code/js-jwt-none-algorithm

JWT verified with 'none' algorithm

criticalCode regexjwtCWE-347 ↗js

What it detects

Allowing the 'none' algorithm lets any caller forge tokens. Pin a specific algorithm list like ['HS256'] or ['RS256'].

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.