eslint-plugin-secure-coding
v3.2.0
Security-focused ESLint plugin with 89 AI-parseable rules for detecting and preventing vulnerabilities. OWASP Top 10 2021 + Mobile Top 10 2024 coverage, CWE references, and AI-assisted fix guidance.
Description
This plugin provides general secure coding practices and OWASP compliance rules for JavaScript/TypeScript.
Philosophy
Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.
Getting Started
- To check out the guide, visit eslint.interlace.tools. 📚
- To view the Chinese guide, visit eslint.interlace.tools. 📚
- You can find the guide documentation at eslint.interlace.tools. 📚
- Please check the guide at eslint.interlace.tools. 📚
- To see the guide, visit eslint.interlace.tools. 📚
- To view the guide, visit eslint.interlace.tools. 📚
```bash
npm install eslint-plugin-secure-coding --save-dev
```
Benchmarks vs competitors (CWE-798 ground truth)
no-hardcoded-credentials is part of the ILB-Flagship benchmark suite. On the labeled CWE-798 fixture set (Juliet-style: 2 vulnerable + 2 safe files, ground-truthed):
| Rule | Precision | Recall | F1 |
| :--- | ---: | ---: | ---: |
| secure-coding/no-hardcoded-credentials (ours) | 100% | 100% | 1.00 |
| eslint-plugin-no-secrets/no-secrets | 100% | 50% | 0.67 |
The competitor's entropy-only detection catches the high-entropy API-key shape but misses the 15-character literal password assigned to password:. Our context-gated detection (structural patterns + credential-named-variable check + context-positive path) catches both for the right reasons.
On real OSS (vercel/ai), the competitor reports ~380 more findings than us. Those 380 are not catches we missed — they're entropy false-positives on TypeScript type literals ('experimental_onLanguageModelCallStart'), error class names ('AI_ToolCallNotFoundForApprovalError'), and documentation URLs. Sampling confirmed zero are actual credentials. The corpus number is the right one to weigh; the OSS finding-count is a noise metric.
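To make the distinction the benchmark draws concrete, here is an added example written for this page (it is not the plugin's source, nor eslint-plugin-no-secrets'): a toy entropy-only detector beside a toy context-gated one, evaluated on constructed single-line fixtures. The fixture set mirrors the 2 vulnerable + 2 safe split and adds the OSS false-positive cases named above; the type-literal and error-class strings are the ones quoted in the text, while the API-key value, the password, the URL, the entropy threshold, the key-shape regexes and the credential-name list are all assumptions of the example.

```javascript
// Added example for this README, not the plugin's source or the competitor's:
// a toy "entropy-only" detector next to a toy "context-gated" one, evaluated on
// constructed single-line fixtures with ground-truth labels. Thresholds, regexes
// and fixture values are assumptions of the example.

const FIXTURES = [
  // Vulnerable: API-key-shaped literal, high entropy (constructed key value).
  { id: 'vuln-api-key', credential: true,
    code: "const stripeKey = 'sk_live_4fK9dQ2mZ8xW1pL7vB3nR6tY0hJ5uC';" },
  // Vulnerable: 15-character literal password with low entropy (constructed value).
  { id: 'vuln-password', credential: true,
    code: "const dbConfig = { password: 'Welcome2Welcome' };" },
  // Safe: TypeScript string-literal type; an identifier, not a secret.
  { id: 'safe-type-literal', credential: false,
    code: "type Hook = 'experimental_onLanguageModelCallStart';" },
  // Safe: an error class name carried as a string.
  { id: 'safe-error-name', credential: false,
    code: "const name = 'AI_ToolCallNotFoundForApprovalError';" },
  // Safe: a documentation URL (constructed).
  { id: 'safe-doc-url', credential: false,
    code: "const docs = 'https://sdk.vercel.ai/docs/ai-sdk-core/generating-text';" },
];

// Shannon entropy in bits per character.
function shannonEntropy(str) {
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Single-quoted string literals on one line (enough for these fixtures; a real
// rule would walk the ESLint AST instead of using a regex).
function stringLiterals(code) {
  return [...code.matchAll(/'([^']*)'/g)].map((m) => m[1]);
}

// Detector A: entropy only. Flags any long, high-entropy literal, wherever it sits.
const ENTROPY_MIN_LENGTH = 12;
const ENTROPY_THRESHOLD_BITS = 3.3; // bits/char; tuned for this toy, not a recommended value
function entropyOnlyDetector(code) {
  return stringLiterals(code).some(
    (s) => s.length >= ENTROPY_MIN_LENGTH && shannonEntropy(s) >= ENTROPY_THRESHOLD_BITS,
  );
}

// Detector B: context gated. Two positive paths, no entropy at all:
//  1. structural shape: the literal itself looks like a key or token;
//  2. sink name: the literal is assigned to a credential-named binding or property.
const KEY_SHAPES = [
  /^sk_(live|test)_[A-Za-z0-9]{16,}$/, // prefixed secret key (shape assumed for the example)
  /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/,       // JWT: base64url header.payload.signature
];
const CREDENTIAL_NAME = /password|passwd|secret|api_?key|token|private_?key/i;
// `const apiKey = '...'`, `password: '...'`, `cfg.secret = '...'` -> captures (name, value)
const LITERAL_SINK = /(?:(?:const|let|var)\s+|\.)?([A-Za-z_$][\w$]*)\s*[:=]\s*'([^']*)'/g;

function contextGatedDetector(code) {
  if (stringLiterals(code).some((s) => KEY_SHAPES.some((re) => re.test(s)))) return true;
  for (const [, name, value] of code.matchAll(LITERAL_SINK)) {
    if (value.length > 0 && CREDENTIAL_NAME.test(name)) return true;
  }
  return false;
}

// Precision / recall / F1 of a detector against the labelled fixtures.
function evaluate(detector, fixtures = FIXTURES) {
  let tp = 0, fp = 0, fn = 0;
  const flagged = [];
  for (const f of fixtures) {
    const hit = detector(f.code);
    if (hit) flagged.push(f.id);
    if (hit && f.credential) tp += 1;
    else if (hit) fp += 1;
    else if (f.credential) fn += 1;
  }
  const precision = tp + fp ? tp / (tp + fp) : 0;
  const recall = tp + fn ? tp / (tp + fn) : 0;
  const f1 = precision + recall ? (2 * precision * recall) / (precision + recall) : 0;
  return { flagged, precision, recall, f1 };
}

for (const [label, det] of [['entropy-only', entropyOnlyDetector], ['context-gated', contextGatedDetector]]) {
  const r = evaluate(det);
  console.log(label, r.flagged.join(', '), `P=${r.precision} R=${r.recall} F1=${r.f1.toFixed(2)}`);
}
```

On this fixture set the entropy-only detector flags the API key but not the 15-character password (its per-character entropy is too low), and additionally flags the type literal, the error class name and the URL; the context-gated detector flags exactly the two credentials, once through the key-shape path and once through the `password:` sink name. The threshold value is the knob an entropy-only tool cannot escape: lowering it far enough to catch the password would flag even more identifier-like strings.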
⚙️ Configuration Presets
| Preset | Description |
| :-------------------- | :-------------------------------------------------------------- |
| recommended | Balanced security for most projects (Web + key Mobile security) |
| strict | Maximum security enforcement (all rules as errors) |
| owasp-top-10 | OWASP Top 10 Web 2021 compliance focused |
| owasp-mobile-top-10 | OWASP Mobile Top 10 2024 compliance focused |
📦 Compatibility
| Package | Version |
| :--- | :--- |
| ESLint | ^8.0.0 \|\| ^9.0.0 \|\| ^10.0.0 |
| Node.js | >=18.0.0 |
See the ESLint Version Support Policy — current ecosystem share data, the 20% gate, and the forward-looking exception that covers v10.
Rules
Legend
| Icon | Description |
| :---: | :--- |
| 💼 | Recommended: Included in the recommended preset. |
| ⚠️ | Warns: Set to warn in recommended preset. |
| 🔧 | Auto-fixable: Automatically fixable by the --fix CLI option. |
| 💡 | Suggestions: Providing code suggestions in IDE. |
| 🚫 | Deprecated: This rule is deprecated. |
| 🟢 | Type-unaware: AST-only, runs in oxlint JS-plugin tier. |
| 🟡 | Type-aware (refining): pure-AST primary path; types refine precision. |
| 🟠 | Type-aware (graceful): requires TS program; silent without it. |
| Rule | CWE | OWASP | CVSS | Description | 🧠 | 💼 | ⚠️ | 🔧 | 💡 | 🚫 |
| :--- | :---: | :---: | :---: | :--- | :---: | :---: | :---: | :---: | :---: | :---: |
| detect-non-literal-regexp | CWE-400 | | | Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expr… | 🟢 | | | | | |
| detect-object-injection | CWE-915 | | | Detects variable[key] as a left- or right-hand assignment operand (prototype pollution) | 🟡 | | | | | |
| detect-weak-password-validation | CWE-521 | A07:2021 | | Detects weak password length requirements (less than 8 characters) in validation code. | 🟢 | | | | | |
| no-directive-injection | CWE-94 | | | Detects directive injection vulnerabilities in template systems | 🟢 | | | | | |
| no-electron-security-issues | CWE-16 | | | Detects Electron security vulnerabilities and insecure configurations | 🟢 | | | | | |
| no-format-string-injection | CWE-134 | | | Detects format string injection vulnerabilities | 🟢 | | | | | |
| no-graphql-injection | CWE-943 | | | Detects GraphQL injection vulnerabilities and DoS attacks | 🟢 | 💼 | | | | |
| no-hardcoded-credentials | CWE-798 | | | Detects hardcoded passwords, API keys, tokens, and other sensitive credentials in source code | 🟢 | 💼 | | | | |
| no-hardcoded-session-tokens | CWE-798 | | | This rule detects hardcoded JWT tokens (starting with eyJ), Bearer tokens, and session identifiers | 🟢 | | | | | |
| no-improper-sanitization | CWE-116 | | | Detects improper sanitization of user input | 🟢 | | | | | |
| no-improper-type-validation | CWE-1287 | | | Detects improper type validation in user input handling | 🟢 | 💼 | | | | |
| no-insecure-comparison | CWE-697 | | | Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities | 🟢 | 💼 | | | | |
| no-ldap-injection | CWE-90 | | | Detects LDAP injection vulnerabilities | 🟢 | 💼 | | | | |
| no-missing-authentication | CWE-287 | | | CWE: CWE-287 | 🟢 | 💼 | | | | |
| no-pii-in-logs | CWE-359 | | | Prevent personally identifiable information (PII) — emails, SSNs, credit cards, phone numbers — from reachi… | 🟢 | | | | 💡 | |
| no-privilege-escalation | CWE-269 | | | Detects potential privilege escalation vulnerabilities where user input is used to assign roles or permissi… | 🟢 | 💼 | | | | |
| no-redos-vulnerable-regex | CWE-400 | | | ESLint Rule: no-redos-vulnerable-regex | 🟢 | | | | | |
| no-sensitive-data-exposure | CWE-532 | | | ESLint Rule: no-sensitive-data-exposure | 🟢 | 💼 | | | | |
| no-unchecked-loop-condition | CWE-400 | | | Detects unchecked loop conditions that could cause DoS | 🟢 | | | | | |
| no-unlimited-resource-allocation | CWE-770 | | | Detects unlimited resource allocation that could cause DoS | 🟢 | | | | | |
| no-unsafe-deserialization | CWE-502 | | | Detects unsafe deserialization of untrusted data | 🟢 | 💼 | | | | |
| no-unsafe-regex-construction | CWE-400 | | | ESLint Rule: no-unsafe-regex-construction with LLM-optimized suggestions and auto-fix capabilities | 🟢 | | | | | |
| no-weak-password-recovery | CWE-640 | | | ESLint Rule: no-weak-password-recovery with LLM-optimized suggestions and auto-fix capabilities | 🟢 | 💼 | | | | |
| no-xpath-injection | CWE-643 | | | Detects XPath injection vulnerabilities | 🟢 | 💼 | | | | |
| no-xxe-injection | CWE-611 | | | Detects XML External Entity (XXE) injection vulnerabilities | 🟢 | 💼 | | | | |
| require-backend-authorization | CWE-602 | | | CWE: CWE-602 | 🟢 | | | | | |
| require-secure-defaults | CWE-1188 | | | CWE: CWE-1188 | 🟢 | | | | | |
🔗 Related ESLint Plugins
Part of the Interlace ESLint Ecosystem — AI-native security plugins with LLM-optimized error messages:
| Plugin | Downloads | Description |
| :--- | :---: | :--- |
| eslint-plugin-secure-coding | | General security rules & OWASP guidelines. |
| eslint-plugin-pg | | PostgreSQL security & best practices. |
| eslint-plugin-node-security | | Node.js core-module security (fs, child_process, vm, crypto, Buffer). |
| eslint-plugin-jwt | | JWT security & best practices. |
| eslint-plugin-browser-security | | Browser-specific security & XSS prevention. |
| eslint-plugin-express-security | | Express.js security hardening rules. |
| eslint-plugin-lambda-security | | AWS Lambda security best practices. |
| eslint-plugin-nestjs-security | | NestJS security rules & patterns. |
| eslint-plugin-mongodb-security | | MongoDB security best practices. |
| eslint-plugin-vercel-ai-security | | Vercel AI SDK security hardening. |
| eslint-plugin-import-next | | Next-gen import sorting & architecture. |
📄 License
MIT © Ofri Peretz
