TL;DR: in the last two weeks we rewrote NodeJsScan and published its security analysis of over 700 projects hosted on GitHub.
Long story: writing secure Node.JS is hard; there are almost no tools and little awareness. We felt the same pain while performing an increasing number of code reviews in Node and wanted to improve our internal process. That's why we rewrote NodeJsScan to have better reporting and a JSON output. It is not a substitute for manual review, but it serves as an additional input for the audit and has customizable XML rules.
While testing it we ran a batch of more than 700 scans and released the output here: Security Audit of Node.JS projects (http://www.isgroup.it/node.security/). It has a high rate of false positives, so it is not for the pavid :)
–Francesco `ascii` Ongaro