Skip to main content

njsscan is a SAST tool that can find insecure code patterns in your Node.js applications.

Project description


njsscan is a static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.

Made with Love in India Tweet

PyPI version platform License python

Language grade: Python Requirements Status Build

e-Learning Courses & Certifications

OpSecX Video Course OpSecX Node.js Security: Pentesting and Exploitation - NJS


pip install njsscan

Requires Python 3.6+ and supports only Mac and Linux

Command Line Options

$ njsscan
usage: njsscan [-h] [--json] [--sonarqube] [-o OUTPUT] [--missing-controls]
               [-w] [-v]
               [path [path ...]]

positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sonarqube           set output format compatible with SonarQube
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  --missing-controls    enable missing security controls check
  -w, --exit-warning    non zero exit code on warning
  -v, --version         show njsscan version

Example Usage

$ njsscan xss_node.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ████████████████████████████████████████████████████████████ 53

RULE ID: express_xss
OWASP: A1: Injection
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DESCRIPTION: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.


File: xss_node.js
Match Position: 5 - 37
Line Number(s): 5: 6
Match String:     var html = "Hello" + + ". How are you?"

    res.write('Response</br>' + html);

nodejsscan SAST

nodejsscan, built on top of njsscan provides a full fledged vulnerability management user interface along with other nifty integrations.

nodejsscan web ui

See nodejsscan

Python API

>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
    'templates': {},
    'nodejs': {
        'node_sqli_injection': {
            'files': [{
                'file_path': '/node_source/true_positives/sqli_node.js',
                'match_position': (1, 24),
                'match_lines': (4, 11),
                'match_string': 'var employeeId =;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n    if (error) {\n\n        throw error;\n\n    }\n\n    console.log(results);'
            'metadata': {
                'owasp': 'A1: Injection',
                'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
                'severity': 'ERROR'
    'errors': []

Configure njsscan

A .njsscan file in the root of the source code directory allows you to configure njsscan.

- nodejs-extensions:
  - .js

  - .new
  - .hbs
  - ''

  - skip.js

  - __MACOSX
  - skip_dir
  - node_modules

  - .jsx

  - regex_injection_dos
  - pug_jade_template

Suppress Findings

You can suppress findings from javascript source files by adding the comment //ignore: rule_id1, rule_id2 to the line that trigger the findings.


app.get('/some/redirect', function (req, res) {
    var target = req.param("target");
    res.redirect(target); //ignore: express_open_redirect

CI/CD Integrations

You can enable njsscan in your CI/CD or DevSecOps pipelines.

Github Action

Add the following to the file .github/workflows/njsscan.yml.

name: njsscan
    branches: [ master ]
    branches: [ master ]
    runs-on: ubuntu-latest
    name: njsscan check
    - uses: actions/checkout@v1
    - name: njsscan
      id: njsscan
      uses: ajinabraham/njsscan-action@v5
        args: '.'

Example: dvna with njsscan github action

Gitlab CI/CD

Add the following to the file .gitlab-ci.yml.

    - test
    image: python
        - pip3 install --upgrade njsscan
        - njsscan .

Example: dvna with njsscan gitlab

Travis CI

Add the following to the file .travis.yml.

language: python
    - pip3 install --upgrade njsscan
    - njsscan .


Prebuilt image from DockerHub

docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src

Build Locally

docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for njsscan, version 0.1.5
Filename, size File type Python version Upload date Hashes
Filename, size njsscan-0.1.5.tar.gz (33.6 kB) File type Source Python version None Upload date Hashes View
Filename, size njsscan-0.1.5-py3-none-any.whl (68.3 kB) File type Wheel Python version py3 Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page