How to use NodeJsScan for SAST – Step-by-step Guide

NodeJsScan is a static code scanner that is used to find security flaws specifically in Node.js applications. In this post, we will look at how you can use NodeJsScan for SAST.

Configuration & Usage

Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/setting.py
Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.

Figure 1 Cloning the repository

  • Navigate to the NodeJsScan directory and install all requirements using the command – pip3 install –r requirements.txt.

Figure 2 Installing all requirements to run NodeJsScan

  • Run this command once to create database entries required – python3 migrate.py
  • Run this command to test the testing Environment – python3 app.py
  • Setup gunicorn for the production environment  – gunicorn –b 0.0.0.0:9090 app:app.

Figure 3 Executing app.py to run NodeJsScan

This tool will run NodeJsScan on http://0.0.0.0:9090. If you need to debug, set DEBUG = True in core/settings.py. With periodic updates of this tool, it shows a minimum number of false positives.

Figure 4 NodeJsScan running on http://0.0.0.0:9090/

NodeJsScan CLI

The command-line interface (CLI) allows this tool to integrate with DevSecOps CI/CD pipelines. The results are in JSON format.

Figure 5 NodeJsScan CLI is showing optional arguments.

Docker

Docker images can be built for NodeJsScan using the following steps – 

  • First ensure that you have docker installed into your system.
  • Start the docker service using command – service docker start.
  • Execute this command – docker build -t nodejsscan.
  • Then finally execute this command to run the application – docker run -it -p 9090:9090 nodejsscan.

Now, let’s get started with a demo.

  1. I tested this tool on a repository that contains incomplete and vulnerable code.
  2.  

  3. The NodeJsScan app has compatibility with .zip files to get uploaded. So, first, compress your .js code to a .zip file and then go to your browser and upload the .zip file.
  4.  

  5. After uploading the .zip file, the tool will list all the vulnerabilities for you.
  6.  

Figure 6 Vulnerabilities listed for app.js

Figure 7 NodeJsScan giving a detailed description of the vulnerability

Check out our post on Top 3 Open Source Tools for SAST.

Industry recognitions we have earned

reuters logo cybersecurity_awards_2024 logo winner logo csba logo hot150 logo bloomberg logo top-infosec logo

Fill out the form below to let us know your requirements.
We will contact you to determine if BreachLock is right for your business or organization.

background image