AI Assessment
VERDICT
Based on automated scanner findings, this repository shows significant code quality issues but manageable security exposure. The critical SQL injection finding in example code and multiple high-severity XSS/session configuration issues in examples require remediation before considering production-ready.
TOP RISKS
→ examples/route-map/index.js:51 was flagged for SQL injection via manual string construction from user input (critical severity).
→ examples/params/index.js:67, examples/resource/index.js:46, examples/route-map/index.js:37 were flagged for writing unsanitized user input directly to Response objects, creating XSS exposure (7 high-severity instances).
→ examples/auth/index.js:22, examples/cookie-sessions/index.js:13, examples/mvc/index.js:40 were flagged for session middleware with missing security attributes (httpOnly, secure, domain, path, expires across 5 instances each).
→ lib/response.js:125 was flagged for high cyclomatic complexity (CCN 22), indicating potential maintainability concerns.
WHAT TO FIX FIRST
Address examples/route-map/index.js:51 for the SQL injection vulnerability. This is the only critical finding and represents direct injection risk. Verify this against actual code to confirm whether parameterized queries are already in use (possible false positive).
SECONDARY FOCUS
The XSS issues in example files (examples/params/index.js:67, examples/resource/index.js:46, examples/route-map/index.js:37) should be fixed next. Session cookie configurations in examples/auth/index.js:22 need hardening.
NOTE: Most findings (4006 low-severity) relate to code style preferences (arrow functions, template literals, optional chaining). These do not impact production readiness but reflect modern JavaScript conventions. Verify critical findings against actual implementation before investing effort in low-severity refactoring.
Category Breakdown
Findings(4157 in 41 groups)
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries. | CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | OWASP: A01:2017 - Injection, A03:2021 - Injection, A05:2025 - Injection
Affected files
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. | CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | OWASP: A07:2017 - Cross-Site Scripting (XSS), A03:2021 - Injection, A05:2025 - Injection
Affected files
Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. | CWE: CWE-522: Insufficiently Protected Credentials | OWASP: A02:2017 - Broken Authentication, A04:2021 - Insecure Design, A06:2025 - Insecure Design
Affected files
Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. | CWE: CWE-522: Insufficiently Protected Credentials | OWASP: A02:2017 - Broken Authentication, A04:2021 - Insecure Design, A06:2025 - Insecure Design
Affected files
Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. | CWE: CWE-522: Insufficiently Protected Credentials | OWASP: A02:2017 - Broken Authentication, A04:2021 - Insecure Design, A06:2025 - Insecure Design
Affected files
Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. | CWE: CWE-522: Insufficiently Protected Credentials | OWASP: A02:2017 - Broken Authentication, A04:2021 - Insecure Design, A06:2025 - Insecure Design
Affected files
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. | CWE: CWE-522: Insufficiently Protected Credentials | OWASP: A02:2017 - Broken Authentication, A04:2021 - Insecure Design, A06:2025 - Insecure Design
Affected files
Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. | CWE: CWE-522: Insufficiently Protected Credentials | OWASP: A02:2017 - Broken Authentication, A04:2021 - Insecure Design, A06:2025 - Insecure Design
Affected files
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). | CWE: CWE-798: Use of Hard-coded Credentials | OWASP: A07:2021 - Identification and Authentication Failures, A07:2025 - Authentication Failures
Affected files
Biome rule: lint/correctness/noInnerDeclarations
Affected files
and 21 more files...
Share your ShipScanner
Show the world your code quality. Your report has a beautiful preview image built in.
Embed Trust Badge
Show your code quality score in your README. The badge updates automatically every time you re-scan.
[](https://shipscanner.dev/report/cmmt5z6c2000jkt04upfp0gib)