# tree-sitter rules catalog

<!-- GENERATED by scripts/gen-rule-catalogs.mjs — do not edit by hand. Run `npm run docs:rule-catalogs` after changing rules. -->

pi-lens bundles **164 enabled** tree-sitter query rules across **14 languages**, plus 21 disabled.

Rule source: `rules/tree-sitter-queries/<language>/`.

## Enabled rules

### C (12)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `c-hardcoded-secrets` | error | security | hard-coded secret detected in {{VARNAME}} — move to environment variables or secure vault |
| `goto-into-block` | warning | maintainability | goto statements should not be used to jump into blocks |
| `goto-label-order` | warning | maintainability | goto should jump to labels declared later in the same function |
| `memset-sensitive-data` | error | security | memset should not be used to erase sensitive data — use explicit_bzero, SecureZeroMemory, or memset_s |
| `no-bit-fields` | error | maintainability | bit fields should not be used — layout is implementation-defined and non-portable |
| `no-octal-literals` | error | maintainability | octal literal detected — use decimal or hexadecimal instead |
| `no-pointer-arithmetic-array-access` | error | maintainability | use array bracket notation instead of pointer arithmetic for indexing |
| `no-redundant-pointer-ops` | error | maintainability | redundant pointer operator sequence — simplify by removing canceling operators |
| `no-reserved-identifiers` | error | maintainability | identifier {{NAME}} uses a reserved namespace — identifiers beginning with '_' + uppercase or '__' are reserved by the implementation |
| `no-stdlib-name-as-id` | error | maintainability | {{NAME}} is a well-known C standard library name and should not be used as an identifier |
| `non-case-label-in-switch` | error | maintainability | non-case label inside switch statement — move label outside or restructure |
| `noreturn-returns` | error | reliability | function declared with noreturn attribute contains a return statement |

### C++ (6)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `no-auto-ptr` | error | reliability | std::auto_ptr should not be used — use std::unique_ptr instead |
| `no-confused-move-forward` | error | reliability | std::move and std::forward should not be confused |
| `no-memset-sensitive-data` | error | security | memset should not be used to delete sensitive data — use SecureZeroMemory or explicit_bzero |
| `no-scoped-lock-without-args` | error | reliability | std::scoped_lock should be created with constructor arguments |
| `noexcept-functions` | error | reliability | Function should be declared noexcept |
| `unnecessary-bit-ops` | error | maintainability | Unnecessary bit operation - has no effect |

### C# (5)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `async-await-identifiers` | warning | maintainability | 'async' and 'await' should not be used as identifiers |
| `is-with-this` | warning | maintainability | 'is' should not be used with 'this' — use GetType() comparison instead |
| `no-dangerous-get-handle` | warning | reliability | SafeHandle.DangerousGetHandle should not be called — use DangerousAddRef/DangerousRelease |
| `no-operator-eq-reference` | warning | maintainability | operator== should not be overloaded on reference types |
| `no-thread-resume-suspend` | error | reliability | {{METHOD}} should not be used — deprecated and causes deadlocks |

### CSS (1)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `calc-spacing` | error | reliability | calc() operands should be correctly spaced |

### Go (17)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `go-bare-error` | warning | error-handling | Error returned without handling — check err value |
| `go-command-injection` | error | security | Potential command injection sink — avoid shell command composition with user input |
| `go-context-background-handler` | warning | correctness | context.Background() in handler — use the request context (r.Context()) to propagate cancellation |
| `go-defer-in-loop` | warning | resource-management | defer in loop can cause resource exhaustion — move outside loop or use function |
| `go-direct-panic` | warning | reliability | Direct panic() call can crash the process — return or propagate an error instead |
| `go-empty-if-err` | warning | error-handling | Empty error handler — handle err or return it |
| `go-goroutine-loop-capture` | warning | concurrency | Goroutine launched in loop with captured variables — pass loop values as parameters |
| `go-hardcoded-secrets` | warning | security | Hardcoded {{VARNAME}} — use environment variables or a secrets manager |
| `go-ignored-call-result` | warning | error-handling | Call result assigned to '_' — verify this discard is intentional |
| `go-insecure-random` | warning | security | Insecure randomness source detected — use crypto/rand for security-sensitive values |
| `go-log-fatal` | warning | reliability | log.Fatal/log.Panic terminates execution — prefer returning errors from core logic |
| `go-mutex-copy` | warning | concurrency | sync.Mutex copied by value — copy breaks the lock; use a pointer receiver or embed via pointer |
| `go-path-traversal` | warning | security | Potential path traversal sink — sanitize and constrain file paths |
| `go-shared-map-write-goroutine` | error | concurrency | Map write inside goroutine may race — guard with synchronization or ownership boundaries |
| `go-sql-injection` | error | security | Potential SQL injection sink — use parameterized queries |
| `go-time-sleep-test` | warning | correctness | time.Sleep in test — use synchronisation (channel, WaitGroup, Eventually) instead of arbitrary sleeps |
| `go-weak-hash` | error | security | Weak hash primitive detected (md5/sha1) — use sha256+ for security-sensitive contexts |

