# uni-plugin-vue-security

A uni-app plugin that performs security scans on uni-app projects during the build process, with AST-based semantic analysis and enterprise-grade reporting.
## Features

- Advanced Semantic Analysis: AST-based code analysis for enhanced accuracy
  - Reduces false positives through code context understanding
  - Supports JavaScript, TypeScript, JSX, and TSX syntax
  - Detects dangerous function calls with user input tracking
  - Identifies unsafe property access patterns
  - Provides a confidence level (High/Medium/Low) for each finding
  - Merges its results with the regex-based detection layer
- uni-app-Specific Security Checks: Comprehensive security analysis for uni-app features
  - uni-app API Security: Checks for safe usage of uni.request, uni.uploadFile, etc.
  - Navigation Security: Validates uni-app navigation API usage and parameter handling
  - Storage Security: Inspects uni-app storage API usage
  - Config Security: Reviews uni-app config files for security issues
- Enhanced Dependency Security: Comprehensive dependency vulnerability scanning
  - Integrated npm audit for real-time vulnerability detection
  - Built-in vulnerability database for common packages
  - Outdated dependency detection
  - License compliance checking
  - Vulnerability caching for performance
  - Transitive dependency analysis
- Advanced Reporting: Enterprise-grade reporting capabilities
  - Trend analysis with historical data comparison
  - Compliance reports (OWASP, GDPR, HIPAA, PCI-DSS, SOX)
  - Vulnerability distribution analysis
  - CWE and OWASP Top 10 mapping
  - Fix complexity assessment
  - Priority-based recommendations
  - Interactive HTML reports with visual dashboards
- Build Process Integration: Integrates with uni-app's build process
  - Runs security scans during development and production builds
  - Configurable scan timing (pre-build, post-build, or both)
  - Can fail the build based on security issue severity
- Developer Experience: Designed for a smooth developer workflow
  - Clear and concise security issue reports
  - Integration with uni-app CLI output
  - Configurable reporting levels
  - Ignore patterns for false positives
## Installation

Using npm:

```bash
npm install --save-dev uni-plugin-vue-security
```
## Configuration

### Basic Configuration

Add the plugin to your `vue.config.js` or `uni.config.js` file:

```javascript
// vue.config.js
module.exports = {
  // ... other uni-app config
  configureWebpack: {
    plugins: [
      // ... other plugins
    ]
  },
  // uni-app plugin configuration
  uni: {
    plugins: [
      'uni-plugin-vue-security'
    ]
  }
};
```

### Advanced Configuration

```javascript
// vue.config.js
module.exports = {
  // ... other uni-app config
  uni: {
    plugins: [
      ['uni-plugin-vue-security', {
        // Basic options
        enabled: true,
        failOnError: false, // Whether to fail the build on security issues
        reportLevel: 'warning', // 'error', 'warning', or 'info'
        outputFile: './security-report.json', // Optional output file for the security report
        exclude: [], // Patterns to exclude from scanning
        // Advanced features
        enableSemanticAnalysis: true, // Enable AST-based semantic analysis
        enableDependencyScanning: true, // Enable dependency vulnerability scanning
        enableAdvancedReport: false, // Enable advanced reporting with trends and compliance
        reportHistoryPath: '.uni-security-reports', // Path for report history
        complianceStandards: ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'], // Compliance standards to check
        // uni-app-specific options
        enableUniAppSpecificRules: true, // Enable uni-app-specific security rules
        uniApiSecurity: true, // Enable uni-app API security checks
        uniNavigationSecurity: true, // Enable uni-app navigation security checks
        uniStorageSecurity: true, // Enable uni-app storage security checks
        uniConfigSecurity: true // Enable uni-app config security checks
      }]
    ]
  }
};
```

## Usage

### Development Mode

When running `npm run dev:mp-weixin` or other dev commands, the plugin automatically scans your codebase and reports any security issues it finds:

```bash
npm run dev:mp-weixin
```

### Production Build

When running `npm run build:mp-weixin` or other build commands, the plugin scans your codebase before the build runs:

```bash
npm run build:mp-weixin
```

### Security Report
The plugin generates a security report that includes:
- Summary of scanned files and found vulnerabilities
- Detailed list of security issues with severity levels
- Code snippets showing the vulnerable code
- Recommendations for fixing each issue
- Dependency vulnerability information (if enabled)
- Compliance status (if advanced reporting is enabled)
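As an added example (not code from the plugin or its README), the following Node script turns the JSON report written via `outputFile` into a CI gate: it prints the issues at or above a `reportLevel`-style threshold and returns a non-zero exit code when any error-severity issue is present, which is useful when `failOnError` is left at its default of `false`. The page does not document the report's schema, so the field names used here (`issues[]` entries with `severity`, `file`, `line`, `rule`, `message`) are an assumption, and the sample report is constructed.

```javascript
// Added example, not part of uni-plugin-vue-security: gate a CI job on the JSON
// report written via the `outputFile` option.
// ASSUMPTION: the report shape (issues[] with severity/file/line/rule/message)
// is a guess; the README does not document it. Adjust field names to the real file.

const SEVERITY_RANK = { info: 0, warning: 1, error: 2 };

// Mirrors the plugin's reportLevel semantics: keep issues at or above minLevel.
function filterByLevel(issues, minLevel) {
  const threshold = SEVERITY_RANK[minLevel];
  if (threshold === undefined) throw new Error(`unknown report level: ${minLevel}`);
  return issues.filter((issue) => {
    const rank = SEVERITY_RANK[String(issue.severity).toLowerCase()];
    return rank !== undefined && rank >= threshold; // unknown severities are dropped
  });
}

function summarize(report, minLevel = 'warning') {
  const issues = Array.isArray(report.issues) ? report.issues : [];
  const counts = { error: 0, warning: 0, info: 0 };
  for (const issue of issues) {
    const sev = String(issue.severity).toLowerCase();
    if (sev in counts) counts[sev] += 1;
  }
  const reported = filterByLevel(issues, minLevel);
  // Fail the job on any error-severity issue, independent of the plugin's failOnError.
  return { counts, reported, exitCode: counts.error > 0 ? 1 : 0 };
}

function formatIssue(issue) {
  const sev = String(issue.severity).toUpperCase().padEnd(7);
  return `${sev} ${issue.file}:${issue.line}  [${issue.rule}] ${issue.message}`;
}

// Reads the report file produced by outputFile and returns the exit code to use.
function gateReportFile(path, minLevel = 'warning') {
  const fs = require('fs');
  const report = JSON.parse(fs.readFileSync(path, 'utf8'));
  const result = summarize(report, minLevel);
  result.reported.forEach((issue) => console.log(formatIssue(issue)));
  console.log(`errors=${result.counts.error} warnings=${result.counts.warning} info=${result.counts.info}`);
  return result.exitCode;
}

// Constructed sample report (not real plugin output), used for the demo below.
const SAMPLE_REPORT = {
  summary: { scannedFiles: 12, total: 3 },
  issues: [
    { severity: 'error', file: 'src/pages/login/login.vue', line: 5, rule: 'uni-api-plaintext-url', message: 'uni.request over http://' },
    { severity: 'warning', file: 'src/pages/login/login.vue', line: 9, rule: 'uni-storage-sensitive-key', message: 'token written to storage' },
    { severity: 'info', file: 'package.json', line: 1, rule: 'outdated-dependency', message: 'lodash is outdated' },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node gate-report.js [./security-report.json] [error|warning|info]
  const [path, level = 'warning'] = process.argv.slice(2);
  if (path) {
    process.exitCode = gateReportFile(path, level);
  } else {
    const demo = summarize(SAMPLE_REPORT, level);
    demo.reported.forEach((issue) => console.log(formatIssue(issue)));
    process.exitCode = demo.exitCode;
  }
}
```

Point the script at the path you set in `outputFile` and run it as a CI step after the build; with `failOnError: false` the build step itself never fails, so this script is where the pipeline decision is made.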
## Security Rules
The plugin includes the following security rules specifically for uni-app:
### uni-app API Security
- Detects insecure usage of uni.request
- Checks for unsafe uni.uploadFile usage
- Identifies insecure uni.downloadFile usage
- Verifies safe usage of uni storage APIs

### Navigation Security
- Detects unsafe uni.navigateTo usage
- Checks for insecure uni.redirectTo usage
- Identifies unsafe uni.switchTab usage
- Verifies safe parameter passing in navigation

### Storage Security
- Detects insecure usage of uni.setStorage
- Checks for unsafe storage key names
- Identifies potential sensitive data exposure in storage

### Config Security
- Detects hardcoded secrets in uni-app config files
- Checks for insecure configuration settings
- Identifies potential security misconfigurations
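The following is an added illustration, not the plugin's own rule engine: a minimal regex-based checker in the spirit of the plugin's regex detection layer, covering the four rule families above and run over constructed sample files. The page does not say which patterns the plugin treats as insecure, so the choices here (plaintext `http://` URLs in `uni.request`-family calls, navigation URLs concatenated from runtime values without `encodeURIComponent`, credential-like storage keys, and secret-like values in `manifest.json`) are assumptions, shown in a vulnerable form beside a hardened one.

```javascript
// Added illustration (not uni-plugin-vue-security's own rules): a small
// regex-based checker for the four rule families in the README, run over
// constructed sample files. Which patterns count as "insecure" is an ASSUMPTION
// made here; the real plugin's patterns are not documented on this page.

const SENSITIVE_KEY = /token|secret|password|session|credential/i;

const RULES = [
  {
    id: 'uni-api-plaintext-url',
    severity: 'error',
    appliesTo: /\.(js|ts|vue)$/,
    // uni.request / uploadFile / downloadFile whose url literal starts with http://
    pattern: /uni\.(request|uploadFile|downloadFile)\s*\(\s*\{[^}]*?\burl\s*:\s*['"]http:\/\//g,
    message: 'network call over plaintext http://; use https://',
  },
  {
    id: 'uni-nav-unencoded-param',
    severity: 'warning',
    appliesTo: /\.(js|ts|vue)$/,
    pattern: /uni\.(navigateTo|redirectTo|switchTab|reLaunch)\s*\(\s*\{[^}]*?\burl\s*:\s*([^\n,}]+)/g,
    // flag only when the url is assembled at runtime without encodeURIComponent()
    check: (m) => /\+|\$\{/.test(m[2]) && !/encodeURIComponent\s*\(/.test(m[2]),
    message: 'navigation URL built from a runtime value without encodeURIComponent(); the value can inject extra query parameters',
  },
  {
    id: 'uni-storage-sensitive-key',
    severity: 'warning',
    appliesTo: /\.(js|ts|vue)$/,
    pattern: /uni\.setStorage(?:Sync)?\s*\(\s*(?:\{\s*key\s*:\s*)?['"]([^'"]+)['"]/g,
    check: (m) => SENSITIVE_KEY.test(m[1]),
    message: 'credential-like key written to uni storage; anything there is readable on a compromised device',
  },
  {
    id: 'config-hardcoded-secret',
    severity: 'error',
    appliesTo: /\.json$/,
    pattern: /"([A-Za-z_]*(?:secret|privateKey|password|apiKey|appKey)[A-Za-z_]*)"\s*:\s*"([^"]*)"/gi,
    // an empty value or an obvious placeholder is not a leaked secret
    check: (m) => m[2] !== '' && !/^(\$\{|<|\{\{)/.test(m[2]),
    message: 'secret-like value hardcoded in a config file that ships inside the app package',
  },
];

function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns findings for one file, sorted by line number.
function scanSource(fileName, text) {
  const findings = [];
  const lines = text.split('\n');
  for (const rule of RULES) {
    if (!rule.appliesTo.test(fileName)) continue;
    rule.pattern.lastIndex = 0; // patterns are global and shared across calls
    let m;
    while ((m = rule.pattern.exec(text)) !== null) {
      if (rule.check && !rule.check(m)) continue;
      const line = lineOf(text, m.index);
      findings.push({ rule: rule.id, severity: rule.severity, file: fileName, line,
        snippet: lines[line - 1].trim(), message: rule.message });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

function formatFinding(f) {
  return `${f.severity.toUpperCase().padEnd(7)} ${f.file}:${f.line}  [${f.rule}] ${f.snippet}\n        ${f.message}`;
}

// Constructed sample page script (not real project code): three weak patterns.
const VULNERABLE_PAGE = `
export default {
  onLoad(query) {
    uni.request({
      url: 'http://api.example.com/login',
      method: 'POST',
      data: { user: query.user },
      success: (res) => {
        uni.setStorageSync('accessToken', res.data.token);
        uni.navigateTo({ url: '/pages/detail/detail?id=' + query.id });
      }
    });
  }
};
`;

// Hardened form: TLS, only non-sensitive state in storage, encoded nav parameter.
const HARDENED_PAGE = `
export default {
  onLoad(query) {
    uni.request({
      url: 'https://api.example.com/login',
      method: 'POST',
      data: { user: query.user },
      success: (res) => {
        uni.setStorageSync('ui.theme', 'dark');
        uni.navigateTo({ url: '/pages/detail/detail?id=' + encodeURIComponent(String(query.id)) });
      }
    });
  }
};
`;

// Constructed manifest.json fragments: the secret must stay server-side, only the public appid ships.
const VULNERABLE_MANIFEST = `{
  "name": "demo",
  "appid": "__UNI__DEMO",
  "mp-weixin": {
    "appid": "wx0000000000000000",
    "appSecret": "0123456789abcdef0123456789abcdef"
  }
}`;
const HARDENED_MANIFEST = `{
  "name": "demo",
  "appid": "__UNI__DEMO",
  "mp-weixin": {
    "appid": "wx0000000000000000"
  }
}`;

if (typeof require !== 'undefined' && require.main === module) {
  const before = scanAll({ 'pages/login/login.vue': VULNERABLE_PAGE, 'manifest.json': VULNERABLE_MANIFEST });
  const after = scanAll({ 'pages/login/login.vue': HARDENED_PAGE, 'manifest.json': HARDENED_MANIFEST });
  before.forEach((f) => console.log(formatFinding(f)));
  console.log(`before: ${before.length} finding(s), after hardening: ${after.length}`);
}
```

Run it with `node` to see four findings on the vulnerable inputs and none on the hardened ones. A regex layer like this cannot tell whether `query.id` really is user-controlled or whether a URL variable is a constant; that is what the plugin's AST-based semantic analysis with user-input tracking adds on top, and why the README describes merging the two.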
## Configuration Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| enabled | boolean | true | Whether to enable the plugin |
| failOnError | boolean | false | Whether to fail the build on security issues |
| reportLevel | string | 'warning' | Minimum severity level to report ('error', 'warning', or 'info') |
| outputFile | string | null | Optional output file for security report |
| exclude | array | [] | Patterns to exclude from scanning |
| enableSemanticAnalysis | boolean | true | Enable AST-based semantic analysis |
| enableDependencyScanning | boolean | true | Enable dependency vulnerability scanning |
| enableAdvancedReport | boolean | false | Enable advanced reporting with trends and compliance |
| reportHistoryPath | string | '.uni-security-reports' | Path for report history |
| complianceStandards | array | ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'] | Compliance standards to check |
| enableUniAppSpecificRules | boolean | true | Enable uni-app-specific security rules |
| uniApiSecurity | boolean | true | Enable uni-app API security checks |
| uniNavigationSecurity | boolean | true | Enable uni-app navigation security checks |
| uniStorageSecurity | boolean | true | Enable uni-app storage security checks |
| uniConfigSecurity | boolean | true | Enable uni-app config security checks |

## Integration with Other Tools
### CI/CD Pipelines
The plugin can be integrated with CI/CD pipelines to scan for security issues on every build. Note that `failOnError` defaults to `false`, so a job like the one below still passes when issues are found; set `failOnError: true` in the plugin options (or gate on the `outputFile` report in a later step) if findings should fail the pipeline:
```yaml
# GitHub Actions example
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci
      - name: Run security scan
        run: npm run build:mp-weixin
```

### VS Code Extension
For better developer experience, consider using the Vue Security Scanner VS Code extension alongside this plugin.
## Project Structure

```
uni-app-project/
├── src/
│   ├── pages/
│   │   └── index/
│   │       └── index.vue
│   ├── components/
│   ├── static/
│   ├── App.vue
│   └── main.js
├── pages.json
├── manifest.json
├── package.json
└── .uni-security-reports/   # Generated security reports
```

## Getting Started
1. Install the plugin:

   ```bash
   npm install --save-dev uni-plugin-vue-security
   ```

2. Configure the plugin in your uni-app config:

   ```javascript
   // vue.config.js
   module.exports = {
     uni: {
       plugins: [
         'uni-plugin-vue-security'
       ]
     }
   };
   ```

3. Run your uni-app project:

   ```bash
   npm run dev:mp-weixin
   ```

4. Check the security report in your console output or in the file set by `outputFile`.
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

## License

MIT