You may have read the announcement today about the potential for supply chain attacks using characters within source files that are not visible to human code reviewers:
https://www.trojansource.codes/.
For some statically compiled languages, it may make sense to incorporate a check into the compiler instead of using an external script. However, for dynamic languages such as JavaScript, there are potential issues with that approach. These include:
- Finding out too late that these characters are in use. Dynamic languages may load a source file in the middle of execution. At that point the application is already deployed: you don't necessarily want to block it from running, and non-blocking warnings may not be noticed. It is more effective to scan all files that make up the application before it is run.
- The runtime overhead of the scan would be incurred unnecessarily every time the application is run. It is better to scan as part of your development/build/release processes, as that adds no runtime overhead once the application is deployed.
At this time, we do not plan to provide an option to scan at runtime. We recommend that external scripts/processes be used instead.