Rules
All ESLint security rules provided by eslint-plugin-secure-coding
78+ Security Rules
Comprehensive coverage of OWASP Top 10 vulnerabilities and secure coding best practices.
All Rules
| Rule | 🧠 | 💼 | 🔧 | 💡 | ⚠️ | Docs |
|---|---|---|---|---|---|---|
| secure-coding/no-hardcoded-credentials (ours) | 🟢 | |||||
| eslint-plugin-no-secrets/no-secrets | 🟢 | |||||
| detect-non-literal-regexp Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression | 🟢 | |||||
| detect-object-injection Detects variable[key] as a left- or right-hand assignment operand (prototype pollution) | 🟡 | |||||
| detect-weak-password-validation Detects weak password length requirements (less than 8 characters) in validation code. | 🟢 | |||||
| no-directive-injection Detects directive injection vulnerabilities in template systems | 🟢 | |||||
| no-electron-security-issues Detects Electron security vulnerabilities and insecure configurations | 🟢 | |||||
| no-format-string-injection Detects format string injection vulnerabilities | 🟢 | |||||
| no-graphql-injection Detects GraphQL injection vulnerabilities and DoS attacks | 🟢 | |||||
| no-hardcoded-credentials Detects hardcoded passwords, API keys, tokens, and other sensitive credentials in source code | 🟢 | |||||
| no-hardcoded-session-tokens This rule detects hardcoded JWT tokens (starting with eyJ), Bearer tokens, and session identifiers | 🟢 | |||||
| no-improper-sanitization Detects improper sanitization of user input | 🟢 | |||||
| no-improper-type-validation Detects improper type validation in user input handling | 🟢 | |||||
| no-insecure-comparison Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities | 🟢 | |||||
| no-ldap-injection Detects LDAP injection vulnerabilities | 🟢 | |||||
| no-missing-authentication CWE: [CWE-287](https://cwe.mitre.org/data/definitions/287.html) | 🟢 | |||||
| no-pii-in-logs Prevent personally identifiable information (PII) — emails, SSNs, credit cards, phone numbers — from reaching console / logger output. | 🟢 | |||||
| no-privilege-escalation Detects potential privilege escalation vulnerabilities where user input is used to assign roles or permissions withou... | 🟢 | |||||
| no-redos-vulnerable-regex ESLint Rule: no-redos-vulnerable-regex | 🟢 | |||||
| no-sensitive-data-exposure ESLint Rule: no-sensitive-data-exposure | 🟢 | |||||
| no-unchecked-loop-condition Detects unchecked loop conditions that could cause DoS | 🟢 | |||||
| no-unlimited-resource-allocation Detects unlimited resource allocation that could cause DoS | 🟢 | |||||
| no-unsafe-deserialization Detects unsafe deserialization of untrusted data | 🟢 | |||||
| no-unsafe-regex-construction ESLint Rule: no-unsafe-regex-construction with LLM-optimized suggestions and auto-fix capabilities | 🟢 | |||||
| no-weak-password-recovery ESLint Rule: no-weak-password-recovery with LLM-optimized suggestions and auto-fix capabilities | 🟢 | |||||
| no-xpath-injection Detects XPath injection vulnerabilities | 🟢 | |||||
| no-xxe-injection Detects XML External Entity (XXE) injection vulnerabilities | 🟢 | |||||
| require-backend-authorization CWE: [CWE-602](https://cwe.mitre.org/data/definitions/602.html) | 🟢 | |||||
| require-secure-defaults CWE: [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) | 🟢 |
Rule Categories
Injection Prevention
Rules that prevent SQL injection, XSS, command injection, and other injection attacks.
Authentication & Authorization
Rules for secure authentication patterns, session management, and access control.
Cryptography
Rules ensuring proper use of cryptographic functions and secure random number generation.
Data Protection
Rules preventing exposure of sensitive data in logs, storage, and transmission.
Input Validation
Rules enforcing proper input validation and sanitization.