# ast-grep rules catalog

<!-- GENERATED by scripts/gen-rule-catalogs.mjs — do not edit by hand. Run `npm run docs:rule-catalogs` after changing rules. -->

pi-lens bundles **435 enabled** ast-grep rules (251 pi-lens-authored + 184 vendored from CodeRabbit) across **16 languages**, plus 16 disabled.

See [`docs/custom-rules.md`](custom-rules.md) to add your own. Rule sources: `rules/ast-grep-rules/rules/` (pi-lens), `rules/ast-grep-rules/coderabbit/rules/` (vendored).

## Enabled rules

### C (9)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `dont-call-system-c` | warning | CodeRabbit | Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as cal… |
| `file-access-before-action-c` | warning | CodeRabbit | A check is done with `access` and then the file is later used. There is no guarantee that the status of the file has not changed since the… |
| `file-stat-before-action-c` | warning | CodeRabbit | A check is done with `stat` and then the file is used. There is no guarantee that the status of the file has not changed since the call to… |
| `insecure-hash-c` | warning | CodeRabbit | This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stron… |
| `libxml2-audit-parser-c` | warning | CodeRabbit | The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the p… |
| `null-library-function-c` | warning | CodeRabbit | The `$SOURCE` function returns NULL on error and this line dereferences the return value without checking for NULL. |
| `sizeof-this-c` | warning | CodeRabbit | Do not use `sizeof(this)` to get the number of bytes of the object in memory. It returns the size of the pointer, not the size of the objec… |
| `small-key-size-c` | warning | CodeRabbit | $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is less than the recommended key size of 2048 bits. |
| `world-writable-file-c` | warning | CodeRabbit | This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the be… |

### C++ (15)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `dont-call-system-cpp` | warning | CodeRabbit | Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as cal… |
| `file-access-before-action-cpp` | warning | CodeRabbit | A check is done with `access` and then the file is later used. There is no guarantee that the status of the file has not changed since the… |
| `file-stat-before-action-cpp` | warning | CodeRabbit | A check is done with `stat` and then the file is used. There is no guarantee that the status of the file has not changed since the call to… |
| `fix-format-security-error-cpp` | warning | CodeRabbit | The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. |
| `insecure-hash-cpp` | warning | CodeRabbit | This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stron… |
| `libxml2-audit-parser-cpp` | warning | CodeRabbit | The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the p… |
| `missing-nul-cpp-string-memcpy-copy-cpp` | warning | CodeRabbit | The number of bytes copied from `$STR` does not include the NUL terminator. This can lead to an out-of-bounds read and information disclosu… |
| `null-library-function-cpp` | warning | CodeRabbit | The `$SOURCE` function returns NULL on error and this line dereferences the return value without checking for NULL. |
| `return-c-str-cpp` | warning | CodeRabbit | "`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer is invalid after `$STR` goes out of scope, which can trigger a use a… |
| `sizeof-this-cpp` | warning | CodeRabbit | Do not use `sizeof(this)` to get the number of bytes of the object in memory. It returns the size of the pointer, not the size of the objec… |
| `small-key-size-cpp` | warning | CodeRabbit | $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is less than the recommended key size of 2048 bits. |
| `std-return-data-cpp` | warning | CodeRabbit | $FUNC` returns a pointer to the memory owned by `$VAR`. This pointer is invalid after `$VAR` goes out of scope, which can trigger a use aft… |
| `std-vector-invalidation-cpp` | warning | CodeRabbit | Modifying an `std::vector` while iterating over it could cause the container to reallocate, triggering memory corruption. |
| `string-view-temporary-string-cpp` | warning | CodeRabbit | This `std::string_view` is constructed from a temporary `std::string`. The `std::string` value is immeadiately destroyed after assignment a… |
| `world-writable-file-cpp` | warning | CodeRabbit | This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the be… |

### C# (11)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `httponly-false-csharp` | warning | CodeRabbit | "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid clie… |
| `insecure-binaryformatter-deserialization-csharp` | warning | CodeRabbit | The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as… |
| `jwt-decode-without-verify-csharp` | warning | CodeRabbit | Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unkn… |
| `jwt-hardcoded-secret-csharp` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `jwt-tokenvalidationparameters-no-expiry-validation-csharp` | warning | CodeRabbit | The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT toke… |
| `networkcredential-hardcoded-secret-csharp` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `npgsqlconnectionstringbuilder-hardcoded-secret-csharp` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `oracleconnectionstringbuilder-hardcoded-secret-csharp` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `sqlconnectionstringbuilder-hardcoded-secret-csharp` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `stacktrace-disclosure-csharp` | warning | CodeRabbit | Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a produc… |
| `use-ecb-mode-csharp` | warning | CodeRabbit | "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesG… |

