Runtime Security at Scale: The Node.js Static Analysis Standard

The automated standard for Node.js core security. 31 engineering rules to detect weak crypto and system leaks in CI/CD via static analysis.


Node.js runtime security requires more than dependency updates. Here is the automated standard for hardening Node.js core, from crypto safety to process isolation, using 31 deep static analysis rules.

Quick Install

```bash
npm install --save-dev eslint-plugin-node-security
```

Flat Config

```javascript
// eslint.config.js
import nodeSecurity from 'eslint-plugin-node-security';

export default [nodeSecurity.configs.recommended];
```

Run ESLint

```bash
npx eslint .
```

You'll see output like:

```bash
src/auth/hash.ts
  15:27 error  🔒 CWE-328 CVSS:7.5 | Weak hash algorithm: MD5
               [node-security/no-weak-hash-algorithm] Use crypto.createHash('sha256')

src/api/exec.ts
  10:5  error  🔒 CWE-78 | Detected child process execution
               [node-security/detect-child-process] Avoid exec(), use spawn() or execFile()
```

Rule Overview

| Category | Rules | Examples |
|---|---|---|
| Cryptography | 12 | Weak hashes, static IVs, ECB mode |
| System & Process | 5 | exec(), eval(), unsafe require |
| File System | 6 | Zip Slip, TOCTOU, path injection |
| Best Practices | 8 | PII in logs, insecure temp storage |

Quick Wins

1. Cryptography

```javascript
const crypto = require('crypto');

// ❌ Weak hash: MD5 is collision-broken and flagged by no-weak-hash-algorithm
crypto.createHash('md5').update(data);

// ✅ Strong hash
crypto.createHash('sha256').update(data);
```

2. System Security

```javascript
// ❌ Shell injection risk: the string is handed to a shell, so metacharacters in
//    userInput are interpreted
require('child_process').exec(`ls ${userInput}`);

// ✅ Safer execution: no shell; userInput is passed as a single literal argument
require('child_process').execFile('ls', [userInput]);
```

3. File System

```javascript
// ❌ Path traversal risk: ".." segments in userInput escape /data
fs.readFile(`/data/${userInput}`, cb);

// ✅ Validated path: isValid is the application's own allow-list check;
//    path.join alone does not reject ".." segments
if (isValid(userInput)) fs.readFile(path.join(ROOT, userInput), cb);
```

Available Presets

```javascript
import nodeSecurity from 'eslint-plugin-node-security';

export default [
    // Recommended (Low false positives, High impact)
    nodeSecurity.configs.recommended,

    // All Rules (Stricter auditing)
    nodeSecurity.configs.all
];
```

Quick Reference

```bash
# Install
npm install --save-dev eslint-plugin-node-security

# Config (eslint.config.js)
import nodeSecurity from 'eslint-plugin-node-security';
export default [nodeSecurity.configs.recommended];

# Run
npx eslint .
```

The Interlace ESLint Ecosystem

Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.

Explore the full Documentation

© 2026 Ofri Peretz. All rights reserved.


Build Securely. I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.
