What is the Interlace ESLint Ecosystem?

The Interlace ESLint Ecosystem is a collection of 18+ production-ready ESLint plugins designed for the AI/Agentic era. These plugins feature LLM-optimized error messages that empower both human developers and AI coding assistants to catch and fix security vulnerabilities automatically.

Why AI-native ESLint plugins?

Traditional ESLint error messages are designed for human developers reading them in an IDE. As AI coding assistants become more prevalent, there's a need for error messages that are also machine-parseable and provide clear remediation guidance. Our plugins bridge this gap.

Which security standards do the plugins cover?

The plugins provide comprehensive coverage for OWASP Top 10 2021, OWASP Mobile 2024, and framework-specific security patterns for Express, NestJS, Lambda, and more. Each plugin includes detailed documentation with Known False Negatives disclosure.

What technologies does Ofri Peretz work with?

Languages: TypeScript, JavaScript, Node.js. Frameworks: React, Express, NestJS. Backend: Kafka, Redis, Serverless. Cloud: AWS, Docker, Kubernetes. DevEx: ESLint, Nx Monorepos, CLIs.

The OWASP Compliance Protocol: Mapping 247 Static Analysis Rules

Name: Interlace ESLint Ecosystem
Author: Ofri Peretz

Governance at scale requires more than a checklist. Here is the engineering standard for mapping your entire Node.js fleet to the OWASP Top 10 through 247 automated static analysis rules.

Your security audit asks: "How do you address OWASP Top 10?"

Here's how to answer with automated evidence using 332 rules across 18 specialized ESLint plugins.

The Multi-Plugin Approach

One plugin can't cover everything. SQL injection needs database-aware rules. JWT attacks need token-specific detection. Here's the complete mapping:

OWASP Top 10 2025 → Plugin Coverage

#	Category	Risk	Plugins	Key Rules
A01	Broken Access Control	High	`secure-coding`, `nestjs-security`, `lambda-security`	`no-privilege-escalation`, `require-guards`, `no-missing-authorization-check`
A02	Cryptographic Failures	High	`node-security`, `pg`, `jwt`	`no-weak-hash-algorithm`, `no-hardcoded-credentials`, `no-weak-secret`
A03	Injection	Critical	`secure-coding`, `pg`, `browser-security`	`detect-eval-with-expression`, `no-unsafe-query`, `no-innerhtml`
A04	Insecure Design	Medium	`secure-coding`, `nestjs-security`	`no-improper-type-validation`, `no-missing-validation-pipe`
A05	Security Misconfiguration	High	`express-security`, `lambda-security`	`require-helmet`, `no-permissive-cors`, `no-exposed-error-details`
A06	Vulnerable Components	Medium	`secure-coding`, `import-next`	`detect-suspicious-dependencies`, `no-extraneous-dependencies`
A07	Auth Failures	High	`jwt`, `express-security`	`no-algorithm-none`, `no-algorithm-confusion`, `no-insecure-cookie-options`
A08	Integrity Failures	Medium	`secure-coding`	`no-unsafe-deserialization`, `no-unsafe-dynamic-require`
A09	Logging Failures	Medium	`secure-coding`, `lambda-security`	`no-pii-in-logs`, `no-error-swallowing`
A10	SSRF	High	`secure-coding`, `lambda-security`, `vercel-ai-security`	`require-url-validation`, `no-user-controlled-requests`

Modular Installation: Build your Security Protocol

Don't install everything—choose the layers that match your stack. Every protocol starts with the Core, then adds specialized coverage.

