Ofri Peretz

Posted on Dec 31, 2025 • Edited on Feb 5 • Originally published at ofriperetz.dev

The OWASP Compliance Protocol: Mapping 247 Static Analysis Rules

#security #owasp #eslint #devsecops

Governance at scale requires more than a checklist. Here is the engineering standard for mapping your entire Node.js fleet to the OWASP Top 10 through 247 automated static analysis rules.

Your security audit asks: "How do you address OWASP Top 10?"

Here's how to answer with automated evidence using 332 rules across 18 specialized ESLint plugins.

The Multi-Plugin Approach

One plugin can't cover everything. SQL injection needs database-aware rules. JWT attacks need token-specific detection. Here's the complete mapping:

OWASP Top 10 2025 → Plugin Coverage

#	Category	Risk	Plugins	Key Rules
A01	Broken Access Control	High	`secure-coding`, `nestjs-security`, `lambda-security`	`no-privilege-escalation`, `require-guards`, `no-missing-authorization-check`
A02	Cryptographic Failures	High	`node-security`, `pg`, `jwt`	`no-weak-hash-algorithm`, `no-hardcoded-credentials`, `no-weak-secret`
A03	Injection	Critical	`secure-coding`, `pg`, `browser-security`	`detect-eval-with-expression`, `no-unsafe-query`, `no-innerhtml`
A04	Insecure Design	Medium	`secure-coding`, `nestjs-security`	`no-improper-type-validation`, `no-missing-validation-pipe`
A05	Security Misconfiguration	High	`express-security`, `lambda-security`	`require-helmet`, `no-permissive-cors`, `no-exposed-error-details`
A06	Vulnerable Components	Medium	`secure-coding`, `import-next`	`detect-suspicious-dependencies`, `no-extraneous-dependencies`
A07	Auth Failures	High	`jwt`, `express-security`	`no-algorithm-none`, `no-algorithm-confusion`, `no-insecure-cookie-options`
A08	Integrity Failures	Medium	`secure-coding`	`no-unsafe-deserialization`, `no-unsafe-dynamic-require`
A09	Logging Failures	Medium	`secure-coding`, `lambda-security`	`no-pii-in-logs`, `no-error-swallowing`
A10	SSRF	High	`secure-coding`, `lambda-security`, `vercel-ai-security`	`require-url-validation`, `no-user-controlled-requests`

Modular Installation: Build your Security Protocol

Don't install everything—choose the layers that match your stack. Every protocol starts with the Core, then adds specialized coverage.

1. The Core (Mandatory)

# General OWASP coverage (89 rules)
npm install -D eslint-plugin-secure-coding

2. Specialized Security (Add as needed)

npm install -D eslint-plugin-node-security    # Cryptography & System leaks
npm install -D eslint-plugin-jwt            # Token security
npm install -D eslint-plugin-pg             # PostgreSQL hardening

3. Environment & Framework (Choose your stack)

# Frontend
npm install -D eslint-plugin-browser-security  # DOM/XSS prevention

# Backend Frameworks
npm install -D eslint-plugin-express-security  # Express.js protocols
npm install -D eslint-plugin-nestjs-security   # NestJS security pipes
npm install -D eslint-plugin-lambda-security   # Serverless/AWS Lambda

The Complete Config

// eslint.config.js - Full OWASP Top 10 Coverage
import secureCoding from "eslint-plugin-secure-coding";
import nodeSecurity from "eslint-plugin-node-security";
import jwt from "eslint-plugin-jwt";
import pg from "eslint-plugin-pg";
import browserSecurity from "eslint-plugin-browser-security";
import expressSecurity from "eslint-plugin-express-security";

export default [
  // Core OWASP preset (A01-A10 general coverage)
  secureCoding.configs["owasp-top-10"],

  // A02: Cryptographic Failures - specialized detection
  nodeSecurity.configs.recommended,

  // A07: Authentication Failures - JWT-specific
  jwt.configs.recommended,

  // A03: Injection - PostgreSQL-specific SQL injection
  {
    files: ["**/db/**", "**/repositories/**", "**/models/**"],
    ...pg.configs.recommended,
  },

  // A03: Injection - DOM XSS for frontend
  {
    files: ["**/components/**", "**/pages/**", "src/**/*.tsx"],
    ...browserSecurity.configs.recommended,
  },

  // A05: Security Misconfiguration - Express-specific
  {
    files: ["**/routes/**", "**/middleware/**", "app.ts", "server.ts"],
    ...expressSecurity.configs.recommended,
  },
];

Example Output

src/db/users.ts
  42:15  error  🔒 CWE-89 OWASP:A03 | SQL Injection detected
                [pg/no-unsafe-query] Use parameterized query: client.query($1, [id])

src/auth/jwt.ts
  18:3   error  🔒 CWE-347 OWASP:A07 | Algorithm confusion vulnerability
                [jwt/no-algorithm-confusion] Specify algorithms: { algorithms: ['RS256'] }

src/api/crypto.ts
  55:10  error  🔒 CWE-328 OWASP:A02 | Weak hash algorithm: MD5
                [node-security/no-weak-hash-algorithm] Use SHA-256 or SHA-3

src/components/Comment.tsx
  12:5   error  🔒 CWE-79 OWASP:A03 | XSS via innerHTML
                [browser-security/no-innerhtml] Use textContent or sanitize with DOMPurify

