that keeps the Interlace ESLint ecosystem maintained) and follow the writeups on Dev.to for the benchmarks and security research behind these rules.
📄 License
MIT © Ofri Peretz
