{"id":13841477,"url":"https://github.com/ajinabraham/njsscan","last_synced_at":"2025-05-14T17:05:41.140Z","repository":{"id":40761695,"uuid":"255793203","full_name":"ajinabraham/njsscan","owner":"ajinabraham","description":"njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.","archived":false,"fork":false,"pushed_at":"2024-11-14T08:58:05.000Z","size":396,"stargazers_count":399,"open_issues_count":5,"forks_count":79,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-05-14T17:04:54.629Z","etag":null,"topics":["appsec","codereview","codescanner","devsecops","expressjs","jslint","lint","linter","njsscan","nodejs","nodejsscan","nodesecurity","python","sast","security","security-tools","semantic","static-analysis","static-analyzer","staticanalysis"],"latest_commit_sha":null,"homepage":"https://opensecurity.in","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ajinabraham.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"ajinabraham","custom":["https://paypal.me/ajinabraham"]}},"created_at":"2020-04-15T03:21:00.000Z","updated_at":"2025-04-30T12:50:40.000Z","dependencies_parsed_at":"2024-11-07T21:30:57.516Z","dependency_job_id":"84de9a3f-d6a6-4370-8de3-f7aec166cbd3","html_url":"https://github.com/ajinabraham/njsscan","commit_stats":{"total_commits":202,"total_committers":10,"mean_commits":20.2,"dds":"0.054455445544554504","last_synced_commit":"370e90445dfdf9fa80db6d45e334971304144c32"},"previous_n
ames":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Fnjsscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Fnjsscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Fnjsscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Fnjsscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ajinabraham","download_url":"https://codeload.github.com/ajinabraham/njsscan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254190396,"owners_count":22029632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","codereview","codescanner","devsecops","expressjs","jslint","lint","linter","njsscan","nodejs","nodejsscan","nodesecurity","python","sast","security","security-tools","semantic","static-analysis","static-analyzer","staticanalysis"],"created_at":"2024-08-04T17:01:11.904Z","updated_at":"2025-05-14T17:05:41.118Z","avatar_url":"https://github.com/ajinabraham.png","language":"JavaScript","funding_links":["https://github.com/sponsors/ajinabraham","https://paypal.me/ajinabraham"],"categories":["JavaScript","JavaScript (485)","Static Application Security Testing","Companion Tools","Static Application Security Testing (SAST)"],"sub_categories":["SAST","Language Specific"],"readme":"# njsscan\n**njsscan** is a static application testing (SAST) tool that can find 
insecure code patterns in your node.js applications using simple pattern matcher from [libsast](https://github.com/ajinabraham/libsast) and syntax-aware semantic code pattern search tool [semgrep](https://github.com/returntocorp/semgrep).\n\nMade with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82e3a63c-4813-11e6-9430-6015d98aeaab.png) in India  [![Tweet](https://img.shields.io/twitter/url?url=https://github.com/ajinabraham/njsscan)](https://twitter.com/intent/tweet/?text=njsscan%20is%20a%20semantic%20aware%20SAST%20tool%20that%20can%20find%20insecure%20code%20patterns%20in%20your%20Node.js%20applications%20by%20%40ajinabraham%20%40OpenSecurity_IN\u0026url=https://github.com/ajinabraham/njsscan)\n\n[![PyPI version](https://badge.fury.io/py/njsscan.svg)](https://badge.fury.io/py/njsscan)\n[![platform](https://img.shields.io/badge/platform-osx%2Flinux-green.svg)](https://github.com/ajinabraham/njsscan)\n[![License](https://img.shields.io/:license-lgpl3+-blue.svg)](https://www.gnu.org/licenses/lgpl-3.0.en.html)\n[![python](https://img.shields.io/badge/python-3.7+-blue.svg)](https://www.python.org/downloads/)\n[![Build](https://github.com/ajinabraham/njsscan/workflows/Build/badge.svg)](https://github.com/ajinabraham/njsscan/actions?query=workflow%3ABuild)\n\n### Support njsscan\n\n* **Donate via Paypal:** [![Donate via Paypal](https://user-images.githubusercontent.com/4301109/76471686-c43b0500-63c9-11ea-8225-2a305efb3d87.gif)](https://paypal.me/ajinabraham)\n* **Sponsor the Project:** [![Github Sponsors](https://user-images.githubusercontent.com/4301109/95517226-9e410780-098e-11eb-9ef5-7b8c7561d725.png)](https://github.com/sponsors/ajinabraham)\n\n### e-Learning Courses \u0026 Certifications\n[![OpSecX Video Course](https://user-images.githubusercontent.com/4301109/82597198-99fa8600-9b76-11ea-8243-c604bc7b06b1.png)](https://opsecx.com/index.php/product/node-js-security-pentesting-and-exploitation/?uid=github) [OpSecX Node.js Security: Pentesting 