### Java (24)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `infinite-loop-java` | error | reliability | Loop appears to be infinite with no break condition |
| `infinite-recursion` | error | reliability | Method '{{NAME}}' appears to recurse without termination condition |
| `junit-call-super` | error | maintainability | JUnit test case should call super method |
| `main-should-not-throw` | warning | reliability | main() should not declare throws — handle exceptions internally |
| `mockito-initialized` | error | reliability | @Mock/@InjectMocks object should be initialized with MockitoAnnotations.openMocks() |
| `name-capitalization-conflict` | error | maintainability | '{{NAME}}' differs only by capitalization from existing field/method |
| `no-clone-override` | warning | reliability | clone() should not be overridden — use copy constructor instead |
| `no-double-checked-locking` | error | reliability | Double-checked locking should not be used |
| `no-exit-methods` | error | maintainability | {{METHOD}} should not be called — use exceptions for normal termination |
| `no-field-shadowing` | error | maintainability | Field '{{NAME}}' should not shadow parent class field |
| `no-future-keywords` | error | maintainability | '{{NAME}}' is a future keyword and should not be used as an identifier |
| `no-octal-values` | error | maintainability | Octal value '{{VALUE}}' should not be used - use explicit 0o prefix if intended |
| `no-threadgroup` | warning | reliability | ThreadGroup should not be used — it's obsolete and unsafe |
| `no-threads-in-constructors` | error | maintainability | Threads should not be started in constructors |
| `no-wait-notify-on-thread` | error | reliability | {{METHOD}}() should not be called on Thread instances |
| `prepared-statement-valid-indices` | error | reliability | PreparedStatement/ResultSet methods should use valid indices (1-based) |
| `resources-closed` | error | reliability | Resource '{{RESOURCE}}' should be closed in finally block |
| `short-circuit-logic` | error | maintainability | Use '{{OP}}' instead of '{{BAD_OP}}' for short-circuit evaluation |
| `spring-session-attributes-setcomplete` | error | reliability | @Controller with @SessionAttributes must call setComplete on SessionStatus |
| `springboot-default-package` | error | reliability | @SpringBootApplication and @ComponentScan should not be used in default package |
| `switch-fall-through` | error | maintainability | Switch case should end with an unconditional break statement |
| `switch-non-case-labels` | error | reliability | Non-case labels should not be used inside switch statements |
| `tests-include-assertions` | error | maintainability | Test method should include at least one assertion |
| `unnecessary-bit-ops-java` | error | maintainability | Unnecessary bit operation - has no effect |

### JavaScript (2)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `switch-case-termination-js` | error | reliability | Switch case should end with break, return, throw, or continue |
| `switch-non-case-labels-js` | error | reliability | switch statements should not contain non-case labels |

### Kotlin (1)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `prepared-statement-indices` | error | reliability | PreparedStatement/ResultSet methods should use valid indices (1-based) |

### PHP (2)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `no-exit-die` | warning | reliability | {{FUNC}}() should not be used — use exceptions for error handling |
| `this-in-static-context` | error | reliability | $this should not be used in a static method context |

