ngx-security-audit
v2.0.1
The most comprehensive Angular security auditing tool. 150+ rules, 10 scan types (OWASP, API security, performance, accessibility, dependency audit, hacking, complexity, code quality). Auto-fix suggestions, HTML dashboard, SVG badge generation, SARIF expo
🛡️ ngx-security-audit
ngx-security-audit is a comprehensive static analysis security scanner built exclusively for Angular. It combines OWASP vulnerability detection, code quality analysis, API security, dependency auditing, accessibility checks, and more — all in a single CLI tool with 0 config required.
Free forever. No account, no token, no telemetry. Install and scan in 10 seconds.
```bash
npm i -g ngx-security-audit && ngx-security-audit scan
```
Table of Contents
- Why ngx-security-audit?
- Features at a Glance
- Installation
- Quick Start
- Feature 1: Interactive Menu
- Feature 2: 10 Scan Types (125+ Rules)
- Feature 3: Auto-Fix Suggestions
- Feature 4: Report Formats (Console, JSON, HTML, SARIF)
- Feature 5: SVG Badge Generation
- Feature 6: Security Scoring & Grading
- Feature 7: Configuration File
- Feature 8: CI/CD Integration
- Feature 9: Freemium License System
- Feature 10: Programmatic API
- Feature 11: Rules Management
- Feature 12: Dependency Vulnerability Database
- Complete Rule Reference
- OWASP Top 10 Coverage
- Exit Codes
- Contributing
- License
🆚 Why ngx-security-audit?
| Feature | ngx-security-audit | SonarQube | Snyk | ESLint Security |
|---|:---:|:---:|:---:|:---:|
| Angular-specific rules | ✅ 125+ | ❌ Generic | ❌ Deps only | ⚠️ ~10 |
| OWASP Top 10 coverage | ✅ Full | ✅ Full | ⚠️ Partial | ❌ |
| Dependency CVE audit | ✅ Built-in | ❌ Separate | ✅ | ❌ |
| API security checks | ✅ 12 rules | ⚠️ Plugin | ❌ | ❌ |
| Accessibility (WCAG) | ✅ 8 rules | ❌ | ❌ | ❌ |
| Performance / DoS | ✅ 10 rules | ❌ | ❌ | ❌ |
| Hacking / pen-test rules | ✅ 17 rules | ❌ | ❌ | ❌ |
| Auto-fix suggestions | ✅ Code snippets | ⚠️ Some | ⚠️ Some | ⚠️ Some |
| HTML dashboard (6 SVG charts) | ✅ | ✅ Paid | ❌ | ❌ |
| SARIF export | ✅ | ✅ | ✅ | ❌ |
| SVG badge generation | ✅ | ❌ | ❌ | ❌ |
| CI/CD exit codes | ✅ | ✅ | ✅ | ✅ |
| Setup complexity | npm i -g | Server + DB | Account + token | Config |
| Price | Free | $150+/mo | $25+/mo | Free |
✨ Features at a Glance
| # | Feature | What it does |
|---|---------|-------------|
| 1 | Interactive Menu | Visual CLI menu — pick any scan type with arrow keys |
| 2 | 10 Scan Types | Security, code quality, complexity, hacking, Angular BP, API, performance, accessibility, dependencies, full |
| 3 | Auto-Fix Engine | Code-level fix suggestions with copy-paste snippets for 22+ rules |
| 4 | 4 Report Formats | Console (colored), JSON (machine), HTML (6 SVG charts dashboard), SARIF (GitHub/Azure) |
| 5 | SVG Badges | 6 badge types for README, PRs, CI dashboards |
| 6 | Security Scoring | 0–100 score, A–F grades, exponential decay algorithm |
| 7 | Configuration | .ngsecurityrc.json or package.json, rule overrides, include/exclude patterns |
| 8 | CI/CD Integration | Exit codes, thresholds, pipeline examples for GitHub Actions, Azure DevOps, GitLab CI |
| 9 | Freemium Licensing | Free (all scans), PRO (HTML, auto-fix, badges, SARIF), Enterprise (team features) |
| 10 | Programmatic API | require('ngx-security-audit') — use in scripts, custom tools, dashboards |
| 11 | Rules Management | List, filter, disable, override severity of any rule |
| 12 | Dependency CVE DB | Built-in database of 30+ packages with known CVEs — no network required |
📦 Installation
```bash
# Global (recommended for CLI)
npm install -g ngx-security-audit
# Local (for project integration / CI)
npm install --save-dev ngx-security-audit
# Run without installing (npx)
npx ngx-security-audit scan
```
Verify installation:
```bash
ngx-security-audit --version
# → 2.0.0
ngx-security-audit --help
```
🚀 Quick Start
```bash
# 1. Navigate to your Angular project
cd my-angular-app
# 2. Run the default OWASP security scan
ngx-security-audit scan
# 3. Or just type the command with no arguments to open the interactive menu
ngx-security-audit
```
That's it. No config file, no API key, no setup.
🎛️ Feature 1: Interactive Menu
What: A full-screen terminal menu that lets you pick any scan type visually using arrow keys.
How to use:
```bash
# Just run with no arguments (must be in a TTY terminal)
ngx-security-audit
```
What it looks like:
```text
╔══════════════════════════════════════════╗
║ 🛡️ NGX SECURITY AUDIT v2.0.0 ║
╚══════════════════════════════════════════╝
Use ↑↓ arrows to navigate, Enter to select, q to quit
❯ 🔒 Security Scan (OWASP)      XSS, CSRF, injection, auth — OWASP Top 10 [Default]
  ✨ Code Quality (JS/TS)        Anti-patterns, code smells, style issues
  🧩 Code Complexity             Cyclomatic, cognitive, nesting, coupling
  💀 Hacking & Pen-Testing       Prototype pollution, SSRF, ReDoS, CORS... [New]
  🅰️ Angular Best Practices      Standalone, signals, OnPush, lazy loading [New]
  🌐 API Security                API abuse, input validation, file upload [New]
  ⚡ Performance & DoS           Memory leaks, blocking ops, zone overload [New]
  ♿ Accessibility (WCAG)        ARIA roles, alt text, form labels, tab order [New]
  📦 Dependency Audit            CVEs, abandoned packages, supply chain risks [New]
  ─────────────────────────────────
  🚀 Full Scan (All)             Run all scan categories combined
```
How it works:
- Arrow keys ↑↓ to move between options (wraps around)
- Enter to select and run that scan
- q or Ctrl+C to quit
- Automatically runs the selected scan with `console` format and `high` threshold
- Only appears in interactive terminals (TTY) — in CI/CD, use explicit commands instead
🔍 Feature 2: 10 Scan Types (125+ Rules)
What: Each scan type focuses on a specific domain. Run one at a time or all at once with scan-full.
How to run each scan type
```bash
# 1. OWASP Security (34 rules) — XSS, CSRF, injection, auth, config
ngx-security-audit scan .
ngx-security-audit s .          # short alias
# 2. Code Quality (12 rules) — anti-patterns, smells, any type, magic numbers
ngx-security-audit scan-quality .
ngx-security-audit sq .         # short alias
# 3. Code Complexity (8 rules) — cyclomatic, cognitive, nesting, coupling
ngx-security-audit scan-complexity .
ngx-security-audit sc .
# 4. Hacking & Pen-Test (17 rules) — prototype pollution, SSRF, ReDoS, CORS, JWT
ngx-security-audit scan-hacking .
ngx-security-audit sh .
# 5. Angular Best Practices (16 rules) — standalone, signals, OnPush, lazy loading
ngx-security-audit scan-angular .
ngx-security-audit sa .
# 6. API Security (12 rules) — input validation, file upload, GraphQL, rate limiting
ngx-security-audit scan-api .
ngx-security-audit sapi .
# 7. Performance & DoS (10 rules) — memory leaks, blocking ops, zone overload
ngx-security-audit scan-perf .
ngx-security-audit sp .
# 8. Accessibility / WCAG (8 rules) — ARIA, alt text, form labels, tab order
ngx-security-audit scan-a11y .
ngx-security-audit sw .
# 9. Dependency Audit (8 rules) — CVEs, banned packages, supply chain risks
ngx-security-audit scan-deps .
ngx-security-audit sd .
# 10. Full Scan (all 125 rules) — every category combined
ngx-security-audit scan-full .
ngx-security-audit sf .
```
Shared options (work with ANY scan command)
```bash
# Change output format
ngx-security-audit scan . --format html
ngx-security-audit scan . --format json
ngx-security-audit scan . --format sarif
ngx-security-audit scan . -f html        # short flag
# Save to file
ngx-security-audit scan . --format html --output report.html
ngx-security-audit scan . -f json -o results.json
# Set fail threshold (exit code 1 if findings at/above this level)
ngx-security-audit scan . --threshold critical   # only fail on critical
ngx-security-audit scan . --threshold medium     # fail on medium+
ngx-security-audit scan . -t low                 # fail on low+
# Disable specific rules
ngx-security-audit scan . --disable-rules sensitive/console-log,config/budget-check
# Custom file patterns
ngx-security-audit scan . --include "src/**/*.ts,lib/**/*.ts"
ngx-security-audit scan . --exclude "**/*.spec.ts,**/*.test.ts"
# Verbose output (show debug info, stack traces)
ngx-security-audit scan . --verbose
ngx-security-audit scan . -v
# Combine options
ngx-security-audit scan-full . \
  --format html \
  --output security-report.html \
  --threshold high \
  --disable-rules sensitive/console-log \
  --exclude "**/*.spec.ts" \
  --verbose
```
Scan a different project
```bash
# Scan a specific path (not current directory)
ngx-security-audit scan /path/to/angular/project
ngx-security-audit scan-full C:\Users\me\my-app
ngx-security-audit scan ../other-project
```
What gets scanned
The scanner automatically:
- Detects if the project is Angular (checks `angular.json` or `@angular/core`)
- Reads `angular.json`, `package.json`, `tsconfig.json`
- Scans `src/**/*.ts`, `src/**/*.html`, `src/**/*.js` by default
- Ignores `node_modules`, `dist`, `build`, `.angular`, `coverage`, `.git`, `e2e`
- Detects lockfile presence (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`)
- Collects Angular version, project name, SSR status, dependencies
🔧 Feature 3: Auto-Fix Suggestions
What: 22+ rules come with a fix suggestion including a description and a code snippet you can copy-paste. 5 of those are marked auto-fixable (can be applied mechanically).
How to see auto-fix suggestions:
```bash
# Auto-fix suggestions appear automatically in console output
ngx-security-audit scan .
# They also appear in HTML reports
ngx-security-audit scan . --format html --output report.html
```
Console output example:
```text
🔴 CRITICAL xss/bypass-security-trust
   src/app/widget.component.ts:42
   Dangerous bypassSecurityTrust usage — disables Angular's built-in XSS protection
   🔧 Auto-fix: Use Angular's built-in sanitization instead of bypassing
   ⚡ Auto-fixable
   ┌──────────────────────────────────────────────────
   │ // Instead of:
   │ this.sanitizer.bypassSecurityTrustHtml(userInput);
   │
   │ // Use Angular's safe pipe or sanitize manually:
   │ this.sanitizer.sanitize(SecurityContext.HTML, userInput);
   └──────────────────────────────────────────────────
```
Fix statistics section (appears at the bottom of console output):
```text
🔧 Fix Suggestions
   Suggestions available: 12 of 19 findings
   Auto-fixable: 5 findings
   Coverage: 63%
```
Rules with auto-fix suggestions (22 rules):
| Rule ID | Auto-fixable? | Fix description |
|---------|:---:|---|
| xss/bypass-security-trust | — | Use sanitizer.sanitize() instead |
| xss/inner-html-binding | — | Use sanitization pipe |
| xss/dom-manipulation | — | Use Renderer2 instead of nativeElement |
| injection/eval-usage | — | Use JSON.parse() or safe alternatives |
| injection/function-constructor | ✅ | Replace with regular function |
| auth/missing-route-guards | — | Add canActivate guard pattern |
| auth/jwt-in-localstorage | — | Use httpOnly cookies |
| http/missing-xsrf-protection | — | Add withXsrfConfiguration() |
| http/insecure-url | ✅ | Replace http:// with https:// |
| sensitive/hardcoded-secrets | — | Move to environment variables |
| sensitive/console-log | ✅ | Replace with LogService |
| hacking/prototype-pollution | — | Use Object.create(null) + safe merge |
| hacking/weak-crypto | — | Use SHA-256, AES-256-GCM |
| hacking/open-redirect | — | URL allowlist validation |
| angular-bp/prefer-standalone | ✅ | Add standalone: true |
| angular-bp/prefer-onpush | ✅ | Add ChangeDetectionStrategy.OnPush |
| angular-bp/unsubscribe | — | Use takeUntilDestroyed() |
| quality/no-any-type | — | Use specific/generic types |
| quality/no-nested-subscriptions | — | Use switchMap/mergeMap |
| api/insecure-file-upload | — | Add file validation |
| deps/known-vulnerabilities | — | Run npm audit fix |
In HTML reports: Each finding displays a styled auto-fix block with a green header, code block, and "Auto-fixable" badge. A Fix Statistics section appears at the top with 4 stat cards (total, with fix, auto-fixable, coverage %).
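To show how a finding, its attached fix and the fix statistics block fit together, here is an added illustration that is not ngx-security-audit's own rule engine: three line-based rules taken from this README's rule tables run over a constructed component file, findings are enriched with fix suggestions, and the coverage percentage is computed. The regexes, messages and the `scanFile`/`runSample` helpers are assumptions of this example, not the package's API.

```javascript
// Added illustration, not ngx-security-audit's rule engine: a line-based scan
// for three rules from the README tables, fix enrichment and fix statistics.
// The sample source below is constructed; regexes and messages are assumptions.

const SEVERITY_RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };

// Rule IDs and severities as listed in the Complete Rule Reference.
const RULES = [
  {
    id: 'xss/bypass-security-trust', severity: 'CRITICAL', category: 'XSS',
    pattern: /\.bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\s*\(/,
    message: "Dangerous bypassSecurityTrust usage: disables Angular's built-in XSS protection",
    recommendation: "Use Angular's built-in sanitization instead of bypassing",
  },
  {
    id: 'injection/settimeout-string', severity: 'HIGH', category: 'Injection',
    pattern: /\bset(Timeout|Interval)\s*\(\s*['"]/, // string argument means implicit eval
    message: 'setTimeout/setInterval called with a string instead of a function',
    recommendation: 'Pass a function reference instead of a code string',
  },
  {
    id: 'sensitive/console-log', severity: 'LOW', category: 'Sensitive Data',
    pattern: /\bconsole\.(log|debug|info)\s*\(/,
    message: 'Console log statement may leak data in production builds',
    recommendation: 'Route logging through a service that is silenced in production',
  },
];

// Fix catalogue, a subset of the "Rules with auto-fix suggestions" table.
// injection/settimeout-string has no entry, so it yields a finding without a fix.
const FIXES = {
  'xss/bypass-security-trust': {
    description: "Use Angular's built-in sanitization instead of bypassing",
    code: 'this.sanitizer.sanitize(SecurityContext.HTML, userInput);',
    autoFixable: false,
  },
  'sensitive/console-log': {
    description: 'Replace with LogService',
    code: 'this.logService.debug(message);', // LogService is assumed to exist in the app
    autoFixable: true,
  },
};

// Scan one file line by line and emit findings in the JSON report shape.
function scanFile(file, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (!rule.pattern.test(text)) continue;
      findings.push({
        severity: rule.severity, ruleId: rule.id, category: rule.category,
        message: rule.message, file, line: idx + 1, code: text.trim(),
        recommendation: rule.recommendation,
      });
    }
  });
  return findings;
}

// Attach .fix (or null) to each finding, mirroring the JSON "fix" object.
function enrichWithFixes(findings) {
  return findings.map(f => ({ ...f, fix: FIXES[f.ruleId] || null }));
}

// Fix statistics: coverage is the share of findings that carry a suggestion.
function getFixStats(findings) {
  const totalFindings = findings.length;
  const withFixSuggestions = findings.filter(f => f.fix).length;
  const autoFixable = findings.filter(f => f.fix && f.fix.autoFixable).length;
  const coveragePercent = totalFindings === 0 ? 0 : Math.round((withFixSuggestions / totalFindings) * 100);
  return { totalFindings, withFixSuggestions, autoFixable, coveragePercent };
}

// Constructed sample component (not from any real project).
const SAMPLE_FILES = {
  'src/app/widget.component.ts': [
    "import { DomSanitizer, SecurityContext } from '@angular/platform-browser';",
    'export class WidgetComponent {',
    '  constructor(private sanitizer: DomSanitizer) {}',
    '  render(userInput: string) {',
    '    console.log("rendering", userInput);',
    '    this.html = this.sanitizer.bypassSecurityTrustHtml(userInput);',
    '    setTimeout("this.refresh()", 1000);',
    '  }',
    '}',
  ].join('\n'),
};

// Scan every sample file, sort CRITICAL first (as the console reporter does),
// enrich with fixes and compute the statistics block.
function runSample() {
  let findings = [];
  for (const [file, src] of Object.entries(SAMPLE_FILES)) {
    findings = findings.concat(scanFile(file, src));
  }
  findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
  findings = enrichWithFixes(findings);
  return { findings, fixStats: getFixStats(findings) };
}

const sample = runSample();
for (const f of sample.findings) {
  console.log(`${f.severity} ${f.ruleId} ${f.file}:${f.line}${f.fix ? ' [fix available]' : ''}`);
}
console.log(sample.fixStats); // { totalFindings: 3, withFixSuggestions: 2, autoFixable: 1, coveragePercent: 67 }
```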
📊 Feature 4: Report Formats (Console, JSON, HTML, SARIF)
Format 1: Console (default)
How:
```bash
ngx-security-audit scan .
# or explicitly:
ngx-security-audit scan . --format console
```
What you get:
- Color-coded terminal output with Unicode box characters
- Header with project name, Angular version, date, files scanned, rules count
- Score gauge: `Score: 72/100 (Grade: C)` — green/yellow/red colored
- Summary table: count per severity level
- Detailed findings sorted by severity (CRITICAL first), each with:
  - Rule ID, severity icon, message
  - File path and line number
  - Code snippet (2 lines of context above and below)
  - Recommendation text
  - Auto-fix suggestion (if available)
- Fix statistics section
- Pass/fail status with threshold used
- Upgrade prompt (for free tier users)
Format 2: JSON
How:
```bash
ngx-security-audit scan . --format json --output results.json
```
What you get:
```json
{
  "success": true,
  "projectPath": "/path/to/project",
  "projectName": "my-app",
  "angularVersion": "17.0.0",
  "scanDate": "2026-03-07T10:30:00.000Z",
  "scanType": "security",
  "score": 72,
  "grade": "C",
  "passed": false,
  "threshold": "high",
  "summary": {
    "critical": 2,
    "high": 5,
    "medium": 8,
    "low": 3,
    "info": 1,
    "total": 19
  },
  "findings": [
    {
      "severity": "CRITICAL",
      "ruleId": "xss/bypass-security-trust",
      "category": "XSS",
      "message": "Dangerous bypassSecurityTrust usage...",
      "file": "src/app/widget.component.ts",
      "line": 42,
      "code": "this.sanitizer.bypassSecurityTrustHtml(userInput)",
      "recommendation": "Use Angular's built-in sanitization...",
      "fix": {
        "description": "Use Angular's built-in sanitization instead of bypassing",
        "code": "this.sanitizer.sanitize(SecurityContext.HTML, userInput);",
        "autoFixable": false
      }
    }
  ],
  "fixStats": {
    "totalFindings": 19,
    "withFixSuggestions": 12,
    "autoFixable": 5,
    "coveragePercent": 63
  },
  "metadata": { ... },
  "filesScanned": 47,
  "rulesExecuted": 34
}
```
Use cases: Custom dashboards, trend tracking, CI/CD post-processing.
Format 3: HTML Dashboard
How:
```bash
ngx-security-audit scan . --format html --output report.html
# Full scan for the most comprehensive report:
ngx-security-audit scan-full . --format html --output full-report.html
```
What you get: A self-contained HTML file (no external dependencies) with:
| Section | Description |
|---------|-------------|
| Header | ngx-security-audit v2.0.0, project name, date |
| Executive Summary | Score gauge, grade, total findings, pass/fail, scan type |
| 6 SVG Charts | (see below) |
| Fix Statistics | 4 stat cards: total findings, with fix, auto-fixable, coverage % |
| OWASP Compliance | Matrix showing coverage for each OWASP Top 10 category |
| Top Risks | Priority table of the most critical findings with locations |
| All Findings | Full detailed list with severity, rule ID, file, line, code, recommendation, auto-fix blocks |
| Severity Filter | Click severity icons to show/hide finding levels |
| Footer | Metadata, generation timestamp |
6 Interactive SVG Charts:
| Chart | How to read it |
|-------|---------------|
| 🍩 Severity Donut | Proportional breakdown by severity. Larger slice = more issues. |
| 📊 Severity Bar Chart | Bar height shows count per severity level. Quick visual comparison. |
| 🎯 Score Gauge | Circular 270° arc from 0–100. Green ≥80, Yellow ≥60, Red <60. |
| 🕸️ OWASP Radar | Spider chart with 10 axes (OWASP A01–A10). Filled area shows coverage. |
| 📈 Category Breakdown | Horizontal bars by category (XSS, Injection, Auth, etc.). |
| 🔥 File Heatmap | Top 10 files ranked by finding count. Red = most issues. |
Features:
- Dark theme (`#0a0e1a` background), professional design
- Fully responsive (desktop + mobile)
- Print / PDF export: click the browser print button or Ctrl+P — dedicated print CSS
- Self-contained — single `.html` file, embed anywhere
- No JavaScript dependencies — pure CSS + inline SVG
Format 4: SARIF
How:
```bash
ngx-security-audit scan . --format sarif --output results.sarif
```
What you get: SARIF 2.1.0 compliant JSON file.
How to use it:
```yaml
# Upload to GitHub Code Scanning (in GitHub Actions)
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
# Azure DevOps — upload as build artifact, view in Security tab
```
Severity mapping:
| ngx-security-audit | SARIF level | SARIF rank |
|----|---|---|
| CRITICAL | error | 9.5 |
| HIGH | error | 8.0 |
| MEDIUM | warning | 5.0 |
| LOW | note | 3.0 |
| INFO | note | 1.0 |
🏅 Feature 5: SVG Badge Generation
What: Generate shields.io-style SVG badge files locally. No external service needed.
How:
```bash
# Generate badges for the current project
ngx-security-audit badge .
# Specify output directory
ngx-security-audit badge . -o ./badges
# Badges for a different project
ngx-security-audit badge /path/to/project -o ./my-badges
```
What it produces (up to 6 SVG files):
| File | Label | Value | Colors |
|------|-------|-------|--------|
| security-score.svg | "security score" | 72/100 | Green ≥80, Yellow ≥60, Red <60 |
| security-grade.svg | "security grade" | C | Green=A/B, Yellow=C, Red=D/F |
| security-findings.svg | "vulnerabilities" | 19 | Green=0, Orange=has high, Red=has critical |
| security-scanType.svg | "scan" | full | Blue |
| security-status.svg | "security audit" | passing/failing | Green/Red |
| security-critical.svg | "critical issues" | 2 | Red (only generated if critical > 0) |
Add to your README by referencing the generated SVG files as Markdown images; the badge command also prints a ready-to-copy Markdown snippet.
📈 Feature 6: Security Scoring & Grading
What: Every scan produces a 0–100 score and A–F grade using an exponential decay algorithm.
Severity Weights
| Severity | Weight | What it means |
|----------|--------|---------------|
| 🔴 CRITICAL | 20 | Immediate exploitation risk — fix before deployment |
| 🟠 HIGH | 10 | Significant security risk — fix as priority |
| 🟡 MEDIUM | 5 | Moderate risk — plan to fix |
| 🔵 LOW | 2 | Minor risk — fix when convenient |
| ⚪ INFO | 0 | Informational — no score impact |
How the score works
The algorithm uses exponential decay with diminishing returns:
```text
totalPenalty = Σ (weight × √count) for each severity
score = max(0, round(100 × e^(-totalPenalty / 89.66)))
```
- Diminishing returns: The 10th critical finding hurts less than the 1st (penalty scales as √N, not N)
- Calibration: 1 critical finding = score 80, so real projects always get a meaningful score
- INFO findings have weight 0 — they don't reduce the score
Example scores
| Scenario | Score | Grade |
|----------|-------|-------|
| No findings | 100 | A |
| 1 critical | 80 | B |
| 2 high + 5 medium + 3 low | 73 | C |
| 1 critical + 5 high + 12 medium + 8 low | 48 | F |
| 3 critical + 10 high + 25 medium + 15 low | 33 | F |
Grading scale
| Grade | Score Range | Meaning |
|-------|-------------|---------|
| A | 90–100 | Excellent — minimal risk |
| B | 80–89 | Good — low risk |
| C | 70–79 | Fair — review recommended |
| D | 60–69 | Poor — action required |
| F | 0–59 | Fail — remediation needed |
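To make the scoring and grading tables above reproducible, here is an added example (not the package's own `calculateScore`/`getGrade` implementation) that applies the documented formula, with the README's severity weights and 89.66 decay constant, to a constructed finding list, and also performs the `--threshold` pass/fail comparison used for exit codes. The `findingsFromCounts` and `exampleTable` helpers are conveniences of this example only.

```javascript
// Added example: re-implements the README's scoring formula so that the
// "Example scores" table can be reproduced. Not the ngx-security-audit source.
// Assumptions: weights and the 89.66 constant are those documented above.

const SEVERITY_WEIGHTS = { CRITICAL: 20, HIGH: 10, MEDIUM: 5, LOW: 2, INFO: 0 };
const DECAY = 89.66;
// Ascending order, used for the "at or above threshold" comparison.
const SEVERITY_ORDER = ['INFO', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];

// Count findings per severity. Input: array of { severity: 'CRITICAL' | ... }.
function summarize(findings) {
  const summary = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 0 };
  for (const f of findings) {
    if (!(f.severity in summary)) throw new Error(`unknown severity: ${f.severity}`);
    summary[f.severity] += 1;
  }
  return summary;
}

// totalPenalty = sum over severities of weight * sqrt(count).
// sqrt gives the diminishing returns: the 10th critical costs less than the 1st.
function totalPenalty(summary) {
  let penalty = 0;
  for (const [sev, weight] of Object.entries(SEVERITY_WEIGHTS)) {
    penalty += weight * Math.sqrt(summary[sev] || 0);
  }
  return penalty;
}

// score = max(0, round(100 * e^(-totalPenalty / 89.66)))
function calculateScore(findings) {
  const penalty = totalPenalty(summarize(findings));
  return Math.max(0, Math.round(100 * Math.exp(-penalty / DECAY)));
}

// Grade bands from the grading scale table.
function getGrade(score) {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 70) return 'C';
  if (score >= 60) return 'D';
  return 'F';
}

// Pass/fail: any finding at or above the threshold severity fails (exit code 1).
function passesThreshold(findings, threshold) {
  const min = SEVERITY_ORDER.indexOf(threshold.toUpperCase());
  if (min < 0) throw new Error(`unknown threshold: ${threshold}`);
  return !findings.some(f => SEVERITY_ORDER.indexOf(f.severity) >= min);
}

// Build a constructed finding list from per-severity counts, e.g. { HIGH: 2, LOW: 3 }.
function findingsFromCounts(counts) {
  const findings = [];
  for (const [sev, n] of Object.entries(counts)) {
    for (let i = 0; i < n; i++) {
      findings.push({ severity: sev, ruleId: `constructed/${sev.toLowerCase()}-${i}` });
    }
  }
  return findings;
}

// Reproduce the "Example scores" table row by row.
function exampleTable() {
  const scenarios = {
    'No findings': {},
    '1 critical': { CRITICAL: 1 },
    '2 high + 5 medium + 3 low': { HIGH: 2, MEDIUM: 5, LOW: 3 },
    '1 critical + 5 high + 12 medium + 8 low': { CRITICAL: 1, HIGH: 5, MEDIUM: 12, LOW: 8 },
    '3 critical + 10 high + 25 medium + 15 low': { CRITICAL: 3, HIGH: 10, MEDIUM: 25, LOW: 15 },
  };
  const rows = {};
  for (const [name, counts] of Object.entries(scenarios)) {
    const score = calculateScore(findingsFromCounts(counts));
    rows[name] = { score, grade: getGrade(score) };
  }
  return rows;
}

for (const [name, row] of Object.entries(exampleTable())) {
  console.log(`${name}: ${row.score}/100 (Grade: ${row.grade})`);
}
```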
Pass / Fail logic
The --threshold flag controls exit codes. Any finding at or above the threshold severity causes exit code 1 (fail):
```bash
ngx-security-audit scan . --threshold critical   # only fail on CRITICAL
ngx-security-audit scan . --threshold high       # fail on HIGH or CRITICAL (default)
ngx-security-audit scan . --threshold medium     # fail on MEDIUM+
ngx-security-audit scan . --threshold low        # fail on LOW+
ngx-security-audit scan . --threshold info       # fail on ANY finding
```
⚙️ Feature 7: Configuration File
What: Customize scan behavior via a .ngsecurityrc.json file or a package.json key. CLI flags always take priority.
Create a config file
```bash
ngx-security-audit init
```
This creates `.ngsecurityrc.json` in the current directory.
Configuration options
```json
{
  "threshold": "high",
  "format": "console",
  "output": null,
  "include": ["src/**/*.ts", "src/**/*.html", "src/**/*.js"],
  "exclude": ["**/*.spec.ts", "**/*.test.ts"],
  "disabledRules": ["sensitive/console-log", "config/budget-check"],
  "ruleOverrides": {
    "xss/inner-html-binding": "low",
    "config/strict-mode": "medium"
  },
  "verbose": false
}
```
| Field | Type | Default | Description |
|-------|------|---------|-------------|
| threshold | string | "high" | Severity threshold for exit code. Options: critical, high, medium, low, info |
| format | string | "console" | Default output format. Options: console, json, html, sarif |
| output | string | null | Default output file path (null = stdout) |
| include | string[] | ["src/**/*.ts", "src/**/*.html", "src/**/*.js"] | Glob patterns of files to scan |
| exclude | string[] | [] | Glob patterns of files to skip |
| disabledRules | string[] | [] | Rule IDs to skip entirely |
| ruleOverrides | object | {} | Override severity per rule ID (e.g., downgrade a rule to "low") |
| verbose | boolean | false | Enable verbose/debug output |
Alternative: package.json
Add an ngxSecurityAudit key to your package.json:
```json
{
  "name": "my-app",
  "ngxSecurityAudit": {
    "threshold": "high",
    "disabledRules": ["sensitive/console-log"],
    "exclude": ["**/*.spec.ts"]
  }
}
```
Priority order
CLI flags → .ngsecurityrc.json → package.json → defaults
```bash
# Config file says threshold: "high", but CLI overrides to "critical"
ngx-security-audit scan . --threshold critical
```
Automatically ignored directories
These are always ignored regardless of config: node_modules, dist, build, .angular, coverage, .git, e2e.
🏗️ Feature 8: CI/CD Integration
What: Use thresholds and exit codes to fail builds when security issues are found.
Exit codes
| Code | Meaning | When |
|------|---------|------|
| 0 | Pass | No findings at or above threshold |
| 1 | Fail | Findings found at or above threshold |
| 2 | Error | Invalid project, config error, crash |
GitHub Actions — Full example
name: Angular Security Audit
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
# Install the scanner
- run: npm install -g ngx-security-audit
# Step 1: Quick security scan — fail the build on HIGH+
- name: Security scan
run: ngx-security-audit scan . --threshold high
# Step 2: Full scan → HTML report (always, even on failure)
- name: Full scan with HTML report
run: ngx-security-audit scan-full . --format html --output security-report.html
if: always()
# Step 3: SARIF → GitHub Security tab
- name: SARIF export
run: ngx-security-audit scan . --format sarif --output results.sarif
if: always()
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: results.sarif
# Step 4: Upload HTML report as artifact
- name: Upload HTML report
uses: actions/upload-artifact@v4
if: always()
with:
name: security-report
path: security-report.html
# Step 5: Generate badges (optional — commit to repo or upload)
- name: Generate badges
run: ngx-security-audit badge . -o ./badges
if: always()Azure DevOps
```yaml
trigger:
  - main
pool:
  vmImage: ubuntu-latest
steps:
  - script: npm ci
    displayName: 'Install dependencies'
  - script: npm install -g ngx-security-audit
    displayName: 'Install ngx-security-audit'
  - script: ngx-security-audit scan . --threshold high
    displayName: 'Security Audit (fail on HIGH+)'
  - script: ngx-security-audit scan-full . --format html --output $(Build.ArtifactStagingDirectory)/report.html
    condition: always()
    displayName: 'Generate HTML Report'
  - script: ngx-security-audit scan . --format json --output $(Build.ArtifactStagingDirectory)/results.json
    condition: always()
    displayName: 'Generate JSON Report'
  - task: PublishBuildArtifacts@1
    condition: always()
    inputs:
      artifactName: 'SecurityReport'
```
GitLab CI
```yaml
security_scan:
  image: node:20-alpine
  stage: test
  script:
    - npm ci
    - npm install -g ngx-security-audit
    - ngx-security-audit scan . --threshold high
    - ngx-security-audit scan-full . --format html --output security-report.html
    - ngx-security-audit scan . --format json --output security-results.json
  artifacts:
    paths:
      - security-report.html
      - security-results.json
    when: always
    expire_in: 30 days
```
Multi-scan CI strategy
Run multiple scan types independently to get granular feedback:
```bash
# In CI, run scans in sequence — each with its own threshold
ngx-security-audit scan . --threshold critical        # OWASP — block on critical only
ngx-security-audit scan-hacking . --threshold high    # Pen-test — block on high+
ngx-security-audit scan-deps . --threshold high       # Dependencies — block on known CVEs
ngx-security-audit scan-a11y . --threshold medium     # Accessibility — advisory
# Combine all into one HTML report for review
ngx-security-audit scan-full . --format html --output full-report.html
```
🔑 Feature 9: Freemium License System
What: Three tiers — Free, PRO, Enterprise. The free tier includes all scan types and all 125+ rules.
Tier comparison
| Feature | Free | PRO | Enterprise |
|---------|:---:|:---:|:---:|
| All 125+ security rules | ✅ | ✅ | ✅ |
| All 10 scan types | ✅ | ✅ | ✅ |
| Console reporter | ✅ | ✅ | ✅ |
| JSON reporter | ✅ | ✅ | ✅ |
| Interactive menu | ✅ | ✅ | ✅ |
| CI/CD exit codes | ✅ | ✅ | ✅ |
| HTML dashboard report | — | ✅ | ✅ |
| SARIF reporter | — | ✅ | ✅ |
| Auto-fix suggestions | — | ✅ | ✅ |
| SVG badge generation | — | ✅ | ✅ |
| Dependency deep scan | — | ✅ | ✅ |
| API security scan | — | ✅ | ✅ |
| Performance scan | — | ✅ | ✅ |
| Accessibility scan | — | ✅ | ✅ |
| Trend tracking | — | ✅ | ✅ |
| Custom rules | — | ✅ | ✅ |
| Priority support | — | ✅ | ✅ |
| Team dashboard | — | — | ✅ |
| Policy enforcement | — | — | ✅ |
| Audit log | — | — | ✅ |
| SSO integration | — | — | ✅ |
| White-label | — | — | ✅ |
| SLA support | — | — | ✅ |
How to activate a license
```bash
# Activate a PRO license key
ngx-security-audit activate NGX-PRO-XXXXXXXX
# Output:
# 💎 License activated: Professional
# Full access to all PRO features
# Saved to: /home/user/.ngx-security-license
```
Where the license is stored
The license key is checked in this order:
1. `.ngx-security-license` file in the project root
2. `~/.ngx-security-license` file in your home directory
3. `NGX_SECURITY_LICENSE` environment variable
```bash
# Alternative: set as environment variable (useful in CI)
export NGX_SECURITY_LICENSE="NGX-PRO-XXXXXXXX"
ngx-security-audit scan .
```
Check current tier
```javascript
const { getCurrentTier, isFeatureAvailable } = require('ngx-security-audit');
console.log(getCurrentTier()); // 'free', 'pro', or 'enterprise'
console.log(isFeatureAvailable('html-dashboard-report', 'pro')); // true
```
📚 Feature 10: Programmatic API
What: Use ngx-security-audit from your own Node.js scripts, custom tools, or dashboards.
Installation for API usage
```bash
npm install ngx-security-audit
```
Full API reference
```javascript
const {
  // Core
  audit,                 // (projectPath, options) → Promise<AuditResult>
  generateReport,        // (result, format) → string
  listRules,             // (scanType?) → Rule[]
  Scanner,               // Class: new Scanner(path, options).scan()
  // Scoring
  SEVERITY,              // { CRITICAL, HIGH, MEDIUM, LOW, INFO }
  calculateScore,        // (findings) → number (0–100)
  getGrade,              // (score) → 'A'|'B'|'C'|'D'|'F'
  // Rules
  rulesByType,           // { security: Rule[], 'code-quality': Rule[], ... }
  // Auto-fix
  enrichWithFixes,       // (findings) → findings with .fix attached
  getFixStats,           // (findings) → { totalFindings, withFixSuggestions, autoFixable, coveragePercent }
  getFixSuggestion,      // (finding) → { description, code, autoFixable } | null
  // Badges
  generateBadges,        // (result, outputDir) → { score, grade, findings, ... }
  generateBadgeMarkdown, // (result, baseUrl) → string
  // License
  getCurrentTier,        // (projectPath?) → 'free' | 'pro' | 'enterprise'
  isFeatureAvailable,    // (feature, tier) → boolean
  TIERS,                 // { FREE: 'free', PRO: 'pro', ENTERPRISE: 'enterprise' }
} = require('ngx-security-audit');
```
Example: Basic audit
```javascript
const { audit, generateReport } = require('ngx-security-audit');

async function runAudit() {
  const result = await audit('/path/to/angular/project', {
    threshold: 'high',
    scanType: 'security', // or 'full', 'api-security', etc.
  });
  if (!result.success) {
    console.error('Error:', result.error);
    return;
  }
  console.log(`Score: ${result.score}/100 (Grade: ${result.grade})`);
  console.log(`Findings: ${result.summary.total}`);
  console.log(`Passed: ${result.passed}`);
  // Generate HTML report
  const html = generateReport(result, 'html');
  require('fs').writeFileSync('report.html', html);
}
runAudit();
```
Example: Full scan with all features
```javascript
const {
  audit, generateReport, enrichWithFixes, getFixStats,
  generateBadges, generateBadgeMarkdown,
} = require('ngx-security-audit');

async function fullAudit() {
  // 1. Run full scan
  const result = await audit('/path/to/project', {
    scanType: 'full',
    threshold: 'high',
  });
  // 2. Get fix statistics
  console.log('Fix stats:', result.fixStats);
  // { totalFindings: 19, withFixSuggestions: 12, autoFixable: 5, coveragePercent: 63 }
  // 3. Generate all report formats
  const html = generateReport(result, 'html');
  const json = generateReport(result, 'json');
  const sarif = generateReport(result, 'sarif');
  // 4. Generate badges
  const badges = generateBadges(result, './badges');
  const markdown = generateBadgeMarkdown(result, './badges');
  console.log('Badge markdown:\n', markdown);
  // 5. Process findings programmatically
  for (const finding of result.findings) {
    if (finding.severity === 'CRITICAL') {
      console.log(`🔴 ${finding.ruleId} in ${finding.file}:${finding.line}`);
      if (finding.fix) {
        console.log(`   Fix: ${finding.fix.description}`);
      }
    }
  }
}
fullAudit();
```
Example: Custom rule filtering
```javascript
const { audit } = require('ngx-security-audit');

// audit() returns a Promise, so the call must run inside an async function
// (top-level await is not available in a CommonJS script)
async function filteredAudit() {
  const result = await audit('.', {
    scanType: 'security',
    disabledRules: ['sensitive/console-log', 'config/budget-check'],
    include: ['src/**/*.ts'],
    exclude: ['**/*.spec.ts'],
  });
  // Filter findings by severity
  const criticals = result.findings.filter(f => f.severity === 'CRITICAL');
  const highs = result.findings.filter(f => f.severity === 'HIGH');
  return { criticals, highs };
}
filteredAudit();
```
Example: List and inspect rules
```javascript
const { listRules, rulesByType } = require('ngx-security-audit');

// Get all rules
const allRules = listRules();
console.log(`Total rules: ${allRules.length}`); // 125
// Get rules for a specific scan type
const hackingRules = rulesByType['hacking'];
console.log(`Hacking rules: ${hackingRules.length}`); // 17
// Inspect a rule
hackingRules.forEach(rule => {
  console.log(`${rule.id} [${rule.severity}] — ${rule.name}`);
  console.log(`   OWASP: ${rule.owasp}, CWE: ${rule.cwe}`);
});
```
📜 Feature 11: Rules Management
What: List, filter, search, and manage the 125+ rules.
List all rules
```bash
# Colored table in terminal
ngx-security-audit rules
# JSON output (for scripts)
ngx-security-audit rules --json
# Filter by category
ngx-security-audit rules --category XSS
ngx-security-audit rules --category Authentication
ngx-security-audit rules --category "Sensitive Data"
# Filter by scan type
ngx-security-audit rules --type hacking
ngx-security-audit rules --type api-security
ngx-security-audit rules --type accessibility
```
Disable rules
```bash
# Via CLI (comma-separated)
ngx-security-audit scan . --disable-rules sensitive/console-log,config/budget-check
```
Via config file:
```json
{
  "disabledRules": [
    "sensitive/console-log",
    "config/budget-check",
    "quality/no-magic-numbers"
  ]
}
```
Override rule severity
```json
{
  "ruleOverrides": {
    "xss/inner-html-binding": "low",
    "config/strict-mode": "high",
    "quality/no-any-type": "critical"
  }
}
```
🗄️ Feature 12: Dependency Vulnerability Database
What: A built-in, offline CVE database covering 30+ commonly used npm packages. No network calls — works completely offline.
How it works
```bash
# Run the dependency scan
ngx-security-audit scan-deps .
```
The scanner reads your package.json (both dependencies and devDependencies) and checks against a curated database.
Packages in the database
The built-in CVE database covers:
| Package | Known CVEs |
|---------|-----------|
| lodash | Prototype pollution (< 4.17.21) |
| axios | SSRF (< 0.21.1) |
| express | Multiple < 4.17.3 |
| jsonwebtoken | < 9.0.0 |
| moment | ReDoS, deprecated |
| minimist | Prototype pollution |
| node-fetch | < 2.6.7 |
| tar | Path traversal |
| glob-parent | ReDoS |
| marked | XSS < 4.0.10 |
| highlight.js | < 10.4.1 |
| sanitize-html | Bypass < 2.3.2 |
| ua-parser-js | Supply chain attack |
| event-stream | Malicious code injection |
| colors | Supply chain sabotage |
| faker | Supply chain sabotage |
| crypto-js | Weak randomness |
| follow-redirects | SSRF |
... and 15+ more packages.
What it checks
| Rule | Severity | What |
|------|----------|------|
| deps/known-vulnerabilities | 🟠 HIGH | Matches your deps against the CVE database |
| deps/banned-packages | 🔴 CRITICAL | Flags packages like eval, node-serialize, js-yaml<3.14.0 |
| deps/outdated-major | 🟡 MEDIUM | Major version behind current (estimated) |
| deps/missing-lockfile | 🟡 MEDIUM | No package-lock.json, yarn.lock, or pnpm-lock.yaml |
| deps/unpinned-versions | 🔵 LOW | Using ^ or ~ prefixes (risky for reproducibility) |
| deps/dev-in-production | 🔵 LOW | Dev-only packages in dependencies |
| deps/missing-security-packages | ⚪ INFO | Missing helmet, csurf, express-rate-limit |
| deps/excessive-dependencies | ⚪ INFO | More than 50 production dependencies |
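The matching step described above, as an added example that is not ngx-security-audit's own code: it takes a parsed package.json plus a lockfile flag, compares the floor of each version range against a constructed subset of the table above, and emits findings keyed by the deps/* rule IDs. The minimal semver handling (exact, ^ and ~ ranges only) is an assumption of this example, not the tool's logic.

```javascript
// Added example, not ngx-security-audit's own code: an offline matcher in the spirit
// of deps/known-vulnerabilities, deps/banned-packages, deps/unpinned-versions and
// deps/missing-lockfile. Rows are a constructed subset of the table above; semver
// handling is deliberately minimal (exact, ^ and ~ ranges only).
const VULN_DB = {
  lodash: { fixedIn: '4.17.21', issue: 'Prototype pollution' },
  axios: { fixedIn: '0.21.1', issue: 'SSRF' },
  marked: { fixedIn: '4.0.10', issue: 'XSS' },
  'sanitize-html': { fixedIn: '2.3.2', issue: 'Sanitizer bypass' },
};
const BANNED = new Set(['eval', 'node-serialize']);

// "^1.2.3" / "~1.2.3" / "1.2.3" -> the lowest version the range can resolve to.
// Git URLs, tags, "*" and "latest" cannot be evaluated offline and yield null.
function parseRange(spec) {
  const m = /^([\^~]?)v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? { pinned: m[1] === '', min: [m[2], m[3], m[4]].map(Number) } : null;
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Audit a parsed package.json. The floor of each range is compared with the fixed
// version: a floor below it means the range may still resolve to a vulnerable
// release, so it is reported (the conservative answer when no lockfile pins it).
function auditDependencies(pkg, lockfilePresent) {
  const findings = [];
  if (!lockfilePresent) findings.push({ rule: 'deps/missing-lockfile', severity: 'MEDIUM', name: '-' });
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(all)) {
    if (BANNED.has(name)) { findings.push({ rule: 'deps/banned-packages', severity: 'CRITICAL', name }); continue; }
    const range = parseRange(spec);
    if (!range) continue; // unresolvable offline; a full scanner would report this separately
    if (!range.pinned) findings.push({ rule: 'deps/unpinned-versions', severity: 'LOW', name });
    const vuln = VULN_DB[name];
    if (vuln && cmp(range.min, vuln.fixedIn.split('.').map(Number)) < 0) {
      findings.push({ rule: 'deps/known-vulnerabilities', severity: 'HIGH', name,
        message: `${vuln.issue}; fixed in ${vuln.fixedIn}` });
    }
  }
  return findings;
}

// Constructed package.json for the demo, with no lockfile alongside it.
const SAMPLE_PKG = {
  dependencies: { lodash: '^4.17.15', axios: '0.21.1', 'node-serialize': '0.0.4' },
  devDependencies: { marked: '~4.0.10' },
};
console.table(auditDependencies(SAMPLE_PKG, false));
```

Note that `^4.17.15` is flagged even though a lockfile might already resolve it to 4.17.21: without reading the lockfile the floor of the range is all the scanner can trust.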
📖 Complete Rule Reference
Security Rules

| # | Rule ID | Severity | Name | OWASP | CWE |
|---|---------|----------|------|-------|-----|
| 1 | xss/bypass-security-trust | CRITICAL | Dangerous bypassSecurityTrust Usage | A03 | CWE-79 |
| 2 | xss/inner-html-binding | MEDIUM | innerHTML Binding Detection | A03 | CWE-79 |
| 3 | xss/dom-manipulation | HIGH | Direct DOM Manipulation | A03 | CWE-79 |
| 4 | xss/unsafe-template-concat | CRITICAL | Unsafe Template Construction | A03 | CWE-94 |
| 5 | injection/eval-usage | CRITICAL | eval() Usage | A03 | CWE-95 |
| 6 | injection/function-constructor | CRITICAL | Function Constructor Usage | A03 | CWE-95 |
| 7 | injection/settimeout-string | HIGH | setTimeout/setInterval with String | A03 | CWE-95 |
| 8 | injection/script-tag-in-template | HIGH | Script Tag in Template | A03 | CWE-79 |
| 9 | auth/missing-route-guards | HIGH | Routes Without Guards | A01 | CWE-862 |
| 10 | auth/missing-auth-interceptor | MEDIUM | Missing HTTP Auth Interceptor | A07 | CWE-287 |
| 11 | auth/jwt-in-localstorage | HIGH | JWT Token in localStorage | A07 | CWE-922 |
| 12 | auth/hardcoded-roles | MEDIUM | Hardcoded Authorization Roles | A01 | CWE-863 |
| 13 | sensitive/hardcoded-secrets | CRITICAL | Hardcoded Secrets Detection | A02 | CWE-798 |
| 14 | sensitive/environment-secrets | HIGH | Secrets in Environment Files | A02 | CWE-312 |
| 15 | sensitive/console-log | LOW | Console Log Statements | A09 | CWE-532 |
| 16 | sensitive/local-storage-sensitive | MEDIUM | Sensitive Data in Browser Storage | A02 | CWE-922 |
| 17 | http/missing-xsrf-protection | HIGH | Missing XSRF/CSRF Protection | A05 | CWE-352 |
| 18 | http/insecure-url | MEDIUM | Insecure HTTP URLs | A02 | CWE-319 |
| 19 | http/cors-wildcard | MEDIUM | CORS Wildcard Configuration | A05 | CWE-942 |
| 20 | http/missing-error-handler | LOW | Missing Global HTTP Error Handler | A09 | CWE-390 |
| 21 | config/aot-disabled | HIGH | AOT Compilation Check | A05 | CWE-94 |
| 22 | config/source-maps-prod | MEDIUM | Source Maps in Production | A05 | CWE-540 |
| 23 | config/strict-mode | LOW | TypeScript Strict Mode | A04 | CWE-1078 |
| 24 | config/outdated-angular | MEDIUM | Angular Version Check | A06 | CWE-1104 |
| 25 | config/budget-check | INFO | Bundle Budget Configuration | A04 | CWE-400 |
| 26 | config/csp-meta-tag | MEDIUM | Content Security Policy | A05 | CWE-1021 |
| 27 | config/allowed-hosts-ssr | HIGH | SSR Allowed Hosts (SSRF) | A10 | CWE-918 |
| 28 | best-practice/noopener-noreferrer | LOW | Missing rel="noopener" | A04 | CWE-1022 |
| 29 | best-practice/trusted-types | INFO | Trusted Types Not Configured | A03 | CWE-79 |
| 30 | best-practice/production-mode | LOW | Production Mode Check | A05 | CWE-489 |
| 31 | best-practice/dependency-audit | HIGH | Known Vulnerable Dependencies | A06 | CWE-1104 |
| 32 | best-practice/form-autocomplete | LOW | Sensitive Form autocomplete | A04 | CWE-525 |
| 33 | best-practice/iframe-sandbox | MEDIUM | Unsandboxed iframes | A04 | CWE-1021 |
| 34 | best-practice/postmessage-origin | HIGH | postMessage Without Origin Validation | A01 | CWE-346 |

Code Quality Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | quality/no-any-type | MEDIUM | Avoid "any" Type Usage |
| 2 | quality/no-magic-numbers | LOW | Avoid Magic Numbers |
| 3 | quality/no-console-statements | LOW | Remove Console Statements |
| 4 | quality/no-long-functions | MEDIUM | Functions Too Long (>50 lines) |
| 5 | quality/no-large-files | MEDIUM | File Too Large (>400 lines) |
| 6 | quality/no-nested-subscriptions | HIGH | Nested Subscriptions |
| 7 | quality/no-unused-imports | INFO | Potentially Unused Imports |
| 8 | quality/no-duplicate-code | LOW | Potential Code Duplication |
| 9 | quality/no-deprecated-apis | MEDIUM | Deprecated API Usage |
| 10 | quality/no-missing-return-types | INFO | Missing Return Type Annotations |
| 11 | quality/no-god-class | HIGH | God Class Detection (>15 methods) |
| 12 | quality/prefer-readonly | LOW | Properties Should Be Readonly |

Complexity Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | complexity/cyclomatic | HIGH/CRITICAL | High Cyclomatic Complexity (>10, critical >20) |
| 2 | complexity/cognitive | HIGH/CRITICAL | High Cognitive Complexity (>15, critical >30) |
| 3 | complexity/deep-nesting | HIGH | Deeply Nested Code (>4 levels) |
| 4 | complexity/too-many-parameters | MEDIUM | Too Many Parameters (>4) |
| 5 | complexity/large-switch | MEDIUM | Large Switch Statement (>7 cases) |
| 6 | complexity/long-method-chain | LOW | Long Method Chain (6+ links) |
| 7 | complexity/file-dependencies | MEDIUM | Too Many File Dependencies (>10 imports) |
| 8 | complexity/constructor-complexity | MEDIUM | Complex Constructor (>10 lines) |

Hacking / Pen-test Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | hacking/prototype-pollution | CRITICAL | Prototype Pollution Risk |
| 2 | hacking/ssrf-risk | HIGH | SSRF — Dynamic URL Construction |
| 3 | hacking/open-redirect | HIGH | Open Redirect Vulnerability |
| 4 | hacking/clickjacking | MEDIUM | Clickjacking Protection Missing |
| 5 | hacking/redos | HIGH | ReDoS — Vulnerable Regex |
| 6 | hacking/path-traversal | CRITICAL | Path Traversal Risk |
| 7 | hacking/insecure-deserialization | CRITICAL | Insecure Deserialization |
| 8 | hacking/timing-attack | MEDIUM | Timing Attack Vulnerability |
| 9 | hacking/mass-assignment | HIGH | Mass Assignment Risk |
| 10 | hacking/weak-crypto | CRITICAL | Weak Cryptography (MD5, SHA1, DES, RC4) |
| 11 | hacking/info-disclosure | MEDIUM | Information Disclosure |
| 12 | hacking/postmessage-vuln | HIGH | Insecure postMessage Usage |
| 13 | hacking/insecure-jwt | HIGH | Insecure JWT Handling |
| 14 | hacking/subdomain-takeover | MEDIUM | Potential Subdomain Takeover |
| 15 | hacking/cors-misconfiguration | HIGH | CORS Misconfiguration |
| 16 | hacking/command-injection | CRITICAL | Command Injection |
| 17 | hacking/insecure-cookies | HIGH | Insecure Cookie Configuration |

Angular Best Practice Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | angular-bp/prefer-standalone | INFO | Prefer Standalone Components |
| 2 | angular-bp/prefer-onpush | LOW | Prefer OnPush Change Detection |
| 3 | angular-bp/prefer-signals | INFO | Consider Using Signals |
| 4 | angular-bp/trackby-ngfor | MEDIUM | Missing trackBy in *ngFor |
| 5 | angular-bp/lazy-loading | MEDIUM | Feature Routes Not Lazy Loaded |
| 6 | angular-bp/prefer-async-pipe | MEDIUM | Prefer Async Pipe Over Subscribe |
| 7 | angular-bp/unsubscribe | HIGH | Missing Unsubscribe Pattern |
| 8 | angular-bp/feature-folder-structure | INFO | Feature Folder Structure |
| 9 | angular-bp/no-logic-in-templates | MEDIUM | Complex Logic in Templates |
| 10 | angular-bp/input-output-naming | LOW | Avoid Renaming Inputs/Outputs |
| 11 | angular-bp/prefer-inject | INFO | Prefer inject() Over Constructor DI |
| 12 | angular-bp/smart-dumb-pattern | LOW | Component Does Too Much |
| 13 | angular-bp/no-hardcoded-urls | MEDIUM | Hardcoded API URLs |

API Security Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | api/unsanitized-response | HIGH | Unsanitized API Response Rendering |
| 2 | api/missing-rate-limiting | MEDIUM | Missing API Rate Limiting |
| 3 | api/graphql-introspection | HIGH | GraphQL Introspection Exposed |
| 4 | api/overly-permissive-endpoints | MEDIUM | Overly Permissive API Endpoints |
| 5 | api/missing-input-validation | HIGH | Missing API Input Validation |
| 6 | api/hardcoded-api-key | CRITICAL | Hardcoded API Key in HTTP Call |
| 7 | api/missing-content-type | LOW | Missing Content-Type Header |
| 8 | api/sensitive-query-params | HIGH | Sensitive Data in Query Parameters |
| 9 | api/unhandled-http-errors | MEDIUM | Unhandled HTTP Error Responses |
| 10 | api/insecure-file-upload | HIGH | Insecure File Upload |
| 11 | api/missing-timeout | LOW | Missing HTTP Request Timeout |
| 12 | api/debug-endpoints | HIGH | Debug/Admin Endpoint References |

Performance Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | perf/event-listener-leak | MEDIUM | Event Listener Memory Leak |
| 2 | perf/sync-storage-critical | LOW | Synchronous Storage in Critical Path |
| 3 | perf/excessive-dom-ops | MEDIUM | Excessive Direct DOM Manipulation |
| 4 | perf/unbounded-array | MEDIUM | Unbounded Array Growth |
| 5 | perf/zone-overload | MEDIUM | Zone.js Change Detection Overload |
| 6 | perf/blocking-main-thread | MEDIUM | Blocking Main Thread Operations |
| 7 | perf/missing-lazy-images | LOW | Missing Image Lazy Loading |
| 8 | perf/barrel-import | LOW | Barrel Import Anti-Pattern |
| 9 | perf/large-list-no-virtual | LOW | Large List Without Virtual Scrolling |
| 10 | perf/websocket-no-reconnect | MEDIUM | WebSocket Without Reconnection |

Accessibility Rules

| # | Rule ID | Severity | Name | WCAG |
|---|---------|----------|------|------|
| 1 | a11y/missing-alt-text | MEDIUM | Missing Image Alt Text | 1.1.1 |
| 2 | a11y/missing-form-label | MEDIUM | Missing Form Input Label | 1.3.1 |
| 3 | a11y/missing-aria-roles | LOW | Missing ARIA Landmark Roles | — |
| 4 | a11y/color-only-indicator | LOW | Color-Only Status Indicators | 1.4.1 |
| 5 | a11y/missing-skip-nav | LOW | Missing Skip Navigation Link | — |
| 6 | a11y/empty-interactive | MEDIUM | Empty Buttons or Links | — |
| 7 | a11y/autofocus-misuse | LOW | Autofocus Attribute Misuse | — |
| 8 | a11y/tabindex-positive | MEDIUM | Positive tabindex Values | — |

Dependency Audit Rules

| # | Rule ID | Severity | Name |
|---|---------|----------|------|
| 1 | deps/known-vulnerabilities | HIGH | Known Vulnerable Dependencies (30+ CVE DB) |
| 2 | deps/banned-packages | CRITICAL | Banned/Risky Dependencies |
| 3 | deps/outdated-major | MEDIUM | Severely Outdated Dependencies |
| 4 | deps/missing-lockfile | MEDIUM | Missing Package Lock File |
| 5 | deps/unpinned-versions | LOW | Unpinned Dependency Versions |
| 6 | deps/dev-in-production | LOW | Dev Dependencies Misplaced |
| 7 | deps/missing-security-packages | INFO | Missing Recommended Security Packages |
| 8 | deps/excessive-dependencies | INFO | Excessive Production Dependencies (>50) |
🌐 OWASP Top 10 Coverage
| OWASP Category | Rules |
|----------------|-------|
| A01: Broken Access Control | Route guards, postMessage origin, hardcoded roles, mass assignment |
| A02: Cryptographic Failures | Hardcoded secrets, environment secrets, insecure HTTP, browser storage, weak crypto |
| A03: Injection | XSS (4 rules), eval, Function constructor, template injection, command injection |
| A04: Insecure Design | Strict mode, noopener, form autocomplete, iframe sandbox |
| A05: Security Misconfiguration | CSRF, AOT, source maps, CSP, GraphQL introspection, CORS |
| A06: Vulnerable Components | Outdated Angular, known CVEs (30+ packages), banned packages, supply chain |
| A07: Auth Failures | Auth interceptor, JWT in localStorage, insecure JWT, missing rate limiting |
| A08: Data Integrity | Unpinned versions, missing lockfile, dev deps in production, insecure deserialization |
| A09: Logging Failures | Console statements, error handlers, debug endpoints, info disclosure |
| A10: SSRF | SSR allowed hosts, dynamic URL construction, open redirect |
🎯 Exit Codes
| Code | Meaning | When |
|------|---------|------|
| 0 | Pass | No findings at or above the --threshold level |
| 1 | Fail | One or more findings at or above the --threshold level |
| 2 | Error | Invalid project, configuration error, or internal error |
```bash
# Use in CI scripts
ngx-security-audit scan . --threshold high
echo $? # 0 = pass, 1 = fail, 2 = error

# Bash conditional
if ngx-security-audit scan . --threshold high; then
  echo "Security check passed!"
else
  echo "Security issues found!"
fi
```

🤝 Contributing
Contributions are welcome! To add a new security rule:
- Create your rule in the appropriate file under src/rules/
- Follow the existing structure:

```javascript
{
  id: 'category/rule-name',
  name: 'Human Readable Name',
  description: 'What this rule detects',
  category: 'Category Name',
  severity: 'HIGH', // CRITICAL, HIGH, MEDIUM, LOW, INFO
  owasp: 'A03', // OWASP Top 10 category
  cwe: 'CWE-79', // CWE identifier
  check: (content, filePath, metadata) => {
    // Return array of findings: [{ file, line, code, message, recommendation }]
  }
}
```

- Add tests in test/run-tests.js
- Submit a PR
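A worked rule in the structure above, as an added example rather than the project's own implementation of xss/bypass-security-trust: the regex, the comment-line skip, the finding text and the sample component are this example's own assumptions.

```javascript
// Added example, not the project's own rule implementation: a rule object in the
// structure shown above, checking for DomSanitizer.bypassSecurityTrust* calls
// (the page's xss/bypass-security-trust rule). The regex and the comment-line skip
// are this example's own simplifications.
const BYPASS_CALL = /\bbypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\s*\(/;

const bypassSecurityTrustRule = {
  id: 'xss/bypass-security-trust',
  name: 'Dangerous bypassSecurityTrust Usage',
  description: "Flags DomSanitizer.bypassSecurityTrust* calls, which tell Angular not to sanitize the value",
  category: 'XSS',
  severity: 'CRITICAL',
  owasp: 'A03',
  cwe: 'CWE-79',
  check: (content, filePath, metadata) => {
    const findings = [];
    content.split('\n').forEach((text, idx) => {
      if (/^\s*\/\//.test(text)) return; // whole-line comment: not executable code
      const m = BYPASS_CALL.exec(text);
      if (!m) return;
      findings.push({
        file: filePath,
        line: idx + 1, // finding lines are 1-based, as in the template above
        code: text.trim(),
        message: `bypassSecurityTrust${m[1]}() marks its argument as trusted; if the value ` +
          'derives from user input this is a DOM XSS sink',
        recommendation: 'Let Angular sanitize the binding, or restrict the argument to ' +
          'constant, application-controlled values and document why bypass is needed',
      });
    });
    return findings;
  },
};

// Constructed component source for the demo.
const SAMPLE_TS = [
  "import { DomSanitizer } from '@angular/platform-browser';",
  'export class PreviewComponent {',
  '  constructor(private sanitizer: DomSanitizer) {}',
  '  // this.sanitizer.bypassSecurityTrustHtml(x) (commented out, must not be flagged)',
  '  render(html: string) {',
  '    return this.sanitizer.bypassSecurityTrustHtml(html);',
  '  }',
  '}',
].join('\n');
console.log(JSON.stringify(bypassSecurityTrustRule.check(SAMPLE_TS, 'src/app/preview.component.ts', {}), null, 2));
```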
📄 License
MIT © noredinebahri
