A fast, comprehensive security scanner for JavaScript/TypeScript projects written in Rust. This tool analyzes your codebase for security vulnerabilities, suspicious patterns, risky dependencies, and known CVEs.

## Features

- **Security Pattern Detection**: Identifies risky code patterns including:
  - `eval()` and dynamic `Function` constructors
  - Obfuscated code (hex/unicode escape sequences)
  - Base64 encoded payloads and `atob()` usage
  - Network requests and suspicious API calls
- **AST-based Analysis**: Uses SWC to parse and analyze JavaScript/TypeScript files for deeper inspection beyond regex patterns
- **Dependency Analysis**: Scans `node_modules` for suspicious packages and dependencies
- **CVE Vulnerability Detection**: Optional integration with OSV.dev to check for known vulnerabilities in your dependencies
- **Multiple Output Formats**:
  - Colorized console output with severity filtering
  - JSON report for integration with CI/CD pipelines
- **Smart Ignore Rules**: Respects `.security-scan-ignore` files to exclude false positives
## Building

```sh
cargo build --release
```

The compiled binary will be available at `target/release/security-scan`.
## Usage

Scan a JavaScript/TypeScript project:

```sh
security-scan /path/to/project
```

Query OSV.dev for known CVEs (requires network access):

```sh
security-scan /path/to/project --include-osv
```

Only show findings at or above a certain severity level:

```sh
security-scan /path/to/project --min-severity high
```

Available severity levels: `low`, `medium`, `high`

Generate a JSON report for CI/CD integration:

```sh
security-scan /path/to/project --output report.json
```

## Example Output

```text
Security Scan Report
Project: /Users/example/my-project
Generated: 2024-10-31T18:26:00Z
Totals: 3 security, 1 dependency, 2 vulnerability

HIGH 2 security, 0 dependency, 1 vulnerability
  [Security] src/utils.js:42:10 - eval call may execute dynamic code
    eval(userInput)
  [Security] src/obfuscated.js:15:3 - Base64 decoding via atob
    const decoded = atob(encodedData)
  express@4.16.0 - CVE-2024-29041 (CVSS:7.5)
    Denial of Service vulnerability
    https://osv.dev/vulnerability/CVE-2024-29041
    fixed in 4.19.2

MEDIUM 1 security, 1 dependency, 1 vulnerability
  [Security] src/suspicious.js:88:5 - Network request detected
    fetch('https://example.com/api')
  [Dependency] node_modules/suspicious-pkg/index.js - Obfuscated code detected (suspicious-pkg)

Use --output <file> to generate a full JSON report.
```
## Ignore File

Create a `.security-scan-ignore` file in your project root to exclude directories:

```text
# Ignore Next.js build directories
next
.next

# Ignore custom build output
dist
build
```
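One way to implement the ignore rules, as an added example (this is not the project's `scanner/ignore.rs`): parse an ignore file like the one above and test each path component against the patterns and the default excludes the README lists (`node_modules`, `.git`, `dist`, `build`, `coverage`, `target`). Treating each line as a directory name that matches anywhere in the path, and trimming a trailing `/`, are assumptions; the ignore text and path list are constructed.

```rust
// Added example, not the project's scanner/ignore.rs: parse a
// `.security-scan-ignore` file and decide whether a path is excluded. The
// matching rule (a pattern equals one path component) is an assumption.

use std::path::{Component, Path};

/// Directories the scanner skips even without an ignore file (from the README).
pub const DEFAULT_EXCLUDES: &[&str] = &["node_modules", ".git", "dist", "build", "coverage", "target"];

/// One directory name per line; blank lines and `#` comments are skipped,
/// surrounding whitespace and a trailing `/` are trimmed.
pub fn parse_ignore(text: &str) -> Vec<String> {
    text.lines()
        .map(|l| l.trim().trim_end_matches('/'))
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(str::to_string)
        .collect()
}

/// True when any component of `path` (relative to the project root) equals a
/// default exclude or an ignore pattern, so nested directories are excluded too.
pub fn is_ignored(path: &str, patterns: &[String]) -> bool {
    Path::new(path).components().any(|c| match c {
        Component::Normal(os) => {
            let name = os.to_str().unwrap_or("");
            DEFAULT_EXCLUDES.contains(&name) || patterns.iter().any(|p| p == name)
        }
        _ => false,
    })
}

/// Apply the rules to a list of candidate paths, keeping the ones to scan.
pub fn scannable<'a>(paths: &[&'a str], patterns: &[String]) -> Vec<&'a str> {
    paths.iter().copied().filter(|p| !is_ignored(*p, patterns)).collect()
}

fn main() {
    // Constructed ignore file and path list (not from any real project).
    let text = "# Ignore Next.js build directories\nnext\n.next\n\n# Ignore custom build output\ndist/\nbuild\n";
    let patterns = parse_ignore(text);
    let paths = [
        "src/index.ts",
        ".next/static/chunk.js",
        "src/nextjs-helpers/util.js",
        "packages/app/dist/bundle.js",
        "src/node_modules/x/index.js",
    ];
    for p in scannable(&paths, &patterns) {
        println!("scan {}", p);
    }
}
```

Matching whole components rather than substrings is what keeps `src/nextjs-helpers/` scanned while `next/` and `.next/` are skipped; a substring rule would silently exclude legitimate source and hide findings.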
## Supported File Types

- JavaScript: `.js`, `.mjs`, `.cjs`
- JSX: `.jsx`
- TypeScript: `.ts`, `.tsx`
- JSON: `.json` (limited scanning)
## Architecture

- `scanner/security.rs`: Regex-based pattern matching for common security issues
- `scanner/ast.rs`: AST-based analysis using SWC for deeper code inspection
- `scanner/node_modules.rs`: Dependency and package scanning
- `scanner/osv.rs`: OSV.dev API integration for CVE lookups
- `scanner/ignore.rs`: Ignore pattern matching
- `report.rs`: Output formatting and JSON serialization
## Severity Levels

- HIGH: Critical security issues (eval, encoded payloads, known CVEs)
- MEDIUM: Suspicious patterns (obfuscated code, network requests)
- LOW: General concerns (other findings)
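The pattern-detection feature and the severity levels, as an added example that is not the project's own `scanner/security.rs`: a standard-library-only Rust version of the line-oriented pattern pass over `eval(`, `new Function(`, `atob(`, `fetch(` and dense hex/unicode escape runs, with `--min-severity`-style filtering on top. The pattern table, the messages, the four-escapes-per-line threshold and the identifier-boundary rule are assumptions made for this illustration; the sample source is constructed.

```rust
// Added example, not the project's scanner/security.rs: a std-only, line-oriented
// version of the regex pattern pass plus `--min-severity` filtering. The pattern
// table, messages, escape threshold and identifier-boundary rule are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High }

impl Severity {
    /// Parse the value given to `--min-severity` (low, medium, high).
    pub fn parse(s: &str) -> Option<Severity> {
        match s.to_ascii_lowercase().as_str() {
            "low" => Some(Severity::Low),
            "medium" => Some(Severity::Medium),
            "high" => Some(Severity::High),
            _ => None,
        }
    }
}

// `line` and `col` are 1-based, matching the console output format.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub line: usize, pub col: usize, pub severity: Severity, pub message: String }

/// Call-site patterns: name, severity, message (assumed table).
const CALLS: &[(&str, Severity, &str)] = &[
    ("eval", Severity::High, "eval call may execute dynamic code"),
    ("Function", Severity::High, "dynamic Function constructor"),
    ("atob", Severity::High, "Base64 decoding via atob"),
    ("fetch", Severity::Medium, "Network request detected"),
];
const ESCAPE_THRESHOLD: usize = 4; // escapes per line before flagging (assumed)

fn is_ident_byte(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'_' || b == b'$'
}

/// Byte offset where `name(` occurs with an identifier boundary before it,
/// so that `myeval(` is not reported as `eval(`.
fn find_call(line: &str, name: &str) -> Option<usize> {
    line.match_indices(name).map(|(s, _)| s).find(|&s| {
        (s == 0 || !is_ident_byte(line.as_bytes()[s - 1]))
            && line[s + name.len()..].trim_start().starts_with('(')
    })
}

/// Count `\xHH` and `\uHHHH` escapes; dense runs are typical of obfuscated code.
fn count_escapes(line: &str) -> usize {
    let b = line.as_bytes();
    let (mut n, mut i) = (0, 0);
    while i + 1 < b.len() {
        let width = match (b[i], b[i + 1]) { (b'\\', b'x') => 2, (b'\\', b'u') => 4, _ => 0 };
        let end = i + 2 + width;
        if width > 0 && end <= b.len() && b[i + 2..end].iter().all(u8::is_ascii_hexdigit) {
            n += 1;
            i = end;
        } else {
            i += 1;
        }
    }
    n
}

/// Scan one source file's text and return every finding in source order.
pub fn scan_source(src: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (idx, text) in src.lines().enumerate() {
        let line = idx + 1;
        for &(name, severity, msg) in CALLS {
            if let Some(c) = find_call(text, name) {
                // `Function` only counts as a constructor call: `new Function(`
                if name == "Function" && !text[..c].trim_end().ends_with("new") {
                    continue;
                }
                out.push(Finding { line, col: c + 1, severity, message: msg.to_string() });
            }
        }
        if count_escapes(text) >= ESCAPE_THRESHOLD {
            out.push(Finding { line, col: 1, severity: Severity::Medium, message: "Obfuscated code (hex/unicode escapes)".to_string() });
        }
    }
    out
}

// Keep only findings at or above `min`, as `--min-severity` does.
pub fn filter_min_severity(findings: Vec<Finding>, min: Severity) -> Vec<Finding> {
    findings.into_iter().filter(|f| f.severity >= min).collect()
}

/// Constructed sample input (not taken from any real project).
pub const SAMPLE: &str = "const out = eval(userInput);
const decoded = atob(encodedData);
const s = \"\\x68\\x65\\x6c\\x6c\\x6f\";
fetch('https://example.com/api');
const f = new Function(\"return 1\");
myeval(2);
";

fn main() {
    let min = Severity::parse("medium").expect("valid severity");
    for f in filter_min_severity(scan_source(SAMPLE), min) {
        println!("[Security] sample.js:{}:{} {:?} - {}", f.line, f.col, f.severity, f.message);
    }
}
```

The boundary check in `find_call` is what keeps `myeval(` from being reported as `eval(`, the kind of false positive the contributing notes warn against; in the real scanner, which uses the `regex` crate, a `\b` anchor expresses the same rule. The escape counter flags density rather than any single escape, since one `\u00e9` in a string literal is ordinary code.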
## Limitations

- Files larger than 512KB are skipped
- Automatically excludes common directories: `node_modules`, `.git`, `dist`, `build`, `coverage`, `target`
- OSV vulnerability checks require network access
## Dependencies

Key dependencies:

- `walkdir`: File system traversal
- `swc_ecma_parser`: JavaScript/TypeScript AST parsing
- `regex`: Pattern matching
- `serde_json`: JSON serialization
- `ureq`: HTTP client for OSV.dev API
- `owo-colors`: Terminal colors
- `clap`: CLI argument parsing
## License

See repository license for details.

## Contributing

This is a security tool. When contributing:
- Avoid false positives that could cause alert fatigue
- Add tests for new detection patterns
- Update this README with new features
- Consider performance impact on large codebases