

nodejsscan is a static security code scanner (SAST) for Node.js applications.


Configure & Run NodeJsScan

Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/

pip3 install -r requirements.txt
python3 # Run once to create database entries required
python3 # Testing Environment
gunicorn -b app:app --workers 3 --timeout 10000 # Production Environment

This will run NodeJsScan on

If you need to debug, set DEBUG = True in core/

Command Line Interface and Python API


NodeJsScan Docker images can be built for both the Web UI and CLI version.

docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan


Prebuilt Docker images are available from DockerHub.

docker pull opensecurity/nodejsscan
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest

Learn Node.js Security: Pentesting and Exploitation

OpSecX Video Course

Screenshots: NodeJsScan Web UI, Static Analysis, Static Scan Results, Static Scan Vulnerability Details, NodeJsScan CLI