Static Analysis Rules

Join the Preview!

Code Analysis is in Preview.

Code Analysis is not available for the site.

Overview

Datadog Static Analysis provides out-of-the-box rules to help detect violations in your CI/CD pipelines in code reviews and identify bugs, security, and maintainability issues. For more information, see the Setup documentation.

Ruleset ID: csharp-best-practices Rules to enforce C# best practices.
avoid-call-gc-suppress-finalize
>
no-empty-finalizer
>
finalizer-no-exception
>
avoid-formattablestring
>
no-nested-ternary
>
avoid-notimplementedexception
>
sealed-class-protected-members
>
redundant-modifiers
>
no-sleep-in-tests
>
avoid-gc-collect
>
dispose-objects-once
>
comparison-nan
>
no-exception-special-methods
>
use-specific-exceptions
>
avoid-non-existing-operators
>
objects-ensure-use
>
exception-must-be-thrown
>
catch-nullreference
>
no-empty-default
>
tostring-not-return-null
>
use-assembly-load
>
Ruleset ID: csharp-code-style Rules to enforce C# code style.
short-class-name
>
short-method-name
>
class-naming-conventions
>
variable-naming-conventions
>
interface-first-letter
>
Ruleset ID: csharp-inclusive Rules to make your C# code more inclusive.
Ruleset ID: csharp-security Rules focused on finding security issues in your C# code.
Ruleset ID: github-actions Rules to check your GitHub Actions and detect unsafe patterns, such as permissions or version pinning.
Ruleset ID: go-best-practices Rules to make writing Go code faster and easier. From code style to preventing bugs, this ruleset helps developers writing performant, maintainable, and efficient Go code.
avoid-bare-return
>
time-parse-format
>
avoid-empty-critical-sections
>
valid-regular-expression
>
manual-string-trimming
>
negative-zero
>
redundant-nil-check
>
loop-regexp-match
>
superfluous-else
>
useless-bitwise-operation
>
bad-nil-guard
>
invalid-host-port-pair
>
merge-declaration-assignment
>
comparing-address-nil
>
comparison-true
>
defer-lock
>
redefine-builtin-id
>
redundant-negation
>
math-pow-expansion
>
inefficient-string-comparison
>
invalid-seek-value
>
do-not-compare-nan
>
omit-default-slice-index
>
redundant-type-var-declaration
>
compare-identical
>
unnecessary-blank-identifier
>
mod-one-always-zero
>
simplify-boolean-expression
>
simplify-pointer-operation
>
Ruleset ID: go-security Detect common security issues (such as SQL injection, XSS, or shell injection) in your Go codebase.
command-injection
>
unescape-template-data-js
>
grpc-client-insecure
>
grpc-server-insecure
>
avoid-rat-setstring
>
import-cgi
>
tls-skip-verify
>
http-request-secure
>
chmod-permissions
>
decompression-bomb
>
range-memory-aliasing
>
cookie-secure
>
session-secure
>
unsafe-reflection
>
Ruleset ID: java-best-practices Rules to enforce Java best practices.
avoid-calendar-creation
>
avoid-string-instantiation
>
avoid-reassigning-parameters
>
redundant-initializer
>
avoid-printstacktrace
>
default-label-not-last-in-switch
>
add-empty-string
>
return-internal-array
>
avoid-reassigning-catch-vars
>
while-loop-with-literal-boolean
>
preserve-stack-trace
>
replace-vector-with-list
>
array-is-stored-directly
>
replace-hashtable-with-map
>
missing-switch-statement-default
>
simplify-test-assertions-boolean
>
Ruleset ID: java-code-style Rules to enforce Java code style.
Ruleset ID: java-inclusive Rules for Java to avoid inappropriate wording in the code and comments.
Ruleset ID: java-security Rules focused on finding security issues in Java code.
keygenerator-avoid-des
>
ldap-injection
>
sql-string-tainted
>
avoid-null-cipher
>
sql-injection
>
json-unsafe-deserialization
>
spring-request-file-tainted
>
bad-hexa-concatenation
>
cookies-http-only
>
spring-csrf-disable
>
message-digest-custom
>
no-des-cipher
>
unvalidated-redirect
>
aes-ecb-insecure
>
cipher-padding-oracle
>
trust-boundaries
>
ignore-saml-comment
>
algorithm-no-hardcoded-secret
>
path-traversal-file-read
>
command-injection
>
object-deserialization
>
http-parameter-pollution
>
ldap-entry-poisoning
>
path-traversal
>
tainted-url-host
>
xss-protection
>
weak-message-digest-sha1
>
smtp-insecure-connection
>
spring-csrf-requestmapping
>
sql-injection-turbine
>
sql-injection-hibernate
>
potential-sql-injection
>
unencrypted-socket
>
Ruleset ID: javascript-best-practices Rules to enforce JavaScript best practices.
no-duplicate-case
>
no-dupe-class-members
>
no-unused-expressions
>
Ruleset ID: javascript-browser-security Rules focused on finding security issues in your JavaScript web applications.
event-check-origin
>
react-dangerously-inner-html
>
local-storage-sensitive-data
>
postmessage-permissive-origin
>
Ruleset ID: javascript-common-security Rules focused on finding security issues in your JavaScript code.
axios-avoid-insecure-http
>
xml-no-external-entities
>
unique-function-arguments
>
Ruleset ID: javascript-inclusive Rules for JavaScript to avoid inappropriate wording in the code and comments.
Ruleset ID: javascript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage.
Ruleset ID: kotlin-best-practices Rules to enforce Kotlin best practices.
Ruleset ID: kotlin-code-style Rules to enforce Kotlin code style.
function-name-min-length
>
angle-bracket-spacing
>
annotation-spacing
>
argument-list-wrapping
>
block-comment-formatting
>
no-consecutive-comments
>
no-consecutive-blank-lines
>
curly-bracket-spacing
>
double-colon-spacing
>
extension-function-spacing
>
function-return-type-spacing
>
function-type-modifier-spacing
>
nullable-type-spacing
>
unary-operator-spacing
>
enum-entry-naming
>
no-line-break-before-assignment
>
no-empty-lead-line-class
>
no-empty-lead-line-method
>
Ruleset ID: php-best-practices Rules to enforce PHP best practices, enhancing code style, preventing bugs, and promoting performant, maintainable, and efficient PHP code.
Ruleset ID: php-code-style Rules to enforce PHP code style.
Ruleset ID: php-security Rules focused on finding security issues in your PHP code.
laravel-path-traversal-storage
>
unsafe-entity-loader
>
laravel-avoid-path-injection
>
no-pseudo-random
>
symfony-csrf-disabled
>
curl-hostname-verification
>
laravel-cookie-not-encrypted
>
ldap-authenticate-connection
>
ldap-injection
>
laravel-native-sql-injection
>
laravel-raw-sql-injection
>
curl-certificate-verification
>
Ruleset ID: python-best-practices Best practices for Python to write efficient and bug-free code.
function-already-exists
>
assertraises-specific-exception
>
invalid-assert
>
avoid-string-concat
>
unreachable-code
>
function-variable-argument-name
>
self-assignment
>
no-base-exception
>
return-outside-function
>
any-type-disallow
>
no-bare-except
>
finally-no-break-continue-return
>
no-datetime-today
>
no-double-unary-operator
>
dataclass-special-methods
>
comparison-constant-left
>
ambiguous-function-name
>
ambiguous-variable-name
>
import-modules-twice
>
init-no-return-value
>
comment-fixme-todo-ownership
>
no-duplicate-base-class
>
type-check-isinstance
>
Ruleset ID: python-code-style Rules to enforce Python code style.
Ruleset ID: python-django Rules specifically for Django best practices and security.
model-charfield-max-length
>
os-system-from-request
>
subprocess-from-request
>
jsonresponse-no-content-type
>
no-unicode-on-models
>
open-filename-from-request
>
http-response-from-request
>
Ruleset ID: python-inclusive Rules for Python to avoid inappropriate wording in the code and comments.
Ruleset ID: python-pandas

