Node.js

The Best Node.js Static Analysis Tools (Linters/Formatters)

We rank 15 Node.js linters, code analyzers, formatters, and more. Find and compare tools like Mega-Linter, Semgrep, ThreatMapper, and more. Please rate and review tools that you've used. This helps others find the best tools for their projects.

2 Node.js Tools

NodeJSScan

A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.

standard

An npm module that checks for Javascript Styleguide issues.

13 Multi-Language Tools

Mega-Linter

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 68% upvoted

Semgrep

Sponsor

A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter
  • 79% upvoted

ThreatMapper

Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedservice
  • Maintainedlinter
  • 83% upvoted

Sigrid

Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter
  • 96% upvoted

trivy

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 83% upvoted

Offensive 360

Sponsor

Commercial Static Code Analysis system doesn't require building the source code or pre-compilation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedservice
  • Maintainedlinter
  • 64% upvoted

Checkmarx CxSAST

Commercial Static Code Analysis which doesn't require pre-compilation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 52% upvoted

njsscan

A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 100% upvoted

RIPS

A static source code analyser for vulnerabilities in PHP scripts.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 67% upvoted

lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 0% upvoted

Synopsys

A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 43% upvoted

WhiteHat Application Security Platform

WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter
  • 33% upvoted

ShiftLeft Scan

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter
  • 38% upvoted

Frequently Asked Questions

What are Node.js tools?

Node.js is a runtime environment and library for running JavaScript applications outside of the browser. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

What are the best Node.js static analysis tools and linters?

The most popular Node.js tools ranked by user votes are: Mega-Linter, Semgrep, ThreatMapper, Sigrid, trivy.

Which Node.js services are free for open source projects?

Commercial services with a free plan for open source include Mega-Linter, Semgrep, ThreatMapper, trivy, njsscan, NodeJSScan, standard, lockfile-lint, ShiftLeft Scan.

Related Tags

Our Sponsors

This website is completely open source. To fund our work, we fully rely on sponsors. Thanks to them, we can keep the site free for everybody. Please check out their offers below.

  • BugProve
  • Pixee
  • semgrep
  • Offensive 360
  • BetterScan