Security
The Security view is a local, always-on security analyst for your application. It combines two complementary lenses so you catch vulnerabilities during development, not in production.

Studio never sends your package.json, lockfile, code, or traffic anywhere. All analysis happens on your machine.
Why it matters
Most teams run npm audit once a sprint and ignore the results because the list is noisy and mostly transitive. Studio solves that with reachability scoring: it cross-references advisories against your actual imports, DI graph, and recorded traffic so you know which vulnerabilities your code actually reaches.
Header controls
The Security header gives you everything you need to stay current without leaving the view:
| Control | What it does |
|---|---|
| Grade banner | Single letter score (A to F) with a plain-language summary of why you got that grade. |
| Severity bar | Counts of CRITICAL / HIGH / MEDIUM / LOW / INFO findings across both tabs. |
| Auto-rescan | Toggle automatic re-scan when the lockfile changes on disk. |
| Export | Download a Markdown report of the current findings. |
| Rescan | Trigger a fresh npm audit + posture pass on demand. |
Expand How this grade is calculated to see the weighting breakdown Studio used for the current score:

Dependencies (supply-chain)
Switch to the Dependencies tab for CVE / GHSA / OSV advisories from npm audit, enriched with OSV.dev metadata.
When you open the Security view (or whenever the lockfile changes), the agent:
- Runs `npm audit --json` in a background child process (never on the request thread).
- Cross-references results against OSV.dev for richer metadata and non-npm advisories.
- Parses your lockfile into a dependency graph to build root-cause chains that show which direct dependency dragged in the vulnerable transitive package.
- Scores each finding for reachability:
| Reachability | Meaning |
|---|---|
| `confirmed` | A recorded exchange hit a route whose source transitively imports the vulnerable package. |
| `likely` | A route imports the package, but no recorded exchange has hit that route yet. |
| `unreachable` | The package is in the lockfile but no source file in `src/` imports it (e.g. dev-only transitive). |
| `unknown` | Recording is disabled or the source scan timed out. |
Each advisory shows severity, package and version, GHSA/CVE/OSV links, the root-cause chain, and a copy-pasteable fix command.
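The following is an added example, not Studio's own code: it reproduces the four reachability buckets from the table above and the root-cause chain, given a lockfile dependency graph, per-route import lists and the set of routes hit during recording. All package names, routes and advisory ids are constructed placeholders.

```javascript
// Added example, not Studio's own code: reproduce the reachability buckets from the table
// above and the root-cause chain over a lockfile graph. All names below are constructed.
const lockGraph = {                      // package -> direct dependencies (from lockfile)
  'web-framework': ['tiny-parser', 'legacy-xml'],
  'dev-linter': ['old-glob'],
  'tiny-parser': [], 'legacy-xml': [], 'old-glob': [],
};
const directDeps = ['web-framework', 'dev-linter'];   // from package.json
const routeImports = {                   // route -> packages its handler transitively imports
  'GET /users/:id': ['web-framework', 'tiny-parser'],
  'POST /import': ['web-framework', 'legacy-xml'],
  'GET /health': ['web-framework'],
};
const recordedRoutes = new Set(['GET /users/:id', 'GET /health']); // hit while recording
const advisories = [
  { id: 'GHSA-PLACEHOLDER-1', pkg: 'tiny-parser', severity: 'high' },
  { id: 'GHSA-PLACEHOLDER-2', pkg: 'legacy-xml', severity: 'moderate' },
  { id: 'GHSA-PLACEHOLDER-3', pkg: 'old-glob', severity: 'low' },
];

// BFS from each direct dependency to the vulnerable package; the path is the root-cause chain.
function rootCauseChain(graph, roots, target) {
  for (const root of roots) {
    const queue = [[root]], seen = new Set([root]);
    while (queue.length) {
      const path = queue.shift(), last = path[path.length - 1];
      if (last === target) return path;
      for (const dep of graph[last] || []) {
        if (!seen.has(dep)) { seen.add(dep); queue.push([...path, dep]); }
      }
    }
  }
  return null;                           // package is not in the lockfile graph
}

// confirmed > likely > unreachable, or unknown when the evidence is missing.
function classify(pkg, routes, recorded, { recordingEnabled = true, scanTimedOut = false } = {}) {
  if (!recordingEnabled || scanTimedOut) return 'unknown';
  const importing = Object.keys(routes).filter((r) => routes[r].includes(pkg));
  if (importing.length === 0) return 'unreachable';
  return importing.some((r) => recorded.has(r)) ? 'confirmed' : 'likely';
}

// Attach reachability and chain to every advisory; opts mirrors the "unknown" conditions.
function scoreFindings(opts) {
  return advisories.map((a) => ({ ...a,
    reachability: classify(a.pkg, routeImports, recordedRoutes, opts),
    chain: rootCauseChain(lockGraph, directDeps, a.pkg) }));
}
```

With these inputs the high advisory is `confirmed` (a recorded route imports it), the moderate one is `likely` (imported only by an unrecorded route) and the dev-linter transitive is `unreachable`.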
One-click fixes
Findings that share an upgrade target are grouped into FixGroups. Click Apply fix and Studio runs the command, streams live terminal output, and automatically re-scans when it finishes, with no manual npm audit cycle needed.
Runtime posture (OWASP API Top 10)
The Runtime Posture tab scores your recorded HTTP traffic, routes, logs, and DI graph against the OWASP API Security Top 10:

- OWASP heatmap: one tile per API1–API10 category, coloured by finding count. Click a tile to filter the list below.
- Auth coverage widget: how many routes were hit without an `Authorization` header or session cookie during recording.
- Finding cards: each posture issue links to its evidence (recorded exchange, route list, log line, or source file).
Checks include:
- BOLA: routes with `:id` params that respond without an auth guard.
- Broken Authentication: sensitive routes hit without an `Authorization` header.
- Excessive Data Exposure: response bodies leaking `password`, `apiKey`, `token` fields.
- Unrestricted Resource Use: routes responding > 2 s with no `TimeoutInterceptor`.
- Server-Side Misconfig: CORS `*`, missing helmet, and similar middleware gaps.
- Injection: error logs containing raw SQL or shell exception patterns.
- Improper Inventory: source-scanned routes that never appear in recordings (zombie routes).
Posture findings are heuristic. They are a valuable development-time second opinion, not a replacement for a formal security review.
Aggregate score
Both pillars feed a single letter grade (A to F) on the Status dashboard and in the Security header. `unreachable` supply-chain findings count at ⅕ weight, so a clean codebase with only dev-only transitive advisories still scores an A. Low-severity posture findings (such as unauthenticated dev routes) may appear while you still hold an A grade if no medium-or-higher issues exist.
Generate traffic with the API Client or your test suite so posture checks have recorded exchanges to analyse.