Getting Started with eslint-plugin-secure-coding

Published: December 31, 2025 at 04:31 PM EST
2 min read
Source: Dev.to

Quick Install

npm install --save-dev eslint-plugin-secure-coding

Flat Config (ESLint 9+)

// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';

export default [secureCoding.configs.recommended];

Run ESLint

npx eslint .

Typical output:

src/auth.ts
  15:3  error  🔒 CWE-798 OWASP:A02 CVSS:7.5 | Hardcoded credential detected
               Fix: Use environment variable: process.env.DATABASE_PASSWORD

src/utils.ts
  42:5  error  🔒 CWE-95 OWASP:A03 CVSS:9.8 | Dangerous eval() with expression
               Fix: Replace eval() with safer alternatives like JSON.parse()
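The two findings in the sample output above, shown beside the remediation each Fix hint points at, as an added example that is not part of the original post or the plugin's own code. The function names (loadDbPassword, parseSettings), the allowlisted setting keys and the sample inputs are constructed for illustration.

```javascript
// Added example, not from the original post or the plugin. Names and sample
// values are constructed.

// --- Finding 1: CWE-798 hardcoded credential ---
// Flagged pattern (left as a comment; this is what the rule reports on):
//   const DB_PASSWORD = 's3cret';
// Remediation: read the secret from the environment and fail closed when it is
// unset, so a missing secret is a startup error rather than an empty password.
function loadDbPassword(env = process.env) {
  const value = env.DATABASE_PASSWORD;
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('DATABASE_PASSWORD is not set');
  }
  return value;
}

// --- Finding 2: CWE-95 eval() on an expression ---
// Flagged pattern:
//   const settings = eval('(' + rawSettings + ')');
// Remediation: JSON.parse only parses data and never executes it; the key
// allowlist additionally rejects anything the caller did not ask for,
// including a literal "__proto__" key that JSON.parse would otherwise create
// as an own property.
const ALLOWED_KEYS = new Set(['timeoutMs', 'retries']); // constructed allowlist

function parseSettings(rawSettings) {
  let parsed;
  try {
    parsed = JSON.parse(rawSettings);
  } catch {
    throw new Error('settings must be valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('settings must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new Error(`unexpected setting: ${key}`);
    }
  }
  return parsed;
}
```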

Available Presets

// Balanced for most projects
secureCoding.configs.recommended;

// Maximum security (all 75 rules as errors)
secureCoding.configs.strict;

// Web application compliance
secureCoding.configs['owasp-top-10'];

// Mobile apps (React Native)
secureCoding.configs['owasp-mobile-top-10'];

Rule Overview

Category              Rules  Examples
Injection Prevention     11  eval(), command injection, GraphQL
Cryptography              6  Weak hashes, random, timing attacks
Authentication            3  Hardcoded credentials, weak passwords
Session/Cookies           3  Insecure cookies, session fixation
Data Exposure             5  PII in logs, debug code, secrets
Input Validation          8  XSS, path traversal, prototype pollution
OWASP Mobile             30  Insecure storage, certificate validation

Customizing Rules

// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';

export default [
  secureCoding.configs.recommended,

  // Override specific rules
  {
    rules: {
      // Downgrade to warning
      'secure-coding/no-pii-in-logs': 'warn',

      // Disable if not applicable
      'secure-coding/detect-non-literal-fs-filename': 'off',

      // Configure options
      'secure-coding/no-hardcoded-credentials': [
        'error',
        {
          allowTestFiles: true,
        },
      ],
    },
  },
];

Ignoring False Positives

// eslint-disable-next-line secure-coding/no-hardcoded-credentials
const EXAMPLE_KEY = 'pk_test_example'; // Test fixture

Or in config:

{
  "files": ["**/*.test.ts"],
  "rules": {
    "secure-coding/no-hardcoded-credentials": "off"
  }
}

CI/CD Integration

GitHub Actions

# .github/workflows/security.yml
name: Security Lint

on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npx eslint . --max-warnings 0

Pre-commit Hook

npm install --save-dev husky lint-staged
npx husky init

// package.json
{
  "lint-staged": {
    "*.{js,ts}": "eslint --max-warnings 0"
  }
}

IDE Integration

VS Code

The ESLint extension will show errors inline, e.g.:

🔒 CWE-798 | Hardcoded credential detected

Cursor / Copilot

AI assistants can read the structured errors and suggest auto-fixes:

CWE-89 → Parameterized query fix
CWE-798 → Environment variable fix

Quick Reference

# Install
npm install --save-dev eslint-plugin-secure-coding

# Config (eslint.config.js)
import secureCoding from 'eslint-plugin-secure-coding';
export default [secureCoding.configs.recommended];

# Run
npx eslint .

# Fix auto-fixable issues
npx eslint . --fix

Next Steps

  • Read the rules – each rule has detailed docs with examples.
  • Try strict mode – secureCoding.configs.strict.
  • Add to CI – block PRs with security issues.
  • Combine plugins – add eslint-plugin-pg, eslint-plugin-jwt for specialized coverage.

📦 npm: eslint-plugin-secure-coding
📖 Full Rule List
Star on GitHub
📖 OWASP Coverage Matrix

🚀 Questions? Open an issue on GitHub!
