Updated On May 25, 2019

# How to use NodeJsScan for SAST – Step-by-step Guide

NodeJsScan is a static code scanner built to find security flaws specifically in Node.js applications. In this post, we will look at how you can use NodeJsScan for SAST.

## Configuration & Usage

1. Install Postgres and configure `SQLALCHEMY_DATABASE_URI` in `core/settings.py`.
2. Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.

   Figure 1: Cloning the repository

3. Navigate to the NodeJsScan directory and install all requirements with `pip3 install -r requirements.txt`.

   Figure 2: Installing all requirements to run NodeJsScan

4. Run this command once to create the required database entries: `python3 migrate.py`
5. Run this command to start the app in the testing environment: `python3 app.py`
6. For the production environment, set up gunicorn: `gunicorn -b 0.0.0.0:9090 app:app`

   Figure 3: Executing app.py to run NodeJsScan

NodeJsScan will now be served on http://0.0.0.0:9090. If you need to debug, set `DEBUG = True` in `core/settings.py`. The tool is updated periodically and produces few false positives.

Figure 4: NodeJsScan running on http://0.0.0.0:9090/

## NodeJsScan CLI

The command-line interface (CLI) lets this tool integrate with DevSecOps CI/CD pipelines. The results are produced in JSON format.

Figure 5: NodeJsScan CLI showing its optional arguments

## Docker

Docker images can be built for NodeJsScan using the following steps:

1. First, ensure that you have Docker installed on your system.
2. Start the Docker service: `service docker start`
3. Build the image (run from the NodeJsScan directory, which contains the Dockerfile): `docker build -t nodejsscan .`
4. Finally, run the application: `docker run -it -p 9090:9090 nodejsscan`

## Demo

Now, let's get started with a demo. I tested this tool on a repository that contains incomplete and vulnerable code. The NodeJsScan app accepts uploads as .zip files.

So, first, compress your .js code into a .zip file, then open the app in your browser and upload the .zip file. After the upload, the tool lists all the vulnerabilities it found for you.

Figure 6: Vulnerabilities listed for app.js

Figure 7: NodeJsScan giving a detailed description of the vulnerability

Check out our post on Top 3 Open Source Tools for SAST.
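To make concrete what a scanner of this kind does and how its JSON output can gate a CI/CD pipeline (the point of the CLI section above), here is an added example that is not part of the original post and not NodeJsScan's own code. It runs a tiny, hypothetical rule set over a constructed `app.js` with two classic weak patterns (a shell command built by string concatenation and `eval()` on user input), emits a JSON report, and a `gate()` function returns a non-zero exit status when findings at or above a chosen severity are present. The rule names, the JSON keys `sec_issues` and `total_count`, and the severity levels are all assumptions for this example, not NodeJsScan's actual rules or schema.

```python
"""Minimal rule-based SAST over Node.js source plus a CI gate on its JSON report.
Added example; the rules and the report schema are assumed, not NodeJsScan's own."""
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample of an app.js containing two classic weak patterns.
SAMPLE_APP_JS = """\
const express = require('express');
const { exec } = require('child_process');
const app = express();
app.get('/ping', (req, res) => {
  exec('ping -c 1 ' + req.query.host, (err, out) => res.send(out));
});
app.get('/calc', (req, res) => {
  res.send(String(eval(req.query.expr)));
});
app.get('/safe', (req, res) => {
  res.json({ ok: true });
});
"""

# Hypothetical rule set: (rule id, severity, regex, description).
RULES = [
    ("eval_usage", "high", r"\beval\s*\(",
     "Dynamic code evaluation with eval()"),
    ("child_process_exec_concat", "high", r"\bexec\s*\(\s*['\"].*?['\"]\s*\+",
     "Shell command built by string concatenation"),
    ("console_log", "info", r"\bconsole\.log\s*\(",
     "Debug logging left in code"),
]

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    description: str


def scan_source(src: str) -> list:
    """Apply every rule to every line; one Finding per (rule, line) hit."""
    findings = []
    for lineno, text in enumerate(src.splitlines(), start=1):
        for rule_id, severity, pattern, description in RULES:
            if re.search(pattern, text):
                findings.append(Finding(rule_id, severity, lineno, description))
    return findings


def to_report(findings: list) -> str:
    """Serialise findings into an assumed JSON report shape."""
    return json.dumps(
        {"sec_issues": [asdict(f) for f in findings], "total_count": len(findings)},
        indent=2,
    )


def gate(report_json: str, fail_on: str = "high") -> int:
    """CI gate: return 1 (fail the build) if any issue is at or above `fail_on`."""
    data = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking = [i for i in data["sec_issues"]
                if SEVERITY_RANK[i["severity"]] >= threshold]
    return 1 if blocking else 0


if __name__ == "__main__":
    report = to_report(scan_source(SAMPLE_APP_JS))
    print(report)
    raise SystemExit(gate(report))
```

In a pipeline you would run the real CLI to produce the JSON file, then apply a small gate like `gate()` to it so that new high-severity findings block the merge rather than merely being listed in a web UI.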