A Taro plugin that performs security scans on Taro projects during the build process with advanced semantic analysis and enterprise-grade reporting
npm install taro-plugin-vue-securityA Taro plugin that performs security scans on Taro projects during the build process with advanced semantic analysis and enterprise-grade reporting.
- Advanced Semantic Analysis: AST-based code analysis for enhanced accuracy
- Reduces false positives through code context understanding
- Supports JavaScript, TypeScript, JSX, and TSX syntax
- Detects dangerous function calls with user input tracking
- Identifies unsafe property access patterns
- Provides confidence level assessment (High/Medium/Low)
- Intelligent merging with regex-based detection
- Taro-Specific Security Checks: Comprehensive security analysis for Taro features
- Taro API Security: Checks for safe usage of Taro.request, Taro.uploadFile, etc.
- Navigation Security: Validates Taro navigation API usage and parameter handling
- Form Security: Inspects form handling and selector query usage
- Config Security: Reviews Taro config files for security issues
- Enhanced Dependency Security: Comprehensive dependency vulnerability scanning
- Integrated npm audit for real-time vulnerability detection
- Built-in vulnerability database for common packages
- Outdated dependency detection
- License compliance checking
- Vulnerability caching for performance optimization
- Support for transitive dependency analysis
- Advanced Reporting: Enterprise-grade reporting capabilities
- Trend analysis with historical data comparison
- Compliance reports (OWASP, GDPR, HIPAA, PCI-DSS, SOX)
- Vulnerability distribution analysis
- CWE and OWASP Top 10 mapping
- Fix complexity assessment
- Priority-based recommendations
- Interactive HTML reports with visual dashboards
- Build Process Integration: Seamlessly integrates with Taro's build process
- Runs security scans during development and production builds
- Configurable scan timing (pre-build, post-build, or both)
- Build failure options based on security issue severity
- Developer Experience: Designed for a smooth developer workflow
- Clear and concise security issue reports
- Integration with Taro CLI output
- Configurable reporting levels
- Ignore patterns for false positives
``bashUsing npm
npm install --save-dev taro-plugin-vue-security
š§ Configuration
$3
Add the plugin to your
or config/dev.js file:`javascript
// config/index.js
const config = {
// ... other Taro config
plugins: [
// ... other plugins
'taro-plugin-vue-security'
]
};module.exports = config;
`$3
javascript
// config/index.js
const config = {
// ... other Taro config
plugins: [
// ... other plugins
['taro-plugin-vue-security', {
// Basic options
enabled: true,
failOnError: false, // Whether to fail the build on security issues
reportLevel: 'warning', // 'error', 'warning', or 'info'
outputFile: './security-report.json', // Optional output file for security report
exclude: [], // Patterns to exclude from scanning
// Advanced features
enableSemanticAnalysis: true, // Enable AST-based semantic analysis
enableDependencyScanning: true, // Enable dependency vulnerability scanning
enableAdvancedReport: false, // Enable advanced reporting with trends and compliance
reportHistoryPath: '.taro-security-reports', // Path for report history
complianceStandards: ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'], // Compliance standards to check
// Taro-specific options
enableTaroSpecificRules: true, // Enable Taro-specific security rules
taroApiSecurity: true, // Enable Taro API security checks
taroNavigationSecurity: true, // Enable Taro navigation security checks
taroFormSecurity: true, // Enable Taro form security checks
taroConfigSecurity: true // Enable Taro config security checks
}]
]
};module.exports = config;
`šÆ Usage
$3
When running
, the plugin will automatically scan your codebase and report any security issues:`bash
taro dev
`$3
When running
, the plugin will scan your codebase before the build process:`bash
taro build --type weapp
`$3
The plugin generates a security report that includes:
- Summary of scanned files and found vulnerabilities
- Detailed list of security issues with severity levels
- Code snippets showing the vulnerable code
- Recommendations for fixing each issue
- Dependency vulnerability information (if enabled)
- Compliance status (if advanced reporting is enabled)
š”ļø Security Rules
The plugin includes the following security rules specifically for Taro:
$3
- Detects insecure usage of Taro.request
- Checks for unsafe Taro.uploadFile usage
- Identifies insecure Taro.downloadFile usage
- Verifies safe usage of Taro storage APIs$3
- Detects unsafe Taro.navigateTo usage
- Checks for insecure Taro.redirectTo usage
- Identifies unsafe Taro.switchTab usage
- Verifies safe parameter passing in navigation$3
- Detects insecure Taro.createSelectorQuery usage
- Checks for unsafe form submission handling
- Identifies potential DOM manipulation vulnerabilities$3
- Detects hardcoded secrets in Taro config files
- Checks for insecure configuration settings
- Identifies potential security misconfigurationsš Configuration Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
|
| boolean | true | Whether to enable the plugin |
| failOnError | boolean | false | Whether to fail the build on security issues |
| reportLevel | string | 'warning' | Minimum severity level to report ('error', 'warning', or 'info') |
| outputFile | string | null | Optional output file for security report |
| exclude | array | [] | Patterns to exclude from scanning |
| enableSemanticAnalysis | boolean | true | Enable AST-based semantic analysis |
| enableDependencyScanning | boolean | true | Enable dependency vulnerability scanning |
| enableAdvancedReport | boolean | false | Enable advanced reporting with trends and compliance |
| reportHistoryPath | string | '.taro-security-reports' | Path for report history |
| complianceStandards | array | ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'] | Compliance standards to check |
| enableTaroSpecificRules | boolean | true | Enable Taro-specific security rules |
| taroApiSecurity | boolean | true | Enable Taro API security checks |
| taroNavigationSecurity | boolean | true | Enable Taro navigation security checks |
| taroFormSecurity | boolean | true | Enable Taro form security checks |
| taroConfigSecurity | boolean | true | Enable Taro config security checks |š Integration with Other Tools
$3
The plugin can be integrated with CI/CD pipelines to automatically scan for security issues during builds:
`yaml
GitHub Actions example
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install dependencies
run: npm ci
- name: Run security scan
run: taro build --type weapp
`$3
For better developer experience, consider using the Vue Security Scanner VS Code extension alongside this plugin.
š Project Structure
taro-project/
āāā config/
ā āāā index.js # Taro config with plugin setup
ā āāā dev.js # Development config
āāā src/
ā āāā pages/
ā ā āāā index/
ā ā āāā index.tsx # Page component
ā ā āāā index.config.ts # Page config
ā āāā app.tsx # App entry
āāā package.json
āāā .taro-security-reports/ # Generated security reports
š Getting Started
1. Install the plugin:
bash
npm install --save-dev taro-plugin-vue-security
`2. Configure the plugin in your Taro config:
javascript
// config/index.js
const config = {
plugins: [
'taro-plugin-vue-security'
]
};
`3. Run your Taro project:
bash
taro dev
``4. Check the security report in your console output or specified output file.
Contributions are welcome! Please feel free to submit a Pull Request.
MIT