Scanning AI-Generated JavaScript and TypeScript

BrassCoders runs a Babel-based JavaScript and TypeScript scanner on .js, .ts, .jsx and .tsx files automatically, catching secrets and security patterns alongside Python.

Copper Sun Brass Team · 3 min read
security · oss-core

AI assistants write as much JavaScript and TypeScript as they write Python, and the same failure modes ride along: a hardcoded token in a config file, an unsafe pattern copied from a tutorial, an npm package that doesn’t exist. BrassCoders scans the JS/TS in your project automatically, using a real parser rather than a pile of regexes, in the same pass as the Python scan.

JS/TS Runs in the Same Scan

BrassCoders includes a JavaScript/TypeScript scanner that activates on its own when a scan finds .js, .ts, .jsx, or .tsx files, parsing them with a Node.js Babel parser and checking the AST for secrets and common security patterns. There’s no separate command and no separate config; the JS/TS findings land in the same .brass/ output as the Python ones, tagged by scanner.

That matters for the mixed repo, which is most repos now. A FastAPI backend with a React front end, a Python service with a TypeScript CDK stack — BrassCoders walks both languages in one run instead of leaving you to stitch a Python scanner and a JavaScript scanner together in CI.

Why a Babel Parse Beats a Regex

BrassCoders parses JavaScript and TypeScript into an abstract syntax tree with Babel rather than matching raw text, so a finding tracks the structure of the code instead of its formatting. A regex for a dangerous call breaks the moment someone renames a variable, reflows the lines, or wraps the call differently. An AST match doesn’t.

The parse also kills a whole class of false positives. A text search for a credential pattern fires inside comments and string literals that aren’t credentials; an AST-aware check knows whether it’s looking at a real assignment or a doc comment. BrassCoders uses the same structural approach across the stack — ast-grep and Semgrep cover the multi-language pattern layer, and the Babel scanner handles the JS/TS specifics.
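To show the difference concretely, here is an added example that is not BrassCoders code: a grep-style regex and a structure-aware check run over the same constructed snippet. The structure-aware half is a deliberately small lexer standing in for a Babel parse; it does the one thing the argument needs, which is to tell comments and string literals apart from real bindings before any credential pattern is tested. The sample source, the key prefixes and the name heuristics are all constructed for the demo.

```javascript
// Constructed sample (not real credentials): one real hardcoded key, one key
// reflowed across two lines, and a doc comment plus a log string that merely
// mention keys.
const SAMPLE = `
/**
 * Set STRIPE_KEY in the environment instead of writing
 * const stripeKey = "sk_live_REDACTED_EXAMPLE_0000000000";
 */
const message = 'const apiKey = "sk_live_in_a_log_string_only"';
const apiKey = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";
const githubToken =
  "ghp_16C7e42F292c6912E7710c838347Ae178B4a";
const envKey = process.env.STRIPE_KEY;
`;

// Grep-style check: one regex applied line by line to the raw text.
const NAIVE_RE = /(?:const|let|var)\s+\w*(?:key|token|secret)\w*\s*=\s*["']([^"']+)["']/i;

function regexScan(src) {
  const hits = [];
  for (const line of src.split("\n")) {
    const m = line.match(NAIVE_RE);
    if (m) hits.push(m[1]);
  }
  return hits;
}

// Minimal lexer: classifies comments (dropped), string literals, identifiers
// and single-character punctuation. Regex literals and template interpolation
// are out of scope for this sketch; Babel handles them properly.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  const lineAt = (pos) => src.slice(0, pos).split("\n").length;
  while (i < src.length) {
    const c = src[i];
    const next = src[i + 1];
    if (/\s/.test(c)) { i += 1; continue; }
    if (c === "/" && next === "/") {                  // line comment
      const end = src.indexOf("\n", i);
      i = end < 0 ? src.length : end;
      continue;
    }
    if (c === "/" && next === "*") {                  // block comment
      const end = src.indexOf("*/", i + 2);
      i = end < 0 ? src.length : end + 2;
      continue;
    }
    if (c === '"' || c === "'" || c === "`") {        // string literal
      let j = i + 1;
      while (j < src.length && src[j] !== c) {
        if (src[j] === "\\") j += 1;                  // skip escaped character
        j += 1;
      }
      tokens.push({ type: "string", value: src.slice(i + 1, j), line: lineAt(i) });
      i = j + 1;
      continue;
    }
    if (/[A-Za-z_$]/.test(c)) {                       // identifier or keyword
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j += 1;
      tokens.push({ type: "ident", value: src.slice(i, j), line: lineAt(i) });
      i = j;
      continue;
    }
    tokens.push({ type: "punct", value: c, line: lineAt(i) });
    i += 1;
  }
  return tokens;
}

// Structural check: an identifier whose name suggests a credential, bound with
// `=` or as an object property with `:` to a string literal carrying a known
// key prefix. Comments and unrelated strings never reach this test.
const NAME_RE = /key|token|secret|password/i;
const VALUE_RE = /^(?:sk_live_|ghp_)[A-Za-z0-9]{20,}$/;   // demo prefixes only

function structuralScan(src) {
  const t = tokenize(src);
  const findings = [];
  for (let k = 0; k + 2 < t.length; k += 1) {
    const name = t[k], op = t[k + 1], value = t[k + 2];
    const isBinding = op.type === "punct" && (op.value === "=" || op.value === ":");
    if (name.type === "ident" && NAME_RE.test(name.value) && isBinding &&
        value.type === "string" && VALUE_RE.test(value.value)) {
      findings.push({ name: name.value, value: value.value, line: value.line });
    }
  }
  return findings;
}

console.log("regex:", regexScan(SAMPLE));
console.log("structural:", structuralScan(SAMPLE));
```

Run it with node: the regex half reports the doc comment and the log string as secrets and misses the reflowed token entirely, while the structural half reports only the two real bindings, each with the line of the literal. Babel's AST goes further than this lexer (it knows a call from an assignment and an object key from a label), but the false-positive mechanism is already visible at the token level.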

What’s Covered, and the Honest Limit

BrassCoders’s JS/TS scanner covers secrets and common security patterns; it does not do full interprocedural taint analysis for TypeScript, and that’s a real boundary worth stating. The cross-file taint engine, Pyre/Pysa, is Python-only. A TypeScript bug whose tainted input crosses several files won’t be traced the way the Python equivalent is.

For TypeScript-heavy services that need deep taint coverage today, the honest recommendation is to pair BrassCoders with a TypeScript analyzer built for it, such as CodeQL: BrassCoders for the unified secrets-and-patterns pass plus the AI-coder detectors, CodeQL for full TS dataflow. Why single-file context misses cross-file taint in any language is covered in the cross-file bugs research.

Run It

The JS/TS scanner runs automatically; the only extra requirement is a Node.js 18+ install it can find:

pipx install brasscoders
brasscoders --offline scan

When the scan sees .js, .ts, .jsx, or .tsx files, the JavaScript/TypeScript layer activates and its findings appear in .brass/ alongside the Python results, each tagged with the scanner that produced it. For the full set of detectors in the pass, see what BrassCoders detects.

Frequently Asked Questions

Does BrassCoders scan JavaScript and TypeScript?

Yes. BrassCoders includes a JavaScript/TypeScript scanner that runs automatically when .js, .ts, .jsx, or .tsx files are present, using a Node.js Babel parser to analyze the AST. It covers secrets and common security patterns in JS/TS alongside the Python scan. Node.js 18+ is the only extra requirement.

Is JS/TS coverage as deep as Python?

No, and BrassCoders is upfront about it. Python is the primary focus, where the AI-coder performance and phantom-import rules apply. The JS/TS scanner covers secrets and common security patterns. Full interprocedural taint analysis for TypeScript is a known limitation — Pyre/Pysa is Python-only — so for deep TS taint, pair BrassCoders with a TypeScript analyzer like CodeQL.

Doesn't Semgrep already cover JavaScript?

It does, and BrassCoders bundles Semgrep's OSS ruleset for JS/TS too. The dedicated JS/TS scanner adds a Babel-AST layer on top, and the phantom-import check covers npm package names. Running both through one scan means you don't reconcile two JavaScript toolchains by hand.

What does the Babel parser buy over a regex?

AST-aware matching. A Babel parse understands the structure of the code, so a pattern survives identifier renames, reformatting, and whitespace changes that break a regex. The finding points at the real node — a call, an assignment — not a text match that might sit inside a comment or a string.

How do I scan a JS/TS project?

Run pipx install brasscoders, then brasscoders --offline scan from the project directory. The JS/TS scanner activates automatically when it sees .js/.ts/.jsx/.tsx files; findings land in .brass/ tagged by scanner. Install Node.js 18+ for the JS/TS layer.