Governance at scale requires more than a checklist. Here is the engineering standard for mapping your entire Node.js fleet to the OWASP Top 10 through 247 automated static analysis rules.
Your security audit asks: "How do you address OWASP Top 10?"
Here's how to answer with automated evidence using 332 rules across 18 specialized ESLint plugins.
One plugin can't cover everything. SQL injection needs database-aware rules. JWT attacks need token-specific detection. Here's the complete mapping:
| # | Category | Risk | Plugins | Key Rules |
|---|---|---|---|---|
| A01 | Broken Access Control | High | secure-coding, nestjs-security, lambda-security | no-privilege-escalation, require-guards, no-missing-authorization-check |
| A02 | Cryptographic Failures | High | node-security, pg, jwt | no-weak-hash-algorithm, no-hardcoded-credentials, no-weak-secret |
| A03 | Injection | Critical | secure-coding, pg, browser-security | detect-eval-with-expression, no-unsafe-query, no-innerhtml |
| A04 | Insecure Design | Medium | secure-coding, nestjs-security | no-improper-type-validation, no-missing-validation-pipe |
| A05 | Security Misconfiguration | High | express-security, lambda-security | require-helmet, no-permissive-cors, no-exposed-error-details |
| A06 | Vulnerable Components | Medium | secure-coding, import-next | detect-suspicious-dependencies, no-extraneous-dependencies |
| A07 | Auth Failures | High | jwt, express-security | no-algorithm-none, no-algorithm-confusion, no-insecure-cookie-options |
| A08 | Integrity Failures | Medium | secure-coding | no-unsafe-deserialization, no-unsafe-dynamic-require |
| A09 | Logging Failures | Medium | secure-coding, lambda-security | no-pii-in-logs, no-error-swallowing |
| A10 | SSRF | High | secure-coding, lambda-security, vercel-ai-security | require-url-validation, no-user-controlled-requests |
Don't install everything—choose the layers that match your stack. Every protocol starts with the Core, then adds specialized coverage.
# General OWASP coverage (89 rules)
npm install -D eslint-plugin-secure-coding
npm install -D eslint-plugin-node-security # Cryptography & System leaks
npm install -D eslint-plugin-jwt # Token security
npm install -D eslint-plugin-pg # PostgreSQL hardening
# Frontend
npm install -D eslint-plugin-browser-security # DOM/XSS prevention
# Backend Frameworks
npm install -D eslint-plugin-express-security # Express.js protocols
npm install -D eslint-plugin-nestjs-security # NestJS security pipes
npm install -D eslint-plugin-lambda-security # Serverless/AWS Lambda
// eslint.config.js - Full OWASP Top 10 Coverage
import secureCoding from "eslint-plugin-secure-coding";
import nodeSecurity from "eslint-plugin-node-security";
import jwt from "eslint-plugin-jwt";
import pg from "eslint-plugin-pg";
import browserSecurity from "eslint-plugin-browser-security";
import expressSecurity from "eslint-plugin-express-security";
export default [
// Core OWASP preset (A01-A10 general coverage)
secureCoding.configs["owasp-top-10"],
// A02: Cryptographic Failures - specialized detection
nodeSecurity.configs.recommended,
// A07: Authentication Failures - JWT-specific
jwt.configs.recommended,
// A03: Injection - PostgreSQL-specific SQL injection
{
files: ["**/db/**", "**/repositories/**", "**/models/**"],
...pg.configs.recommended,
},
// A03: Injection - DOM XSS for frontend
{
files: ["**/components/**", "**/pages/**", "src/**/*.tsx"],
...browserSecurity.configs.recommended,
},
// A05: Security Misconfiguration - Express-specific
{
files: ["**/routes/**", "**/middleware/**", "app.ts", "server.ts"],
...expressSecurity.configs.recommended,
},
];
src/db/users.ts
42:15 error 🔒 CWE-89 OWASP:A03 | SQL Injection detected
[pg/no-unsafe-query] Use parameterized query: client.query($1, [id])
src/auth/jwt.ts
18:3 error 🔒 CWE-347 OWASP:A07 | Algorithm confusion vulnerability
[jwt/no-algorithm-confusion] Specify algorithms: { algorithms: ['RS256'] }
src/api/crypto.ts
55:10 error 🔒 CWE-328 OWASP:A02 | Weak hash algorithm: MD5
[node-security/no-weak-hash-algorithm] Use SHA-256 or SHA-3
src/components/Comment.tsx
12:5 error 🔒 CWE-79 OWASP:A03 | XSS via innerHTML
[browser-security/no-innerhtml] Use textContent or sanitize with DOMPurify
Injection is #1 for a reason. Here's complete coverage:
