Integrate ESLint with Vulnetix. Lint JavaScript and TypeScript code with the Microsoft SARIF formatter and upload results.
Install & scan
$ npx eslint --version $ npx eslint -f @microsoft/eslint-formatter-sarif -o eslint.sarif .
Run ESLint in CI
Scan on every push and upload the results to Vulnetix:
- name: Install dependencies run: npm ci - name: Run ESLint with SARIF run: npx eslint -f @microsoft/eslint-formatter-sarif -o eslint.sarif . - name: Upload to Vulnetix run: vulnetix upload --file eslint.sarif
How Vulnetix compares — better together
Vulnetix does not replace ESLint. Keep running it. Vulnetix sits on top of ESLint — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
ESLint is strongest at its core category and also carries features in Secret Scanning — just like Vulnetix spans categories.
| Capability | Vulnetix | ESLint |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ~ Single-file AST lint; security plugins flag eval/innerHTML/unsafe regex but no cross-file taint/data-flow analysis |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ Only via community plugins (e.g. no-secrets) detecting high-entropy strings; not a dedicated secrets scanner |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What ESLint does well
- De facto standard linter for JavaScript/TypeScript with an enormous plugin ecosystem and deep editor/IDE and CI integration
- Highly configurable custom-rule engine (AST-based) that teams extend to enforce their own code-quality and safety patterns
- Security plugins (eslint-plugin-security, eslint-plugin-no-unsanitized, @microsoft/eslint-plugin-sdl) catch anti-patterns like eval(), innerHTML/dangerouslySetInnerHTML, and unsafe regex
- Ubiquitous, free, and fast — runs on every save and every commit, making it a natural first-line guardrail
Where Vulnetix adds to it: ESLint is the JS/TS linting core; Vulnetix ingests its SARIF (via @microsoft/eslint-formatter-sarif) into a cross-scanner deduplicated queue, then layers EPSS/KEV exploit-intel prioritisation, reachability, versioned VEX, and Safe Harbour autofix that ESLint's per-file rules cannot provide. Vulnetix adds SCA, container, IaC, cloud, and malware coverage ESLint never attempts.
No migration, no rip-and-replace. ESLint keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise ESLint results in Vulnetix
Upload ESLint SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.