How to use NodeJsScan for SAST – Step-by-step Guide

NodeJsScan is a static application security testing (SAST) scanner built specifically for Node.js code. In this post, we will look at how to set up NodeJsScan, run it from the web UI, the CLI and Docker, and read its findings.

Configuration & Usage

  • Clone the NodeJsScan repository from https://github.com/ajinabraham/NodeJsScan.

Figure 1 Cloning the repository

  • Install PostgreSQL and point SQLALCHEMY_DATABASE_URI in core/settings.py at it.

  • Change into the NodeJsScan directory and install the Python requirements – pip3 install -r requirements.txt

Figure 2 Installing all requirements to run NodeJsScan

  • Run this once to create the database tables – python3 migrate.py
  • Start the development server to test the setup – python3 app.py
  • For production, run the app under gunicorn – gunicorn -b 0.0.0.0:9090 app:app

Figure 3 Executing app.py to run NodeJsScan

NodeJsScan now listens on http://0.0.0.0:9090, that is, on every network interface of the host. Anyone who can reach that port can upload source code and read every scan result, so on a shared machine bind gunicorn to 127.0.0.1 or put it behind an authenticating reverse proxy. If you need to debug, set DEBUG = True in core/settings.py, but only on a private development instance: Flask's debug mode enables the interactive Werkzeug debugger, which lets anyone who reaches the port execute Python on the server. The rule set is updated periodically, which keeps the false-positive rate low.

Figure 4 NodeJsScan running on http://0.0.0.0:9090/

NodeJsScan CLI

The command-line interface (CLI) runs the same scan without the web UI, which is how NodeJsScan is integrated into DevSecOps CI/CD pipelines. Results are written as JSON, so a pipeline step can parse the report and fail the build when findings appear.

Figure 5 NodeJsScan CLI showing its optional arguments
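The pipeline step described above, as an added example: this is my code, not code from the post or from the NodeJsScan project. It treats the CLI flags (-d for the source directory, -o for the JSON report) and the report keys sec_issues, missing_sec_header and good_finding as assumptions; confirm them against python3 nodejsscan.py --help and one real report before relying on the gate. The sample report inside the block is constructed for the example.

```python
"""CI gate for NodeJsScan CLI reports (added example, not NodeJsScan code).

Assumptions to verify against the NodeJsScan version you run:
  * CLI invocation: python3 nodejsscan.py -d <dir> -o <report.json>
  * report layout: findings grouped under "sec_issues" and
    "missing_sec_header", each mapping a rule title to a list of hits
    that carry "path" and "line"; "good_finding" is informational.
"""
import json
import subprocess
import sys
from pathlib import Path

CATEGORIES = ("sec_issues", "missing_sec_header")

# Constructed sample report in the assumed layout (not real scanner output).
SAMPLE_REPORT = {
    "sec_issues": {
        "Code Injection": [
            {"path": "src/app.js", "line": 12, "description": "input reaches eval()"},
        ],
        "Weak Hash": [
            {"path": "node_modules/legacy/hash.js", "line": 3, "description": "md5"},
        ],
    },
    "missing_sec_header": {
        "X-Frame-Options": [
            {"path": "src/app.js", "line": 1, "description": "header never set"},
        ],
    },
    "good_finding": {"Helmet in use": [{"path": "src/app.js", "line": 4}]},
}


def run_nodejsscan(source_dir, report_path, nodejsscan_py="nodejsscan.py"):
    """Run the CLI over a directory and load the JSON report it writes.

    The flags are an assumption (see module docstring); confirm with --help.
    """
    subprocess.run(
        [sys.executable, nodejsscan_py, "-d", str(source_dir), "-o", str(report_path)],
        check=True,
    )
    return json.loads(Path(report_path).read_text())


def collect_findings(report, ignore_dirs=("node_modules",)):
    """Flatten a report into (category, rule, path, line) tuples.

    Hits inside ignore_dirs (matched on any path segment) are dropped:
    findings in vendored code are real but not something this repo's
    build can fix, and left in they would block every pipeline run.
    """
    findings = []
    for category in CATEGORIES:
        for rule, hits in report.get(category, {}).items():
            for hit in hits:
                path = hit.get("path", "")
                if any(part in ignore_dirs for part in Path(path).parts):
                    continue
                findings.append((category, rule, path, hit.get("line")))
    return findings


def gate(report, max_sec_issues=0, max_missing_headers=None, ignore_dirs=("node_modules",)):
    """Return (passed, findings).

    Security issues above max_sec_issues fail the build. Missing security
    headers are enforced only when max_missing_headers is given, because a
    library or CLI package legitimately sets no HTTP headers at all.
    """
    findings = collect_findings(report, ignore_dirs)
    sec = sum(1 for f in findings if f[0] == "sec_issues")
    hdr = sum(1 for f in findings if f[0] == "missing_sec_header")
    passed = sec <= max_sec_issues
    if max_missing_headers is not None:
        passed = passed and hdr <= max_missing_headers
    return passed, findings


def format_findings(findings):
    """One greppable line per finding for the CI log."""
    return "\n".join(f"{cat}: {rule} at {path}:{line}" for cat, rule, path, line in findings)


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        print("usage: nodejsscan_gate.py <source_dir> <report.json>", file=sys.stderr)
        return 2
    passed, findings = gate(run_nodejsscan(argv[0], argv[1]))
    print(format_findings(findings))
    print("PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as python3 nodejsscan_gate.py ./src report.json from the pipeline; a non-zero exit fails the job. Findings under node_modules are filtered out on purpose: they belong to your dependency-audit step, not to the SAST gate for first-party code, and leaving them in makes the gate permanently red.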

Docker

A Docker image for NodeJsScan can be built using the following steps –

  • First ensure that Docker is installed on your system.
  • Start the Docker service – service docker start
  • Build the image from the repository root; the trailing dot is the build context – docker build -t nodejsscan .
  • Finally run the application – docker run -it -p 9090:9090 nodejsscan. To expose the UI only to the local machine, publish the port as -p 127.0.0.1:9090:9090 instead.

Now, let’s get started with a demo.

  1. I tested this tool on a repository that contains incomplete and vulnerable code.
  2. The web UI accepts uploads as a .zip archive, so first compress the .js sources into a .zip file, then open the app in your browser and upload it.
  3. After the upload, the tool lists every vulnerability it found.

Figure 6 Vulnerabilities listed for app.js

Figure 7 NodeJsScan giving a detailed description of the vulnerability
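Building the archive for step 2, as an added example that is my code, not the post's or the NodeJsScan project's. The directories and file suffixes it skips are my choice: NodeJsScan does not require them, but uploading node_modules and minified bundles inflates the archive and buries first-party findings under third-party ones. The sample project tree in the block is constructed.

```python
"""Build the .zip that NodeJsScan's web UI takes as upload input.

Added example, not part of the original post or of NodeJsScan. Which
directories and suffixes are skipped is my choice for keeping vendored
and generated code out of the scan; NodeJsScan itself does not need it.
"""
import tempfile
import zipfile
from pathlib import Path

SKIP_DIRS = {"node_modules", ".git", "dist", "build", "coverage"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".json"}


def select_sources(root):
    """First-party source files under root, as sorted relative POSIX paths."""
    root = Path(root)
    chosen = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        # Skip anything under a vendored/generated directory.
        if any(part in SKIP_DIRS for part in rel.parts[:-1]):
            continue
        # Keep JS sources and JSON config; drop minified bundles (no real findings).
        if rel.suffix.lower() not in SOURCE_SUFFIXES or rel.name.endswith(".min.js"):
            continue
        chosen.append(rel.as_posix())
    return sorted(chosen)  # stable order gives a reproducible archive


def build_upload_zip(root, zip_path):
    """Write the selected files to zip_path and return the archive's member names."""
    root = Path(root)
    members = select_sources(root)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in members:
            zf.write(root / rel, arcname=rel)
    with zipfile.ZipFile(zip_path) as zf:
        return zf.namelist()


# Constructed sample project tree so the example runs offline.
SAMPLE_TREE = {
    "package.json": '{"name": "demo"}',
    "app.js": "const express = require('express');\n",
    "routes/user.js": "module.exports = (q) => eval(q);\n",
    "public/vendor.min.js": "!function(){}();\n",
    "node_modules/express/index.js": "module.exports = {};\n",
    "README.md": "# demo\n",
}


def demo():
    """Write SAMPLE_TREE to a temp dir, zip it, and return the member list."""
    root = Path(tempfile.mkdtemp())
    for rel, text in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return build_upload_zip(root, root / "upload.zip")


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the file prints the members that end up in the archive; for the constructed tree that is app.js, package.json and routes/user.js, with the minified bundle and node_modules left out. Point build_upload_zip at your real project root and upload the resulting file in the browser.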

Check out our post on Top 3 Open Source Tools for SAST.
