ESLint/Flake8/Pylint Security Rules

ESLint, Flake8, and Pylint provide static analysis for JavaScript and Python codebases, enforcing strong coding standards and detecting security issues early. These linters apply rule sets that catch insecure functions, unsafe patterns, bad validation logic, dangerous APIs, and weak coding practices. When configured with security plugins, they become powerful SAST components in DevSecOps pipelines.

Why Security Linters Matter

Security linters detect vulnerabilities during development, before SAST or CI/CD tools run. They enforce secure patterns inside IDEs and pre-commit hooks, so many insecure patterns are blocked before code ever leaves a developer’s machine. They catch subtle mistakes such as unsafe imports, insecure exception handling, unchecked user input, deprecated functions, and improper sanitization.

Security linters provide:

• Early detection of vulnerabilities
• Immediate developer feedback
• Enforced coding standards
• Reduction of security bugs before PR review
• Stronger code quality and clarity

Linters create a shift-left environment where security is enforced at the coding stage.


ESLint Security Rules (JavaScript/Node/React)

ESLint enforces security, correctness, and best practices in JavaScript-based projects. Security plugins add automated detection of dangerous JS patterns.

Core Security Plugin

Install:

npm install eslint eslint-plugin-security --save-dev

Enable plugin in .eslintrc.json:

{
  "plugins": ["security"],
  "extends": ["plugin:security/recommended"]
}

What ESLint Security Detects

Injection Risks

• eval usage
• new Function()
• unsafe regex
• template injection
• dangerous string concatenation in queries

Hardcoded Secrets

• Tokens in JS/TS code
• Hardcoded passwords
• Firebase keys

Untrusted Input

• Missing validation checks
• Unsafely building URLs
• Using user input in loops or conditions without checks

Insecure Node.js APIs

• fs operations without sanitizing paths
• child_process with dynamic input
• insecure HTTP clients

Weak Cryptography

• MD5
• SHA1
• Deprecated crypto functions

Dangerous Coding Practices

• Using insecure random values
• Missing error handling
• Using deprecated libraries

ESLint security makes JavaScript safer by default.


ESLint Security Best Practices

• Always enable security rules in all JS/TS projects
• Use Prettier for formatting separation
• Add custom rules for your organization
• Integrate ESLint into pre-commit hooks using Husky
• Run ESLint in CI to block insecure code


Flake8 Security (Python)

Flake8 enforces style, correctness, complexity, and security rules. Security scanning is added via plugins.

Install:

pip install flake8 flake8-bandit flake8-bugbear

Configure .flake8 (note that select replaces Flake8’s default E, F and W selection; use extend-select if you want the plugin codes in addition to the defaults):

[flake8]
max-line-length = 120
select = B,BLK,BBT,S
exclude = venv,node_modules

What Flake8 Security Detects

Injection and Unsafe Execution

• subprocess with shell=True
• eval or exec
• os.system
• unsafe template rendering
• insecure SQL statement building

Hardcoded Secrets

• Password found in string
• Secret-like variable names
• Tokens appearing in code

Weak Cryptography

• MD5 usage
• SHA1 usage
• Weak RNG

File Handling Issues

• Unsanitized file paths
• Unsafe open calls
• Missing context managers

Insecure Deserialization

• pickle.loads
• yaml.load without SafeLoader

Error Handling Weaknesses

• bare except
• Exception swallowing
• Missing logging in failure paths

Dangerous Third-Party Usage

• unsafe urlopen
• deprecated libraries

Flake8-bandit strengthens Python’s security posture significantly.


Pylint Security (Python)

Pylint provides deeper static analysis and security detection through extensive rule sets.

Install:

pip install pylint pylint-django pylint-plugin-utils

And for security:

pip install pylint-bandit

Enable plugin in pylintrc:

load-plugins=pylint_bandit

What Pylint Security Detects

Input Validation Gaps

• Missing input checks
• Overly permissive function inputs

Dangerous Functions

• eval
• exec
• compile
• pickle
• subprocess shell calls

Weak Crypto

• hashlib.md5
• hashlib.sha1
• insecure cipher modes

Error Handling Flaws

• bare except
• ignoring exceptions
• raising generic exceptions

Authentication & Authorization Mistakes

• missing password hashing
• inconsistent access checks

Logic Bugs

• unused variables
• duplicate branches
• unreachable code

Path Traversal and File Risks

• unsanitized path joins
• unsafe file reads/writes

Pylint offers advanced insights into logic correctness and security.


Combining ESLint, Flake8, and Pylint in DevSecOps

Together these tools enforce standardized secure coding:

  1. ESLint for JavaScript-based frontend/backend
  2. Flake8 for Python style, quality, and security
  3. Pylint for deeper Python logic and security analysis

Use them across:

• IDE
• Pre-commit
• CI/CD
• PR reviews

This combination reduces human error and speeds secure development.


Full-Length Practical Section

Extensive practical exercises to master security linters in real projects.


Practical 1: Set Up ESLint Security in a Node.js Project

Initialize project:

npm init -y
npm install eslint eslint-plugin-security --save-dev

Create .eslintrc.json:

{
  "extends": ["plugin:security/recommended"]
}

Run:

npx eslint .

Review flagged insecure patterns.


Practical 2: Detect Unsafe Eval in JavaScript

Add insecure code:

function run(input) {
    return eval(input);
}

Scan with ESLint.
Fix by removing eval usage.


Practical 3: Add ESLint to Pre-Commit Using Husky

Install:

npm install husky --save-dev
npx husky install

Add hook:

npx husky add .husky/pre-commit "npx eslint ."

Commit insecure code and observe failure.


Practical 4: Configure Flake8 With Security Plugins

Install:

pip install flake8 flake8-bandit flake8-bugbear

Add .flake8 (the [flake8] section header is required, otherwise the file is ignored):

[flake8]
select = B,BF,BT,I,S

Run:

flake8 .

Investigate flagged issues.


Practical 5: Flag Unsafe Python Code With Flake8-Bandit

Example:

os.system("rm -rf " + user_input)

Flake8 should detect command injection risk.
Refactor using subprocess array arguments.
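A hardened replacement for the os.system call above, added here as an example rather than the page’s own code. remove_within and demo are hypothetical names, and base_dir is assumed to be the only directory the application is allowed to delete under:

```python
import os
import subprocess
import tempfile


def remove_within(base_dir, user_input):
    """Delete a directory named by untrusted input, but only inside base_dir.

    Two changes over os.system("rm -rf " + user_input): the command is an argument
    list run without a shell, so metacharacters in user_input are never interpreted,
    and the resolved path must sit strictly below base_dir (no traversal, no absolute paths).
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_input))
    # Containment check: base itself and anything outside it are refused.
    if target == base or not target.startswith(base + os.sep):
        raise ValueError(f"refusing to remove {user_input!r}: outside {base_dir!r}")
    # "--" ends option parsing, so a name such as "-rf" is treated as a path, not a flag.
    subprocess.run(["rm", "-rf", "--", target], check=True)
    return target


def demo():
    """Exercise remove_within in a throwaway directory and report what happened."""
    base = tempfile.mkdtemp()  # constructed sandbox for this example
    scratch = os.path.join(base, "scratch")
    os.mkdir(scratch)
    open(os.path.join(scratch, "note.txt"), "w").close()
    removed = remove_within(base, "scratch")
    rejected = []
    for bad in ("../sibling", "/tmp", ".", "scratch/../.."):
        try:
            remove_within(base, bad)
        except ValueError:
            rejected.append(bad)
    # A shell metacharacter stays part of the file name; nothing is executed and
    # rm -f on a non-existent path simply succeeds.
    literal = remove_within(base, "a; echo injected")
    return {
        "removed_path": removed,
        "scratch_gone": not os.path.exists(scratch),
        "rejected": rejected,
        "metachars_literal": literal.endswith("a; echo injected"),
    }
```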


Practical 6: Use Flake8 to Prevent Hardcoded Secrets

Add:

password = "admin123"

Run Flake8.
Remove hardcoded secrets and switch to environment variables.


Practical 7: Set Up Pylint With Security Plugins

pip install pylint pylint-bandit

Add:

load-plugins=pylint_bandit

Run:

pylint app/

Check security messages.


Practical 8: Detect Insecure Deserialization With Pylint

Add:

import pickle
data = pickle.loads(user_input)

Pylint flags unsafe usage.
Replace with safe serializers.


Practical 9: Integrate Linters Into CI/CD

GitHub Actions example:

- name: Run ESLint
  run: npx eslint .

- name: Run Flake8
  run: flake8 .

- name: Run Pylint
  run: pylint src/

Fail pipeline on high severity issues.


Practical 10: Add Pre-Commit Hooks for Python

Install:

pip install pre-commit

Create .pre-commit-config.yaml (each hook runs in its own isolated environment, so the security plugins must be listed as additional_dependencies or they will not load):

repos:
  - repo: https://github.com/PyCQA/flake8
    rev: 6.1.0
    hooks:
      - id: flake8
        additional_dependencies: [flake8-bandit, flake8-bugbear]
  - repo: https://github.com/PyCQA/pylint
    rev: v3.0.0
    hooks:
      - id: pylint
        additional_dependencies: [pylint-bandit]

Run:

pre-commit install

Test with insecure code.


Practical 11: Build Custom ESLint Security Rule

Create rule:

module.exports = {
  meta: {
    type: "problem",
    docs: { description: "disallow calls to dangerousAction()" }
  },
  create(context) {
    return {
      // Visit every call expression and report direct calls to the banned name.
      CallExpression(node) {
        if (node.callee.type === "Identifier" && node.callee.name === "dangerousAction") {
          context.report({ node, message: "dangerousAction() is not allowed" });
        }
      }
    };
  }
};

Add to config and test detection.


Practical 12: Create Custom Flake8 Security Plugin

Create plugin structure:

flake8_secure/
  __init__.py
  checker.py

Add rule detecting:

• file paths containing ../
• insecure open calls

Register plugin in setup.cfg.
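A minimal checker.py for the plugin structure above, added as an example rather than the page’s own code. The class name, the SEC codes and the entry-point lines in the comment are hypothetical; the checker flags the two patterns listed and exposes a check_source helper for testing outside Flake8:

```python
import ast

# Hypothetical registration for setup.cfg (this example's names, not the page's):
#   [options.entry_points]
#   flake8.extension =
#       SEC = flake8_secure.checker:SecureChecker
# Flake8 instantiates the class with the parsed module and calls run().


class SecureChecker:
    name = "flake8-secure"
    version = "0.1.0"

    def __init__(self, tree):
        self.tree = tree

    def run(self):
        """Yield (line, col, message, type) tuples in the shape Flake8 expects."""
        for node in ast.walk(self.tree):
            # SEC001: a string literal with a parent-directory segment. Docstrings are
            # Constant nodes too, so a "../" in documentation is a known false positive.
            if isinstance(node, ast.Constant) and isinstance(node.value, str) and "../" in node.value:
                yield node.lineno, node.col_offset, "SEC001 string literal contains '../'", type(self)
            # SEC002: open() whose path argument is not a literal, i.e. may be built
            # from user input; a literal path is left alone.
            elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "open":
                if node.args and not isinstance(node.args[0], ast.Constant):
                    yield node.lineno, node.col_offset, "SEC002 open() called with a non-literal path", type(self)


def check_source(source):
    """Return [(line, code), ...] sorted by position, for tests and ad-hoc runs."""
    findings = SecureChecker(ast.parse(source)).run()
    return sorted((line, msg.split()[0]) for line, _, msg, _ in findings)
```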


Practical 13: Use Pylint to Detect Missing Validation

Add logic:

def create_user(data):
    save_to_db(data)

Pylint with custom rules flags absence of validation.
Add checks for types, structure, and boundaries.
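One way to add the validation Practical 13 asks for, which also replaces the pickle.loads call from Practical 8 with JSON plus explicit checks. This is an added example, not the page’s code; the field names, the limits and the save_to_db callback are assumptions:

```python
import json

# Constructed schema for this example (hypothetical limits; tune them per application).
ALLOWED_KEYS = {"username", "email", "age"}
USERNAME_MAX, EMAIL_MAX = 32, 254
AGE_MIN, AGE_MAX = 13, 150


class ValidationError(ValueError):
    """Untrusted input failed a structure, type or boundary check."""


def parse_user_payload(raw):
    """Decode untrusted bytes with json (never pickle) and validate every field.

    Returns a new dict holding only the allowed keys, so nothing unexpected
    reaches the database.
    """
    try:
        data = json.loads(raw)
    except (ValueError, TypeError) as exc:  # JSONDecodeError is a ValueError
        raise ValidationError(f"payload is not valid JSON: {exc}") from None

    # Structure: a JSON object with exactly the expected keys, no extras.
    if not isinstance(data, dict):
        raise ValidationError("payload must be a JSON object")
    if set(data) != ALLOWED_KEYS:
        raise ValidationError(f"keys must be exactly {sorted(ALLOWED_KEYS)}")

    # Types and boundaries, checked before anything touches the database.
    username, email, age = data["username"], data["email"], data["age"]
    if not (isinstance(username, str) and username.isalnum()
            and 1 <= len(username) <= USERNAME_MAX):
        raise ValidationError(f"username must be 1-{USERNAME_MAX} alphanumeric characters")
    if not (isinstance(email, str) and email.count("@") == 1
            and 3 <= len(email) <= EMAIL_MAX):
        raise ValidationError("email must be a short string with exactly one '@'")
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(age, bool) or not isinstance(age, int) or not AGE_MIN <= age <= AGE_MAX:
        raise ValidationError(f"age must be an integer from {AGE_MIN} to {AGE_MAX}")

    return {"username": username, "email": email, "age": age}


def create_user(raw, save_to_db):
    """Validate first, then persist; save_to_db is a hypothetical storage callback."""
    clean = parse_user_payload(raw)
    save_to_db(clean)
    return clean
```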


Practical 14: Detect Insecure Randomness

Add code:

import random
otp = random.randint(1000, 9999)

Flake8-Bandit or Pylint warns about insecure randomness.
Fix using cryptographically secure generators.


Practical 15: Secure Frontend Input Handling With ESLint

Add unsafe code:

const url = "/api/user?id=" + location.search;

ESLint flags injection potential.
Fix using URLSearchParams.


Practical 16: Run All Linters as a Combined Security Stage

Create script:

npm run lint && flake8 && pylint app/

Add to CI as blocking stage.


Practical 17: Train Developers Using Linter Findings

Export top recurring issues from:

• ESLint
• Flake8
• Pylint

Create training document under /secure-dev/linter-training/.


Practical 18: Periodically Audit Linter Rules

Review:

• Allowed patterns
• Disabled rules
• False positive rates

Adjust configurations to be stricter over time.


Practical 19: Build Linter Rule Baseline

Create baseline for:

• ESLint rules
• Flake8 rules
• Pylint rules

Store under /security/linter-baseline/.


Practical 20: Design a Complete Linter Architecture

Diagram includes:

• Developer IDE integration
• Pre-commit hooks
• Local linting
• CI/CD linting stages
• Custom rule sets
• Security standards
• PR enforcement
• Alerts

Use architecture for onboarding and governance.


Intel Dump

• ESLint, Flake8, and Pylint enforce secure coding patterns during development
• ESLint detects JS risks such as eval, unsafe regex, injection, bad crypto, and insecure Node APIs
• Flake8-bandit strengthens Python projects by detecting injections, weak crypto, unsafe file handling, and hardcoded secrets
• Pylint offers deeper analysis for logic flaws, unsafe patterns, missing validation, and insecure functions
• Integrating these linters into IDE, pre-commit, CI/CD, and PR reviews provides early security enforcement
• Extensive practicals include installation, configuration, secret detection, injection detection, custom rules, CI integration, developer training, and full linter architecture
