express-sec-audit

v0.1.4

Published

a month ago

Security auditor for Node.js Express apps (JS & TS)

0High
0Medium
0Low

kshitijsatija

security express nodejs audit static-analysis

🚀 express-sec-audit

by Kshitij Satija

Enterprise-grade static + runtime security auditing framework for Node.js / Express apps.

✔ SARIF output for GitHub security alerts
✔ CWE mapping for industry classification
✔ Fix suggestions inside GitHub PR UI
✔ Baseline diffing for CI noise reduction
✔ Multi-thread AST scanning + caching for performance

✨ Features

✔ Static code analysis (JS + TS)
✔ Runtime config scanning
✔ OpenAPI contract enforcement
✔ SQL Injection detection (heuristics + taint)
✔ NoSQL Injection detection
✔ Secrets exposure detection
✔ File upload security analysis (magic bytes, polyglots)
✔ JWT configuration analysis
✔ Session hardening checks
✔ Helmet deep inspection (CSP parsing, unsafe-inline detection)
✔ CORS misconfiguration + trust boundary analysis
✔ SARIF export with CWE mapping + autofix suggestions
✔ HTML & JSON reporting formats
✔ Baseline comparison mode for CI systems
✔ Multi-thread parsing engine with AST caching

🛠 Installation

npm install -g express-sec-audit

🔍 Usage

Scan current directory

express-sec-audit .

Output SARIF for GitHub Security

express-sec-audit . --format=sarif

Save results as HTML

express-sec-audit . --format=html

Save with custom file name

express-sec-audit . --log-name=my-audit

🔁 CI Baseline Support

First run — create baseline

express-sec-audit . --format=sarif --baseline-save

Subsequent CI runs — only show NEW findings

express-sec-audit . --format=sarif --baseline=./baseline.sarif.json

⚙️ Major Internal Components

🔹 Static Analyzer

Parses JS/TS via Babel
Detects security patterns AST-based
Runs multi-thread via worker pool
Uses file hash caching to skip unchanged files

🔹 SARIF Writer

CWE tagging
Fix suggestions embedded
GitHub Code Scanning compatible

🔹 Rule Framework

Rules implement:

module.exports = {
  id: "rule-name",
  async run(ctx) { ... }
}

ctx includes:

ast
filename
traverse
openApi contract if available
report() → register finding

🧠 Supported Security Areas

✔ Core Web Safety

Helmet enforcement
CORS correctness

✔ Authentication

JWT security heuristic rules
Session cookie hardening

✔ Injection Classes

SQL injection detection
- string concat, template literals, taint analysis
NoSQL injection detection
- tainted operators, regex exploitation, aggregation taint

✔ Supply Chain

Secret leakage scanning
Hardcoded token detector (entropy + pattern)

✔ Upload Processing

MIME mismatch rules
Magic byte verification
Polyglot detection indicators

✔ API Contracting

OpenAPI schema mismatch detection
Missing validation paths

✔ Config / Runtime Failures

Missing helmet policies
Missing secure session flags

📦 Output Formats

| Format | Command | |--------|---------| | Console | express-sec-audit . | | JSON | --format=json | | HTML | --format=html | | SARIF | --format=sarif |

SARIF is CI friendly and works with:

✔ GitHub Code Scanning
✔ Azure DevOps
✔ Sonar ingestion

🧩 Performance Architecture

Worker pool using Node worker_threads
AST parsing distributed per CPU core
On-disk cache .express-sec-audit-cache.json
Only changed files re-analyzed

Real projects see:

First run: full scan
Later runs: 8–25× faster

🏗 Folder Structure

EXPRESS-SEC-AUDIT/
 ├─ .github/
 │   ├─ ISSUE_TEMPLATE/
 │   ├─ PULL_REQUEST_TEMPLATE.md
 │   ├─ SECURITY.md
 │   └─ ... (optional CI workflows later)
 │
 ├─ bin/
 │   └─ express-sec-audit.js        # CLI entry point
 │
 ├─ node_modules/                   # dependencies (ignored from npm publish)
 │
 ├─ src/
 │   ├─ analyzers/                  # (future runtime analyzers)
 │   ├─ openapi/                    # OpenAPI spec loaders + parsers
 │   ├─ reporters/                  # console, html, json, sarif, file reporters
 │   ├─ runtime/                    # runtime middleware hooks (optional)
 │   ├─ static/                     # static analysis core
 │   │   ├─ runner.js               # worker pool controller
 │   │   ├─ worker.js               # AST worker threads
 │   │   └─ rules/                  # all security rule implementations
 │   │
 │   ├─ baseline.js                 # baseline diff + regression tracking
 │   ├─ engine.js                   # orchestrates full audit flow
 │   ├─ index.js                    # module entry (if required via require/import)
 │   └─ types.js                    # createFinding(), schemas, rule types, etc.
 │
 ├─ .npmignore                      # controls publish contents
 │
 ├─ CODE_OF_CONDUCT.md              # community standards
 ├─ CONTRIBUTING.md                 # how to contribute
 ├─ LICENSE                         # MIT license text
 ├─ README.md                       # main documentation
 ├─ SUPPORT.md                      # project support policy
 │
 ├─ package.json                    # npm configuration
 └─ package-lock.json               # dependency lockfile

✍️ Example Finding Output

1. [HIGH] Possible SQL injection detected
   File: routes/user.js:22
   Rule: sql-injection (static)
   More info: https://owasp.org/www-community/attacks/SQL_Injection

🚀 GitHub Security Integration

Run audit in CI
Upload SARIF file

✔ GitHub will show findings in:

Security tab
Pull request review UI
Files changed view

👤 Author

Kshitij Satija
Creator & maintainer of express-sec-audit

GitHub: https://github.com/Kshitij-Satija
LinkedIn: https://www.linkedin.com/in/kshitijsatija
Email: [email protected]

🤝 Contributing

Pull requests welcome!

Especially for:

new rule packs
deeper taint tracing engines
SARIF action metadata extensions

📜 License

MIT — Build safer software 🔐