### Go (23)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `avoid-bind-to-all-interfaces-go` | warning | CodeRabbit | "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all… |
| `defer-in-loop` | warning | pi-lens | defer is used inside a loop. This defers execution until after the entire function, not each iteration. |
| `go-defer-func-call-antipattern` | warning | pi-lens | defer with function-call args — arguments are evaluated immediately, not at defer time |
| `go-test-functions` | warning | pi-lens | Go test function detected — verify it follows the project's test naming convention |
| `gorilla-cookie-store-hardcoded-session-key-go` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `gorilla-csrf-hardcoded-auth-key-go` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `gorm-find-without-where` | warning | pi-lens | Unchecked .Find() without WHERE clause may load the entire table |
| `gorm-n-plus-one` | warning | pi-lens | N+1 query detected. GORM DB call inside loop causes performance issues. Batch queries with WHERE IN instead. |
| `grpc-client-insecure-connection-go` | warning | CodeRabbit | Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious a… |
| `jwt-go-none-algorithm-go` | warning | CodeRabbit | Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. Thi… |
| `loop-var-capture` | warning | pi-lens | Loop variable captured by goroutine; pass it as an argument or shadow it. |
| `missing-ssl-minversion-go` | warning | CodeRabbit | MinVersion` is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1… |
| `mutex-unlock-mismatch` | warning | pi-lens | Lock called but no corresponding defer Unlock; ensure Lock/Unlock are paired |
| `nil-map-assignment` | warning | pi-lens | Uninitialized map declared with 'var' - cannot assign values without calling make() |
| `openai-empty-secret-go` | warning | CodeRabbit | The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is rec… |
| `openai-hardcoded-secret-go` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ssl-v3-is-insecure-go` | warning | CodeRabbit | SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'. |
| `string-concat-in-loop` | warning | pi-lens | String concatenation in loops is inefficient; use strings.Builder instead |
| `tls-with-insecure-cipher-go` | warning | CodeRabbit | Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list o… |
| `unlock-in-loop` | warning | pi-lens | Calling Unlock inside loop without deferring; Lock/Unlock pairing may be broken |
| `unmarshal-tag-is-dash` | error | pi-lens | Struct field can be decoded with the `-` key because the JSON tag starts with a `-` but is followed by a comma. |
| `use-of-weak-rsa-key-go` | warning | CodeRabbit | RSA keys should be at least 2048 bits. |
| `waitgroup-done-scope` | warning | pi-lens | WaitGroup.Done() called outside goroutine; must be in same goroutine that called Add() |

### HTML (1)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `plaintext-http-link-html` | warning | CodeRabbit | "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." |

### Java (36)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `cbc-padding-oracle-java` | warning | CodeRabbit | Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with… |
| `cookie-httponly-false-java` | — | CodeRabbit | A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scri… |
| `cookie-missing-httponly-java` | warning | CodeRabbit | A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scri… |
| `cookie-missing-samesite-java` | warning | CodeRabbit | The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the appl… |
| `cookie-missing-secure-flag-java` | warning | CodeRabbit | A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie ove… |
| `cookie-secure-flag-false-java` | warning | CodeRabbit | A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie ove… |
| `datanucleus-hardcoded-connection-password-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `des-is-deprecated-java` | warning | CodeRabbit | DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-wit… |
| `desede-is-deprecated-java` | warning | CodeRabbit | Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. |
| `documentbuilderfactory-disallow-doctype-decl-false-java` | warning | CodeRabbit | DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entit… |
| `documentbuilderfactory-external-general-entities-true-java` | warning | CodeRabbit | External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http:… |
| `documentbuilderfactory-external-parameter-entities-true-java` | warning | CodeRabbit | External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http:… |
| `drivermanager-hardcoded-secret-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ecb-cipher-java` | warning | CodeRabbit | Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and re… |
| `hardcoded-connection-password-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `hardcoded-secret-in-credentials-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `java-jwt-hardcoded-secret-java` | warning | CodeRabbit | A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and use… |
| `jedis-jedisclientconfig-hardcoded-password-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `jedis-jedisfactory-hardcoded-password-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `missing-httponly-java` | warning | CodeRabbit | Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid clien… |
| `missing-secure-java` | warning | CodeRabbit | Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending t… |
| `no-null-cipher-java` | warning | CodeRabbit | NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Ci… |
| `passwordauthentication-hardcoded-password-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `rsa-no-padding-java` | warning | CodeRabbit | Using RSA without OAEP mode weakens the encryption. |
| `simple-command-injection-direct-input-java` | warning | CodeRabbit | "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An atta… |
| `system-setproperty-hardcoded-secret-java` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `unencrypted-socket-java` | info | CodeRabbit | "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffi… |
| `use-of-aes-ecb-java` | warning | CodeRabbit | Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instea… |
| `use-of-blowfish-java` | warning | CodeRabbit | 'Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered… |
| `use-of-default-aes-java` | warning | CodeRabbit | "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not… |
| `use-of-md5-digest-utils-java` | warning | CodeRabbit | 'Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic… |
| `use-of-md5-java` | warning | CodeRabbit | Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic s… |
| `use-of-rc2-java` | warning | CodeRabbit | Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure. |
| `use-of-rc4-java` | warning | CodeRabbit | 'Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a st… |
| `use-of-sha1-java` | warning | CodeRabbit | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic… |
| `weak-ssl-context-java` | warning | CodeRabbit | 'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use S… |

