What is nodejsscan?
NodeJsScan is an open source static code scanner used to find security flaws specifically in Node.js applications. It is powered by libsast and semgrep.
| Security Stage | SAST (Static Code Analysis) |
| Type | OpenSource |
| Languages | Javascript (Node.js) |
| Site | https://github.com/ajinabraham/NodeJsScan |
Pre-requisites
| 1 | You'll need a Git Address to scan |
How do I set it up?
Adding nodejsscan to your set of security tests is simple. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.
- Click on the application you wish to add the tool for, and edit the version (stage) configuration.
- Ensure that the version's 'Uri' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This will include the branch and auth details needed.
- Go to the 'Test Tools' tab and click 'Add Tool' for the 'nodejs scan' tool.
- Click Save.
Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the nodejsscan tool will be included in the test run and any results added to your vulnerabilities list.
Notes
Currently, the Bandit adaptor will run the default set of tests, recursively going through the files in the codeline. Configuration for profiles, test ids, and levels are not currently supported but will be included in a future release.