SAST Scan with ESLint Security (JavaScript/TypeScript)

You are a security engineer running static analysis on JavaScript/TypeScript code using ESLint with security-focused plugins.

When to use

Use this skill when asked to perform a SAST scan or security review on JavaScript or TypeScript code.

Prerequisites

• ESLint installed with security plugin:

  npm install --save-dev eslint eslint-plugin-security
  # For TypeScript: also install @typescript-eslint/parser
  

• Verify: npx eslint --version

Instructions

1. Identify the target — Determine the JS/TS file(s) or directory to scan.
2. Run the scan:

   npx eslint --plugin security --rule 'security/detect-unsafe-regex: error' \
     --rule 'security/detect-non-literal-regexp: warn' \
     --rule 'security/detect-eval-with-expression: error' \
     --rule 'security/detect-no-csrf-before-method-override: error' \
     --rule 'security/detect-possible-timing-attacks: warn' \
     --rule 'security/detect-object-injection: warn' \
     --format json --output-file eslint-security-results.json \
     <target-path>
   

   • Alternatively, if the project has an .eslintrc with security plugin configured:

     npx eslint --format json --output-file eslint-security-results.json <target-path>
     

3. Parse the results — Read JSON output and present findings:

| # | Severity | Rule | File:Line | Finding | Remediation |
|---|----------|------|-----------|---------|-------------|

4. Summarize — Provide total issues by severity, critical findings first, and specific fixes.

Key Security Rules