### JavaScript (76)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `array-callback-return-js` | error | pi-lens | return statements must be enforced in callbacks of array methods |
| `consistent-existence-index-check-js` | warning | pi-lens | Use .includes() instead of .indexOf() for existence checks |
| `detect-angular-sce-disabled-javascript` | warning | CodeRabbit | $sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surfac… |
| `enforce-node-protocol-js` | warning | pi-lens | Use node: prefix for Node.js built-in module imports |
| `express-jwt-hardcoded-secret-javascript` | warning | CodeRabbit | A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and use… |
| `express-session-hardcoded-secret-javascript` | warning | CodeRabbit | A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and use… |
| `hardcoded-url-js` | warning | pi-lens | Hardcoded URL — use config or environment variable |
| `incomplete-string-escaping-js` | warning | pi-lens | Regex replace escapes with a backslash before escaping backslashes |
| `jwt-no-verify-js` | error | pi-lens | Unsafe JWT operation — verification is bypassed |
| `jwt-simple-noverify-javascript` | warning | CodeRabbit | "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unk… |
| `nested-ternary-js` | warning | pi-lens | Nested ternary expressions are hard to read — use if/else or switch |
| `no-absolute-path-import-js` | warning | pi-lens | Absolute import path is not portable — use a relative or aliased path |
| `no-accumulating-spread-js` | warning | pi-lens | Avoid accumulating array spread in loops/reduce (O(n^2)); use push/flatMap |
| `no-alert-js` | warning | pi-lens | Avoid alert() — use a proper notification system |
| `no-array-constructor-js` | warning | pi-lens | Use array literal [] instead of new Array() |
| `no-array-reverse-mutation-js` | warning | pi-lens | .reverse() mutates the array in place — use toReversed() or slice first |
| `no-async-promise-executor-js` | error | pi-lens | Promise executor functions should not be async. |
| `no-await-expression-member-js` | hint | pi-lens | Unnecessary parentheses around await — write await expr.prop directly |
| `no-await-in-promise-all-js` | error | pi-lens | Avoid await inside Promise.all — use Promise.all with an array of promises instead |
| `no-await-in-promise-methods-js` | warning | pi-lens | Do not await inside Promise.all/allSettled — pass the promises directly |
| `no-blank-target-js` | warning | pi-lens | Links with target="_blank" must include rel to prevent opener leaks |
| `no-case-declarations-js` | error | pi-lens | Unexpected lexical declaration in case block — wrap in braces to restrict scope |
| `no-compare-neg-zero-js` | error | pi-lens | Disallow comparing against -0 |
| `no-cond-assign-js` | error | pi-lens | Expected a conditional expression and instead saw an assignment. |
| `no-console-except-error-js` | warning | pi-lens | Avoid console.log/debug/warn in production code — use a logger or console.error inside catch only |
| `no-constant-condition-js` | error | pi-lens | Unexpected constant condition |
| `no-discarded-error-js` | error | pi-lens | new Error() result discarded — add 'throw' or assign to a variable |
| `no-dupe-keys-js` | error | pi-lens | Disallow duplicate keys in object literals |
| `no-extra-boolean-cast-js` | warning | pi-lens | Unnecessary double negation '!!' — the value is already coerced in this context |
| `no-flag-argument-js` | warning | pi-lens | Flag argument — a boolean parameter the function branches on. Split into two functions. |
| `no-global-eval-js` | error | pi-lens | Avoid dynamic code execution (eval/Function/string timers) |
| `no-implied-eval-js` | error | pi-lens | Avoid implied eval via setTimeout/setInterval with string arguments |
| `no-inner-html-js` | error | pi-lens | Avoid innerHTML/outerHTML — use textContent or a sanitizer to prevent XSS |
| `no-insecure-randomness-js` | error | pi-lens | Math.random() used for security-sensitive operations — use crypto.getRandomValues() instead |
| `no-instanceof-array-js` | warning | pi-lens | Use Array.isArray() instead of instanceof Array — fails across realm boundaries |
| `no-instanceof-builtins-js` | error | pi-lens | Do not use instanceof with primitive wrapper types — use typeof instead |
| `no-javascript-url-js` | error | pi-lens | Avoid javascript: URLs — they can execute arbitrary code |
| `no-nan-comparison-js` | error | pi-lens | x === NaN is always false — use Number.isNaN(x) |
| `no-negation-in-equality-check-js` | error | pi-lens | Negation before equality check — !a === b evaluates as (!a) === b, not !(a === b) |
| `no-new-symbol-js` | error | pi-lens | Symbol cannot be called as a constructor. |
| `no-new-wrappers-js` | error | pi-lens | Do not use 'new' with wrapper objects — use literal primitives instead |
| `no-open-redirect-js` | error | pi-lens | Potential open redirect vulnerability — validate redirect URLs |
| `no-prototype-builtins-js` | error | pi-lens | Use Object.hasOwn() or Object.prototype.hasOwnProperty.call() instead of calling methods directly on the object |
| `no-single-promise-in-promise-methods-js` | warning | pi-lens | Promise.all/race with a single promise is unnecessary — await it directly |
| `no-sql-in-code-js` | error | pi-lens | Raw SQL string in code — use query builder or ORM |
| `no-throw-string-js` | error | pi-lens | Throw Error objects, not strings |
| `no-typeof-undefined-js` | hint | pi-lens | Use === undefined instead of typeof x === 'undefined' |
| `no-unimplemented-stub-js` | warning | pi-lens | Unimplemented stub — function was scaffolded but never completed |
| `no-unnecessary-array-flat-depth-js` | hint | pi-lens | .flat(1) is the default depth — just use .flat() |
| `no-useless-length-check-js` | warning | pi-lens | Use .some() instead of .filter().length check — short-circuits at first match |
| `no-useless-promise-resolve-reject-js` | warning | pi-lens | Unnecessary Promise.resolve/reject wrapping — return the value directly |
| `no-useless-rest-spread-js` | warning | pi-lens | Redundant spread into same container type — remove the extra spread |
| `node-rsa-weak-key-javascript` | warning | CodeRabbit | Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits. |
| `node-sequelize-empty-password-argument-javascript` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `node-sequelize-hardcoded-secret-argument-javascript` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `prefer-array-find-js` | warning | pi-lens | Use .find() instead of .filter()[0] — stops at first match |
| `prefer-array-flat-map-js` | warning | pi-lens | Use .flatMap() instead of .map().flat() — single pass, more efficient |
| `prefer-array-some-js` | warning | pi-lens | Use .some() instead of .filter().length check — short-circuits at first match |
| `prefer-at-js` | hint | pi-lens | Use .at(-1) instead of [length-1] for last element access |
| `prefer-date-now-js` | hint | pi-lens | Use Date.now() instead of new Date().getTime() |
| `prefer-dom-node-append-js` | hint | pi-lens | Use .append() instead of .appendChild() — accepts multiple nodes and strings |
| `prefer-dom-node-text-content-js` | warning | pi-lens | Use .textContent instead of .innerText — innerText triggers a layout reflow |
| `prefer-keyboard-event-key-js` | warning | pi-lens | Use event.key instead of event.keyCode/.which — keyCode is deprecated |
| `prefer-math-min-max-js` | hint | pi-lens | Use Math.min()/Math.max() instead of ternary for min/max |
| `prefer-number-properties-js` | warning | pi-lens | Use Number.isNaN()/Number.isFinite() instead of global isNaN()/isFinite() |
| `prefer-prototype-methods-js` | warning | pi-lens | Use Object.hasOwn() instead of .hasOwnProperty() |
| `prefer-query-selector-js` | hint | pi-lens | Use document.querySelector() instead of getElementById/getElementsByClassName |
| `prefer-string-slice-js` | hint | pi-lens | Use .slice() instead of .substring()/.substr() |
| `prefer-string-starts-ends-with-js` | warning | pi-lens | Use .startsWith()/.endsWith() instead of indexOf for prefix/suffix checks |
| `prefer-string-trim-start-end-js` | hint | pi-lens | Use .trimStart()/.trimEnd() instead of .trimLeft()/.trimRight() |
| `prefer-structured-clone-js` | warning | pi-lens | Use structuredClone() instead of JSON.parse(JSON.stringify()) for deep cloning |
| `strict-equality-js` | warning | pi-lens | Use === instead of == |
| `strict-inequality-js` | warning | pi-lens | Use !== instead of != |
| `throw-new-error-js` | error | pi-lens | Use new Error() not Error() — explicit construction is clearer |
| `unchecked-throwing-call-js` | error | pi-lens | $CALL without try/catch — throws on invalid input |
| `weak-rsa-key-js` | error | pi-lens | Weak RSA key size — use at least 2048 bits |

