NodeJsScan – A Static Security Code Scanner For Node.js Applications

NodeJsScan - A Static Security Code Scanner For Node.js Applications

Static safety code scanner (SAST) for Node.js functions.

Configure & Run NodeJsScan
Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/

pip3 set up -r necessities.txt
python3 # Run as soon as to create database entries required
python3 # Testing Environment
gunicorn -b app:app # Production Environment

This will run NodeJsScan on
If it’s essential debug, set DEBUG = True in core/

NodeJsScan CLI
command line interface (CLI) permits you to combine NodeJsScan with DevSecOps CI/CD pipelines. The outcomes are in JSON format. When you utilize CLI the outcomes are by no means saved with NodeJsScan backend.

virtualenv venv -p python3
supply venv/bin/activate
(venv)pip set up nodejsscan
(venv)$ nodejsscan
utilization: nodejsscan [-h] [-f FILE [FILE ...]] [-d DIRECTORY [DIRECTORY ...]]
                  [-o OUTPUT] [-v]

optionally available arguments:
  -h, --help            present this assist message and exit
  -f FILE [FILE ...], --file FILE [FILE ...]
                        Node.js file(s) to scan
                        Node.js supply code listing/directories to scan
  -o OUTPUT, --output OUTPUT
                        Output file to save lots of JSON report
  -v, --version         Show nodejsscan model

Python API

import core.scanner as njsscan
res_dir = njsscan.scan_dirs(['/Code/Node.Js-Security-Course'])
res_file = njsscan.scan_file(['/Code/Node.Js-Security-Course/deserialization.js'])

[{'title': 'Deserialization Remote Code Injection', 'description': "User managed information in 'unserialize()' or 'deserialize()' operate may end up in Object Injection or Remote Code Injection.", 'tag': 'rci', 'line': 11, 'strains': 'app.use(cookieParser())nnapp.get('/', operate(req, res) {n            if (req.cookies.profile) {n                var str = new Buffer(req.cookies.profile, 'base64').toString();n                var obj = serialize.unserialize(str);n                if (obj.username) {n                    res.ship("Hello " + escape(obj.username));n                }n            } else {', 'filename': 'deserialization.js', 'path': '/Users/ajin/Code/Node.Js-Security-Course/deserialization.js', 'sha2': '06f3f0ff3deed27aeb95955a17abc7722895d3538c14648af97789d8777cee50'}]


docker construct -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan


docker pull opensecurity/nodejsscan
docker run -it -p 9090:9090 opensecurity/nodejsscan:newest

NodeJsScan Web UI

Static Analysis


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.