ESLint Plugin Security Rules
ESLint security rules to help harden your project as early as possible.
NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.
Installation
- Requires Node.js
>=14
- Requires ESLint
>=8
yarn add --dev eslint-plugin-security-rules
Usage
To include the recommended eslint-plugin-security-rules to your ruleset add the following to your .eslintrc configuration:
{
"extends": [
"plugin:security-rules/recommended"
],
// Please include the environments that you use when using this plugin. Doing
// so will enhance the tracing algorithm greatly.
"env": {
"node": true,
"browser": true,
"es6": true
},
"overrides": [
{
"files": ["*.ts", "*.tsx"],
"extends": ["plugin:@typescript-eslint/recommended"],
// If you would like to improve the accuracy of the tracing algorithm
// when using typescript, then please include the "project" configuration
// for the @typescript-eslint/parser.
// See more at
// https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject
"parserOptions": {
"project": ["./tsconfig.json"]
}
},
]
}
Rules
eslint-plugin-security-rules comes with several rulesets, scoped to the environment that they target, allowing you to only enable rules relevant to your project.
-
'plugin:security-rules/recommended': recommended security rules, including all available rules that you can drop in without any additional configuration.
-
'plugin:security-rules/node': rules related to vulnerabilities occuring in code that is intended to be executed in a NodeJS environment.
-
'plugin:security-rules/browser': rules related to vulnerabilities occuring in code that is intended to be executed in a browser.
-
'plugin:security-rules/universal': rules related to vulnerabilities that may occur regardless of which environment the code is being run.
-
'plugin:security-rules/package': rules related to ensure safe usage of dependencies by scanning package.json-files.
-
'plugin:security-rules/react': security related rules targeting code using the react package.
-
'plugin:security-rules/pg': security related rules targeting code using the pg (postgres) package.
-
'plugin:security-rules/mysql': security related rules targeting code using the mysql package.
Key:
-
✅ = recommended,
-
🔧 = fixable with suggestion,
-
💭 = enchaned with TypeScript type information,
-
🌩 = requires TypeScript type information
Browser
Node
Universal
Package.json
Package specific rulesets
The following ruleset are related to specific popular packages, scanning for vulnerable usages in these.
React
Postgres (pg)
MySQL