### Kotlin (5)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `des-is-deprecated-kotlin` | warning | CodeRabbit | DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-wit… |
| `desede-is-deprecated-kotlin` | warning | CodeRabbit | Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. |
| `jwt-hardcode-kotlin` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `rsa-no-padding-kotlin` | warning | CodeRabbit | Using RSA without OAEP mode weakens the encryption. |
| `system-setproperty-hardcoded-secret-kotlin` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |

### PHP (2)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `openssl-cbc-static-iv-php` | warning | CodeRabbit | Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data. |
| `search-active-debug-php` | warning | CodeRabbit | Debug logging is explicitly enabled. This can potentially disclose sensitive information and should never be active on production systems. |

### Python (96)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `avoid_app_run_with_bad_host-python` | warning | CodeRabbit | Running flask app with host 0.0.0.0 could expose the server publicly. |
| `avoid-mktemp-python` | warning | CodeRabbit | The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filenam… |
| `debug-enabled-python` | warning | CodeRabbit | Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, cons… |
| `hashids-with-django-secret-python` | warning | CodeRabbit | The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to con… |
| `hashids-with-flask-secret-python` | warning | CodeRabbit | The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to cons… |
| `insecure-cipher-algorithm-rc4-python` | warning | CodeRabbit | Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use… |
| `jwt-python-hardcoded-secret-python` | warning | CodeRabbit | Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definition… |
| `no-assert-tuple` | error | pi-lens | Assert should not be called on a tuple literal |
| `no-aws-access-key-literal` | error | pi-lens | AWS access keys should not be hardcoded — use IAM roles, environment variables, or AWS Secrets Manager |
| `no-aws-apigateway-no-auth` | error | pi-lens | AWS API Gateway should require authentication |
| `no-aws-s3-public-access` | error | pi-lens | S3 buckets should not grant access to all users or authenticated users |
| `no-bare-except` | error | pi-lens | Avoid bare 'except' — catch specific exceptions instead |
| `no-boolean-in-except` | error | pi-lens | Boolean expressions should not be used in except statements |
| `no-comparison-to-none` | error | pi-lens | Use 'is None' instead of '== None' for None comparison |
| `no-comparison-to-true-false` | warning | pi-lens | Unnecessary equality checks should not be made against True/False |
| `no-compile-call` | error | pi-lens | compile() called with dynamic input — arbitrary code execution risk |
| `no-db-string-literal-password` | error | pi-lens | Database connection should use a secure (non-empty) password |
| `no-dunder-exit-wrong-arity` | error | pi-lens | __exit__ should accept type, value, and traceback arguments |
| `no-duplicate-kwarg` | error | pi-lens | Function arguments should be passed only once |
| `no-ellipsis-body` | warning | pi-lens | Bare ellipsis body — function was scaffolded but never completed |
| `no-except-non-exception` | error | pi-lens | Caught Exceptions must derive from BaseException |
| `no-fastapi-router-prefix-outside-init` | warning | pi-lens | Router prefixes should be defined during APIRouter initialization |
| `no-flask-preprocess-request-ignored` | warning | pi-lens | Flask preprocess_request() return values should be handled |
| `no-flask-secret-key-literal` | error | pi-lens | Flask secret keys should not be hardcoded — use environment variables or a secrets manager |
| `no-flask-sendfile-without-mimetype` | warning | pi-lens | Flask send_file should specify mimetype or download_name |
| `no-hardcoded-password` | warning | pi-lens | Passwords should not be hardcoded — use environment variables or a secrets manager |
| `no-html-autoescape-off` | error | pi-lens | HTML autoescape mechanism should not be globally disabled |
| `no-http-headers-bracket-access` | warning | pi-lens | HTTP headers should be accessed via .get() to avoid KeyError |
| `no-identity-operator-on-literals` | error | pi-lens | Identity operators should not be used with literal values |
| `no-init-return` | error | pi-lens | __init__ should not return a value |
| `no-jinja2-autoescape-off` | error | pi-lens | Jinja2 Environment should not disable autoescape |
| `no-marshal-load` | error | pi-lens | marshal.load() — deserializing arbitrary Python bytecode, RCE risk |
| `no-mutable-contextvar-default` | error | pi-lens | Mutable default ContextVar() or dict.fromkeys() should not be used |
| `no-mutable-default` | error | pi-lens | Mutable default argument detected — use None and initialize inside function |
| `no-notimplemented-in-bool` | error | pi-lens | NotImplemented should not be used in boolean contexts |
| `no-numpy-nan-equality` | error | pi-lens | Equality checks should not be made against numpy.nan |
| `no-only-defined-names-in-dunder-all` | warning | pi-lens | Only defined names should be listed in __all__ |
| `no-python-sql-string-concat` | error | pi-lens | SQL query built via string concat — use parameterized queries |
| `no-raise-not-implemented` | warning | pi-lens | NotImplementedError stub — function was scaffolded but never completed |
| `no-raise-stopiteration-in-generator` | error | pi-lens | StopIteration should not be raised inside generators |
| `no-requests-verify-false` | warning | pi-lens | requests call has verify=False — TLS certificate verification disabled |
| `no-requests-without-timeout` | error | pi-lens | HTTP requests should specify a timeout |
| `no-return-value-in-generator` | error | pi-lens | 'return' with a value should not be used in a generator function |
| `no-secret-in-env-var-name` | warning | pi-lens | Secrets should not be hard-coded — use environment variables or a secrets manager |
| `no-server-bind-wildcard` | error | pi-lens | Web servers should not bind to all network interfaces |
| `no-singledispatch-on-method` | warning | pi-lens | @singledispatch should not be confused with @singledispatchmethod |
| `no-star-imports` | warning | pi-lens | Avoid wildcard imports — import specific names instead |
| `no-template-string-concat` | error | pi-lens | Template strings and str should not be concatenated directly |
| `no-testclient-text-without-content` | warning | pi-lens | TestClient requests should use content= for bytes/text |
| `no-uvicorn-non-import-string` | error | pi-lens | uvicorn.run should pass an import string when reload/debug/workers is set |
| `no-xxe-vulnerable-xml-parser` | error | pi-lens | XML parsers should not be vulnerable to XXE attacks |
| `no-yield-from-non-iterable` | warning | pi-lens | Iterable unpacking, for-in loops and yield from should use an Iterable object |
| `no-yield-return-outside-function` | error | pi-lens | 'yield' and 'return' should not be used outside functions |
| `only-strings-in-dunder-all` | error | pi-lens | Only strings should be listed in __all__ |
| `openai-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-cassandra-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-cassandra-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-couchbase-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-couchbase-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-elasticsearch-hardcoded-bearer-auth-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-ldap3-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-ldap3-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-mariadb-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-mariadb-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-mysql-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-mysql-hardcoded-secret-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-mysqlclient-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-mysqlclient-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-neo4j-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-neo4j-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-peewee-mysql-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-peewee-mysql-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-peewee-pg-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-peewee-pg-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-pg8000-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-pg8000-hardcoded-secret-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-psycopg2-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-psycopg2-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-pyjwt-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-pymongo-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-pymongo-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-pymssql-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-pymssql-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-pymysql-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-pymysql-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-redis-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-redis-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-requests-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-requests-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-requests-oauth-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-tormysql-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-tormysql-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-urllib3-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `python-webrepl-empty-password-python` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `python-webrepl-hardcoded-secret-python` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `unchecked-throwing-call-python` | error | pi-lens | Call without try/except — throws on invalid input or missing file |

### Ruby (19)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `force-ssl-false-ruby` | warning | CodeRabbit | Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencr… |
| `hardcoded-http-auth-in-controller-ruby` | warning | CodeRabbit | Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose thi… |
| `hardcoded-secret-rsa-passphrase-ruby` | warning | CodeRabbit | Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-cod… |
| `insufficient-rsa-key-size-ruby` | warning | CodeRabbit | The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher. |
| `ruby-aws-sdk-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-cassandra-empty-password-ruby` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `ruby-cassandra-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-detect-path-traversal` | warning | pi-lens | Potential path traversal sink — verify path arguments are sanitized |
| `ruby-excon-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-faraday-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-mongo-empty-password-ruby` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `ruby-mongo-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-mysql2-empty-password-ruby` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `ruby-mysql2-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-octokit-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-pg-empty-password-ruby` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `ruby-pg-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ruby-redis-empty-password-ruby` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `ruby-redis-hardcoded-secret-ruby` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |

### Rust (11)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `avoid-duplicate-export` | warning | pi-lens | Same item re-exported twice under different paths (e.g. `pub mod foo; pub use foo::Foo;` exposes `Foo` AND `foo::Foo`) |
| `empty-password-rust` | warning | CodeRabbit | The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is rec… |
| `hardcoded-password-rust` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `postgres-empty-password-rust` | warning | CodeRabbit | The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is rec… |
| `redundant-unsafe-function` | error | pi-lens | Unsafe function without unsafe block inside |
| `reqwest-accept-invalid-rust` | warning | CodeRabbit | Dangerously accepting invalid TLS |
| `rust-2024-let-chain-candidate` | info | pi-lens | nested if conditions can be collapsed into a Rust 2024 let-chain |
| `secrets-reqwest-hardcoded-auth-rust` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `ssl-verify-none-rust` | warning | CodeRabbit | SSL verification disabled, this allows for MitM attacks |
| `tokio-postgres-empty-password-rust` | warning | CodeRabbit | The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is rec… |
| `tokio-postgres-hardcoded-password-rust` | warning | CodeRabbit | The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is rec… |