### Python (40)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `aws-public-access-policy` | error | security | AWS policy grants public access — security-sensitive |
| `bare-except` | warning | reliability | Bare 'except:' clause — catches SystemExit, KeyboardInterrupt |
| `endpoint-204-with-body` | warning | reliability | Endpoint with status_code=204 should not return a value |
| `eval-exec` | warning | security | {{FUNC}}() detected — security risk, code injection vulnerability |
| `exit-signature-check` | error | reliability | __exit__ should accept type, value, and traceback arguments |
| `in-operator-unsupported` | warning | reliability | 'in' operator used on object that may not support containment |
| `is-vs-equals` | warning | reliability | Using 'is' with literal — use '==' for value comparison |
| `iter-return-iterator` | warning | reliability | __iter__ should return an iterator (object with __next__ method) |
| `mutable-default-arg` | warning | reliability | Mutable default argument — list/dict/set as default value |
| `no-super-torchscript` | error | reliability | super() calls should not be used in TorchScript methods |
| `notimplemented-boolean-context` | error | reliability | NotImplemented should not be used in boolean contexts |
| `open-invalid-mode` | error | reliability | open() called with invalid mode '{{MODE}}' |
| `python-assert-production` | warning | correctness | assert statement stripped by Python -O flag — use explicit checks with exceptions in production code |
| `python-command-injection` | error | security | Potential command injection sink — avoid shell execution with dynamic input |
| `python-cross-language-method` | warning | correctness | '{METHOD}' is not a Python method — likely a {LANG} idiom leaking in |
| `python-debugger` | warning | debugging | Debugger call '{{FUNC}}' — remove before committing |
| `python-empty-except` | warning | reliability | Except block only contains 'pass' — handle or re-raise the exception |
| `python-hallucinated-import` | warning | correctness | Hallucinated import — '{NAME}' does not exist in '{MODULE}' |
| `python-hardcoded-secrets` | warning | security | Hardcoded {{VARNAME}} — use environment variables or a secrets manager |
| `python-insecure-deserialization` | error | security | Potential insecure deserialization sink — avoid unsafe loaders |
| `python-insecure-random` | warning | security | Insecure randomness source detected — use secrets or os.urandom for security-sensitive values |
| `python-mutable-class-attr` | warning | reliability | Class attribute '{{VARNAME}}' is mutable — shared across all instances |
| `python-path-traversal` | warning | security | Potential path traversal sink — sanitize and constrain file paths |
| `python-raise-string` | warning | reliability | raise with string literal — Python 3 requires exception instances |
| `python-sleep-in-test` | warning | correctness | time.sleep() in test — use synchronisation primitives or polling helpers instead of fixed sleeps |
| `python-special-method-arity` | error | reliability | Special method {{NAME}} has wrong arity — Python protocol expects {{EXPECTED}} |
| `python-sql-injection` | error | security | Potential SQL injection sink — use parameterized queries |
| `python-ssrf` | warning | security | Potential SSRF sink — validate/allowlist outbound URLs |
| `python-subprocess-shell` | warning | security | subprocess called with shell=True — command injection risk if any argument is user-controlled |
| `python-thread-global-write` | warning | concurrency | Thread creation detected — ensure shared state mutations are synchronized |
| `python-unsafe-regex` | warning | security | re.{{FUNC}}() with dynamic pattern — ReDoS risk if pattern is user-controlled |
| `python-weak-hash` | error | security | Weak hash primitive detected (MD5/SHA1) — use SHA-256+ for security-sensitive contexts |
| `return-in-generator` | error | reliability | 'return' with a value should not be used in a generator function |
| `return-in-init` | error | reliability | __init__ should not return a value — it must always return None |
| `send-file-mimetype` | error | reliability | send_file should specify 'mimetype' or 'download_name' when used with file-like objects |
| `slots-assignment-mismatch` | warning | reliability | Attribute '{{name}}' assigned in class with __slots__ but not declared |
| `string-format-arity-mismatch` | error | reliability | String format has wrong number of arguments — RuntimeError at format time |
| `unreachable-except` | warning | reliability | Unreachable except clause — earlier except catches all |
| `wildcard-import` | warning | readability | Wildcard import — pollutes namespace, hard to track origin |
| `yield-return-outside-function` | error | reliability | {{STATEMENT}} used outside function — syntax error |

