Open-Awesome

electronegativity

Apache-2.0 · JavaScript · v1.10.0

A static analysis tool to identify security misconfigurations and anti-patterns in Electron applications.

1.0k stars · 71 forks · 0 contributors

What is electronegativity?

Electronegativity is a static analysis security tool specifically built for Electron applications. It scans source code, configuration files, and packaged archives to identify security misconfigurations and anti-patterns that could lead to vulnerabilities. The tool helps developers and auditors ensure their Electron apps follow security best practices by automating checks based on established guidelines.

Target Audience

Electron application developers and security auditors who need to identify and fix security weaknesses in desktop applications built with the Electron framework.

Value Proposition

Developers choose Electronegativity because it provides targeted, automated security analysis for Electron's unique risk profile, integrates into development workflows, and is backed by extensive security research from Doyensec.

Overview

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.

Use Cases

Best For

  • Auditing Electron applications for security misconfigurations before release
  • Integrating automated security checks into CI/CD pipelines for Electron projects
  • Identifying insecure patterns like disabled context isolation or dangerous Node.js integration
  • Checking for breaking changes and new vulnerabilities during Electron version upgrades
  • Educating developers about Electron security best practices through actionable findings
  • Performing static analysis on packaged ASAR archives without decompiling

Not Ideal For

  • Teams requiring actively maintained security tools with regular updates and bug fixes
  • Projects needing security testing beyond static analysis, such as dynamic testing or runtime monitoring
  • Non-Electron applications, as the tool is specifically designed for the Electron framework

Pros & Cons

Pros

Electron-Specific Security Checks

Identifies misconfigurations like disabled context isolation and weak CSPs by leveraging AST and DOM parsing, as outlined in the Electron Security Checklist.

CI/CD Pipeline Integration

Can be automated via GitHub Actions to provide continuous security feedback in development pipelines, demonstrated in the README with code scanning alerts.

Customizable Scanning Options

Allows fine-tuning with CLI flags and inline `eng-disable` comments to include or exclude specific checks, offering flexibility for targeted audits.

Version Upgrade Analysis

Checks for breaking changes and vulnerabilities when upgrading Electron versions, aiding in secure migrations with the `-u` flag for version comparisons.

Cons

Deprecated and Unmaintained

The project is no longer actively maintained, with the authors promoting ElectroNG as an improved alternative, meaning no future updates or security patches.

Manual Review Still Required

Despite the automation, a good understanding of Electron security is needed to interpret findings; the README acknowledges that some issues require manual investigation.

Performance and Memory Issues

Can encounter 'JavaScript heap out of memory' errors on large codebases, necessitating manual node memory adjustments like `--max-old-space-size=4096`, as noted in the usage section.

Quick Stats

  • Stars: 1,039
  • Forks: 71
  • Contributors: 0
  • Open Issues: 13
  • Last commit: 8 months ago
  • Created: Since 2017

Tags

#misconfiguration-detection #electron-app #vulnerability-detection #security #ci-cd #nodejs #security-auditing #application-security #sast #static-analysis #electron

Built With

Node.js

Included in

Electron 27.1k