A03 Injection: Multi-Layer Protection

Injection is #1 for a reason. Here's complete coverage:

Attack Vector	Plugin	Rule
SQL Injection (PostgreSQL)	`pg`	`no-unsafe-query`
SQL Injection (general)	`secure-coding`	`detect-eval-with-expression`
Command Injection	`secure-coding`	`detect-child-process`
LDAP Injection	`secure-coding`	`no-ldap-injection`
XPath Injection	`secure-coding`	`no-xpath-injection`
XXE Injection	`secure-coding`	`no-xxe-injection`
DOM XSS	`browser-security`	`no-innerhtml`, `no-eval`
Prompt Injection	`vercel-ai-security`	`require-validated-prompt`

A02 Cryptographic Failures: 31 Specialized Rules

// node-security plugin catches what generic plugins miss
import nodeSecurity from "eslint-plugin-node-security";

// Detects:
// - CVE-2023-46809 (Marvin Attack) via no-insecure-rsa-padding
// - CVE-2020-36732 (CryptoJS) via no-cryptojs-weak-random
// - Weak algorithms: MD5, SHA1, DES, RC4, Blowfish
// - Static IVs, ECB mode, predictable salts

A07 Auth Failures: JWT-Specific Detection

// jwt plugin catches token-specific vulnerabilities
import jwt from "eslint-plugin-jwt";

// Detects:
// - Algorithm "none" attack
// - Algorithm confusion (CVE-2022-23540)
// - jwt.decode() without verify
// - Weak/hardcoded secrets
// - Missing expiration

For OWASP Mobile Top 10

import secureCoding from "eslint-plugin-secure-coding";

export default [
  {
    files: ["apps/mobile/**", "**/*.native.ts"],
    ...secureCoding.configs["owasp-mobile-top-10"],
  },
];

Covers all 10 mobile categories:

#	Category	Rules
M1	Improper Credential Usage	`require-secure-credential-storage`
M2	Inadequate Supply Chain	`detect-suspicious-dependencies`, `require-package-lock`
M3	Insecure Auth	`no-client-side-auth-logic`, `require-backend-authorization`
M4	Insufficient I/O Validation	`no-unvalidated-user-input`, `no-unvalidated-deeplinks`
M5	Insecure Communication	`no-http-urls`, `require-https-only`, `no-allow-arbitrary-loads`
M6	Inadequate Privacy	`no-pii-in-logs`, `no-tracking-without-consent`
M7	Binary Protection	`require-code-minification`
M8	Security Misconfiguration	`require-secure-defaults`, `no-verbose-error-messages`
M9	Insecure Data Storage	`require-storage-encryption`, `no-data-in-temp-storage`
M10	Insufficient Crypto	Use `eslint-plugin-node-security`

For OWASP LLM Top 10

Building AI applications? Add the Vercel AI Security plugin:

import vercelAI from "eslint-plugin-vercel-ai-security";

export default [
  {
    files: ["**/ai/**", "**/agents/**"],
    ...vercelAI.configs.recommended,
  },
];

100% OWASP LLM Top 10 2025 coverage with 22 rules.

Getting Audit Evidence

Run ESLint with JSON output:

npx eslint . --format json > security-report.json

Parse for OWASP tags:

const report = require("./security-report.json");

const owaspFindings = report
  .flatMap((file) => file.messages)
  .filter((msg) => msg.message.includes("OWASP:"));

// Group by OWASP category
const byCategory = owaspFindings.reduce((acc, finding) => {
  const match = finding.message.match(/OWASP:(A\d+)/);
  if (match) {
    acc[match[1]] = (acc[match[1]] || 0) + 1;
  }
  return acc;
}, {});

console.log("OWASP Coverage Report:", byCategory);

Rule Count Summary

Plugin	Rules	Focus
`eslint-plugin-secure-coding`	89	Core OWASP coverage
`eslint-plugin-node-security`	31	Cryptography
`eslint-plugin-jwt`	13	JWT/Authentication
`eslint-plugin-pg`	15	PostgreSQL
`eslint-plugin-browser-security`	52	Browser/DOM
`eslint-plugin-vercel-ai-security`	22	AI/LLM
`eslint-plugin-express-security`	14	Express.js
`eslint-plugin-lambda-security`	16	AWS Lambda
`eslint-plugin-nestjs-security`	10	NestJS
`eslint-plugin-import-next`	61	Import/Dependencies
Total	332

Turn compliance questions into automated answers.

📦 All Plugins:

eslint-plugin-secure-coding — Core OWASP coverage
eslint-plugin-node-security — Cryptography
eslint-plugin-jwt — JWT security
eslint-plugin-pg — PostgreSQL
eslint-plugin-browser-security — Browser/DOM
eslint-plugin-vercel-ai-security — AI/LLM
eslint-plugin-express-security — Express.js
eslint-plugin-lambda-security — AWS Lambda
eslint-plugin-nestjs-security — NestJS
eslint-plugin-import-next — Import management

⭐ Star on GitHub — 18 plugins, 332 rules

The Interlace ESLint Ecosystem
Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.

Explore the full Documentation

Build Securely.
I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.

ofriperetz.dev | LinkedIn | GitHub

DEV Community