Tool integration

ESLint Integration Guide

JavaScript/TypeScript linter with SARIF formatter

Get a Free API Key

Integrate ESLint with Vulnetix. Lint JavaScript and TypeScript code with the Microsoft SARIF formatter and upload results.

JavaScript / TypeScriptCLI toolSARIF

Install & scan

$ npx eslint --version
$ npx eslint -f @microsoft/eslint-formatter-sarif -o eslint.sarif .

Run ESLint in CI

Scan on every push and upload the results to Vulnetix:

- name: Install dependencies
  run: npm ci

- name: Run ESLint with SARIF
  run: npx eslint -f @microsoft/eslint-formatter-sarif -o eslint.sarif .

- name: Upload to Vulnetix
  run: vulnetix upload --file eslint.sarif

How Vulnetix compares — better together

Vulnetix does not replace ESLint. Keep running it. Vulnetix sits on top of ESLint — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

ESLint is strongest at its core category and also carries features in Secret Scanning — just like Vulnetix spans categories.

CapabilityVulnetixESLint
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation~ Single-file AST lint; security plugins flag eval/innerHTML/unsafe regex but no cross-file taint/data-flow analysis
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history~ Only via community plugins (e.g. no-secrets) detecting high-entropy strings; not a dedicated secrets scanner
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What ESLint does well

Where Vulnetix adds to it: ESLint is the JS/TS linting core; Vulnetix ingests its SARIF (via @microsoft/eslint-formatter-sarif) into a cross-scanner deduplicated queue, then layers EPSS/KEV exploit-intel prioritisation, reachability, versioned VEX, and Safe Harbour autofix that ESLint's per-file rules cannot provide. Vulnetix adds SCA, container, IaC, cloud, and malware coverage ESLint never attempts.

No migration, no rip-and-replace. ESLint keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise ESLint results in Vulnetix

Upload ESLint SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

ESLint documentation ↗  ·  Source repository ↗

Wire ESLint into your CI/CD pipeline →