Frameworks & libraries scanned
We test fixture coverage on these frameworks; new patterns are added with each built-in rule release.
Top CWE classes detected
These CWE classes appear most often in modern codebases of this language. StaticCodeAudit ships dedicated rules for each, mapped to OWASP Top 10 / ISO 27001 / ASVS where relevant.
CWE-79
Cross-Site Scripting (XSS)
innerHTML, dangerouslySetInnerHTML in React, v-html in Vue, Angular bypassSecurityTrust* with user data. Stored, reflected and DOM-based variants covered.
Detected by SCA rule: xss_innerhtml
CWE-1321
Prototype Pollution
Recursive merges (hand-rolled deep Object.assign, _.merge) or an unguarded obj[key] = value where key comes from user input. A single __proto__ key can break every downstream object.
Detected by SCA rule: prototype_pollution
CWE-89
SQL Injection
Sequelize.literal() with concatenated input, Prisma $queryRaw with interpolated strings, Mongoose $where with string arguments, Knex .raw() with concatenation.
Detected by SCA rule: sql_injection_concat
CWE-918
SSRF
axios.get(url), fetch(url), http.get on user-supplied URLs. Particularly dangerous in serverless functions that can reach internal metadata endpoints.
Detected by SCA rule: taint_ssrf
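As an added example (not StaticCodeAudit code), one mitigation for the pattern just described: resolve the user-supplied URL against an explicit host allow-list before it ever reaches fetch, axios or http. ALLOWED_HOSTS and the sample URLs are assumptions constructed for this example.

```javascript
// Added example (not StaticCodeAudit code): validate an outbound URL against
// an explicit host allow-list before handing it to fetch/axios/http.
// ALLOWED_HOSTS and the sample inputs are constructed for this example.
const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]);

// Returns the normalized URL string when it may be fetched, or null when it
// must be refused. A positive allow-list avoids the endless blocklist of
// private ranges, metadata hosts and alternative IP encodings.
function resolveOutboundUrl(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch {
    return null; // unparsable input (including undefined/null)
  }
  // Only plain HTTPS to a known host on the default port, with no credentials
  // in the authority part (user@host forms are a classic parser-confusion trick).
  if (url.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  if (url.port !== "") return null;
  if (url.username || url.password) return null;
  return url.toString();
}

// Usage shape in a handler (illustrative):
//   const target = resolveOutboundUrl(req.query.url);
//   if (target === null) return res.status(400).end();
//   const upstream = await fetch(target);
```

The check is deliberately strict: an unknown host, a non-default port or a scheme other than https: all yield null, and the caller treats null as a 400 rather than falling back to the raw input.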
CWE-798
Hardcoded Credentials
API keys committed in .env.example or config.js, or exposed to the client bundle through React's process.env.REACT_APP_* variables.
Detected by SCA rule: hardcoded_secret
CWE-915
Mass Assignment
User.update(req.body) without a field allow-list lets an attacker set privileged fields (isAdmin: true) straight from the JSON body.
Detected by SCA rule: mass_assignment
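As an added example (not StaticCodeAudit code), the allow-list shape that makes the mass-assignment finding above go away: the update payload is built from a per-route field list instead of passing req.body through. PROFILE_UPDATE_FIELDS, the helper names and the request bodies are assumptions constructed for this example.

```javascript
// Added example (not StaticCodeAudit code): build the update payload from an
// explicit per-route allow-list instead of passing req.body straight through.
// The field list and request bodies are constructed for this example.
const PROFILE_UPDATE_FIELDS = ["displayName", "email", "bio"];

// Returns only the allowed own properties of body; anything else
// (isAdmin, role, id, __proto__, etc.) is dropped.
function pickAllowed(body, allowedFields) {
  const out = {};
  if (body === null || typeof body !== "object") return out;
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      out[field] = body[field];
    }
  }
  return out;
}

// Names of fields that were present in the body but are not allowed.
// Worth logging: a request that tries to set isAdmin is itself a signal.
function rejectedFields(body, allowedFields) {
  if (body === null || typeof body !== "object") return [];
  const allowed = new Set(allowedFields);
  return Object.keys(body).filter((key) => !allowed.has(key));
}

// Usage shape in an Express handler (illustrative):
//   const update = pickAllowed(req.body, PROFILE_UPDATE_FIELDS);
//   const dropped = rejectedFields(req.body, PROFILE_UPDATE_FIELDS);
//   if (dropped.length) logger.warn({ userId: req.user.id, dropped }, "rejected fields");
//   await User.update(update, { where: { id: req.user.id } });
```

Iterating over the allow-list rather than over the body means a new column added to the model later is not writable by clients until someone adds it to the list on purpose.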
Vulnerable vs. clean — three quick examples
CWE-79
Detected by SCA rule: xss_innerhtml
// Vulnerable — React dangerouslySetInnerHTML: user.bio is parsed as HTML
function Bio({ user }) {
  return <div dangerouslySetInnerHTML={{ __html: user.bio }} />;
}

// Clean — rendered as text content, so markup in user.bio is escaped, not interpreted
function Bio({ user }) {
  return <div>{user.bio}</div>;
}
CWE-1321
Detected by SCA rule: prototype_pollution
// Vulnerable — deep merge without proto guard: a "__proto__" key in source
// makes the recursion write into Object.prototype
function merge(target, source) {
  for (const key in source) {
    if (typeof source[key] === "object") {
      merge(target[key] = target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
}

// Clean — block __proto__/constructor and only walk own keys
function merge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__" || key === "constructor") continue;
    if (typeof source[key] === "object") {
      merge(target[key] = target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
}
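The CWE-1321 description above says a single __proto__ key can break every downstream object; as an added example (not StaticCodeAudit code), the two merge variants from the snippet are run against a JSON body carrying such a key, and an unrelated object created before the merge is inspected afterwards. The function names, the payload and the probe helper are assumptions constructed for this example; the probe removes the polluted property again so the rest of the process is unaffected.

```javascript
// Added example (not StaticCodeAudit code): run the two merge variants from
// the snippet above against a JSON body that carries a "__proto__" key and
// observe the effect on an unrelated object. Names and payload are constructed.

// Same shape as the vulnerable merge: recurses into any object, including the
// own "__proto__" property that JSON.parse creates from the request body.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === "object" && source[key] !== null) {
      unsafeMerge((target[key] = target[key] || {}), source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded variant: skips prototype-related keys and only copies own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
    if (typeof source[key] === "object" && source[key] !== null) {
      safeMerge((target[key] = target[key] || {}), source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed request body: JSON.parse keeps "__proto__" as an own property,
// which is exactly what a recursive merge then descends into.
const POLLUTING_BODY = JSON.parse('{"displayName":"ann","__proto__":{"isAdmin":true}}');

// Merges the body into a fresh object and reports whether an unrelated object
// now appears to have isAdmin; always removes the pollution afterwards.
function pollutionProbe(mergeFn) {
  const victim = {}; // unrelated object, created before the merge runs
  try {
    mergeFn({}, POLLUTING_BODY);
    return {
      victimIsAdmin: victim.isAdmin === true,
      polluted: "isAdmin" in Object.prototype,
    };
  } finally {
    delete Object.prototype.isAdmin; // cleanup so later code is unaffected
  }
}
```

With unsafeMerge the probe reports the victim as admin even though nothing ever touched it, which is why authorization checks such as `if (user.isAdmin)` downstream are the real casualty; with safeMerge both flags stay false.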
CWE-89
Detected by SCA rule: sql_injection_concat
// Vulnerable — user input concatenated into Sequelize.literal()
const users = await User.findAll({
  where: sequelize.literal(`name = '${req.query.name}'`)
});

// Clean — the value goes through the query builder, which escapes it
const users = await User.findAll({
  where: { name: req.query.name }
});
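The rule names quoted in the CWE-79, CWE-89 and CWE-798 entries above (xss_innerhtml, sql_injection_concat, hardcoded_secret) are StaticCodeAudit's; the following is an added, independent sketch of what a line-based pattern rule for each of those three looks like, not the product's engine or its real rule definitions. The regexes, the finding shape and the sample source lines are assumptions constructed for this example (the AKIA value is the placeholder key from AWS's own documentation).

```javascript
// Added example (not StaticCodeAudit's engine or rule set): a minimal
// line-based scanner that flags three of the patterns described on this page.
// The rule regexes and the sample source lines are constructed for illustration.
const RULES = [
  {
    id: "xss_innerhtml",
    cwe: "CWE-79",
    // innerHTML assignment, React dangerouslySetInnerHTML, Vue v-html
    pattern: /\.innerHTML\s*=|dangerouslySetInnerHTML|\bv-html\b/,
  },
  {
    id: "sql_injection_concat",
    cwe: "CWE-89",
    // literal()/raw() called with a template interpolation or a string concat
    pattern: /\b(?:literal|raw)\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/,
  },
  {
    id: "hardcoded_secret",
    cwe: "CWE-798",
    // AWS access key id shape, or a long quoted literal assigned to a
    // key/secret/token-named variable
    pattern: /\bAKIA[0-9A-Z]{16}\b|(?:api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]/i,
  },
];

// Scans source text and returns one finding per matching rule per line.
// A real tool would work on an AST with taint tracking; a line regex is the
// cheapest first pass and is enough to show the shape of a finding.
function scan(source, filename = "input.js") {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, cwe: rule.cwe, file: filename, line: index + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample file: lines 2, 4 and 7 should fire; 6 and 8 are the clean forms.
const SAMPLE_SOURCE = [
  'const el = document.getElementById("bio");',
  'el.innerHTML = user.bio;',
  'const users = await User.findAll({',
  '  where: sequelize.literal(`name = \'${req.query.name}\'`)',
  '});',
  'const safe = await User.findAll({ where: { name: req.query.name } });',
  'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
  'const apiKey = process.env.API_KEY;',
].join("\n");
```

Note what the clean lines teach: `where: { name: ... }` and `process.env.API_KEY` produce no finding, so the rules discriminate on the sink shape rather than on the mere presence of a framework call.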
What StaticCodeAudit detects (this language)
- XSS in React dangerouslySetInnerHTML, Vue v-html, Angular trust bypass, vanilla innerHTML
- Prototype pollution via deep merge, dynamic key assignment
- SQL injection in Sequelize, Mongoose, Prisma, TypeORM, Knex raw queries
- NoSQL injection (Mongoose $where with strings, Mongo operators in user input)
- SSRF via axios, fetch, http with user URLs
- Hardcoded secrets (API keys, JWT secrets, AWS, Stripe, GitHub, Slack tokens)
- Mass assignment in Sequelize/Mongoose without field allow-list
- Insecure cookies (httpOnly, secure, sameSite flags)
- CSRF token missing in Express forms
- Path traversal in fs.readFile with user input
- Insecure crypto (MD5 in crypto, hardcoded IV, weak random)
- Open redirect (res.redirect(req.query.url))
- Outdated dependencies via package.json patterns
- CI/CD misconfigurations (.gitlab-ci, GitHub Actions, npm scripts)
Audit your codebase
Audit your Node.js backends and front-end frameworks (React, Vue, Angular, Svelte) for XSS, prototype pollution, injection flaws and supply-chain risks — without uploading a line to the cloud.