Skip to main content

JavaScript and TypeScript

Vulkro does full source analysis for JavaScript and TypeScript, including the Node.js server frameworks and the client-side XSS / DOM-sink surface. Both languages are in the Free tier - no account upgrade needed for the deep analysis (an account and sign-in are still required to scan; see Accounts).

Project detection

Vulkro recognises the project from package.json and resolves installed versions from package-lock.json. TypeScript sources are analysed directly; no build step or type-check is required.

vulkro scan .
vulkro discover . # endpoint map only

Frameworks

Endpoint extraction understands:

  • Express
  • Fastify
  • NestJS
  • Next.js (App Router and Pages Router)
  • Koa
  • Hono
  • Hapi
  • Elysia
  • AdonisJS
  • tRPC

Cross-cutting surfaces also covered:

  • GraphQL (Apollo, graphql-yoga)
  • gRPC
  • WebSocket (ws, Socket.IO)
  • React and Angular client surfaces (for XSS and DOM-sink analysis)

Router composition is followed so recorded paths match what the server serves (for example Express Router mounts and Next.js route segments).

Access model

Each endpoint is tagged with an AuthTier (Anonymous / User / Admin / Service / Machine / Unknown), its scopes, and its tenant-scoping. The BOLA / IDOR and broken-authentication rules consult this metadata so findings already covered by a visible auth gate are suppressed. Java, Python, and Go share the same endpoint model, and all of them flow into the OWASP API Top 10 checks.

Taint analysis

Vulkro runs an interprocedural taint pass for JS/TS. It follows data from a request-bound source through function calls to a dangerous sink.

Sources include req.body, req.query, req.params, req.headers, the equivalents in Next.js route handlers, and route-handler parameters. Sinks include SQL query builders (knex.raw, sequelize.query, db.query, pool.query), child_process.exec, eval / Function(...), fetch(...) (SSRF), redirect(...) (open redirect), template-as-string XSS, and __proto__ writes (prototype pollution). Findings carry the source-to-sink hop chain (SARIF codeFlows).

Loop-carried taint is off by default; enable the worklist engine with VULKRO_TAINT_CFG=1 (JS/TS and Python only). See Taint analysis for the full source / sink / sanitiser model and its limits.

Dependencies

npm dependencies from package.json (resolved via package-lock.json) are matched against the local CVE bundle. JS/TS is also covered by the npm reachability annotation: CVE findings for a curated set of high-traffic packages are tagged [reachable] or [unreachable] by call-shape. See Dependencies and CVEs and Reachability.

The AI-generated-code surface (slopsquatted package names, RAG-index safety, CI/CD pipeline injection) applies to JS/TS. See New detectors.

Useful commands

vulkro scan .
vulkro discover . --format json
vulkro dataflow .
vulkro explain JS-TAINT-SQL-001