1. The Core (Mandatory)

bash

# General OWASP coverage (89 rules)
npm install -D eslint-plugin-secure-coding

2. Specialized Security (Add as needed)

bash

npm install -D eslint-plugin-node-security    # Cryptography & System leaks
npm install -D eslint-plugin-jwt            # Token security
npm install -D eslint-plugin-pg             # PostgreSQL hardening

3. Environment & Framework (Choose your stack)

bash

# Frontend
npm install -D eslint-plugin-browser-security  # DOM/XSS prevention

# Backend Frameworks
npm install -D eslint-plugin-express-security  # Express.js protocols
npm install -D eslint-plugin-nestjs-security   # NestJS security pipes
npm install -D eslint-plugin-lambda-security   # Serverless/AWS Lambda

The Complete Config

javascript

// eslint.config.js - Full OWASP Top 10 Coverage
import secureCoding from "eslint-plugin-secure-coding";
import nodeSecurity from "eslint-plugin-node-security";
import jwt from "eslint-plugin-jwt";
import pg from "eslint-plugin-pg";
import browserSecurity from "eslint-plugin-browser-security";
import expressSecurity from "eslint-plugin-express-security";

export default [
  // Core OWASP preset (A01-A10 general coverage)
  secureCoding.configs["owasp-top-10"],

  // A02: Cryptographic Failures - specialized detection
  nodeSecurity.configs.recommended,

  // A07: Authentication Failures - JWT-specific
  jwt.configs.recommended,

  // A03: Injection - PostgreSQL-specific SQL injection
  {
    files: ["**/db/**", "**/repositories/**", "**/models/**"],
    ...pg.configs.recommended,
  },

  // A03: Injection - DOM XSS for frontend
  {
    files: ["**/components/**", "**/pages/**", "src/**/*.tsx"],
    ...browserSecurity.configs.recommended,
  },

  // A05: Security Misconfiguration - Express-specific
  {
    files: ["**/routes/**", "**/middleware/**", "app.ts", "server.ts"],
    ...expressSecurity.configs.recommended,
  },
];

Example Output

bash

src/db/users.ts
  42:15  error  🔒 CWE-89 OWASP:A03 | SQL Injection detected
                [pg/no-unsafe-query] Use parameterized query: client.query($1, [id])

src/auth/jwt.ts
  18:3   error  🔒 CWE-347 OWASP:A07 | Algorithm confusion vulnerability
                [jwt/no-algorithm-confusion] Specify algorithms: { algorithms: ['RS256'] }

src/api/crypto.ts
  55:10  error  🔒 CWE-328 OWASP:A02 | Weak hash algorithm: MD5
                [node-security/no-weak-hash-algorithm] Use SHA-256 or SHA-3

src/components/Comment.tsx
  12:5   error  🔒 CWE-79 OWASP:A03 | XSS via innerHTML
                [browser-security/no-innerhtml] Use textContent or sanitize with DOMPurify

A03 Injection: Multi-Layer Protection

Injection is #1 for a reason. Here's complete coverage:

Attack Vector	Plugin	Rule
SQL Injection (PostgreSQL)	`pg`	`no-unsafe-query`
SQL Injection (general)	`secure-coding`	`detect-eval-with-expression`
Command Injection	`secure-coding`	`detect-child-process`
LDAP Injection	`secure-coding`	`no-ldap-injection`
XPath Injection	`secure-coding`	`no-xpath-injection`
XXE Injection	`secure-coding`	`no-xxe-injection`
DOM XSS	`browser-security`	`no-innerhtml`, `no-eval`
Prompt Injection	`vercel-ai-security`	`require-validated-prompt`

A02 Cryptographic Failures: 31 Specialized Rules

javascript

// node-security plugin catches what generic plugins miss
import nodeSecurity from "eslint-plugin-node-security";

// Detects:
// - CVE-2023-46809 (Marvin Attack) via no-insecure-rsa-padding
// - CVE-2020-36732 (CryptoJS) via no-cryptojs-weak-random
// - Weak algorithms: MD5, SHA1, DES, RC4, Blowfish
// - Static IVs, ECB mode, predictable salts

A07 Auth Failures: JWT-Specific Detection

javascript

// jwt plugin catches token-specific vulnerabilities
import jwt from "eslint-plugin-jwt";

