code/js-command-injection

Command Injection: shell exec with user-controlled argument

criticalCode regexcommand-injectionCWE-78 ↗js

What it detects

child_process.exec/execSync/spawn runs a shell command that includes untrusted input. Use execFile with an argv array instead.

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.