BaseSec is a Static Application Security Testing (SAST) CLI tool for Node.js backends. It scans JavaScript and TypeScript code for security vulnerabilities using AST analysis and taint tracking.
Express, NestJS, Mongoose, TypeORM, Fastify, Koa, and Prisma. Auto-detection is enabled by default.
No. BaseSec is read-only. It parses and analyzes your code but never writes to source files.
On a typical codebase (~50 files), BaseSec scans in under 2 seconds. With caching enabled, rescans take ~400ms. With workers + cache, large codebases scan in ~130ms. See PERFORMANCE.md.
- < 50 files: No, worker startup overhead (~200ms) exceeds benefit
- 50-200 files: Auto-scaling handles this
- > 200 files: Explicitly set
--workers <cores>for best throughput
Yes:
basesec scan ./src --no-taintThis disables data-flow tracking. Rules that rely on taint analysis will produce fewer findings (only direct pattern matches).
Yes. BaseSec supports .basesecrc.ts, .basesecrc.mjs, .basesecrc.cjs, and .basesecrc.json.
Yes. Load custom rule files via the rules array in .basesecrc:
export default {
rules: ['./custom-rules/my-rule.mjs'],
};Use --ignore (repeatable) or the ignore config array:
basesec scan ./src -i "**/*.test.ts" -i "generated/**"Non-terminal formats (JSON, SARIF, HTML, Markdown) auto-save to ~/.basesec/scan-<timestamp>.<format> by default. Use -o <path> to specify a custom location:
# Auto-save to ~/.basesec/scan-2026-06-03T12-00-00.sarif
basesec scan ./src --format sarif
# Save to custom path
basesec scan ./src -f sarif -o ./results.sarifNo. Run BaseSec multiple times:
basesec scan ./src -f json -o report.json
basesec scan ./src -f html -o report.htmlYes. BaseSec generates SARIF 2.1.0 compatible output. Use github/codeql-action/upload-sarif to upload.
42 rules across 10 categories, plus AI-001 for AI-enhanced detection.
Not directly via CLI. Use rulesConfig in .basesecrc:
export default {
rulesConfig: {
'XSS-001': { enabled: false },
},
};Or run only specific rules:
basesec scan ./src -r SQLI-001,SQLI-002Taint analysis tracks data flow from untrusted sources (user input) to dangerous sinks (database queries, command execution). BaseSec marks variables as "tainted" when they originate from req.query, req.body, req.params, etc., and propagates taint through assignments, concatenation, and template literals.
No. BaseSec is fully functional without AI. All 42 security rules work offline with no external dependencies. AI enhancement is entirely opt-in.
When enabled, AI can:
- Provide detailed explanations for findings
- Detect suspicious taint flows that may bypass existing rules (AI-001)
- Add AI config to
.basesecrc:export default { ai: { enabled: true, provider: 'ollama', // or 'openai' model: 'llama3.2', }, };
- Run with
--aiflag:basesec scan ./src --ai
Ollama (local, recommended):
- Privacy-preserving: data never leaves your machine
- Requires
ollama serverunning locally - Free and open source
OpenAI:
- Requires
OPENAI_API_KEYenvironment variable - Data is sent to OpenAI's servers — see responsibility notice below
You are. BaseSec does not store, log, or retain any code sent to AI providers. However:
- When using OpenAI (or any cloud-based LLM), your code snippets are transmitted to the provider's servers
- Review the provider's privacy policy before use
- For maximum privacy, use Ollama (local) — no data leaves your machine
- BaseSec is not responsible for the privacy practices or data handling of third-party AI providers
Yes:
basesec scan ./src --ai --ai-dry-runYes, if you want builds to fail on any finding:
basesec scan ./src --strictCombine with --severity high to only fail on serious issues.
Yes. CI environments are ephemeral — caching provides no benefit and may cause stale results.
pnpm test
pnpm test:coverageSee CONTRIBUTING.md.
TypeScript Compiler API (ts.createSourceFile). Not ts-morph.