### Ruby (15)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `ruby-command-injection` | warning | security | Potential command injection sink — avoid shell execution with untrusted input |
| `ruby-debugger` | warning | debugging | Debugger call '{{METHOD}}' — remove before committing |
| `ruby-dynamic-send` | warning | security | send() with dynamic method name — can invoke arbitrary methods including private ones |
| `ruby-empty-rescue` | warning | reliability | Empty rescue block — handle or re-raise the exception |
| `ruby-eval` | warning | security | eval() executes arbitrary code — security risk, avoid if possible |
| `ruby-hardcoded-secrets` | warning | security | Hardcoded {{VARNAME}} — use environment variables or a secrets manager |
| `ruby-insecure-deserialization` | warning | security | Potential insecure deserialization sink — avoid unsafe loaders |
| `ruby-insecure-random` | warning | security | Insecure randomness source detected — use SecureRandom for security-sensitive values |
| `ruby-open-struct` | warning | best-practices | OpenStruct is slow and makes debugging hard — use a plain class or Struct |
| `ruby-puts-statement` | warning | debugging | {{METHOD}} — remove debug output before committing |
| `ruby-rescue-exception` | warning | reliability | rescue Exception catches SystemExit and Interrupt — use StandardError |
| `ruby-sleep-in-test` | warning | correctness | sleep() in test — use synchronisation or polling helpers instead of fixed sleeps |
| `ruby-string-eval` | warning | security | eval/class_eval/instance_eval with string argument — arbitrary code execution risk |
| `ruby-unsafe-regex` | warning | security | Regexp.new with variable — ReDoS risk if pattern is user-controlled |
| `ruby-weak-hash` | error | security | Weak hash primitive detected (MD5/SHA1) — use SHA-256+ for security-sensitive contexts |

### Rust (6)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `rust-clone-in-loop` | info | performance | clone() in loop may hurt performance — consider borrowing or moving |
| `rust-expect` | warning | error-handling | expect() panics with a message — use ? or match for recoverable error handling |
| `rust-lock-held-across-await` | error | concurrency | Lock guard may be held across await — release lock before awaiting other work |
| `rust-todo-unimplemented` | warning | correctness | todo!() / unimplemented!() stub — function was scaffolded but never completed |
| `rust-unsafe-block` | warning | security | unsafe block — requires manual verification of memory safety invariants |
| `rust-unwrap` | warning | error-handling | unwrap() can panic — use ? or match for proper error handling |

### TSX (2)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `dangerously-set-inner-html` | error | security | dangerouslySetInnerHTML — XSS risk, sanitize user input |
| `no-nested-links` | error | correctness | Nested <a> tags are invalid HTML and cause unexpected behavior |

