eslint-plugin-crypto

🔐 Security-focused ESLint plugin for cryptographic best practices. Detects weak algorithms, insecure key handling, CVE vulnerabilities, and guides you to modern, secure alternatives.

💡 What You Get

24 security rules covering cryptographic best practices
CVE detection for CVE-2023-46809, CVE-2020-36732, CVE-2023-46233
OWASP Top 10 coverage for cryptographic vulnerabilities
LLM-optimized messages with CWE references and fix guidance
Package support for crypto-hash, crypto-random-string, crypto-js

Features

🔐 24 Rules covering crypto best practices
🎯 CVE Detection (CVE-2023-46809, CVE-2020-36732, CVE-2023-46233)
🤖 AI-Optimized messages with CWE references
⚡ Auto-Fix suggestions where safe
📦 Package Support for crypto-hash, crypto-random-string, crypto-js

Installation

npm install eslint-plugin-crypto --save-dev

🚀 Quick Start

ESLint Flat Config (eslint.config.js)

import crypto from 'eslint-plugin-crypto';

export default [crypto.configs.recommended];

Presets

Preset	Description
`recommended`	Balanced security defaults for most projects
`strict`	All 24 rules as errors for maximum security
`cryptojs-migration`	For teams migrating from crypto-js
`nodejs-only`	Only Node.js crypto rules
`cve-focused`	Rules targeting specific CVEs

🔐 Rules

💼 = Set in recommended | 🔧 = Auto-fixable | 💡 = Has suggestions

Core Node.js Crypto (8 rules)

Rule	CWE	OWASP	Description	💼	💡
no-weak-hash-algorithm	CWE-327	A02:2021	Disallow MD5, SHA1, MD4	💼	💡
no-weak-cipher-algorithm	CWE-327	A02:2021	Disallow DES, 3DES, RC4	💼	💡
no-deprecated-cipher-method	CWE-327	A02:2021	Disallow createCipher()	💼	💡
no-static-iv	CWE-329	A02:2021	Disallow hardcoded IVs	💼	💡
no-ecb-mode	CWE-327	A02:2021	Disallow ECB encryption	💼	💡
no-insecure-key-derivation	CWE-916	A02:2021	Require PBKDF2 ≥100k iterations	💼	💡
no-hardcoded-crypto-key	CWE-321	A02:2021	Disallow hardcoded keys	💼	💡
require-random-iv	CWE-329	A02:2021	Require IV from randomBytes()	💼	💡

CVE-Specific Rules (3 rules)

Rule	CWE	OWASP	Description	💼	💡
no-insecure-rsa-padding	CWE-327	A02:2021	Marvin Attack (CVE-2023-46809)	💼	💡
no-cryptojs-weak-random	CWE-338	A02:2021	Weak PRNG in crypto-js (CVE-2020-36732)	💼	💡
require-secure-pbkdf2-digest	CWE-916	A02:2021	Weak PBKDF2 defaults (CVE-2023-46233)	💼	💡

Advanced Security (7 rules)

Rule	CWE	OWASP	Description	💼	💡
no-math-random-crypto	CWE-338	A07:2021	Disallow Math.random() for crypto	💼	💡
no-predictable-salt	CWE-331	A07:2021	Disallow empty/hardcoded salts	💼	💡
require-authenticated-encryption	CWE-327	A04:2021	Require GCM instead of CBC	💼	💡
no-key-reuse	CWE-323	A02:2021	Warn on key reuse	💼	💡
no-self-signed-certs	CWE-295	A05:2021	Disallow rejectUnauthorized: false	💼	💡
no-timing-unsafe-compare	CWE-208	A02:2021	Require timingSafeEqual()	💼	💡
require-key-length	CWE-326	A02:2021	Require AES-256	💼	💡
no-web-crypto-export	CWE-321	A02:2021	Warn on key export	💼	💡

Package-Specific Rules (6 rules)

Rule	CWE	OWASP	Description	💼	💡
no-sha1-hash	CWE-327	A02:2021	Disallow sha1() (crypto-hash)	💼	💡
require-sufficient-length	CWE-326	A02:2021	Require min 32 chars (crypto-random-string)	💼	💡
no-numeric-only-tokens	CWE-330	A07:2021	Warn on numeric-only (crypto-random-string)	💼	💡
no-cryptojs	CWE-327	A02:2021	Warn on deprecated crypto-js		💡
no-cryptojs-weak-random	CWE-338	A02:2021	CVE-2020-36732 (crypto-js)	💼	💡
prefer-native-crypto	CWE-327	A05:2021	Prefer native crypto		💡

Examples

❌ Bad

// CVE-2023-46809: Marvin Attack
crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_PADDING }, buffer);

// CWE-338: Weak random
const token = Math.random().toString(36);

// CWE-327: ECB mode leaks patterns
crypto.createCipheriv('aes-256-ecb', key, iv);

// CWE-208: Timing attack
if (userToken === storedToken) { ... }

✅ Good

// Use OAEP padding
crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, buffer);

// Secure random
const token = crypto.randomBytes(32).toString('hex');

// GCM provides authentication
crypto.createCipheriv('aes-256-gcm', key, iv);

// Constant-time comparison
if (crypto.timingSafeEqual(Buffer.from(userToken), Buffer.from(storedToken))) { ... }

Peer Dependencies (Optional)

{
  "crypto-hash": ">=3.0.0",
  "crypto-random-string": ">=4.0.0",
  "crypto-js": ">=4.0.0"
}

AI-Optimized Messages

All rules include LLM-optimized error messages with:

CWE references for vulnerability classification
CVE references for known vulnerabilities
Severity levels (CRITICAL, HIGH, MEDIUM, LOW)
Direct fix suggestions with code examples
Documentation links

🗂️ OWASP Top 10 2021 Coverage

OWASP Category	Rules	Coverage
A02:2021 Cryptographic Failures	`no-weak-hash-algorithm`, `no-weak-cipher-algorithm`, `no-static-iv`, `no-ecb-mode`, `no-hardcoded-crypto-key`	✅
A03:2021 Injection	`no-insecure-rsa-padding` (CVE-2023-46809)	✅
A04:2021 Insecure Design	`require-authenticated-encryption`, `require-key-length`, `no-insecure-key-derivation`	✅
A05:2021 Security Misconfiguration	`no-self-signed-certs`, `prefer-native-crypto`	✅
A07:2021 Identification Failures	`no-math-random-crypto`, `no-predictable-salt`, `require-random-iv`	✅

Part of the Interlace ESLint Ecosystem — AI-native security plugins with LLM-optimized error messages:

Plugin	Description	Rules
`eslint-plugin-secure-coding`	Universal security (OWASP Top 10 Web + Mobile)	89
`eslint-plugin-jwt`	JWT security (algorithm confusion, weak secrets, claims)	13
`eslint-plugin-pg`	PostgreSQL/node-postgres security	13
`eslint-plugin-express-security`	Express.js security (CORS, cookies, CSRF, helmet)	8
`eslint-plugin-nestjs-security`	NestJS security (guards, validation pipes, throttler)	5
`eslint-plugin-lambda-security`	AWS Lambda/Middy security (API Gateway, CORS, secrets)	5
`eslint-plugin-browser-security`	Browser security (XSS, postMessage, storage, cookies)	21
`eslint-plugin-vercel-ai-security`	Vercel AI SDK security (OWASP LLM + Agentic Top 10)	19
`eslint-plugin-import-next`	High-performance import linting	12