
Top 5 NPM Vulnerability Scanners

By Eyal Katz July 20, 2022

The world of software development has been rocked by JavaScript: nearly every modern web app makes extensive use of it on the front end, and with Node.js it is just as popular on the backend. It is hardly surprising, then, that new vulnerabilities are emerging daily, given the sheer volume of open source dependencies that JavaScript developers pull in. The culprit? It all comes down to the free NPM packages installed within Node.js.

What is NPM? 

NPM is the default package manager for Node.js, the server-side JavaScript runtime. It consists of a command line client, also called NPM, and an online database of public and paid-for private packages called the NPM Registry. The NPM Registry is the world’s largest software registry, with more than 1.8 million active code packages. NPM makes it easy for developers to share and reuse JavaScript code via repositories, which in turn speeds up the development process and simplifies the distribution of JavaScript software.

Vulnerabilities in Node.js 

Unfortunately, because of its popularity, NPM has become a constant target of attacks, including cryptomining, data stealing, botnets, and remote execution packages intended to gain full access to a host. Particularly common are security vulnerabilities such as Cross-site Scripting (XSS).

If left undetected, these vulnerabilities in NPM packages can spread quickly within communities that use Node.js software. A recent report identified as many as 1,300 malicious packages on NPM within a period of just six months.

Developers risk distributing unsafe software to their users if they import vulnerable NPM packages into the programs they write, while end-users who don’t check NPM packages for risks may inadvertently install malicious packages onto their computers. In one particular incident, a compromised NPM package potentially infected millions of end users. Another case in point is this severe remote code execution flaw in an NPM package that is downloaded 12 million times per month.


Vulnerabilities create opportunities for exploits that could ruin both the user experience and the product itself. Checking applications for vulnerabilities as early as possible is one of the best practices for improving overall SDLC security. This is where vulnerability scanners come in.

How Scanners Can Help

As we’ve established, working with open-source tools like NPM comes with its risks. The more dependencies employed, the more room there is for vulnerabilities. In turn, the best practice developers can employ is to continuously verify NPM packages. But manually checking dependencies is both time-consuming and stressful. Enter automated vulnerability scanners.

NPM security scanning is the main line of defense against these kinds of vulnerabilities, and helps protect both developers and end-users from malware, insecure application code, and other threats that may exist within NPM packages. NPM security scanners parse every layer of an NPM package, including its dependencies, recursively.


7 Things to Look for in a Good NPM Scanner

NPM security scanning can be done in two ways:

  • Use npm audit, NPM’s native auditing tool, which produces a report of all known vulnerabilities found in a specific NPM package and its dependency tree. When a package is vulnerable, npm audit may also try to resolve the issue by installing a patched, updated version.
  • Use a commercial scanning tool, such as the vulnerability scanners listed below. Commercial scanners can continually scan packages inside Artifactory repositories. This is in contrast to npm audit, which is solely intended for one-off security audits of specific packages that users run manually from the command line. With a commercial scanning tool, a security vulnerability check is performed automatically every time a new package is uploaded or an existing package is modified.
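As an added example (not code from the article or from any of the vendors it lists), this script applies a severity gate to the report that npm audit --json produces, so the one-off audit described above can also fail a CI job; the report object is constructed sample data, and the field names assume the npm 7+ report format (auditReportVersion 2).

```javascript
// Added example (not from the article): apply a severity gate to the JSON
// that `npm audit --json` writes. Field names follow the npm 7+ report format
// (auditReportVersion 2); the report below is constructed sample data.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: one transitive root cause and the direct dependency it
// reaches the project through. Advisory id, title and URL are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "critical", isDirect: false,
      via: [{ source: 0, name: "example-parser", title: "PLACEHOLDER advisory",
              url: "https://example.invalid/advisory/PLACEHOLDER",
              severity: "critical", range: "<1.2.0" }],
      effects: ["example-cli"], range: "<1.2.0",
      nodes: ["node_modules/example-parser"], fixAvailable: true,
    },
    "example-cli": {
      name: "example-cli", severity: "critical", isDirect: true,
      via: ["example-parser"], // a bare name = vulnerable only through that dependency
      effects: [], range: "*",
      nodes: ["node_modules/example-cli"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 2, total: 2 } },
};

// Returns the findings at or above `threshold` and a pass/fail verdict.
// Entries whose `via` holds an advisory object are root causes; entries whose
// `via` holds only package names are dependents that inherit the problem.
function gateAudit(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const rootCauses = [];
  const affected = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < min) continue;
    const advisories = (v.via || []).filter((x) => typeof x === "object" && x !== null);
    const entry = { name: v.name, severity: v.severity, direct: !!v.isDirect,
                    fixAvailable: !!v.fixAvailable };
    if (advisories.length > 0) rootCauses.push({ ...entry, urls: advisories.map((a) => a.url) });
    else affected.push({ ...entry, via: v.via });
  }
  const failed = rootCauses.length > 0;
  return { failed, exitCode: failed ? 1 : 0, rootCauses, affected };
}
```

In a pipeline, run npm audit --json > audit.json, pass the parsed file to gateAudit, and use the returned exitCode as the job's exit status.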

The main criteria to look for in a good NPM commercial scanner include:

  1. Comprehensive coverage of the entire application structure 
  2. Ability to integrate with other security tools
  3. Low number of false positives
  4. No hidden costs
  5. Cutting-edge technology
  6. Simple user interface
  7. Timely and quality reports with key metrics

Top vulnerability scanners for Node.js


1. Snyk

Snyk is a developer-focused security solution that enables developers to secure code, dependencies, containers, and infrastructure as code. Snyk identifies and fixes vulnerabilities and license violations in open source dependencies in a seamless and proactive manner. 

For: Developers, DevOps, and security teams.

Pros:

  • Freeware model for small businesses with a single project. 
  • Helps in dependency management.
  • Static Application Security Testing (SAST) is excellent.
  • Infrastructure-as-code scanning (Terraform, CloudFormation, Docker image scans) is highly rated.
  • Easy-to-use dashboard and reliable CLI for SSH access.
  • The automated repository analysis can be easily plugged into your PR (pull request) validator.

Cons:

  • Primitive security analysis which can flag false positives. This can only be fixed with manual override or skipping the PR validation check. 
  • The pricing structure can get extremely expensive for medium to large companies.
  • It does not have a customizable dashboard for analytics.
  • It has a sleek GUI, but customizing the policies can be improved.
  • Auto Remediation can be improved.

“Helpful tool that integrates seamlessly and works as advertised. Snyk is easy to use, provides clear feedback, and integrates well into GitHub. Doesn’t always update its results the fastest,” says Ross T., an IT team lead in government administration, in his review.

Ashveen B., IT Director at an IT and service company, notes: “Has delivered value from the day I started using it. I hope you will enjoy it too. Concise reporting and the vulnerability scan is excellent regarding categorization of issues.”


2. SpectralOps

SpectralOps is a developer-focused cybersecurity solution that functions as a command-and-control plane for source code and other developer assets. Our solution scans code, settings, and other artifacts for security vulnerabilities and defends against them. 

Using the world’s first hybrid scanning engine, which combines powerful AI technology and over 2,000 detectors, we give developers the confidence to work at speed while protecting businesses from costly mistakes. For this, we’re seen as an “innovator in automated code security”.

Our mission is to help developers supercharge their CI/CD by automating secret protection steps. In addition to helping users find and classify their data silos, our solution monitors and detects API keys, tokens, passwords, security flaws, and other threats in real time.

For: Developers, DevOps, and security teams working for businesses of any size, across all industries.

Pros:

  • Advanced notification and monitoring capabilities. 
  • Easy integration.
  • Covers a wider range of use cases than competitors.
  • Flexible modular platform (appropriate for any business, from small teams to large enterprises).
  • Developer-centric.
  • High-speed scanning. 
  • Robust customer support team.
  • Eliminates public blindspots by continuously uncovering and monitoring supply chain gaps and proprietary code assets across multiple data sources.
  • Easy to set up and use.
  • Highly-rated daily scan of all repositories.
  • Integrates easily into ADO, allowing users to track down unknown exposures.

Cons: 

  • Sporadic slow-performing UI.
  • User needs to navigate to the source instead of seeing a snippet of the offending code inside the portal. 
  • Could offer more customization.
  • Hard to find the trial link on the website.

Alex B., head of security at Amperity, writes, “You can definitely tell Spectral was built by developers for developers, and more importantly, you can see the value of using it immediately.”

Elad K., team leader at SimilarWeb, adds that “Spectral reduces costs by shifting left our security efforts while observing more than 300 repos and enabling us a safe, open-source transformation.”


3. Checkmarx

Checkmarx is a highly accurate and adaptable static code analysis tool. It enables companies to automatically scan uncompiled/unbuilt code and detect hundreds of security flaws in the most common coding languages. Checkmarx integrates DevOps with automated software security tools and offers static and interactive application security testing, software composition analysis, infrastructure-as-code security testing, and application security training and development.

For: Developers, DevOps, and security teams in SMBs as well as large enterprises. 

Pros: 

  • Some users mention “zero complexity” to configure a new project.
  • Supports a large number of languages.
  • Makes it easy to find code vulnerabilities and explains why the code is vulnerable, helping to future-proof code. 
  • Scanning and reporting can be done from within the developers’ screens. 

Cons: 

  • Reports can often include false positives and duplications.
  • Installation can be difficult. 
  • Difficult to integrate with CI.
  • Per-user cost of subscription is high, which makes it difficult for small organizations to own it completely. 
  • Some users mention that the reporting can be slow and messy. 

One reviewer, an IT professional at a banking enterprise, writes of the solution: “Sometimes reports generated by the CheckMarx scan contain a lot of false positive issues even though code is designed in a way that ensures security. This decreases the readability of the reports.”

Another reviewer, Hatim B., an IT Architect and Project Manager, notes that “The tool is also rich in terms of indicators and charts. It provides a dashboard that makes it easy to track application risk level scores over time and provides management with comprehensive reports.”


4. Tenable

Tenable.io is a comprehensive risk-based vulnerability management (RBVM) platform. Hosted in the cloud and powered by Nessus technology, it offers extensive vulnerability coverage as well as the ability to predict which security issues should be addressed first. It can scan across your entire attack surface, including cloud, operational technology, and container environments. Its Frictionless Assessment for AWS does without network scanners and agents, using cloud-native tools instead to provide near-real-time visibility into your AWS exposures.

For: Developers, DevOps, and security teams.

Pros:

  • Provides predictable and repeatable scanning.
  • Allows for PCI attestation scanning.
  • Offers a broad range of capabilities that may be configured to meet scanning needs.
  • Ease of deployment/setup with assets.
  • Explanations of vulnerabilities and how they’re detected.

Cons: 

  • Must switch between interfaces to access certain functionalities.
  • Scan speed and resource utilization are sometimes poor.
  • Executive-level reporting could do with some improvements.
  • Automated reports aren’t customizable. 
  • Some of the reports contain too many unnecessary details.

“We used the reports to regularly assess if we were closing down identified misconfigurations or unused services and to act on any vulnerabilities found. We also found it useful to identify out-of-date software on our server deployments,” writes Jase W., product director at a financial services software company.

Another reviewer in government administration notes: “Tenable.io is a growing platform. Initially, we found several bugs. The Tenable team has gotten better at addressing them, but you can still occasionally find issues on the platform.”


5. Sonatype

Sonatype Nexus Platform is a software composition analysis tool that scans for components to build a repository, then checks for security and licensing to assure compliance. Sonatype automates open source governance to decrease risk and speed up software development.

Modules available include:

  • Nexus Container assists DevSecOps teams in identifying, monitoring, and repairing container vulnerabilities throughout the container lifecycle.
  • Nexus Lifecycle works with GitHub, GitLab, and Atlassian Bitbucket to create pull requests for components that break open source policies automatically.
  • Nexus Firewall keeps vulnerable components out of the SDLC.
  • Nexus Repository (OSS or Pro editions) artifact repository.

For: Software developers, application security professionals, and DevSecOps experts.

Pros:

  • Stores and shares artifacts like Java libraries and Docker images.
  • Finds vulnerabilities and malicious code in builds using Nexus Lifecycle.
  • Integrates well with GitLab CI/CD.
  • Manages different versions of Java artifacts.
  • Works as a package manager for JavaScript-based apps.
  • User management can be integrated with Active Directory.

Cons: 

  • The user interface is complex and not intuitive for first-time users.
  • The administration and configuration are complex.
  • UI can be improved and error messages can be made clearer.
  • Repository mirroring between Nexus and Artifactory doesn’t always work.
  • Some plug-ins (specifically Maven) create issues.

Gil B., a DevOps engineer in electrical manufacturing, notes, “It’s fairly easy to install, pricy from the enterprise version, and supports all packages types.”

“Good documentation and plugins available to support almost every language. Older versions don’t have as much support as newer ones and it takes a while to upgrade,” says an IT professional at a financial services enterprise.

Aim for comprehensive security, from code to cloud

It’s hard to ignore the risk of security vulnerabilities and their severe consequences now that open source Node.js apps are becoming increasingly prevalent in the enterprise landscape. Are you a developer struggling to keep security vulnerabilities in check? Subscribe to get the latest from our team as we share more free recommendations to help you secure your systems from code to cloud. 