// Detects:
// - Algorithm "none" attack
// - Algorithm confusion (CVE-2022-23540)
// - jwt.decode() without verify
// - Weak/hardcoded secrets
// - Missing expiration

For OWASP Mobile Top 10

javascript

import secureCoding from "eslint-plugin-secure-coding";

export default [
  {
    files: ["apps/mobile/**", "**/*.native.ts"],
    ...secureCoding.configs["owasp-mobile-top-10"],
  },
];

Covers all 10 mobile categories:

#	Category	Rules
M1	Improper Credential Usage	`require-secure-credential-storage`
M2	Inadequate Supply Chain	`detect-suspicious-dependencies`, `require-package-lock`
M3	Insecure Auth	`no-client-side-auth-logic`, `require-backend-authorization`
M4	Insufficient I/O Validation	`no-unvalidated-user-input`, `no-unvalidated-deeplinks`
M5	Insecure Communication	`no-http-urls`, `require-https-only`, `no-allow-arbitrary-loads`
M6	Inadequate Privacy	`no-pii-in-logs`, `no-tracking-without-consent`
M7	Binary Protection	`require-code-minification`
M8	Security Misconfiguration	`require-secure-defaults`, `no-verbose-error-messages`
M9	Insecure Data Storage	`require-storage-encryption`, `no-data-in-temp-storage`
M10	Insufficient Crypto	Use `eslint-plugin-node-security`

For OWASP LLM Top 10

Building AI applications? Add the Vercel AI Security plugin:

javascript

import vercelAI from "eslint-plugin-vercel-ai-security";

export default [
  {
    files: ["**/ai/**", "**/agents/**"],
    ...vercelAI.configs.recommended,
  },
];

100% OWASP LLM Top 10 2025 coverage with 22 rules.

Getting Audit Evidence

Run ESLint with JSON output:

bash

npx eslint . --format json > security-report.json

Parse for OWASP tags:

javascript

const report = require("./security-report.json");

const owaspFindings = report
  .flatMap((file) => file.messages)
  .filter((msg) => msg.message.includes("OWASP:"));

// Group by OWASP category
const byCategory = owaspFindings.reduce((acc, finding) => {
  const match = finding.message.match(/OWASP:(A\d+)/);
  if (match) {
    acc[match[1]] = (acc[match[1]] || 0) + 1;
  }
  return acc;
}, {});

console.log("OWASP Coverage Report:", byCategory);

Rule Count Summary

Plugin	Rules	Focus
`eslint-plugin-secure-coding`	89	Core OWASP coverage
`eslint-plugin-node-security`	31	Cryptography
`eslint-plugin-jwt`	13	JWT/Authentication
`eslint-plugin-pg`	15	PostgreSQL
`eslint-plugin-browser-security`	52	Browser/DOM
`eslint-plugin-vercel-ai-security`	22	AI/LLM
`eslint-plugin-express-security`	14	Express.js
`eslint-plugin-lambda-security`	16	AWS Lambda
`eslint-plugin-nestjs-security`	10	NestJS
`eslint-plugin-import-next`	61	Import/Dependencies
Total	332

Turn compliance questions into automated answers.

📦 All Plugins:

eslint-plugin-secure-coding — Core OWASP coverage
eslint-plugin-node-security — Cryptography
eslint-plugin-jwt — JWT security
eslint-plugin-pg — PostgreSQL
eslint-plugin-browser-security — Browser/DOM
eslint-plugin-vercel-ai-security — AI/LLM
eslint-plugin-express-security — Express.js
eslint-plugin-lambda-security — AWS Lambda
eslint-plugin-nestjs-security — NestJS
eslint-plugin-import-next — Import management

⭐ Star on GitHub — 18 plugins, 332 rules

The Interlace ESLint Ecosystem Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.

Explore the full Documentation

Build Securely. I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.

ofriperetz.dev | LinkedIn | GitHub