You just inherited a codebase. Maybe it's an acquisition. Maybe a departing senior engineer. Maybe you're the new CTO and nobody can explain why there's a utils/legacy_auth.js file with 3,000 lines.
You need to know: How bad is it?
The Old Way: Pain
Traditionally, security audits take weeks. You bring in consultants. They run tools. They produce a 200-page PDF. You file it and forget.
But you don't have weeks. You need a pulse check today.
The 30-Minute Approach
Here's how I assess a new codebase in under 30 minutes.
Step 1: Install (2 minutes)
npm install --save-dev eslint-plugin-secure-coding
npm install --save-dev eslint-plugin-pg
npm install --save-dev eslint-plugin-crypto
Step 2: Configure for Maximum Detection (3 minutes)
// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';
import pg from 'eslint-plugin-pg';
import crypto from 'eslint-plugin-crypto';
export default [
  secureCoding.configs.strict,
  pg.configs.recommended,
  crypto.configs.recommended,
];
The strict preset enables all 75 secure-coding rules as errors—perfect for an initial scan.
Step 3: Run the Audit (5 minutes)
npx eslint . --format=json > security-audit.json
You'll see violations like:
src/auth/login.ts
18:5 error 🔒 CWE-798 OWASP:A07-Auth-Failures CVSS:7.5 | Hardcoded API key detected | HIGH
Fix: Move to environment variable: process.env.STRIPE_API_KEY
src/utils/crypto.ts
42:10 error 🔒 CWE-327 OWASP:A02-Crypto-Failures CVSS:7.5 | Weak algorithm (MD5) | HIGH
Fix: Use a strong algorithm: crypto.createHash('sha256')
Step 4: Analyze and Prioritize (20 minutes)
Parse the output by rule to build your risk heatmap:
jq -r '.[] | .messages[] | .ruleId' security-audit.json | sort | uniq -c | sort -rn
You now have a prioritized list:
- 15 hits on pg/no-unsafe-query = 🔴 Critical
- 8 hits on secure-coding/no-hardcoded-credentials = 🔴 Critical
- 3 hits on crypto/no-weak-hash = 🟡 Medium
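The same Step 4 aggregation done in Node instead of jq, as an added example that is not code from the post or from the plugins: it reads ESLint's standard --format=json report shape and groups findings by rule, by file and by OWASP category. The report below is constructed, the message layout ("CWE-… OWASP:… CVSS:… | description | level") is assumed from the output shown above, and the CWE-89 / A03-Injection tags on the pg rule are my assumption, not the plugin's documented text.

```javascript
// Added example (not from the post or the plugins): turn ESLint's --format=json
// report into per-rule, per-file and per-OWASP counts for Step 4. Message text
// is assumed to follow the layout the post shows; the sample report below is
// constructed (a real run would JSON.parse the security-audit.json from Step 3).
const sampleReport = [
  { filePath: "src/auth/login.ts", messages: [
    { ruleId: "secure-coding/no-hardcoded-credentials", severity: 2, line: 18, column: 5,
      message: "🔒 CWE-798 OWASP:A07-Auth-Failures CVSS:7.5 | Hardcoded API key detected | HIGH\nFix: Move to environment variable: process.env.STRIPE_API_KEY" },
    { ruleId: "pg/no-unsafe-query", severity: 2, line: 40, column: 3,   // tags below are constructed
      message: "🔒 CWE-89 OWASP:A03-Injection CVSS:9.8 | String-built SQL query | CRITICAL" },
    { ruleId: "pg/no-unsafe-query", severity: 2, line: 55, column: 3,
      message: "🔒 CWE-89 OWASP:A03-Injection CVSS:9.8 | String-built SQL query | CRITICAL" },
    { ruleId: null, severity: 2, line: 1, column: 1, message: "Parsing error: Unexpected token" },
  ] },
  { filePath: "src/utils/crypto.ts", messages: [
    { ruleId: "crypto/no-weak-hash", severity: 2, line: 42, column: 10,
      message: "🔒 CWE-327 OWASP:A02-Crypto-Failures CVSS:7.5 | Weak algorithm (MD5) | HIGH" },
  ] },
];
// Pull the structured tags out of one message; returns null for messages that
// do not carry them (e.g. parse errors) so callers can skip those.
const TAG_RE = /CWE-(\d+)\s+OWASP:(A\d{2}-[\w-]+)\s+CVSS:([\d.]+)\s*\|\s*([^|\n]*?)\s*\|\s*(\w+)/;
function parseMessage(text) {
  const m = TAG_RE.exec(text);
  if (!m) return null;
  return { cwe: `CWE-${m[1]}`, owasp: m[2], cvss: Number(m[3]), description: m[4], level: m[5] };
}
// Count findings per rule, per file and per OWASP category, sorted so the
// noisiest entry comes first (ties broken alphabetically for stable output).
function buildHeatmap(report) {
  const byRule = {}, byFile = {}, byOwasp = {};
  const bump = (table, key) => { table[key] = (table[key] || 0) + 1; };
  for (const file of report) {
    for (const msg of file.messages) {
      if (!msg.ruleId) continue;            // ruleId is null for parsing errors
      bump(byRule, msg.ruleId);
      bump(byFile, file.filePath);
      const tags = parseMessage(msg.message);
      if (tags) bump(byOwasp, tags.owasp);
    }
  }
  const rank = (t) => Object.entries(t).sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
  return { byRule: rank(byRule), byFile: rank(byFile), byOwasp: rank(byOwasp) };
}
const heatmap = buildHeatmap(sampleReport);
for (const [rule, n] of heatmap.byRule) console.log(`${n} hits on ${rule}`);
```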
What This Tells You
In 30 minutes, you know:
- The attack surface — Which OWASP categories are most exposed
- The hotspots — Which files have the most issues
- The culture — Did the previous team care about security or not?
This isn't a replacement for a full penetration test. But it's a data-driven starting point for your first board meeting.
Bonus: Let AI Fix It
The structured error messages are designed for AI coding assistants. Once you've identified your top issues, let the AI suggest fixes—most can be resolved with a single keystroke.
What's Next?
- Enforce it — Add the plugin to your CI to block new issues
- Automate compliance — Use the built-in SOC2/PCI tags for audit evidence
- Track progress — Re-run weekly to measure remediation velocity
Quick Install
📦 eslint-plugin-secure-coding — 75 security rules
📦 eslint-plugin-pg — PostgreSQL security
📦 eslint-plugin-crypto — Cryptography security
🚀 What's the worst thing you've found inheriting a codebase? Share your horror stories!
Copyright (c) 2025 Ofri Peretz. All rights reserved.
Top comments (6)
We loved your post so we shared it on social. Keep up the great work!
Thanks for the share 🧡
Thanks, I used the security plugin and it prevented quite a few traps like prototype pollution. However at that time it did not report the owasp IDs and cwes.
Hi @jankapunkt Appreciate the feedback, can you provide specific examples that you've experienced false negatives, so I will be able to improve the plugin/s?
@ofri-peretz sorry for the confusion. I used eslint-plugin-security in the past. The ones you propose look like a massive improvement!
What nice feedback to receive! Feel free to share any type of feedback you have. I'm here to iterate on these plugins fast. If you have ideas for more useful rules, lmk.