How to use NodeJsScan for SAST – Step-by-step Guide .

NodeJsScan is a static code scanner which is used to find security flaws specifically in Node.js applications. In this post, we will look at how you can use NodeJsScan for SAST.  

Configuration & Usage 

Figure 1 Cloning the repository

  • Navigate to the NodeJsScan directory and install all requirements using the command – pip3 install –r requirements.txt. 

Figure 2 Installing all requirements to run NodeJsScan

  • Run this command once to create database entries required – python3 
  • Run this command to test the testing Environment – python3 
  • Setup gunicorn for the production environment   gunicorn –b app:app. 

Figure 3 Executing to run NodeJsScan

This tool will run NodeJsScan on If you need to debug, set DEBUG = True in core/ With periodic updates of this tool, it shows a minimum number of false positives. 

Figure 4 NodeJsScan running on

NodeJsScan CLI 

The command line interface (CLI) allows this tool to integrate with DevSecOps CI/CD pipelines. The results are in JSON format.  

Figure 5 NodeJsScan CLI is showing optional arguments.


Docker images can be built for NodeJsScan using the following steps – 

  • First, ensure that you have docker installed into your system. 
  • Start the docker service using command – service docker start. 
  • Execute this command – docker build -t nodejsscan. 
  • Then finally execute this command to run the application – docker run -it -p 9090:9090 nodejsscan. 

Now, let’s get started with a demo. 

  • I tested this tool on a repository that contains incomplete and vulnerable code. 
  • The NodeJsScan app has compatibility with .zip files to get uploaded. So, first, compress your .js code to .zip file and then go to your browser and upload the .zip file. 
  • After uploading the .zip file, the tool will list all the vulnerabilities for you. 

Figure 6 Vulnerabilities listed for app.js

Figure 7 NodeJsScan giving a detailed description of the vulnerability


The post How to use NodeJsScan for SAST – Step-by-step Guide . appeared first on BreachLock.

*** This is a Security Bloggers Network syndicated blog from Blog – BreachLock authored by Sudhansu Shekhar. Read the original post at: