Tavotsu/BaseSec

Static Application Security Testing (SAST) CLI tool for Node.js backends.

Features

  • 42 Security Rules across 10 categories (SQL Injection, XSS, NoSQL Injection, Command Injection, Path Traversal, Authentication, Secrets, Error Handling, Misconfiguration, Dependency Checking)
  • Taint Analysis — tracks data flow from user input (req.query, req.body, etc.) to dangerous sinks
  • Framework Detection — auto-detects Express, NestJS, Mongoose, TypeORM, Fastify, Koa, and Prisma
  • Dependency Checking — detects outdated packages with known CVEs, vulnerable dependencies (via pnpm/npm audit), unused dependencies, and lockfile mismatches
  • Sensitive File Protection — .env and credential files are completely ignored by default unless explicitly allowed with --read-env
  • Multiple Output Formats — Terminal (colored tables), JSON, SARIF, HTML, Markdown. Non-terminal formats auto-save to ~/.basesec/
  • Analysis Cache — hash-based per-file caching for 10x speedup on incremental scans
  • Worker Threads — multi-core parallel analysis for large codebases
  • Custom Rules — load external rule files (MJS/CJS) via .basesecrc
  • AI-Powered Analysis — enriches findings with AI explanations and detects suspicious taint flows (Ollama or OpenAI)
  • Zero Configuration — works out of the box with sensible defaults

Quick Start

Install

npm install -g basesec
# or
pnpm add -g basesec
# or
yarn global add basesec

Scan

# Scan current directory
basesec scan

# Scan specific directory
basesec scan ./src

# JSON output (auto-saved to ~/.basesec/scan-<timestamp>.json)
basesec scan ./src --format json

# Custom output path
basesec scan ./src --format json --output report.json

# Only critical/high findings, strict exit code
basesec scan ./src --severity high --strict

Framework Support

| Framework | Auto-Detection | Notes |
|-----------|----------------|-------|
| Express   | Yes | Route handlers, middleware, res.send(), res.set() |
| NestJS    | Yes | Decorators (@Controller, @Get, etc.), guards |
| Fastify   | Yes | Route handlers, rate limit, helmet, CORS |
| Koa       | Yes | Context assignments (ctx.body), middleware |
| Mongoose  | Yes | Query chains, $where, lean() |
| TypeORM   | Yes | Query builder, raw queries |
| Prisma    | Yes | Raw queries ($queryRaw, $executeRaw) |

Configuration

Create a .basesecrc file in your project root:

export default {
  severity: 'low',
  framework: 'auto',
  ignore: ['node_modules', 'dist', 'coverage'],
  taintAnalysis: true,
  sanitizers: [],
  rules: [],
  rulesConfig: {},
  maxFileSize: 512000,
  maxFiles: 10000,
  cache: {
    maxAge: 86400000,
    dir: '.basesec/cache',
  },
  workers: {
    threshold: 50,
    max: 8,
  },
  output: {
    format: 'terminal',
    filePath: '',
  },
  // AI disabled by default for maximum privacy
  ai: {
    enabled: false,
    provider: 'ollama',
    model: 'llama3.2',
    contextLevel: 'minimal',
    baseUrl: 'http://localhost:11434',
    maxFindings: 10,
    timeout: 30000,
  },
};

See CONFIGURATION.md for full options.

Performance

BaseSec uses two core optimizations:

  1. Analysis Cache (enabled by default) — SHA-256 file + config hashing, skips unchanged files
  2. Worker Threads (auto-enabled for >50 files) — parallel analysis across CPU cores

Combined, these deliver ~12x speedup on rescans. See PERFORMANCE.md for benchmark data.

Documentation

License

CC BY-NC 4.0 © tavotsu