| Attack Vector | Plugin | Rule |
|---|---|---|
| SQL Injection (PostgreSQL) | pg | no-unsafe-query |
| SQL Injection (general) | secure-coding | detect-eval-with-expression |
| Command Injection | secure-coding | detect-child-process |
| LDAP Injection | secure-coding | no-ldap-injection |
| XPath Injection | secure-coding | no-xpath-injection |
| XXE Injection | secure-coding | no-xxe-injection |
| DOM XSS | browser-security | no-innerhtml, no-eval |
| Prompt Injection | vercel-ai-security | require-validated-prompt |
// node-security plugin catches what generic plugins miss
import nodeSecurity from "eslint-plugin-node-security";
// Detects:
// - CVE-2023-46809 (Marvin Attack) via no-insecure-rsa-padding
// - CVE-2020-36732 (CryptoJS) via no-cryptojs-weak-random
// - Weak algorithms: MD5, SHA1, DES, RC4, Blowfish
// - Static IVs, ECB mode, predictable salts
// jwt plugin catches token-specific vulnerabilities
import jwt from "eslint-plugin-jwt";
// Detects:
// - Algorithm "none" attack
// - Algorithm confusion (CVE-2022-23540)
// - jwt.decode() without verify
// - Weak/hardcoded secrets
// - Missing expiration
import secureCoding from "eslint-plugin-secure-coding";
export default [
{
files: ["apps/mobile/**", "**/*.native.ts"],
...secureCoding.configs["owasp-mobile-top-10"],
},
];
Covers all 10 mobile categories:
| # | Category | Rules |
|---|---|---|
| M1 | Improper Credential Usage | require-secure-credential-storage |
| M2 | Inadequate Supply Chain | detect-suspicious-dependencies, require-package-lock |
| M3 | Insecure Auth | no-client-side-auth-logic, require-backend-authorization |
| M4 | Insufficient I/O Validation | no-unvalidated-user-input, no-unvalidated-deeplinks |
| M5 | Insecure Communication | no-http-urls, require-https-only, no-allow-arbitrary-loads |
| M6 | Inadequate Privacy | no-pii-in-logs, no-tracking-without-consent |
| M7 | Binary Protection | require-code-minification |
| M8 | Security Misconfiguration | require-secure-defaults, no-verbose-error-messages |
| M9 | Insecure Data Storage | require-storage-encryption, no-data-in-temp-storage |
| M10 | Insufficient Crypto | Use eslint-plugin-node-security |
Building AI applications? Add the Vercel AI Security plugin:
import vercelAI from "eslint-plugin-vercel-ai-security";
export default [
{
files: ["**/ai/**", "**/agents/**"],
...vercelAI.configs.recommended,
},
];
100% OWASP LLM Top 10 2025 coverage with 22 rules.
Run ESLint with JSON output:
npx eslint . --format json > security-report.json
Parse for OWASP tags:
const report = require("./security-report.json");
const owaspFindings = report
.flatMap((file) => file.messages)
.filter((msg) => msg.message.includes("OWASP:"));
// Group by OWASP category
const byCategory = owaspFindings.reduce((acc, finding) => {
const match = finding.message.match(/OWASP:(A\d+)/);
if (match) {
acc[match[1]] = (acc[match[1]] || 0) + 1;
}
return acc;
}, {});
console.log("OWASP Coverage Report:", byCategory);
| Plugin | Rules | Focus |
|---|---|---|
eslint-plugin-secure-coding | 89 | Core OWASP coverage |
eslint-plugin-node-security | 31 | Cryptography |
eslint-plugin-jwt | 13 | JWT/Authentication |
eslint-plugin-pg | 15 | PostgreSQL |
eslint-plugin-browser-security | 52 | Browser/DOM |
eslint-plugin-vercel-ai-security | 22 | AI/LLM |
eslint-plugin-express-security | 14 | Express.js |
eslint-plugin-lambda-security | 16 | AWS Lambda |
eslint-plugin-nestjs-security | 10 | NestJS |
eslint-plugin-import-next | 61 | Import/Dependencies |
| Total | 332 |
Turn compliance questions into automated answers.
📦 All Plugins:
- eslint-plugin-secure-coding — Core OWASP coverage
- eslint-plugin-node-security — Cryptography
- eslint-plugin-jwt — JWT security
- eslint-plugin-pg — PostgreSQL
- eslint-plugin-browser-security — Browser/DOM
- eslint-plugin-vercel-ai-security — AI/LLM
- eslint-plugin-express-security — Express.js
- eslint-plugin-lambda-security — AWS Lambda
- eslint-plugin-nestjs-security — NestJS
- eslint-plugin-import-next — Import management
⭐ Star on GitHub — 18 plugins, 332 rules
The Interlace ESLint Ecosystem Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.
Explore the full Documentation
© 2026 Ofri Peretz. All rights reserved.
Build Securely. I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.
