
Code Audit Sample

user-controller.js (snippet) · March 2025 · Sample report

This sample report shows a CodeAva static analysis run on a 94-line Node.js controller. Two critical security issues were identified — a hardcoded live API key and an eval() call — alongside debug statements and TODO debt. Four checks passed, confirming no SQL injection or XSS patterns were present.

Overall score: 60 / 100
Critical issues: 2
Warnings: 3
Passed checks: 4
Total checks: 9

Hardcoded API key detected (critical)

A secret key was found assigned directly in source code. If this file is committed to a public or shared repository, the credential is immediately exposed.

Line 14: const API_KEY = "sk_live_4xR9mNqT2vKpL8jW";

Fix: Move the key to an environment variable (process.env.STRIPE_API_KEY). Never commit .env files containing real secrets.

eval() usage detected (critical)

Dynamic code execution via eval() allows arbitrary JavaScript to run if user-controlled input reaches it. This is a critical security risk and almost always avoidable.

Line 38: const result = eval(userInput.formula);

Fix: Use a safe math expression parser (e.g. math.js) or restrict input to a known-safe whitelist of operations.

Debug statements (4 found) (warning)

Four console.log() calls were found in the snippet. Debug output left in production can leak sensitive data and pollutes logs.

Line 22: console.log('user object:', user);
Line 45: console.log('response:', apiResponse);
Line 67: console.log('token:', authToken);
Line 89: console.log('cart items:', cartData);

Unresolved TODO / FIXME comments (3 found) (warning)

Three TODO or FIXME comments indicate unresolved technical debt. These represent known issues that were deferred and may introduce bugs if left unaddressed.

Line 31: // TODO: validate input before passing to query
Line 56: // FIXME: this breaks on empty array
Line 78: // TODO: remove fallback once auth is fixed

Lines exceeding 120 characters (7 found) (warning)

Seven lines are longer than 120 characters, reducing readability and making diffs harder to review in standard code review tools.

Recommended fixes

1. Remove the hardcoded API key immediately (low effort)

Rotate the exposed key in your Stripe dashboard now, then move it to an environment variable. Treat all prior usages as compromised.

2. Replace eval() with a safe alternative (medium effort)

Swap eval() for a sandboxed math expression parser like math.js, or validate and whitelist the allowed operations before evaluation.

3. Strip all console.log calls (low effort)

Remove debug statements before merging to main. Consider adding an ESLint rule (no-console) to prevent them from shipping in future.

4. Resolve TODO comments or file issues (low effort)

Review each TODO/FIXME and either fix the underlying issue now or create a tracked ticket so nothing gets forgotten.

Run this audit on your own project

This is a sample report. Get your own scored results by pasting a URL or code snippet.