### Scala (2)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `jwt-scala-hardcode-scala` | warning | CodeRabbit | Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definition… |
| `scala-jwt-hardcoded-secret-scala` | warning | CodeRabbit | Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definition… |

### Swift (5)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `aes-hardcoded-secret-swift` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `blowfish-hardcoded-secret-swift` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `chacha20-hardcoded-secret-swift` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `insecure-biometrics-swift` | info | CodeRabbit | The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. Thi… |
| `rabbit-hardcoded-secret-swift` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |

### TSX (7)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `inline-styles` | hint | pi-lens | Inline styles — use CSS modules or styled components |
| `jsx-boolean-short-circuit` | error | pi-lens | React JSX && pitfall — potentially renders 0 or NaN |
| `no-nested-links` | error | pi-lens | Nested <a> tags are invalid HTML and cause unexpected behavior |
| `no-string-ref` | warning | pi-lens | String refs are deprecated — use useRef callback or forwardRef instead |
| `no-unnecessary-state-initializer` | hint | pi-lens | Unnecessary useState initializer — useState with undefined uses the initial value automatically |
| `redundant-usestate-type` | info | pi-lens | `useState<TYPE>(...)` where TYPE is a primitive redundant — TS can infer it from the initial value |
| `unnecessary-react-hook` | warning | pi-lens | Function with a `use*` name does not call any other React hook — rename to a plain function |

