Severity: low | CWE-1076 | OWASP A06:2021

No Security Linting

Without security-focused ESLint rules, common vulnerabilities like XSS sinks, dangerouslySetInnerHTML, and eval() usage slip through code review.

How It Works

Standard ESLint catches code style issues. Security linting plugins like eslint-plugin-security and eslint-plugin-no-unsanitized catch patterns known to cause vulnerabilities — before they reach production. Running them in CI makes security checks automatic on every PR.

Vulnerable Code

// BAD: .eslintrc with no security rules
{
  "extends": ["eslint:recommended", "next/core-web-vitals"]
  // no security plugins — dangerouslySetInnerHTML goes unnoticed
}

Secure Code

// GOOD: add security-focused ESLint plugins
{
  "extends": ["eslint:recommended", "next/core-web-vitals"],
  "plugins": ["security", "no-unsanitized"],
  "rules": {
    "security/detect-object-injection": "warn",
    "security/detect-non-literal-regexp": "warn",
    "security/detect-eval-with-expression": "error",
    // insertAdjacentHTML, document.write and similar HTML-injecting calls
    "no-unsanitized/method": "error",
    // innerHTML / outerHTML assignments
    "no-unsanitized/property": "error",
    // dangerouslySetInnerHTML; the react plugin is loaded by next/core-web-vitals
    "react/no-danger": "warn"
  }
}

Real-World Example

Shopify's security engineering team published that introducing security linting rules to their CI pipeline caught 40+ security issues per month that would otherwise have reached code review, reducing security review burden significantly.

How to Prevent It

  • Add eslint-plugin-security to your ESLint config and enable its recommended rules
  • Add eslint-plugin-no-unsanitized to catch unsafe innerHTML assignments in React
  • Run ESLint in CI on every PR — don't let security lint failures be optional
  • Review the full list of eslint-plugin-security rules and enable the ones relevant to your stack
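A CI workflow that makes the lint gate mandatory on every pull request, as an added example that is not part of the original page; the workflow and job names are illustrative, and it assumes an npm project using the ESLint config above on GitHub Actions.

```yaml
# Constructed example: fail the PR check on any security lint finding.
name: security-lint
on:
  pull_request:
jobs:
  eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      # The security rules above are set to "warn", which alone never fails a run.
      # --max-warnings 0 turns those warnings into a failing check, so a finding
      # blocks the merge instead of being something a reviewer may scroll past.
      - run: npx eslint . --ext .js,.jsx,.ts,.tsx --max-warnings 0
```

Mark the check as required in the repository's branch protection so the PR cannot be merged while it fails.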

Affected Technologies

Node.js, JavaScript
