Skip to main content

Static security code scanner (SAST) for Node.js applications

Project description

# NodeJsScan

Static security code scanner (SAST) for Node.js applications.

[![Requirements Status](](

### Configure & Run NodeJsScan

Install Postgres and configure `SQLALCHEMY_DATABASE_URI` in `core/`

pip3 install -r requirements.txt
python3 # Run once to create database entries required
python3 # Testing Environment
gunicorn -b app:app # Production Environment

This will run NodeJsScan on ``

If you need to debug, set `DEBUG = True` in `core/`

### NodeJsScan CLI

The command line interface (CLI) allows you to integrate NodeJsScan with DevSecOps CI/CD pipelines. The results are in JSON format. When you use CLI the results are never stored with NodeJsScan backend.

virtualenv venv -p python3
source venv/bin/activate
(venv)pip install nodejsscan
(venv)$ nodejsscan
usage: nodejsscan [-h] [-f FILE [FILE ...]] [-d DIRECTORY [DIRECTORY ...]]
[-o OUTPUT] [-v]

optional arguments:
-h, --help show this help message and exit
-f FILE [FILE ...], --file FILE [FILE ...]
Node.js file(s) to scan
Node.js source code directory/directories to scan
-o OUTPUT, --output OUTPUT
Output file to save JSON report
-v, --version Show nodejsscan version

#### Python API

import core.scanner as njsscan
res_dir = njsscan.scan_dirs(['/Code/Node.Js-Security-Course'])
res_file = njsscan.scan_file(['/Code/Node.Js-Security-Course/deserialization.js'])

[{'title': 'Deserialization Remote Code Injection', 'description': "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", 'tag': 'rci', 'line': 11, 'lines': 'app.use(cookieParser())\n\napp.get(\'/\', function(req, res) {\n if (req.cookies.profile) {\n var str = new Buffer(req.cookies.profile, \'base64\').toString();\n var obj = serialize.unserialize(str);\n if (obj.username) {\n res.send("Hello " + escape(obj.username));\n }\n } else {', 'filename': 'deserialization.js', 'path': '/Users/ajin/Code/Node.Js-Security-Course/deserialization.js', 'sha2': '06f3f0ff3deed27aeb95955a17abc7722895d3538c14648af97789d8777cee50'}]


### Docker

docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan

### DockerHub

docker pull opensecurity/nodejsscan
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest

### Learn Node.js Security: Pentesting and Exploitation

[![OpSecX Video Course](](

#### NodeJsScan Web UI

#### Static Analysis
![NodeJsScan Static Scan Results](
![NodeJsScan Static Scan Vulnerability Details](
![NodeJsScan CLI](

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

nodejsscan-3.4-py3-none-any.whl (14.4 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page