### TypeScript (117)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `array-callback-return` | error | pi-lens | return statements must be enforced in callbacks of array methods |
| `consistent-existence-index-check` | warning | pi-lens | Use .includes() instead of .indexOf() for existence checks |
| `detect-angular-sce-disabled-typescript` | warning | CodeRabbit | $sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surfac… |
| `enforce-node-protocol` | warning | pi-lens | Use node: prefix for Node.js built-in module imports |
| `express-session-hardcoded-secret-typescript` | warning | CodeRabbit | A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and use… |
| `find-import-file-without-extension` | warning | pi-lens | ESM import / dynamic import of a relative path without a file extension |
| `hardcoded-url` | warning | pi-lens | Hardcoded URL — use config or environment variable |
| `incomplete-string-escaping` | warning | pi-lens | Regex replace escapes with a backslash before escaping backslashes |
| `jwt-no-verify` | error | pi-lens | Unsafe JWT operation — verification is bypassed |
| `jwt-simple-noverify-typescript` | warning | CodeRabbit | "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unk… |
| `large-class` | hint | pi-lens | Large class detected — consider splitting responsibilities |
| `long-parameter-list` | hint | pi-lens | Function has many parameters — consider using an options object |
| `missing-component-decorator` | warning | pi-lens | Angular lifecycle method (ngOnInit/ngOnDestroy) on a class without an @Component() decorator |
| `nested-ternary` | warning | pi-lens | Nested ternary expressions are hard to read — use if/else or switch |
| `no-absolute-path-import` | warning | pi-lens | Absolute import path is not portable — use a relative or aliased path |
| `no-alert` | warning | pi-lens | Avoid alert() — use a proper notification system |
| `no-any-type` | hint | pi-lens | Explicit 'any' type — use proper typing |
| `no-array-constructor` | warning | pi-lens | Use array literal [] instead of new Array() |
| `no-array-reverse-mutation` | warning | pi-lens | .reverse() mutates the array in place — use toReversed() or slice first |
| `no-as-any` | warning | pi-lens | Type assertion to 'any' — use proper typing |
| `no-async-promise-executor` | error | pi-lens | Promise executor functions should not be async. |
| `no-await-expression-member` | hint | pi-lens | Unnecessary parentheses around await — write await expr.prop directly |
| `no-await-in-promise-all` | error | pi-lens | Avoid await inside Promise.all — use Promise.all with an array of promises instead |
| `no-await-in-promise-methods` | warning | pi-lens | Do not await inside Promise.all/allSettled — pass the promises directly |
| `no-case-declarations` | error | pi-lens | Unexpected lexical declaration in case block — wrap in braces to restrict scope |
| `no-compare-neg-zero` | error | pi-lens | Disallow comparing against -0 |
| `no-cond-assign` | error | pi-lens | Expected a conditional expression and instead saw an assignment. |
| `no-console-except-error` | warning | pi-lens | Avoid console.log/debug/warn in production code — use a logger or console.error inside catch only |
| `no-constant-condition` | error | pi-lens | Unexpected constant condition |
| `no-demeter-message-chain` | warning | pi-lens | Message chain (Law of Demeter) — navigating 3+ deep through accessors couples the caller to the whole path. |
| `no-discarded-error` | error | pi-lens | new Error() result discarded — add 'throw' or assign to a variable |
| `no-dupe-class-members` | error | pi-lens | Duplicate class member '$NAME'. |
| `no-dupe-keys` | error | pi-lens | Disallow duplicate keys in object literals |
| `no-extra-boolean-cast` | warning | pi-lens | Unnecessary double negation '!!' — the value is already coerced in this context |
| `no-flag-argument` | warning | pi-lens | Flag argument — a boolean parameter the function branches on. Split into two functions. |
| `no-implied-eval` | error | pi-lens | Avoid implied eval via setTimeout/setInterval with string arguments |
| `no-inner-html` | error | pi-lens | Avoid innerHTML/outerHTML — use textContent or a sanitizer to prevent XSS |
| `no-insecure-randomness` | error | pi-lens | Math.random() used for security-sensitive operations — use crypto.getRandomValues() instead |
| `no-instanceof-array` | warning | pi-lens | Use Array.isArray() instead of instanceof Array — fails across realm boundaries |
| `no-instanceof-builtins` | error | pi-lens | Do not use instanceof with primitive wrapper types — use typeof instead |
| `no-javascript-url` | error | pi-lens | Avoid javascript: URLs — they can execute arbitrary code |
| `no-mutable-export` | warning | pi-lens | Exported 'let'/'var' is mutable — importers observe it change, creating hidden shared state; export 'const' |
| `no-nan-comparison` | error | pi-lens | x === NaN is always false — use Number.isNaN(x) |
| `no-negation-in-equality-check` | error | pi-lens | Negation before equality check — !a === b evaluates as (!a) === b, not !(a === b) |
| `no-new-symbol` | error | pi-lens | Symbol cannot be called as a constructor. |
| `no-new-wrappers` | error | pi-lens | Do not use 'new' with wrapper objects — use literal primitives instead |
| `no-non-null-assertion` | warning | pi-lens | Non-null assertion '!' used — prefer explicit null checks or optional chaining |
| `no-octal-literal` | warning | pi-lens | Legacy octal literal — a leading-zero number is parsed as octal in sloppy mode and throws in strict mode; use the 0o prefix |
| `no-open-redirect` | error | pi-lens | Potential open redirect vulnerability — validate redirect URLs |
| `no-prototype-builtins` | error | pi-lens | Use Object.hasOwn() or Object.prototype.hasOwnProperty.call() instead of calling methods directly on the object |
| `no-prototype-builtins-native` | hint | pi-lens | Use Object.hasOwn() instead of hasOwnProperty() — ES2022 standard |
| `no-relative-cross-package-import` | info | pi-lens | Avoid relative imports across package boundaries (../../). Use absolute imports (@app/..., @components/...) for better agent reasoning abou… |
| `no-return-await` | warning | pi-lens | Unnecessary 'await' in return statement — use direct return instead |
| `no-single-promise-in-promise-methods` | warning | pi-lens | Promise.all/race with a single promise is unnecessary — await it directly |
| `no-sort-without-comparator` | warning | pi-lens | .sort()/.toSorted() without a compare function sorts by string order — numbers sort wrong (e.g. [10,9,1] becomes [1,10,9]) |
| `no-sql-in-code` | error | pi-lens | Raw SQL string in code — use query builder or ORM |
| `no-throw-string` | error | pi-lens | Throw Error objects, not strings |
| `no-typeof-undefined` | hint | pi-lens | Use === undefined instead of typeof x === 'undefined' |
