What tools help find security vulnerabilities?

The short answer

The most common tools are: npm audit (checks dependencies for known vulnerabilities), linters like ESLint with security plugins, browser DevTools security tab, OWASP ZAP (automated security scanner), and Snyk or Dependabot (continuous dependency monitoring). The simplest thing you can do is run npm audit regularly.

Dependency scanning

npm audit — built into npm, checks your dependencies:

Copy
npm audit
npm audit fix  # automatically fix where possible

Snyk — more comprehensive dependency scanning with CI/CD integration.

Dependabot / Renovate — automatically opens PRs to update vulnerable dependencies.

Static analysis

ESLint security plugins:

• eslint-plugin-security — catches common security mistakes in Node.js
• eslint-plugin-no-unsanitized — catches dangerous DOM manipulation

These catch issues like eval() usage, innerHTML with user input, and unsafe regular expressions.

Browser tools

• DevTools Security tab — shows HTTPS status, certificate details, and mixed content warnings
• DevTools Network tab — check if sensitive data is sent over HTTP instead of HTTPS
• Lighthouse — audits security headers and HTTPS

Automated scanners

• OWASP ZAP — free, open-source web application security scanner
• Burp Suite — professional security testing tool
• Mozilla Observatory — scans your site's HTTP headers for security best practices

In practice

A good minimal setup:

1. Run npm audit as part of your CI/CD pipeline
2. Enable Dependabot on your GitHub repository
3. Add ESLint security plugins to your linting setup
4. Check security headers with Mozilla Observatory after deployment

Why interviewers ask this

This tests whether you think about security as part of your workflow, not just as an afterthought. Interviewers want to see if you use tools to catch vulnerabilities before they reach production.