75 security rules. 60 seconds to install. Full OWASP coverage.
## Quick Install

```bash
npm install --save-dev eslint-plugin-secure-coding
```
### Flat Config (ESLint 9+)

```js
// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';
export default [secureCoding.configs.recommended];
```
## Run ESLint

```bash
npx eslint .
```
You'll see output like:

```text
src/auth.ts
  15:3  error  CWE-798 OWASP:A02 CVSS:7.5 | Hardcoded credential detected
               Fix: Use environment variable: process.env.DATABASE_PASSWORD

src/utils.ts
  42:5  error  CWE-95 OWASP:A03 CVSS:9.8 | Dangerous eval() with expression
               Fix: Replace eval() with safer alternatives like JSON.parse()
```
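The two findings in the sample output above, shown as the flagged pattern next to the form the rules accept. This is an added example, not code from the plugin or its documentation; the `requireEnv` and `parseConfig` helpers and the `allowedKeys` list are constructed for illustration.

```javascript
// Added example, not from the plugin's docs: the CWE-798 and CWE-95 findings
// from the sample output, each as the flagged pattern and a form that passes.

// --- CWE-798: hardcoded credential ---
// Flagged: a secret literal in source.
//   const dbPassword = 'hunter2';
// Accepted: read it from the environment and fail fast when it is absent,
// so a missing secret is a startup error rather than an empty password.
// (`env` defaults to process.env; tests pass a constructed object.)
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

// --- CWE-95: eval() on data ---
// Flagged: eval() executes whatever the string contains.
//   const config = eval('(' + input + ')');
// Accepted: JSON.parse only yields data, and a shape check keeps unexpected
// keys (including "__proto__") from reaching the rest of the program.
// `allowedKeys` is an assumed allow-list supplied by the caller.
function parseConfig(input, allowedKeys) {
  let parsed;
  try {
    parsed = JSON.parse(input);
  } catch (err) {
    throw new Error(`Invalid config JSON: ${err.message}`);
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('Config must be a JSON object');
  }
  // Null-prototype object: no inherited properties to shadow or pollute.
  const out = Object.create(null);
  for (const key of Object.keys(parsed)) {
    if (!allowedKeys.includes(key)) {
      throw new Error(`Unexpected config key: ${key}`);
    }
    out[key] = parsed[key];
  }
  return out;
}

// Usage with constructed input:
//   requireEnv('DATABASE_PASSWORD', { DATABASE_PASSWORD: 's3cret' }) -> 's3cret'
//   parseConfig('{"timeout": 30}', ['timeout']).timeout               -> 30
```

The allow-list check is what turns "use JSON.parse instead of eval" into a real fix: without it, the parsed object still carries whatever keys the input chose, which is the prototype-pollution case the Input Validation rules below are about.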
## Available Presets

```js
// Balanced for most projects
secureCoding.configs.recommended;

// Maximum security (all 75 rules as errors)
secureCoding.configs.strict;

// Web application compliance
secureCoding.configs['owasp-top-10'];

// Mobile apps (React Native)
secureCoding.configs['owasp-mobile-top-10'];
```
## Rule Overview

| Category | Rules | Examples |
|---|---|---|
| Injection Prevention | 11 | eval(), command injection, GraphQL |
| Cryptography | 6 | Weak hashes, random, timing attacks |
| Authentication | 3 | Hardcoded credentials, weak passwords |
| Session/Cookies | 3 | Insecure cookies, session fixation |
| Data Exposure | 5 | PII in logs, debug code, secrets |
| Input Validation | 8 | XSS, path traversal, prototype pollution |
| OWASP Mobile | 30 | Insecure storage, certificate validation |
## Customizing Rules

```js
// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';

export default [
  secureCoding.configs.recommended,
  // Override specific rules
  {
    rules: {
      // Downgrade to warning
      'secure-coding/no-pii-in-logs': 'warn',
      // Disable if not applicable
      'secure-coding/detect-non-literal-fs-filename': 'off',
      // Configure options
      'secure-coding/no-hardcoded-credentials': [
        'error',
        {
          allowTestFiles: true,
        },
      ],
    },
  },
];
```
## Ignoring False Positives

```js
// eslint-disable-next-line secure-coding/no-hardcoded-credentials
const EXAMPLE_KEY = 'pk_test_example'; // Test fixture
```

Or in config:

```js
{
  files: ['**/*.test.ts'],
  rules: {
    'secure-coding/no-hardcoded-credentials': 'off',
  },
}
```
## CI/CD Integration

### GitHub Actions

```yaml
# .github/workflows/security.yml
name: Security Lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npx eslint . --max-warnings 0
```

### Pre-commit Hook

```bash
npm install --save-dev husky lint-staged
npx husky init
```

```jsonc
// package.json
{
  "lint-staged": {
    "*.{js,ts}": "eslint --max-warnings 0"
  }
}
```
## IDE Integration

### VS Code

The ESLint extension will show errors inline:

```text
CWE-798 | Hardcoded credential detected
```

### Cursor/Copilot

AI assistants read the structured errors and can auto-fix:

- CWE-89 → Parameterized query fix
- CWE-798 → Environment variable fix
## Quick Reference

```
# Install
npm install --save-dev eslint-plugin-secure-coding

# Config (eslint.config.js)
import secureCoding from 'eslint-plugin-secure-coding';
export default [secureCoding.configs.recommended];

# Run
npx eslint .

# Fix auto-fixable issues
npx eslint . --fix
```
## Next Steps

- Read the rules: Each rule has detailed docs with examples
- Try strict mode: `secureCoding.configs.strict`
- Add to CI: Block PRs with security issues
- Combine plugins: Add `eslint-plugin-pg`, `eslint-plugin-jwt` for specialized coverage
- npm: eslint-plugin-secure-coding
- Full Rule List
- Star on GitHub
- OWASP Coverage Matrix

Questions? Open an issue on GitHub!