| `no-unimplemented-stub` | warning | pi-lens | Unimplemented stub — function was scaffolded but never completed |
| `no-unnecessary-array-flat-depth` | hint | pi-lens | .flat(1) is the default depth — just use .flat() |
| `no-useless-length-check` | warning | pi-lens | Use .some() instead of .filter().length check — short-circuits at first match |
| `no-useless-promise-resolve-reject` | warning | pi-lens | Unnecessary Promise.resolve/reject wrapping — return the value directly |
| `no-useless-rest-spread` | warning | pi-lens | Redundant spread into same container type — remove the extra spread |
| `node-rsa-weak-key-typescript` | warning | CodeRabbit | Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits. |
| `node-sequelize-empty-password-argument-typescript` | warning | CodeRabbit | The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or externa… |
| `node-sequelize-hardcoded-secret-argument-typescript` | warning | CodeRabbit | A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive da… |
| `prefer-array-find` | warning | pi-lens | Use .find() instead of .filter()[0] — stops at first match |
| `prefer-array-flat-map` | warning | pi-lens | Use .flatMap() instead of .map().flat() — single pass, more efficient |
| `prefer-array-some` | warning | pi-lens | Use .some() instead of .filter().length check — short-circuits at first match |
| `prefer-at` | hint | pi-lens | Use .at(-1) instead of [length-1] for last element access |
| `prefer-date-now` | hint | pi-lens | Use Date.now() instead of new Date().getTime() |
| `prefer-dom-node-append` | hint | pi-lens | Use .append() instead of .appendChild() — accepts multiple nodes and strings |
| `prefer-dom-node-text-content` | warning | pi-lens | Use .textContent instead of .innerText — innerText triggers a layout reflow |
| `prefer-keyboard-event-key` | warning | pi-lens | Use event.key instead of event.keyCode/.which — keyCode is deprecated |
| `prefer-math-min-max` | hint | pi-lens | Use Math.min()/Math.max() instead of ternary for min/max |
| `prefer-number-properties` | warning | pi-lens | Use Number.isNaN()/Number.isFinite() instead of global isNaN()/isFinite() |
| `prefer-optional-chain` | hint | pi-lens | Use optional chaining '?.' instead of logical AND for null checks |
| `prefer-prototype-methods` | warning | pi-lens | Use Object.hasOwn() instead of .hasOwnProperty() |
| `prefer-query-selector` | hint | pi-lens | Use document.querySelector() instead of getElementById/getElementsByClassName |
| `prefer-string-slice` | hint | pi-lens | Use .slice() instead of .substring()/.substr() |
| `prefer-string-starts-ends-with` | warning | pi-lens | Use .startsWith()/.endsWith() instead of indexOf for prefix/suffix checks |
| `prefer-string-trim-start-end` | hint | pi-lens | Use .trimStart()/.trimEnd() instead of .trimLeft()/.trimRight() |
| `prefer-structured-clone` | warning | pi-lens | Use structuredClone() instead of JSON.parse(JSON.stringify()) for deep cloning |
| `redos-nested-quantifier` | warning | pi-lens | Nested unbounded quantifier in regex — risks catastrophic backtracking (ReDoS) |
| `redundant-state` | warning | pi-lens | Redundant state — '$NAME' is only used to return it, inline the value |
| `require-await` | warning | pi-lens | Async function has no 'await' expression — consider removing 'async' keyword |
| `strict-equality` | warning | pi-lens | Use === instead of == |
| `strict-inequality` | warning | pi-lens | Use !== instead of != |
| `switch-without-default` | warning | pi-lens | switch has no default clause — values matching no case are silently ignored; add a default (even one that throws) |
| `throw-new-error` | error | pi-lens | Use new Error() not Error() — explicit construction is clearer |
| `ts-array-concat-spread` | warning | pi-lens | arr.concat([...items]) - use arr.push(...items) or [...arr, ...items] |
| `ts-array-every-some` | warning | pi-lens | arr.map(x => x.prop).every(Boolean) - use arr.every(x => !!x.prop) |
| `ts-boolean-return-if-else` | warning | pi-lens | if/else returning true/false - simplify to return the condition directly |
| `ts-defensive-null-guard` | warning | pi-lens | if (x === null \|\| x === undefined) return null - overly defensive early guard |
| `ts-delete-property` | warning | pi-lens | delete obj.prop - consider setting to undefined or restructuring instead |
| `ts-double-negation` | warning | pi-lens | !!value to coerce boolean - use Boolean(value) or truthiness directly |
| `ts-function-constructor` | warning | pi-lens | new Function() - avoid dynamic code evaluation |
| `ts-in-operator-loop` | warning | pi-lens | for (const key in obj) - use Object.keys/entries/values for safer iteration |
| `ts-isnan-check` | warning | pi-lens | x !== x to check NaN - use Number.isNaN(x) |
| `ts-json-stringify-parse` | warning | pi-lens | JSON.parse(JSON.stringify(x)) is noisy; use structuredClone or copy properly |
| `ts-manual-array-contains` | warning | pi-lens | arr.indexOf(x) comparison - use arr.includes(x) for existence check |
| `ts-nullish-coalescing-opportunity` | warning | pi-lens | x !== null && x !== undefined ? x : default - use x ?? default |
| `ts-object-hasown-check` | warning | pi-lens | obj.hasOwnProperty(key) - use Object.hasOwn(obj, key) or Object.prototype.hasOwnProperty.call |
| `ts-optional-chaining-default` | warning | pi-lens | obj && obj.prop ? obj.prop : default - use obj?.prop ?? default |
| `ts-parseint-no-radix` | warning | pi-lens | parseInt(x) without radix - use parseInt(x, 10) |
| `ts-pointless-bool-cast` | warning | pi-lens | Wrapping a condition in Boolean() is redundant ceremony |
| `ts-redundant-filter-map` | warning | pi-lens | arr.filter(x => x).map(...) - use flatMap or a single pass |
| `ts-slice-copy` | warning | pi-lens | arr.slice() to copy - use [...arr] spread |
| `ts-string-split-index` | warning | pi-lens | split(sep)[n] with a magic index - use destructuring or named variables |
| `ts-unnecessary-array-concat` | warning | pi-lens | concat([item]) with a single-element array - use push(item) or spread [...arr, item] |
| `ts-unnecessary-array-from` | warning | pi-lens | Array.from(iterable) in for-of - iterate the iterable directly |
| `ts-unnecessary-bind` | warning | pi-lens | fn.bind(this) in arrow function context - arrow functions capture this lexically |
| `ts-unnecessary-else-return` | warning | pi-lens | else after return - the else block is redundant |
| `ts-void-zero` | warning | pi-lens | void 0 for undefined - use undefined directly |
| `ts-while-index-length` | warning | pi-lens | while loop with index < length - consider for-of or array methods |
| `unchecked-throwing-call` | error | pi-lens | $CALL without try/catch — throws on invalid input |
| `weak-rsa-key` | error | pi-lens | Weak RSA key size — use at least 2048 bits |