### TypeScript (31)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `console-statement` | warning | debugging | {{METHOD}} — remove debug statements before committing |
| `debugger-statement` | error | debugging | Debugger statement — remove before committing |
| `deep-nesting` | warning | complexity | Deep nesting (3+ levels) — consider early returns or extract functions |
| `deep-promise-chain` | warning | complexity | Promise chain {{M1}} → {{M2}} → {{M3}} → {{M4}} — consider async/await |
| `default-not-last` | error | maintainability | default clause should be the last case |
| `duplicate-function-arg` | error | reliability | Duplicate parameter name '{{NAME}}' |
| `empty-switch-case` | error | reliability | Switch case should not be empty |
| `infinite-loop` | error | reliability | Loop appears to be infinite with no termination condition |
| `mixed-async-styles` | warning | style | Mixed async/await + promise chains — use consistent async style |
| `no-console-in-tests` | warning | testing | console.{{METHOD}} in test block — use proper assertions or logging |
| `no-equality-in-for-condition` | warning | bug | for-loop uses ==/!= for termination — prefer </<=/>/>= so stepping past the bound still exits |
| `no-eval` | error | security | eval() detected — security risk, never use eval |
| `no-jump-in-finally` | warning | bug | return/break/continue/throw in finally overrides the try/catch result and silently swallows exceptions |
| `self-assignment` | error | reliability | '{{VAR}}' is assigned to itself |
| `sql-injection` | error | security | SQL injection risk — use parameterized queries, never interpolate into SQL |
| `switch-case-termination` | error | reliability | Switch case should end with break, return, throw, or continue |
| `switch-non-case-labels-ts` | error | reliability | switch statements should not contain non-case labels |
| `ts-command-injection` | error | security | Potential command injection sink — avoid child_process command execution with untrusted input |
| `ts-detached-async-call` | warning | concurrency | Detached async call — ensure this Promise is awaited or explicitly handled |
| `ts-dynamic-require` | error | security | Dynamic require() — non-literal argument allows loading arbitrary modules |
| `ts-hallucinated-react-import` | error | correctness | '{NAME}' is a Next.js API, not from 'react' — import from 'next/{CORRECT}' instead |
| `ts-incomplete-assertion` | error | testing | Incomplete assertion — expect() chain is not called |
| `ts-insecure-random` | warning | security | Insecure randomness source detected — use crypto.getRandomValues or secure RNG APIs |
| `ts-nosql-injection` | error | security | NoSQL injection — $where executes JavaScript server-side and must never be used with user input |
| `ts-open-redirect` | error | security | Open redirect — unvalidated URL in redirect/location lets attackers send users to malicious sites |
| `ts-react-antipatterns` | warning | correctness | React anti-pattern: setState inside a loop causes multiple re-renders — batch with a single state update |
| `ts-ssrf` | error | security | Potential SSRF sink — validate and allowlist outbound URLs |
| `ts-weak-hash` | error | security | Weak hash primitive selected (md5/sha1) — use sha256+ for security-sensitive contexts |
| `ts-xss-dom-sink` | error | security | XSS risk — dynamic value written to innerHTML/outerHTML or document.write() |
| `unsafe-regex` | error | security | Dynamic regex from user input — can cause ReDoS (Regular Expression Denial of Service) |
| `variable-shadowing` | warning | maintainability | Variable '{{NAME}}' shadows a parameter — use a distinct name |

## Disabled rules

### ABAP (1)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `delete-where` | error | reliability | DELETE FROM statement should have a WHERE clause |

### C (1)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `case-range-multiple-values` | warning | maintainability | Case range should cover multiple values |

### COBOL (2)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `alter-statement` | warning | maintainability | ALTER should not be used - causes spaghetti code |
| `lock-table-cobol` | error | maintainability | LOCK TABLE should not be used |

### PL/SQL (9)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `delete-update-where` | error | reliability | {{STATEMENT}} statement should contain a WHERE clause |
| `end-loop-semicolon` | error | reliability | END LOOP should be followed by a semicolon |
| `fetch-bulk-collect-limit` | error | reliability | FETCH ... BULK COLLECT INTO should not be used without a LIMIT clause |
| `forallsave-exceptions` | error | reliability | FORALL statement should use the SAVE EXCEPTIONS clause |
| `lock-table` | error | maintainability | LOCK TABLE should not be used |
| `nchar-nvarchar2-bytes` | error | reliability | NCHAR/NVARCHAR2 size should be in characters, not bytes |
| `no-synchronize` | error | reliability | SYNCHRONIZE should not be used |
| `not-null-initialization` | error | reliability | NOT NULL variable should be initialized |
| `raise-application-error-codes` | error | reliability | RAISE_APPLICATION_ERROR should only be used with error codes from -20000 to -20999 |

### Python (1)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `python-print-statement` | warning | debugging | print() — remove debug output before committing |

### TypeScript (7)

| Rule | Severity | Category | Description |
|---|---|---|---|
| `await-in-loop` | warning | performance | Await in loop — sequential execution is slow, use Promise.all() |
| `constructor-super` | error | correctness | Constructor of derived class must call super() before accessing 'this' |
| `empty-catch` | error | reliability | Empty catch block — properly handle or log the error |
| `hardcoded-secrets` | error | security | Hardcoded secret in variable assignment — use environment variables |
| `long-parameter-list` | warning | complexity | Function has {{PARAM_COUNT}} parameters — use object pattern |
| `nested-ternary` | warning | readability | Nested ternary — use if/else or early returns for clarity |
| `ts-path-traversal` | error | security | Potential path traversal sink — avoid filesystem I/O with untrusted input |
