{"id":20686645,"url":"https://github.com/ericcornelissen/js-regex-security-scanner","last_synced_at":"2026-02-25T12:27:47.635Z","repository":{"id":60765626,"uuid":"536745625","full_name":"ericcornelissen/js-regex-security-scanner","owner":"ericcornelissen","description":"A static analyzer to scan JavaScript code for problematic regular expressions.","archived":false,"fork":false,"pushed_at":"2025-04-22T06:05:18.000Z","size":1932,"stargazers_count":8,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-22T14:05:37.568Z","etag":null,"topics":["javascript","redos","regex","regular-expression","sast","scanner","security","static-analysis"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/ericornelissen/js-re-scan","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ericcornelissen.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-09-14T20:17:04.000Z","updated_at":"2025-04-21T09:54:51.000Z","dependencies_parsed_at":"2023-11-26T11:25:28.822Z","dependency_job_id":"d689d697-f5ed-4e2a-89d2-22c33e8ccbf7","html_url":"https://github.com/ericcornelissen/js-regex-security-scanner","commit_stats":null,"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcornelissen%2Fjs-regex-security-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcornelissen%2Fjs-regex-security-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcornelissen%2Fjs-regex-security-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericcornelissen%2Fjs-regex-security-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ericcornelissen","download_url":"https://codeload.github.com/ericcornelissen/js-regex-security-scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250255709,"owners_count":21400410,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["javascript","redos","regex","regular-expression","sast","scanner","security","static-analysis"],"created_at":"2024-11-16T22:36:17.307Z","updated_at":"2026-02-25T12:27:47.628Z","avatar_url":"https://github.com/ericcornelissen.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- SPDX-License-Identifier: CC-BY-SA-4.0 --\u003e\n\n# JavaScript Regex Security Scanner\n\nA static analyzer to scan JavaScript and TypeScript code for problematic regular\nexpressions.\n\n## Getting started\n\nThe scanner is available as a container image, install it using:\n\n```shell\ndocker pull docker.io/ericornelissen/js-re-scan:latest\n```\n\nValidate the container provenance using cosign (optional but recommended):\n\n\u003c!-- doctest:ignore --\u003e\n\n```shell\ncosign verify \\\n  --certificate-identity-regexp \\\n    'https://github.com/ericcornelissen/js-regex-security-scanner/.+' \\\n  --certificate-oidc-issuer \\\n    'https://token.actions.githubusercontent.com' \\\n  docker.io/ericornelissen/js-re-scan:latest\n```\n\nNow you can use it to scan a JavaScript or TypeScript project. For example, to\nscan the current directory:\n\n```shell\ndocker run --rm -v $(pwd):/project docker.io/ericornelissen/js-re-scan:latest\n```\n\nTo use [Podman] instead of [Docker] you can replace `docker` by `podman` in any\nexample command. To use the [GitHub Container Registry] instead of [Docker] hub\nyou can use `ghcr.io/ericcornelissen/js-re-scan` instead.\n\n### Ignore patterns\n\nIf necessary you can ignore certain files or directories using the option\n`--ignore-pattern`. For example, to ignore vendored code to focus on problems\nin your own project you can use:\n\n```shell\ndocker run --rm -v $(pwd):/project docker.io/ericornelissen/js-re-scan:latest  \\\n  --ignore-pattern vendor/\n```\n\n### Exit codes\n\nThe scanner has the following exit codes.\n\n| Exit code | Meaning                                          |\n| --------: | :----------------------------------------------- |\n|         0 | No problems found                                |\n|         1 | Files with problematic regular expressions found |\n|         2 | Something went wrong while scanning              |\n\n## Features\n\n- Detect cases of exponential and polynomial backtracking.\n- Detect super-linear worst-case runtime caused by a regex being moved across\n  the input string.\n- Ignore generated code based on standard file and folder patterns.\n- Ignore tests based on standard file and folder patterns.\n- Scan documentation.\n\n## Trophies\n\nThe table below provides an overview of bugs and security advisories discovered\nwith the help of this scanner (from most to least recent). If you reported a bug\nor advisory based on the results of this scanner, feel free to add it to the\nlist!