node-env-security-gate
Security checks should not be gated behind NODE_ENV conditions
Applies to: JavaScript, TypeScript
Why this matters
Wrapping security checks in `if (NODE_ENV === 'production')` means they are skipped in development, staging, and test environments. Attackers can exploit staging/preview deployments where NODE_ENV isn't 'production', and developers never test the security code path locally. Security checks should always run.
Catch it before it ships
pip install stablestack # or: npx stablestackstablestack # scans your project, SEC012 includedstablestack explain SEC012False positive in your codebase? Suppress a single line with # noqa: SEC012
More Security checks
hardcoded-secret
Hardcoded secrets in code can be leaked and are hard to rotate
SEC002sql-injection
SQL queries built with string concatenation are vulnerable to injection
SEC003eval-usage
eval() executes arbitrary code and is a security risk
SEC004insecure-random
Non-cryptographic random is predictable and insecure for tokens/passwords
SEC005inner-html-xss
Direct innerHTML assignment can lead to XSS vulnerabilities
SEC006webhook-security-bypass
Webhook signature verification should never be skipped
SEC007oauth-state-validation
OAuth callback missing state parameter validation
SEC008plaintext-secrets
Sensitive tokens stored without encryption in database schema