Configuration

Customize rnsec's scanning behavior with configuration files.

Configuration File

Create a .rnsec.jsonc or .rnsec.json file in your project root to customize scanning behavior.

.rnsec.jsonc
{
  "ignoredRules": [
    "ASYNCSTORAGE_SENSITIVE_KEY",
    "LOGGING_SENSITIVE_DATA"
  ],
  "npmVulnerabilityScanning": {
    "enabled": true,
    "dataSource": "npm-audit",
    "excludeDevDependencies": false
  }
}

Ignoring Rules

Suppress specific security rules by adding their IDs to the ignoredRules array.

Finding Rule IDs

To find the rule ID for a specific finding, check the ruleId field in the JSON output or HTML report.
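As an added example (not rnsec's own code), the script below tallies the `ruleId` values in an rnsec JSON report and merges the rules you decide to suppress into an existing config's `ignoredRules`. It assumes the report is an object with a `findings` array whose entries carry a `ruleId` string; the `findings`, `file` and `line` names and the sample report are constructed for this example, since the page only documents the `ruleId` field.

```javascript
// Added example, not rnsec's own code: tally the ruleId values in an rnsec JSON
// report and build the ignoredRules array for .rnsec.jsonc.
// Assumption: the report is an object with a `findings` array whose entries carry
// a `ruleId` string (the page documents the ruleId field; `findings`, `file` and
// `line` are assumed names). SAMPLE_REPORT is constructed for this example.

const SAMPLE_REPORT = {
  findings: [
    { ruleId: "ASYNCSTORAGE_SENSITIVE_KEY", file: "src/auth.ts", line: 12 },
    { ruleId: "LOGGING_SENSITIVE_DATA", file: "src/auth.ts", line: 40 },
    { ruleId: "LOGGING_SENSITIVE_DATA", file: "src/api.ts", line: 7 },
    { ruleId: "HARDCODED_SECRET", file: "src/config.ts", line: 3 },
  ],
};

// Count findings per rule, most frequent first (ties broken by rule ID) so the
// noisiest rules are easy to spot before deciding what to suppress.
function tallyRuleIds(report) {
  const counts = new Map();
  for (const finding of report.findings ?? []) {
    if (typeof finding.ruleId !== "string") continue; // skip malformed entries
    counts.set(finding.ruleId, (counts.get(finding.ruleId) ?? 0) + 1);
  }
  return [...counts.entries()].sort(
    (a, b) => b[1] - a[1] || a[0].localeCompare(b[0]),
  );
}

// Merge the chosen rule IDs into an existing config's ignoredRules, deduplicated
// and sorted, leaving every other key (e.g. npmVulnerabilityScanning) untouched.
// IDs that never appear in the report are rejected: a typo in ignoredRules would
// otherwise suppress nothing while looking like it had.
function buildConfig(existingConfig, report, rulesToIgnore) {
  const known = new Set(tallyRuleIds(report).map(([id]) => id));
  const unknown = rulesToIgnore.filter((id) => !known.has(id));
  if (unknown.length > 0) {
    throw new Error(`rule IDs not present in report: ${unknown.join(", ")}`);
  }
  const merged = new Set([...(existingConfig.ignoredRules ?? []), ...rulesToIgnore]);
  return { ...existingConfig, ignoredRules: [...merged].sort() };
}

// Render the config as it would be written to .rnsec.jsonc (plain JSON is valid JSONC).
function renderConfig(config) {
  return JSON.stringify(config, null, 2) + "\n";
}

// Usage: suppress the noisiest rule while keeping the existing config intact.
const existing = {
  ignoredRules: ["ASYNCSTORAGE_SENSITIVE_KEY"],
  npmVulnerabilityScanning: { enabled: true, dataSource: "npm-audit" },
};
for (const [ruleId, count] of tallyRuleIds(SAMPLE_REPORT)) {
  console.log(`${String(count).padStart(3)}  ${ruleId}`);
}
console.log(renderConfig(buildConfig(existing, SAMPLE_REPORT, ["LOGGING_SENSITIVE_DATA"])));
```

Rejecting rule IDs that do not occur in the report is a deliberate guard: `ignoredRules` is matched by exact string, so a misspelled ID silently ignores nothing. If you want to pre-suppress a rule that has not fired yet, drop that check.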

NPM Vulnerability Scanner

rnsec scans your npm dependencies for vulnerable and deprecated packages.

Configuration Options

enabled - Enable/disable npm scanning (default: true)
dataSource - "npm-audit" (real-time: runs npm audit against the registry, so it needs network access and a lockfile) or "hardcoded" (offline: matches against a built-in list) (default: "npm-audit")
excludeDevDependencies - Skip devDependencies (default: false)

Detection Capabilities

Vulnerable Packages (via npm audit), for example:

lodash < 4.17.21 (CVE-2021-23337) - Command injection - HIGH
axios < 0.21.1 (CVE-2020-28168) - SSRF vulnerability - MEDIUM
node-fetch < 2.6.7 (CVE-2022-0235) - Information exposure - HIGH
Plus all vulnerabilities from npm's official database

Deprecated Packages

request → Replace with axios/node-fetch
node-uuid → Replace with uuid
colors → Replace with chalk (after the January 2022 maintainer sabotage that also hit faker)
faker → Replace with @faker-js/faker
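As an added example (not rnsec's implementation), the script below shows what an offline ("hardcoded") dependency check comes down to, with the excludeDevDependencies option applied. The advisory table transcribes the three entries listed above and the deprecation list transcribes the one above it; the installed versions come from a constructed lockfile-style map, because ranges in package.json cannot tell you what is actually installed. The version comparator is a simplification: pre-release identifiers are compared lexically rather than by full semver precedence.

```javascript
// Added example, not rnsec's own code: what an offline ("hardcoded") dependency
// check comes down to, with the excludeDevDependencies option applied. ADVISORIES
// transcribes the three entries listed on this page; DEPRECATED transcribes the
// deprecation list. SAMPLE_LOCK is a constructed lockfile-style map of installed
// versions (ranges in package.json cannot tell you what is actually installed).

const ADVISORIES = [
  { name: "lodash", fixedIn: "4.17.21", id: "CVE-2021-23337", title: "Command injection", severity: "HIGH" },
  { name: "axios", fixedIn: "0.21.1", id: "CVE-2020-28168", title: "SSRF", severity: "MEDIUM" },
  { name: "node-fetch", fixedIn: "2.6.7", id: "CVE-2022-0235", title: "Information exposure", severity: "HIGH" },
];

const DEPRECATED = {
  request: "axios or node-fetch",
  "node-uuid": "uuid",
  colors: "chalk",
  faker: "@faker-js/faker",
};

// Parse "1.2.3", "v1.2.3", "1.2.3-beta.1" or "1.2.3+build" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ?? null };
}

// Numeric compare of major.minor.patch ("10.0.0" > "9.9.9", unlike a string compare).
// A pre-release sorts before its release (2.6.7-beta.1 < 2.6.7), so a pre-release
// of the fixed version is still reported as vulnerable. Pre-release identifiers are
// compared lexically here, a simplification of full semver precedence.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// installed: { dependencies: {name: version}, devDependencies: {name: version} }
// Returns one finding per matched advisory or deprecation, in dependency order.
function scanInstalled(installed, { excludeDevDependencies = false } = {}) {
  const groups = [["dependencies", installed.dependencies ?? {}]];
  if (!excludeDevDependencies) {
    groups.push(["devDependencies", installed.devDependencies ?? {}]);
  }
  const findings = [];
  for (const [group, deps] of groups) {
    for (const [name, version] of Object.entries(deps)) {
      for (const adv of ADVISORIES) {
        if (adv.name === name && compareVersions(version, adv.fixedIn) < 0) {
          findings.push({ kind: "vulnerable", group, name, version, id: adv.id,
            severity: adv.severity, fix: `upgrade ${name} to >= ${adv.fixedIn}` });
        }
      }
      // hasOwnProperty rather than `in`: a package named "constructor" would
      // otherwise match Object.prototype and be flagged as deprecated.
      if (Object.prototype.hasOwnProperty.call(DEPRECATED, name)) {
        findings.push({ kind: "deprecated", group, name, version,
          fix: `replace ${name} with ${DEPRECATED[name]}` });
      }
    }
  }
  return findings;
}

const SAMPLE_LOCK = {
  dependencies: { lodash: "4.17.20", axios: "0.21.1", "node-fetch": "2.6.1", react: "18.2.0" },
  devDependencies: { faker: "5.5.3", "node-fetch": "3.3.2" },
};

for (const f of scanInstalled(SAMPLE_LOCK)) {
  console.log(`[${f.kind}] ${f.group}/${f.name}@${f.version}: ${f.id ?? ""} ${f.fix}`);
}
```

Two details are worth noticing: axios at exactly 0.21.1 is not flagged, since that is the fixed version, and node-fetch 3.3.2 in devDependencies is not flagged because the major version is compared numerically rather than as a string. The same package can legitimately appear at different versions in the two groups, which is why the scan keys on the installed map rather than on package.json.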

NPM Badge in Reports

All npm-related findings are tagged with a red NPM badge in HTML reports for instant recognition and filtering.

Default File Patterns

rnsec automatically discovers and scans these file types:

Included Files

**/*.{js,jsx,ts,tsx} - JavaScript/TypeScript source files
**/*.json - Configuration files
**/*.xml - Android manifests
**/*.plist - iOS property lists
**/.env* - Environment files

Excluded Directories

**/node_modules/**
**/.git/**
**/dist/**
**/build/**
**/*.min.js
**/__tests__/**
**/android/app/build/**
**/ios/build/**

Technology Stack

@babel/parser - JavaScript/TypeScript AST parsing
@babel/traverse - AST traversal and analysis
fast-glob - Fast file discovery
commander - CLI framework
chalk - Terminal colors
ora - Loading spinners

Custom Exclusions

Custom exclusion patterns are not configurable yet. To limit a scan, use --path to point rnsec at specific directories, or open a feature request on GitHub.

© 2025 rnsec • Open source security