\n\n| Project              | Fix / Advisory               |\n| -------------------- | ---------------------------- |\n| [decamelize]         | [`e9e3041`]                  |\n| [browserslist]       | [`c331c95`]                  |\n| [st]                 | [#103][st-103]               |\n| [@std/path]          | [#6764][@std/path-6764]      |\n| [@eslint/markdown]   | [#463][@eslint/markdown-463] |\n| [@eslint/plugin-kit] | [GHSA-xffm-g5w8-qvg7]        |\n| [shescape]           | [CVE-2022-36064]             |\n\n[`c331c95`]: https://github.com/browserslist/browserslist/commit/c331c95c6aaf77ab284d7e338e462ad74bb5081a\n[`e9e3041`]: https://github.com/sindresorhus/decamelize/commit/e9e304170ecaaccc39d3696d7d816408c29eed71\n[@eslint/markdown-463]: https://github.com/eslint/markdown/pull/463\n[@eslint/plugin-kit]: https://www.npmjs.com/package/@eslint/plugin-kit\n[@std/path]: https://jsr.io/@std/path\n[@std/path-6764]: https://github.com/denoland/std/pull/6764\n[browserslist]: https://www.npmjs.com/package/browserslist\n[cve-2022-36064]: https://nvd.nist.gov/vuln/detail/CVE-2022-36064\n[decamelize]: https://www.npmjs.com/package/decamelize\n[ghsa-xffm-g5w8-qvg7]: https://github.com/advisories/GHSA-xffm-g5w8-qvg7\n[shescape]: https://www.npmjs.com/package/shescape\n[st]: https://www.npmjs.com/package/st\n[st-103]: https://github.com/isaacs/st/pull/103\n\n## Migrating to ESLint\n\nIf you have found this scanner helpful, consider using [eslint-plugin-regexp]\ninstead. This [ESLint] plugin is what powers the scanner, and it may integrate\nbetter with your project's existing workflows.\n\nFollow these steps to update your ESLint setup to cover what this scanner does:\n\n1. Install the plugin:\n\n   \u003c!-- doctest:ignore --\u003e\n\n   ```shell\n   npm install --save-dev eslint-plugin-regexp\n   ```\n\n1. Update your ESLint configuration:\n\n   ```javascript\n   import regexp from \"eslint-plugin-regexp\";\n   // ... other plugins you're already using\n\n   export default [\n     {\n       files: [\"**/*.{js,jsx,cjs,mjs,ts,cts,mts}\"],\n       plugins: {\n         regexp,\n       },\n       rules: {\n         \"regexp/no-super-linear-backtracking\": [\n           \"error\",\n           {\n             report: \"certain\",\n           },\n         ],\n         \"regexp/no-super-linear-move\": [\n           \"error\",\n           {\n             ignorePartial: false,\n             ignoreSticky: false,\n             report: \"certain\",\n           },\n         ],\n       },\n     },\n     // ... rest of your configuration\n   ];\n   ```\n\n## Build from source\n\nIf you want you can build the scanner from scratch. From the root of this\nproject run something like:\n\n```shell\ndocker build --file Containerfile .\n```\n\nOr use the convenience [Make] target:\n\n```shell\nmake build ENGINE=docker\n```\n\n## Philosophy\n\nThis scanner aims to provide developers with a tool to find vulnerable regular\nexpression in their code. As such, the goal is to only report _true positives_.\nThe result is that all findings are relevant, but a clean report does not mean\nyour project has no vulnerable regular expressions.\n\nThis is contrast to tools like [redos-detector], which will find vulnerable\nregular expressions this scanner won't, but also reports _false positives_. As\nit is difficult to determine if a particular report is a false positive, other\ntools are hard to use.\n\n## Behind the scenes\n\nThis scanner runs [ESLint] with the [eslint-plugin-regexp] plugin to find and\nreport on regular expressions that violate rules with security implications.\n\nTypeScript support is provided by [@typescript-eslint/parser], MarkDown support\nis provided by [@eslint/markdown].\n\n## License\n\nThis project is licensed under the Apache 2.0 license, see [LICENSE] for the\nfull license text. The documentation text is licensed under [CC BY-SA 4.0].\n\n---\n\nPlease [open an issue] if you found a mistake or if you have a suggestion for\nhow to improve the documentation.\n\n[@eslint/markdown]: https://www.npmjs.com/package/@eslint/markdown\n[@typescript-eslint/parser]: https://www.npmjs.com/package/@typescript-eslint/parser\n[cc by-sa 4.0]: https://creativecommons.org/licenses/by-sa/4.0/\n[docker]: https://www.docker.com/\n[eslint]: https://eslint.org/\n[eslint-plugin-regexp]: https://github.com/ota-meshi/eslint-plugin-regexp\n[github container registry]: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry\n[license]: ./LICENSE\n[make]: https://www.gnu.org/software/make/\n[open an issue]: https://github.com/ericcornelissen/js-regex-security-scanner/issues/new?labels=documentation\u0026template=documentation.md\n[podman]: https://podman.io/\n[redos-detector]: https://github.com/tjenkinson/redos-detector\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericcornelissen%2Fjs-regex-security-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fericcornelissen%2Fjs-regex-security-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericcornelissen%2Fjs-regex-security-scanner/lists"}