njsscan

0.4.3 · active · verified Fri Apr 17

njsscan is a Static Application Security Testing (SAST) tool designed to identify insecure code patterns within Node.js applications. It leverages the `semgrep` engine for its scanning capabilities. The library is actively maintained, currently at version 0.4.3, with frequent minor updates focusing on rule improvements, performance, and bug fixes.

Common errors

```
semgrep: command not found
```
cause The `njsscan` tool internally calls the `semgrep` command. This error indicates that `semgrep` is not installed or not accessible in your system's PATH.

fix Install `semgrep` by running `pip install semgrep` or follow the official `semgrep` installation guide. Verify it's in your PATH by typing `semgrep --version` in your terminal.
```
Error: path not found or not a valid directory: /path/to/my/project
```
cause The project path provided to `njsscan -p` does not exist or is not a valid directory.

fix Double-check the provided path. Ensure the directory exists and you have read permissions. Use an absolute path or ensure your relative path is correct from your current working directory.
```
Command 'njsscan' not found
```
cause The `njsscan` package is either not installed or its executable script is not in your system's PATH.

fix Install `njsscan` using `pip install njsscan`. If it's installed but still not found, ensure your Python environment's script directory is in your system's PATH (e.g., `~/.local/bin` for user installs).

Warnings

gotcha njsscan relies on the `semgrep` tool being installed separately and available in your system's PATH. Without `semgrep`, njsscan will not be able to perform scans and will likely report 'semgrep: command not found' errors.
Fix: Ensure `semgrep` is installed (e.g., `pip install semgrep` or via official `semgrep` installation methods) and its executable is accessible in your system's PATH.
breaking Support for Python 3.6 was dropped in version 0.3.2. Users on Python 3.6 will encounter compatibility errors.
Fix: Upgrade to Python 3.7 or newer. The library is tested against recent Python versions.
gotcha Older versions of njsscan (prior to 0.3.6) may exhibit significantly slower performance, especially on large Node.js projects, due to less optimized underlying library versions.
Fix: Upgrade to the latest version of njsscan (0.3.6 or newer) to benefit from performance improvements and updated underlying dependencies like `libsast` and `semgrep`.
gotcha Early versions of njsscan might have had compatibility issues or suboptimal performance on M1 Mac (ARM) architectures. Full support and testing for M1 Mac ARM was explicitly added in version 0.3.2.
Fix: Upgrade to njsscan version 0.3.2 or newer to ensure full compatibility and optimized performance on M1 Mac ARM systems.

Install

pip install njsscan Install njsscan
pip install semgrep Install Semgrep (required external dependency)

Imports

main
```
from njsscan.cli import main
```
While njsscan has a programmatic entry point, it is primarily designed and documented for command-line interface (CLI) usage.

Quickstart

njsscan is primarily used as a command-line tool. This example demonstrates how to scan a Node.js project located at `./my_nodejs_project` and output the results to a JSON file.

njsscan -p ./my_nodejs_project -o results.json -f json
cat results.json

view raw JSON →