njsscan is a SAST tool that can find insecure code patterns in your Node.js applications.
Project description
njsscan
njsscan is a static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.
Made with 
Support njsscan
- Donate via Paypal:
- Sponsor the Project:
e-Learning Courses & Certifications
Installation
pip install njsscan
Requires Python 3.7+ and supports only Mac and Linux
Command Line Options
$ njsscan
usage: njsscan [-h] [--json] [--sarif] [--sonarqube] [--defectdojo] [--html] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]
positional arguments:
path Path can be file(s) or directories with source code
optional arguments:
-h, --help show this help message and exit
--json set output format as JSON
--sarif set output format as SARIF 2.1.0
--sonarqube set output format compatible with SonarQube
--defectdojo set output format compatible with Defect Dojo
--html set output format as HTML
-o OUTPUT, --output OUTPUT
output filename to save the result
-c CONFIG, --config CONFIG
Location to .njsscan config file
--missing-controls enable missing security controls check
-w, --exit-warning non zero exit code on warning
-v, --version show njsscan version
Example Usage
$ njsscan test.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ███████████████████████████ 160
njsscan: v0.1.9 | Ajin Abraham | opensecurity.in
╒═════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ express_xss │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP │ A1: Injection │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═══════════════════════════════════════════════╕ │
│ │ │ File │ test.js │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match Position │ 5 - 46 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 7: 8 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match String │ const { name } = req.query; │ │
│ │ │ │ res.send('<h1> Hello :' + name + "</h1>") │ │
│ │ ╘════════════════╧═══════════════════════════════════════════════╛ │
╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛
nodejsscan SAST
nodejsscan, built on top of njsscan provides a full fledged vulnerability management user interface along with other nifty integrations.
See nodejsscan
Python API
>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
'templates': {},
'nodejs': {
'node_sqli_injection': {
'files': [{
'file_path': '/node_source/true_positives/sqli_node.js',
'match_position': (1, 24),
'match_lines': (4, 11),
'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n if (error) {\n\n throw error;\n\n }\n\n console.log(results);'
}],
'metadata': {
'owasp': 'A1: Injection',
'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
'severity': 'ERROR'
}
}
},
'errors': []
}
Configure njsscan
A .njsscan file in the root of the source code directory allows you to configure njsscan. You can also use a custom .njsscan file using --config argument.
---
- nodejs-extensions:
- .js
template-extensions:
- .new
- .hbs
- ''
ignore-filenames:
- skip.js
ignore-paths:
- __MACOSX
- skip_dir
- node_modules
ignore-extensions:
- .jsx
ignore-rules:
- regex_injection_dos
- pug_jade_template
severity-filter:
- WARNING
- ERROR
Suppress Findings
You can suppress findings from javascript source files by adding the comment // njsscan-ignore: rule_id1, rule_id2 to the line that trigger the findings.
Example:
app.get('/some/redirect', function (req, res) {
var target = req.param("target");
res.redirect(target); // njsscan-ignore: express_open_redirect
});
CI/CD Integrations
You can enable njsscan in your CI/CD or DevSecOps pipelines.
Github Action
Add the following to the file .github/workflows/njsscan.yml.
name: njsscan
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan check
steps:
- name: Checkout the code
uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: '.'
Example: dvna with njsscan github action
Github Code Scanning Integration
Add the following to the file .github/workflows/njsscan_sarif.yml.
name: njsscan sarif
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Gitlab CI/CD
Add the following to the file .gitlab-ci.yml.
stages:
- test
njsscan:
image: python
before_script:
- pip3 install --upgrade njsscan
script:
- njsscan .
Example: dvna with njsscan gitlab
Travis CI
Add the following to the file .travis.yml.
language: python
install:
- pip3 install --upgrade njsscan
script:
- njsscan .
Circle CI
Add the following to the file .circleci/config.yaml
version: 2.1
jobs:
njsscan:
docker:
- image: cimg/python:3.9.6
steps:
- checkout
- run:
name: Install njsscan
command: pip install --upgrade njsscan
- run:
name: njsscan check
command: njsscan .
Docker
Prebuilt image from DockerHub
docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src
Build Locally
docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cdmx_njsscan-1.0.1.tar.gz.
File metadata
- Download URL: cdmx_njsscan-1.0.1.tar.gz
- Upload date:
- Size: 40.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.8.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
42f466e5b4e47ae26088c79ca9c523a627dc05fea27b2733c2ce9d52412a558a
|
|
| MD5 |
0512ca6750ce735bd58b9e1f93911335
|
|
| BLAKE2b-256 |
d24078d31e2b729c4bad436527b195088af28b16207052b657bec96fefdcaa32
|
File details
Details for the file cdmx_njsscan-1.0.1-py3-none-any.whl.
File metadata
- Download URL: cdmx_njsscan-1.0.1-py3-none-any.whl
- Upload date:
- Size: 69.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.8.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b16f3ec9d3edc27ede0fd7353ff3637e384113f8d1b9c40f8be9506b4f32de6e
|
|
| MD5 |
9404219b74c5d52e697321aa4615cdf8
|
|
| BLAKE2b-256 |
2f1231889ab4ddfa0ed5dd64a23b288858cf0c2875ad655738549ec3ae2a835e
|