## Disabled rules

Shipped but not dispatched (in `rules-disabled/`); enable by moving into `rules/`.

### Go (2)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `gorm-unbounded-preload` | warning | pi-lens | Unbounded GORM Preload detected. Consider adding a limit using Preload with a scoping function. |
| `shadow-err-variable` | warning | pi-lens | Error variable 'err' shadowed in inner scope; original error reference is lost |

### JavaScript (5)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `constructor-super-js` | error | pi-lens | super() must be called in derived class constructors. |
| `no-hardcoded-secrets-js` | error | pi-lens | Hardcoded secret detected — use process.env instead |
| `no-this-in-static-js` | error | pi-lens | Unexpected this in a static method — static methods have no instance context |
| `prefer-string-raw-js` | hint | pi-lens | Use String.raw for string literals with many backslashes |
| `unchecked-sync-fs-js` | warning | pi-lens | Unchecked sync fs call — throws on missing file or permission error |

### Python (1)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `no-method-field-name-collision` | warning | pi-lens | Methods and field names should not differ only by capitalization |

### TypeScript (8)

| Rule | Severity | Source | Description |
|---|---|---|---|
| `constructor-super` | error | pi-lens | super() must be called in derived class constructors. |
| `no-hardcoded-secrets` | error | pi-lens | Hardcoded secret detected — use process.env instead |
| `no-param-reassign` | warning | pi-lens | Do not reassign function parameters — create a new variable instead |
| `no-process-env` | warning | pi-lens | Avoid direct process.env access for secrets — use config service |
| `no-shadow` | warning | pi-lens | Variable '$NAME' shadows a variable from an outer scope |
| `no-this-in-static` | error | pi-lens | Unexpected this in a static method — static methods have no instance context |
| `prefer-string-raw` | hint | pi-lens | Use String.raw for string literals with many backslashes |
| `unchecked-sync-fs` | warning | pi-lens | Unchecked sync fs call — throws on missing file or permission error |
