JavaScript Static Code Analysis: A Developer's Guide

Why JavaScript Needs Static Analysis

JavaScript's dynamic nature — weak typing, prototype-based inheritance, implicit coercions, and multiple module systems — creates a large surface area for bugs that are not caught until runtime. Static analysis compensates for the lack of a compiler by examining code structure, detecting anti-patterns, and enforcing consistency without executing the code.

JavaScript also runs in security-sensitive contexts (browsers, servers, mobile apps) where code vulnerabilities can lead to XSS, prototype pollution, and remote code execution. Static security analysis is essential for any production JavaScript codebase.

Key JavaScript Static Analysis Tools

ESLint

The dominant JavaScript linter. Highly configurable with an extensive plugin ecosystem. ESLint checks syntax errors, code style, and semantic issues through a pluggable rule system. Almost every JavaScript project uses ESLint.

ESLint Security Plugins

Security-specific ESLint rule sets extend core ESLint with security analysis:

• eslint-plugin-security — detects common injection risks, eval usage, prototype pollution
• eslint-plugin-no-unsanitized — catches unsanitized HTML insertion (innerHTML, document.write)
• eslint-plugin-node — Node.js-specific security rules

Prettier

A code formatter (not an analyzer) that enforces consistent style. Often paired with ESLint: Prettier handles formatting, ESLint handles code quality and security. Using both eliminates formatting debates from code review.

JSHint / JSDoc

Older tools, largely superseded by ESLint. JSHint is still used in some legacy codebases. JSDoc provides type checking based on JSDoc comments — a middle ground between plain JavaScript and full TypeScript.

Semgrep

A language-agnostic static analysis tool with strong JavaScript support. Uses pattern-matching rules to detect security vulnerabilities, coding anti-patterns, and custom policy violations. Particularly useful for detecting application-specific vulnerability patterns.

Common Issues Detected

• Use of eval() and Function() constructor — potential code injection
• Prototype pollution via Object.assign() or spread on user input
• Unsanitized innerHTML assignment — XSS risk
• Hardcoded API keys, tokens, and passwords in source
• Unchecked return values and unhandled Promise rejections
• Equality comparisons with == instead of ===
• var declarations and hoisting issues
• Unused variables and imports
• Missing error handling in async functions
• Regular expression denial of service (ReDoS) patterns

Running Static Analysis

Standard JavaScript static analysis workflow:

1. Install ESLint: npm install --save-dev eslint
2. Create configuration: npx eslint --init
3. Add security plugins: npm install --save-dev eslint-plugin-security
4. Extend configuration: add "plugin:security/recommended" to extends
5. Run analysis: npx eslint src/ --ext .js,.jsx
6. Integrate into CI: fail on any error-level finding

Common configuration presets: eslint:recommended (basic), airbnb (comprehensive), standard (community standard). Start with eslint:recommended and add rules incrementally.

ESLint Flat Config (v9+)

ESLint v9 introduced a new flat config format (eslint.config.js), replacing the legacy .eslintrc format. New projects should use flat config; it provides better composition and clearer precedence. Existing projects using .eslintrc can migrate gradually.

Connection to Autonomous Code Governance

JavaScript's dynamic nature makes autonomous remediation both more valuable and more challenging. ESLint's --fix flag auto-resolves many style and simple quality issues. For security findings (XSS risks, prototype pollution, eval usage), Hydra generates convention-matched fixes that address the root cause — not just flag the symptom — and verifies them with targeted security tests before opening a PR.