Getting Started with eslint-plugin-secure-coding

Published: January 1, 2026, 05:31 GMT+8
3 min read
Source: Dev.to

Quick Install

npm install --save-dev eslint-plugin-secure-coding

Flat Config (ESLint 9+)

// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';

export default [secureCoding.configs.recommended];

Run ESLint

npx eslint .

Typical output:

src/auth.ts
  15:3  error  🔒 CWE-798 OWASP:A02 CVSS:7.5 | Hardcoded credential detected
               Fix: Use environment variable: process.env.DATABASE_PASSWORD

src/utils.ts
  42:5  error  🔒 CWE-95 OWASP:A03 CVSS:9.8 | Dangerous eval() with expression
               Fix: Replace eval() with safer alternatives like JSON.parse()
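
The two fixes that this sample output recommends, written out as an added example (not code from the plugin or the article): the `DATABASE_PASSWORD` name comes from the output above, the function names and sample inputs are constructed here.

```javascript
// Added example (not from the plugin or the article): the two remediations
// the sample output recommends, as working code.

// Flagged as CWE-798: a literal secret in source, e.g.
//   const DATABASE_PASSWORD = 'p4ssw0rd';
// Remediation: read it from the environment and fail closed when it is absent.
function getDatabasePassword(env = process.env) {
  const value = env.DATABASE_PASSWORD;
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error('DATABASE_PASSWORD is not set');
  }
  return value;
}

// Flagged as CWE-95: eval() over text that arrives at runtime, e.g.
//   const config = eval('(' + text + ')');
// Remediation: JSON.parse, which only builds data and never runs code. The
// reviver additionally drops the keys an untrusted document could use for
// prototype pollution (a rule family in the plugin's input-validation category).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseConfigSafely(text) {
  return JSON.parse(text, (key, value) =>
    FORBIDDEN_KEYS.has(key) ? undefined : value
  );
}

// Constructed sample inputs for a stand-alone run.
const sampleEnv = { DATABASE_PASSWORD: 'constructed-sample-only' };
const sampleConfig = '{"port": 5432, "__proto__": {"isAdmin": true}}';

console.log(getDatabasePassword(sampleEnv));
console.log(parseConfigSafely(sampleConfig)); // { port: 5432 }
console.log({}.isAdmin); // undefined: Object.prototype is untouched
```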

Available Presets

// Balanced for most projects
secureCoding.configs.recommended;

// Maximum security (all 75 rules as errors)
secureCoding.configs.strict;

// Web application compliance
secureCoding.configs['owasp-top-10'];

// Mobile apps (React Native)
secureCoding.configs['owasp-mobile-top-10'];

Rule Overview

Category              Rules  Examples
Injection prevention     11  eval(), command injection, GraphQL
Cryptography              6  Weak hashes, random, timing attacks
Authentication            3  Hardcoded credentials, weak passwords
Session/Cookie            3  Insecure cookies, session fixation
Data leakage              5  PII in logs, debug code, secrets
Input validation          8  XSS, path traversal, prototype pollution
OWASP Mobile             30  Insecure storage, certificate validation

Customizing Rules

// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';

export default [
  secureCoding.configs.recommended,

  // Override specific rules
  {
    rules: {
      // Downgrade to warning
      'secure-coding/no-pii-in-logs': 'warn',

      // Disable if not applicable
      'secure-coding/detect-non-literal-fs-filename': 'off',

      // Configure options
      'secure-coding/no-hardcoded-credentials': [
        'error',
        {
          allowTestFiles: true,
        },
      ],
    },
  },
];

Ignoring False Positives

// eslint-disable-next-line secure-coding/no-hardcoded-credentials
const EXAMPLE_KEY = 'pk_test_example'; // test fixture

Or in the config:

{
  "files": ["**/*.test.ts"],
  "rules": {
    "secure-coding/no-hardcoded-credentials": "off"
  }
}

CI/CD Integration

GitHub Actions

# .github/workflows/security.yml
name: Security Lint

on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npx eslint . --max-warnings 0

Pre-commit Hook

npm install --save-dev husky lint-staged
npx husky init

// package.json
{
  "lint-staged": {
    "*.{js,ts}": "eslint --max-warnings 0"
  }
}

IDE Integration

VS Code

The ESLint extension shows errors inline, for example:

🔒 CWE-798 | Hardcoded credential detected

Cursor / Copilot

AI assistants can read the structured errors and suggest automatic fixes:

CWE-89 → Parameterized query fix
CWE-798 → Environment variable fix

Quick Reference

# Install
npm install --save-dev eslint-plugin-secure-coding

# Config (eslint.config.js)
import secureCoding from 'eslint-plugin-secure-coding';
export default [secureCoding.configs.recommended];

# Run
npx eslint .

# Fix auto‑fixable issues
npx eslint . --fix

Next Steps

  • Read the rules – every rule has detailed documentation and examples.
  • Try strict mode – secureCoding.configs.strict
  • Add to CI – block PRs on security issues.
  • Combine plugins – add eslint-plugin-pg and eslint-plugin-jwt for specialized coverage.

📦 npm: eslint-plugin-secure-coding
📖 Full rule list
Star on GitHub
📖 OWASP coverage matrix

🚀 Questions? Open an issue on GitHub!
