The Best Node.js Static Analysis Tools (Linters/Formatters)
We rank 15 Node.js linters, code analyzers, formatters, and more. Find and compare tools like Mega-Linter, Semgrep, ThreatMapper, and more. Please rate and review tools that you've used. This helps others find the best tools for their projects.
2 Node.js Tools
13 Multi-Language Tools
Mega-Linter can handle any type of project thanks to its 70+ embedded linters and advanced reporting. It runs on any CI system or locally, offers assisted installation and configuration, and can apply formatting and fixes automatically.
A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.
Commercial Static Code Analysis which doesn't require pre-compilation.
A simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for CI. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.
Commercial Static Code Analysis system that doesn't require building the source code or pre-compilation.
A static application security testing (SAST) tool that can find insecure code patterns in your Node.js applications using the simple pattern matcher from libsast and the syntax-aware semantic code pattern search tool Semgrep.
WhiteHat Application Security Platform
WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations), supporting the WhiteHat Top 40 and OWASP Top 10.
Lint an npm or yarn lockfile to analyze and detect security issues.
A static source code analyser for vulnerabilities in PHP scripts.
Sigrid helps you improve your software by measuring your system's code quality, then compares the results against a benchmark of thousands of industry systems to give you concrete advice on the areas where you can improve.
A commercial static analysis platform that can scan multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.js, Ruby, Fortran, and Swift).
Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
Frequently Asked Questions
What are Node.js tools?
What are the best Node.js static analysis tools and linters?
The most popular Node.js tools ranked by user votes are: Mega-Linter, Semgrep, ThreatMapper, Checkmarx CxSAST, NodeJSScan.
Which Node.js services are free for open source projects?
Commercial services with a free plan for open source include Mega-Linter, Semgrep, ThreatMapper, NodeJSScan, trivy, njsscan, lockfile-lint, standard, ShiftLeft Scan.