ast/timing-unsafe-credential-compare
Timing attack: credential compared with == / === instead of constant-time compare
What it detects
A `===` or `==` comparison was used against an identifier or property named like a credential (password / token / secret / signature / hmac / apiKey / csrf / etc.). JavaScript string equality returns as soon as it finds the first differing character (or a length mismatch), so an attacker measuring response times can deduce the secret one byte at a time. Use `crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))` (after an equal-length check, since `timingSafeEqual` throws on buffers of different length) or a library helper like `@noble/hashes/utils.equalBytes`.
How it runs
Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.