DEV Community

Discussion on: How to use Snyk for fixing node module vulnerabilities

Craig Morten • Edited

Gosh, a really good and tough question! 😅

Unfortunately I don't have any particular recommendations for eslint specifically. You certainly appear to have a reasonable list there ( P.S. looks like formatting has truncated your links! ).

The only advice I have in this area ( perhaps more of an opinion ) is to make sure you don't rely 100% on static code analysis tools for your security process. In a similar manner to say testing ( though in some schools of thought security concerns come under the testing bracket ) I would try to work with a holistic view to ensure good coverage - apply static analysis as well as patching ( this is where Snyk comes in for NPM modules in this article, but also machine / container patching ), WAF, programmer education and processes ( training, code reviews etc. ), integration / e2e tests etc. See the OWASP controls site for a great list of controls to consider when working on your security and threat modelling and mitigation.

Static analysis can be great as it provides really fast feedback, which is ideal for agile working and quick iterations, but sadly it suffers from some well documented disadvantages, e.g. this list taken from the OWASP site:

  1. Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
  2. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
  3. High numbers of false positives.
  4. Frequently can’t find configuration issues, since they are not represented in the code.
  5. Difficult to ‘prove’ that an identified security issue is an actual vulnerability.

If your focus is on exploring the static code analysis side of things, I would also recommend checking out this OWASP community list of tools which has a great list of free and paid-for tooling.

Apologies for not particularly answering the question ( especially if you know all of the above anyway as well! ) 😅 I guess sadly the reality is that there isn't a simple one-solution-solves-all at the code level yet - it certainly would be amazing if you could just install a plugin and 99% of security issues were discovered statically! 🤔

As a slightly more related commentary, just take care ( as general practice when picking modules to use in your workflow ) of the health of the modules, e.g. github.com/nodesecurity/eslint-plu... though potentially the most popular module on your list ( by stars and downloads - not always the best metrics but gives an idea, also not sure what all the listed modules are due to the truncation in your post ) also hasn't been maintained since 2019 with several opened and ignored issues and PRs so risks not providing the coverage you may need as Node evolves and potentially breaking if eslint ever does a major bump with breaking changes ( unlikely though ) 🙂