Static Code Analysis evaluates code without executing it. A lint, or linter, is a static code analysis tool used to improve source code by finding and flagging programming errors, bugs, and patterns that may compromise security. Some of the most popular JavaScript linters are:

We can customize the linter rules to fit our needs using configuration files or third-party plugins. eslint-plugin-security is a plugin that adds rules to detect several security vulnerabilities including all of the aforementioned security risks in this lesson.

Linter configuration and usage are beyond the scope of this introductory lesson, but we can see some of their power in the following instructions.


Take a look at the .json configuration files where we've added the eslint-plugin-security plugin.

In this directory, we have files from the previous exercises in the src folder: eval.js, fs.js, and regex.js. Let’s see whether a linter can detect the security flaws (dangerous JavaScript functions) in those files.

Run ESLint in the current directory with the command: eslint .

Wow, look at that! The eslint-plugin-security plugin of ESLint caught the issues we discussed previously. Not only does it describe each problem, but it also gives the file name and the line number of the problematic code.
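To make the idea of "analysis without execution" concrete, here is an added toy checker (illustration only, not eslint-plugin-security or any Codecademy code). It scans source text line by line with plain pattern matching instead of a real AST, borrows the plugin's rule names as labels, and runs over constructed stand-ins for the lesson's src/eval.js, src/fs.js and src/regex.js files, reporting file, line and description the way the lesson shows ESLint doing.

```javascript
// Toy static checker: reads source text, never runs it. Each check flags a
// call whose security-relevant argument is NOT a string literal, which is the
// heuristic behind the three plugin rules named below (names used as labels).
const CHECKS = [
  {
    rule: 'detect-eval-with-expression',
    pattern: /\beval\(\s*(?!['"`])/,          // eval( not followed by a quote
    message: 'eval() called with a non-literal expression',
  },
  {
    rule: 'detect-non-literal-fs-filename',
    pattern: /\bfs\.\w+\(\s*(?!['"`])/,       // fs.anything( with non-literal path
    message: 'fs call with a non-literal filename',
  },
  {
    rule: 'detect-non-literal-regexp',
    pattern: /\bnew\s+RegExp\(\s*(?!['"`])/,  // RegExp built from a variable
    message: 'RegExp constructed from a non-literal pattern',
  },
];

// Returns [{ file, line, rule, message }] for every line matching a check.
function lint(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const c of CHECKS) {
      if (c.pattern.test(text)) {
        findings.push({ file, line: i + 1, rule: c.rule, message: c.message });
      }
    }
  });
  return findings;
}

// Constructed sample sources standing in for the lesson's src/ files; each
// contains one risky call next to a literal-argument call the checker ignores.
const SAMPLES = {
  'src/eval.js': "const input = process.argv[2];\nconsole.log(eval(input));\nconsole.log(eval('1 + 1'));",
  'src/fs.js': "const fs = require('fs');\nconst name = process.argv[2];\nfs.readFileSync(name);\nfs.readFileSync('./safe.txt');",
  'src/regex.js': "const p = process.argv[2];\nconst re = new RegExp(p);\nconst ok = new RegExp('^a+$');",
};

// Lints every sample and returns the combined findings in file order.
function lintAll(samples = SAMPLES) {
  return Object.entries(samples).flatMap(([file, src]) => lint(file, src));
}

for (const f of lintAll()) console.log(`${f.file}:${f.line}  ${f.rule}  ${f.message}`);
```

A real linter works on a parsed syntax tree rather than regexes, so it also catches aliased calls and multi-line expressions that this text matcher would miss.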

Press Next to move on to the next exercise.
