SAST Support for React framework (JavaScript)
Problem to solve
Support React (JavaScript framework) as part of JavaScript SAST.
Intended users
Security Analyst, DevOps Engineer
Further details
This request came in via customer ticket (internal): https://gitlab.zendesk.com/agent/tickets/118486
Proposal
Initial Thoughts
Our documentation states that we support JavaScript through the use of the ESLint Security Plugin.
However, it doesn't look like that ESLint setup includes any JSX rules, which would be needed for React.
Most likely it will need a similar setup to the ESLint React plugin.
Plan from Grooming
Add eslint-plugin-react to our ESLint analyzer and restrict it to the following rules:
- react/no-unescaped-entities
- react/no-unsafe
- react/jsx-no-target-blank
- react/no-danger-with-children
- react/no-danger
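As an added illustration (not the GitLab analyzer's own configuration), an ESLint config that loads eslint-plugin-react but enables only the five rules listed above, so the scan reports React-specific security findings without the plugin's style and correctness rules adding noise. It assumes eslint and eslint-plugin-react are installed in the scanned project and that the project declares its react version in package.json.

```javascript
// .eslintrc.js -- added example, not the GitLab analyzer's own config.
// Enables eslint-plugin-react but turns on only the five rules from the
// grooming plan; everything else in the plugin stays off.
module.exports = {
  parserOptions: {
    ecmaVersion: 2020,
    sourceType: 'module',
    ecmaFeatures: { jsx: true }, // required so JSX in React components parses
  },
  plugins: ['react'],
  settings: {
    // Assumption: the scanned project lists react in package.json; the
    // plugin reads the installed version from there.
    react: { version: 'detect' },
  },
  rules: {
    // dangerouslySetInnerHTML bypasses React's automatic escaping, so any
    // untrusted content passed to it is a DOM-based XSS sink.
    'react/no-danger': 'error',
    // An element with both dangerouslySetInnerHTML and children is invalid
    // and a sign that the rendered content is not what was intended.
    'react/no-danger-with-children': 'error',
    // target="_blank" without rel="noreferrer" gives the opened page access
    // to window.opener (reverse tabnabbing) and leaks the referrer.
    'react/jsx-no-target-blank': 'error',
    // Stray >, ", ' or } in JSX text usually means markup ended up rendered
    // as text or a tag was not closed where the author expected.
    'react/no-unescaped-entities': 'error',
    // Flags the deprecated UNSAFE_ lifecycle methods.
    'react/no-unsafe': 'error',
  },
};
```

Severity is set to 'error' for every rule so each finding is reported rather than only warned about; the analyzer would map these to its own report format.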
Documentation
Update the SAST documentation page to describe React as a scanner and use case we support now, including how to use the scanner and how to ensure that it is enabled.
What does success look like, and how can we measure that?
SAST works for React-based projects.
What is the type of buyer?
Existing Gold/Ultimate tier