JavaScript & TypeScript SAST
What xgrep detects in JavaScript and TypeScript — injection, XSS, supply-chain, auth, and crypto issues — with Express-aware taint analysis.
xgrep parses .js, .jsx, .mjs, .cjs, .ts, and .tsx into tree-sitter ASTs
and runs the same ruleset across JavaScript and TypeScript. Roughly 200 rules,
35 of them taint-based, follow untrusted request data through Express/Node code
into dangerous sinks.
xgrep scan --include '*.{js,ts,jsx,tsx}' .

What xgrep detects
Injection — eval-injection, express-command-injection, header-injection,
format-string, gray-matter-injection.
Cross-site scripting — express-xss, dom-xss-set-attribute,
incomplete-html-attribute-sanitization, double-escaping, incomplete-sanitization.
Path & file access — express-path-traversal, file-access-to-http,
http-to-file-access, insecure-temporary-file.
Auth, sessions & cookies — express-session-fixation, cookie-auth-bypass,
cookie-no-httponly / -samesite / -secure, jwt-none-algorithm,
empty-password-config.
CORS — cors-misconfiguration, cors-origin-injection.
Crypto & TLS — broken-crypto, insecure-tls, disabled-cert-validation,
hardcoded-credentials, hex-encoded-credential, cleartext-storage /
-transmission.
Supply chain — compromised-polyfill, embedded-malicious-code, and
insecure-dependency flag known-malicious or risky third-party code.
Availability (DoS) — decompression-bomb, ajv-deep-object-exhaustion, and the
incomplete-* hostname/URL/regex checks that lead to ReDoS or validation bypass.
Correctness — a large set of expressions-* and language-features-* rules
catches missing-await, comparison-with-NaN, self-assignment, dead stores, unbound
event-handler receivers, and similar bugs (run with --category correctness).
Taint analysis
35 rules use taint mode: they fire only when data
from a source (e.g. req.query, req.body, req.params) actually reaches a sink
(e.g. child_process.exec, res.send, eval), rather than matching code shape
alone — which is how xgrep keeps Express findings high-signal.
Frameworks
- Express — request → sink dataflow for command injection, path traversal, XSS,
  session fixation, and helmet/CORS misconfiguration.
- Node.js — child_process, fs, crypto, and vm/eval sinks.
See also Secrets scanning (committed tokens and keys) and the CLI reference.