and Exploitation - NJS](https://opsecx.com/index.php/product/node-js-security-pentesting-and-exploitation/?uid=github)\n\n## Installation\n\n`pip install njsscan`\n\nRequires Python 3.7+ and supports only Mac and Linux\n\n## Command Line Options\n\n```bash\n$ njsscan\nusage: njsscan [-h] [--json] [--sarif] [--sonarqube] [--html] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]\n\npositional arguments:\n  path                  Path can be file(s) or directories with source code\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --json                set output format as JSON\n  --sarif               set output format as SARIF 2.1.0\n  --sonarqube           set output format compatible with SonarQube\n  --html                set output format as HTML\n  -o OUTPUT, --output OUTPUT\n                        output filename to save the result\n  -c CONFIG, --config CONFIG\n                        Location to .njsscan config file\n  --missing-controls    enable missing security controls check\n  -w, --exit-warning    non zero exit code on warning\n  -v, --version         show njsscan version\n```\n\n\n## Example Usage\n\n```bash\n$ njsscan test.js\n- Pattern Match ████████████████████████████████████████████████████████████ 1\n- Semantic Grep ███████████████████████████ 160\n\nnjsscan: v0.1.9 | Ajin Abraham | opensecurity.in\n╒═════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕\n│ RULE ID     │ express_xss                                                                                   │\n├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤\n│ OWASP       │ A1: Injection                                                                                 │\n├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤\n│ CWE         │ CWE-79: Improper 
Neutralization of Input During Web Page Generation ('Cross-site Scripting')  │\n├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤\n│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │\n├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤\n│ SEVERITY    │ ERROR                                                                                         │\n├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤\n│ FILES       │ ╒════════════════╤═══════════════════════════════════════════════╕                            │\n│             │ │ File           │ test.js                                       │                            │\n│             │ ├────────────────┼───────────────────────────────────────────────┤                            │\n│             │ │ Match Position │ 5 - 46                                        │                            │\n│             │ ├────────────────┼───────────────────────────────────────────────┤                            │\n│             │ │ Line Number(s) │ 7: 8                                          │                            │\n│             │ ├────────────────┼───────────────────────────────────────────────┤                            │\n│             │ │ Match String   │ const { name } = req.query;                   │                            │\n│             │ │                │     res.send('\u003ch1\u003e Hello :' + name + \"\u003c/h1\u003e\") │                            │\n│             │ ╘════════════════╧═══════════════════════════════════════════════╛                            │\n╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛\n```\n\n## nodejsscan SAST\n\n**nodejsscan**, built on top of **njsscan** provides a full 
fledged vulnerability management user interface along with other nifty integrations.\n\n![nodejsscan web ui](https://user-images.githubusercontent.com/4301109/83994121-74fe6500-a923-11ea-9ad7-012113f1bb12.png)\n\nSee [nodejsscan](https://github.com/ajinabraham/nodejsscan)\n\n## Python API\n\n```python\n\u003e\u003e\u003e from njsscan.njsscan import NJSScan\n\u003e\u003e\u003e node_source = '/node_source/true_positives/sqli_node.js'\n\u003e\u003e\u003e scanner = NJSScan([node_source], json=True, check_controls=False)\n\u003e\u003e\u003e scanner.scan()\n{\n    'templates': {},\n    'nodejs': {\n        'node_sqli_injection': {\n            'files': [{\n                'file_path': '/node_source/true_positives/sqli_node.js',\n                'match_position': (1, 24),\n                'match_lines': (4, 11),\n                'match_string': 'var employeeId = req.foo;\\n\\nvar sql = \"SELECT * FROM trn_employee WHERE employee_id = \" + employeeId;\\n\\n\\n\\nconnection.query(sql, function (error, results, fields) {\\n\\n    if (error) {\\n\\n        throw error;\\n\\n    }\\n\\n    console.log(results);'\n            }],\n            'metadata': {\n                'owasp': 'A1: Injection',\n                'cwe': \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\",\n                'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',\n                'severity': 'ERROR'\n            }\n        }\n    },\n    'errors': []\n}\n```\n\n## Configure njsscan\n\nA `.njsscan` file in the root of the source code directory allows you to configure njsscan. 
