JSPM

node-protect

1.1.0
    • Downloads 4
    • License ISC

    Security scanner for Node.js projects checking for OWASP Top 10 risks

    Package Exports

    • node-protect
    • node-protect/dist/index.js

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (node-protect) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    Node-Protect 🛡️

    A lightweight, zero-config security scanner for Node.js applications.
    Flags code patterns and dependency advisories associated with the OWASP Top 10 (2021) categories without blocking your workflow.

    License: ISC | Warning only

    🚀 Key Features

    • Non-blocking: Runs in the background and warns you about issues. It never crashes your app.
    • Zero Config: Works out of the box. Just install and run.
    • Comprehensive Coverage: Checks for issues across the OWASP Top 10 (2021).

    What it Checks

    Category                         Description
    A01  Broken Access Control       Permissive CORS, hardcoded role checks
    A02  Cryptographic Failures      Weak hashing (MD5/SHA1), hardcoded IVs
    A03  Injection                   eval(), innerHTML, unsafe SQL interpolation
    A04  Insecure Design             Leaky headers (X-Powered-By)
    A05  Security Misconfiguration   Debug mode on, hardcoded ports
    A06  Vulnerable Components       Wraps npm audit to check dependencies
    A07  Authentication Failures     Hardcoded secrets (AWS keys, API tokens, passwords)
    A08  Integrity Failures          Missing SRI, integrity checks
    A09  Logging Failures            console.log usage, empty catch blocks
    A10  SSRF                        Unsafe data fetching in axios/fetch
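To make concrete what a pattern-based check in these categories actually matches (and what it misses), here is an added example written for this page, not node-protect's own code: a tiny rule-driven scanner for six of the patterns in the table, run over a constructed sample source file. The rule ids, the finding shape, the comment-line heuristic and SAMPLE_SOURCE are this example's assumptions, not the package's behaviour.

```javascript
// Added example: a minimal rule-driven scanner covering six of the patterns in
// the table above. Illustrative stand-in code, not node-protect's implementation;
// rule ids, the finding shape and SAMPLE_SOURCE are all constructed here.
const RULES = [
  { id: 'A01-permissive-cors', category: 'A01 Broken Access Control',
    pattern: /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/g,
    message: 'wildcard CORS origin' },
  { id: 'A02-weak-hash', category: 'A02 Cryptographic Failures',
    pattern: /createHash\(\s*['"](md5|sha1)['"]\s*\)/g,
    message: 'weak hash algorithm (MD5/SHA1)' },
  { id: 'A03-eval', category: 'A03 Injection',
    pattern: /\beval\s*\(/g,
    message: 'eval() call' },
  { id: 'A03-innerhtml', category: 'A03 Injection',
    pattern: /\.innerHTML\s*=/g,
    message: 'innerHTML assignment (DOM XSS sink)' },
  { id: 'A07-aws-key', category: 'A07 Authentication Failures',
    // AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
    pattern: /\bAKIA[0-9A-Z]{16}\b/g,
    message: 'hardcoded AWS access key ID' },
  { id: 'A09-empty-catch', category: 'A09 Logging Failures',
    // \s* spans newlines, so a brace pair split across lines is still caught.
    pattern: /\bcatch\s*(?:\([^)]*\))?\s*\{\s*\}/g,
    message: 'empty catch block swallows the error' },
];

// 1-based line number of a character offset in `source`.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Runs every rule over the whole file and returns findings sorted by line.
// Matches on comment-only lines are dropped: a cheap cut at one class of
// false positives, and a reminder that regexes do not understand code.
function scanSource(source, filename = '<inline>') {
  const lines = source.split('\n');
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.pattern)) {
      const line = lineOf(source, m.index);
      const text = lines[line - 1];
      if (/^\s*\/\//.test(text)) continue;
      findings.push({ rule: rule.id, category: rule.category, file: filename,
                      line, message: rule.message, snippet: text.trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Counts findings per OWASP category.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.category] = (counts[f.category] || 0) + 1;
  return counts;
}

// Constructed sample file. The access key is the well-known AWS documentation
// placeholder, not a real credential.
const SAMPLE_SOURCE = `const crypto = require('crypto');
// eval('this comment line is not reported');
const AWS_KEY = 'AKIAIOSFODNN7EXAMPLE';
function digest(p) { return crypto.createHash('md5').update(p).digest('hex'); }
app.use((req, res, next) => { res.setHeader('Access-Control-Allow-Origin', '*'); next(); });
function render(el, html) { el.innerHTML = html; }
try { JSON.parse(process.env.CFG); } catch (e) {
}
const out = eval(req.query.expr);
`;

const report = scanSource(SAMPLE_SOURCE, 'app.js');
for (const f of report) {
  console.log(`${f.file}:${f.line}  [${f.category}] ${f.message}\n    ${f.snippet}`);
}
console.log(summarize(report));
```

Running it reports six findings on lines 3 to 9 of the sample and none for the commented-out eval. The flip side is visible too: a hash algorithm chosen through a variable, a CORS origin echoed from the request, or a secret assembled from parts would all slip past these rules, which is why a clean run from any scanner of this kind means "no signature matched", not "no vulnerability".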

    📦 Installation

    Install as a development dependency:

    npm install --save-dev node-protect

    💻 Usage

    1. As a CLI Tool

    Great for CI/CD pipelines or local checks.

    # Scan current directory
    npx protect scan .
    
    # Scan specific folder
    npx protect scan ./src
    
    # Scan only for secrets and code issues (skip dependencies)
    npx protect scan . --type=secrets,code

    2. As a Library (Programmatic)

    Useful for adding a security check to your server startup sequence. With no arguments the call is asynchronous and fire-and-forget: it logs warnings as it finds them and does not block or interrupt startup.

    Example: Server Startup Integration (plain Node http module; the same protect() call works before app.listen() in an Express app)

    /* index.js */
    const http = require('http');
    const { protect } = require('node-protect');
    
    console.log('--- Server Startup ---');
    
    // 1. Run security scan in background
    // It will log warnings if found, but won't stop the server
    protect();
    
    // 2. Start your server immediately
    http.createServer((req, res) => {
        res.writeHead(200);
        res.end('Hello Secure World!');
    }).listen(3000, () => {
        console.log('Server running on port 3000');
    });

    Custom Handling

    If you want to wait for results or handle them manually:

    const { protect, printReport } = require('node-protect');
    
    // Await the results instead of fire-and-forget. log: false suppresses the
    // automatic console warnings so the report is printed only once, below.
    protect(process.cwd(), { types: ['full'], log: false })
      .then(results => {
        if (results.length > 0) {
          console.error(`🚨 Found ${results.length} potential issues!`);
          printReport(results); // Pretty print to console
          // process.exit(1); // Optional: fail the process (e.g. in CI) to block on findings
        } else {
          // No rule matched. That is "no findings", not proof of absence:
          // pattern-based checks miss anything they have no signature for.
          console.log('✅ No issues found.');
        }
      })
      .catch(err => {
        // Without this handler a failed scan (e.g. npm audit unavailable) would
        // surface as an unhandled rejection, which terminates modern Node processes.
        console.error('Security scan failed:', err.message);
      });
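The snippet above leaves the blocking decision to a commented-out process.exit. The following added example (written for this page, not node-protect's code) shows one way to turn a protect()-style scan into a startup gate that stays non-blocking in development but fails closed in CI, covering the two cases a bare .then() does not: a scan that throws, and one that hangs (for instance on npm audit). The scan function is passed in, so the example runs stand-alone here with constructed fakes; the option names block and timeoutMs, the classify() result shape and the fake findings are this example's assumptions.

```javascript
// Added example: a startup gate around a protect()-style scan function.
// Not node-protect's code. `scan` is called as scan(cwd, { types, log })
// to match the documented signature; `block`, `timeoutMs` and the result
// shape returned by classify() are this example's own assumptions.

// Pure decision logic, kept separate so it is easy to test.
function classify(outcome, block) {
  const findings = Array.isArray(outcome.results) ? outcome.results : [];
  let status;
  if (outcome.timedOut) status = 'timeout';
  else if (outcome.error) status = 'error';
  else status = findings.length > 0 ? 'findings' : 'clean';
  // Fail closed: when blocking, a timeout or a crashed scanner is not "clean".
  const blocked = block && status !== 'clean';
  return { status, findings, error: outcome.error || null, blocked, exitCode: blocked ? 1 : 0 };
}

function runScanGate(scan, { cwd = process.cwd(), types = ['full'], block = false, timeoutMs = 30000 } = {}) {
  let timer;
  const timeout = new Promise(resolve => {
    timer = setTimeout(() => resolve({ timedOut: true }), timeoutMs);
  });
  // Promise.resolve().then(...) turns a synchronous throw inside scan() into a rejection,
  // so nothing escapes this function as an exception or unhandled rejection.
  const run = Promise.resolve()
    .then(() => scan(cwd, { types, log: false }))
    .then(results => ({ results }))
    .catch(err => ({ error: err instanceof Error ? err.message : String(err) }));
  return Promise.race([run, timeout]).then(outcome => {
    clearTimeout(timer); // let the process exit cleanly when the scan finishes first
    return classify(outcome, block);
  });
}

// Constructed stand-ins for the four behaviours a real scan can exhibit.
const FAKE_FINDINGS = [
  { category: 'A03 Injection', message: 'eval() usage', file: 'src/handler.js', line: 12 },
];
const fakeScanners = {
  findings: async () => FAKE_FINDINGS,
  clean: async () => [],
  crashes: async () => { throw new Error('npm audit exited with ENOENT'); },
  hangs: () => new Promise(() => {}), // never settles
};

// Runs every fake through the gate in blocking mode and returns the outcomes by name.
async function demo() {
  const out = {};
  for (const [name, scan] of Object.entries(fakeScanners)) {
    out[name] = await runScanGate(scan, { block: true, timeoutMs: 50 });
  }
  return out;
}

demo().then(out => {
  for (const [name, r] of Object.entries(out)) {
    console.log(`${name.padEnd(9)} status=${r.status} blocked=${r.blocked} exit=${r.exitCode}`);
  }
});

// With the real package (not executed here), in a server's startup file:
//   const { protect } = require('node-protect');
//   runScanGate(protect, { block: Boolean(process.env.CI) })
//     .then(r => { if (r.blocked) process.exit(r.exitCode); });
```

With block: false (the development default) every outcome yields exitCode 0 and the server starts regardless, which preserves the package's "never crashes your app" behaviour; with block: true only a genuinely clean scan lets the pipeline continue, so a scanner that errors or times out cannot be mistaken for a passing one.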

    🛠️ Configuration

    protect() takes an optional root directory as its first argument (defaulting to the current working directory, as the fire-and-forget example above shows) followed by an options object:

    interface ScanOptions {
        log?: boolean;       // Default: true (Auto-print warnings to console)
        types?: string[];    // Default: ['full']. Options: 'secrets', 'code', 'dependencies'
    }

    📝 License

    ISC