I Benchmarked 17 ESLint Security Plugins. Only One Found Every Vulnerability.

I ran 40 real-world vulnerable patterns through every major ESLint security plugin — from eslint-plugin-security to SonarJS to Microsoft SDL. The detection gaps are alarming.

lunedì 25 maggio 2026 New tab

1,543 words~7 min read

Skip to: Full Results | Category Breakdown | The Leaderboard | Methodology

TL;DR

I built a benchmark suite with 40 vulnerable code patterns across 14 CWE categories and 38 verified-safe patterns. Then I ran 17 ESLint plugins against them — every major security, quality, and framework plugin in the ecosystem.

One plugin achieved a perfect score. Most others detected under 50% of patterns.

Rank

I Benchmarked 17 ESLint Security Plugins. Only One Found Every Vulnerability.

I Benchmarked 17 ESLint Security Plugins. Only One Found Every Vulnerability.

Other newsrooms on this story

Related reading

The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

9 in 10 Docker Compose files skip the basic security flags

Master XSS the Practical Way: Introducing xss-labs

Verified or Not? Ep. 2 — Snyk's Own Test App Scanned With 9 Engines

WordPress security: the 10-minute monthly checklist that catches real problems

I built a security scanner, never shipped it, and finally finished the job

Related reading

The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

9 in 10 Docker Compose files skip the basic security flags

Master XSS the Practical Way: Introducing xss-labs

Verified or Not? Ep. 2 — Snyk's Own Test App Scanned With 9 Engines

WordPress security: the 10-minute monthly checklist that catches real problems

I built a security scanner, never shipped it, and finally finished the job

Other newsrooms on this story