You can also use a custom `.njsscan` file using `--config` argument.\n\n```yaml\n---\n- nodejs-extensions:\n  - .js\n\n  template-extensions:\n  - .new\n  - .hbs\n  - ''\n\n  ignore-filenames:\n  - skip.js\n\n  ignore-paths:\n  - __MACOSX\n  - skip_dir\n  - node_modules\n\n  ignore-extensions:\n  - .jsx\n\n  ignore-rules:\n  - regex_injection_dos\n  - pug_jade_template\n\n  severity-filter:\n  - WARNING\n  - ERROR\n```\n\n## Suppress Findings\n\nYou can suppress findings from JavaScript source files by adding the comment `// njsscan-ignore: rule_id1, rule_id2` to the line that triggers the findings.\n\nExample:\n\n```javascript\napp.get('/some/redirect', function (req, res) {\n    var target = req.param(\"target\");\n    res.redirect(target); // njsscan-ignore: express_open_redirect\n});\n```\n\n## CI/CD Integrations\n\nYou can enable njsscan in your CI/CD or DevSecOps pipelines.\n\n#### Github Action\n\nAdd the following to the file `.github/workflows/njsscan.yml`.\n\n```yaml\nname: njsscan\non:\n  push:\n    branches: [ master, main ]\n  pull_request:\n    branches: [ master, main ]\njobs:\n  njsscan:\n    runs-on: ubuntu-latest\n    name: njsscan check\n    steps:\n    - name: Checkout the code\n      uses: actions/checkout@v4.2.2\n    - uses: actions/setup-python@v5.3.0\n      with:\n        python-version: '3.12'\n    - name: nodejsscan scan\n      id: njsscan\n      uses: ajinabraham/njsscan-action@master\n      with:\n        args: '.'\n```\nExample: [dvna with njsscan github action](https://github.com/ajinabraham/dvna/actions?query=workflow%3Anjsscan)\n\n#### Github Code Scanning Integration\n\nAdd the following to the file `.github/workflows/njsscan_sarif.yml`.\n\n```yaml\nname: njsscan sarif\non:\n  push:\n    branches: [ master, main ]\n  pull_request:\n    branches: [ master, main ]\njobs:\n  njsscan:\n    runs-on: ubuntu-latest\n    name: njsscan code scanning\n    steps:\n    - name: Checkout the code\n      uses: actions/checkout@v4.2.2\n    - uses: 
actions/setup-python@v5.3.0\n      with:\n        python-version: '3.12'\n    - name: nodejsscan scan\n      id: njsscan\n      uses: ajinabraham/njsscan-action@master\n      with:\n        args: '. --sarif --output results.sarif || true'\n    - name: Upload njsscan report\n      uses: github/codeql-action/upload-sarif@v3\n      with:\n        sarif_file: results.sarif\n```\n![nodejsscan web ui](https://user-images.githubusercontent.com/4301109/99230041-cfe29500-27bc-11eb-8baa-d5b30e21348d.png)\n\n\n#### Gitlab CI/CD\n\nAdd the following to the file `.gitlab-ci.yml`.\n\n```yaml\nstages:\n    - test\nnjsscan:\n    image: python\n    before_script:\n        - pip3 install --upgrade njsscan\n    script:\n        - njsscan .\n```\nExample: [dvna with njsscan gitlab](https://gitlab.com/ajinabraham/dvna/-/jobs/602110439)\n\n\n#### Travis CI\n\nAdd the following to the file `.travis.yml`.\n\n```yaml\nlanguage: python\ninstall:\n    - pip3 install --upgrade njsscan\nscript:\n    - njsscan .\n```\n\n#### Circle CI\n\nAdd the following to the file `.circleci/config.yaml`\n\n```yaml\nversion: 2.1\njobs:\n  njsscan:\n    docker:\n      - image: cimg/python:3.9.6\n    steps:\n      - checkout\n      - run:\n          name: Install njsscan\n          command: pip install --upgrade njsscan\n      - run:\n           name: njsscan check\n           command: njsscan .\n```\n\n## Docker\n\n### Prebuilt image from [DockerHub](https://hub.docker.com/r/opensecurity/njsscan)\n\n```bash\ndocker pull opensecurity/njsscan\ndocker run -v /path-to-source-dir:/src opensecurity/njsscan /src\n```\n\n### Build Locally\n\n```\ndocker build -t njsscan .\ndocker run -v /path-to-source-dir:/src njsscan /src\n```\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fajinabraham%2Fnjsscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fajinabraham%2Fnjsscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fajinabraham%2Fnjsscan/lists"}