A set of rules to check that pandas code is used appropriately.

  • Ensures import declarations follow coding guidelines.
  • Avoid deprecated code and methods.
  • Avoid inefficient code whenever possible.
Ruleset ID: python-security

Rules focused on finding security and vulnerability issues in your Python code, including those found in the OWASP10 and SANS25.

  • Use of bad encryption and hashing protocols
  • Lack of access control
  • Security misconfiguration
  • SQL injections
  • Hardcoded credentials
  • Shell injection
  • Unsafe deserialization
html-string-from-parameters
>
variable-sql-statement-injection
>
sql-server-security-credentials
>
insecure-hash-functions
>
asyncio-subprocess-create-shell
>
asyncio-subprocess-exec
>
request-verify
>
Ruleset ID: rails-best-practices Best practices to write Ruby on Rails code.
Ruleset ID: ruby-best-practices Rules to enforce Ruby best practices.
prevent-attr
>
no-class-var
>
no-optional-hash-params
>
string-interpolation
>
no-double-negation
>
no-begin-blocks
>
no-end-blocks
>
no-extend-data-define
>
method-definition-colon
>
no-else-with-unless
>
no-explicit-rb-to-require
>
top-level-methods
>
atomic-file-operations
>
case-vs-if-elsif
>
proc-over-procnew
>
no-nested-method
>
exception-class-message-separate
>
existence-check-shorthand
>
avoid-hash-constructor
>
condition-safe-alignment
>
hash-literal-as-last-array-item
>
Ruleset ID: ruby-inclusive Write inclusive Ruby code
Ruleset ID: ruby-security Rules focused on finding security issues in your Ruby code.
Ruleset ID: terraform-aws Rules to enforce Terraform best practices for AWS.
aws-sns-topic-encryption
>
iam-all-privileges
>
aws-msk-broker-no-encryption
>
aws-ecs-no-encryption
>
aws-elasticache-no-encryption
>
aws-kinesis-no-encryption
>
aws-lb-redirect-https
>
public-api-no-authorization
>
Ruleset ID: typescript-best-practices Rules to enforce TypeScript best practices.
no-duplicate-enum-values
>
no-extra-non-null-assertion
>
no-var-requires
>
no-explicit-any
>
no-unnecessary-type-constraint
>
no-unsafe-declaration-merging
>
no-unused-expressions
>
Ruleset ID: typescript-browser-security Rules focused on finding security issues in your TypeScript web applications.
event-check-origin
>
react-dangerously-inner-html
>
local-storage-sensitive-data
>
postmessage-permissive-origin
>
Ruleset ID: typescript-code-style Rules considered to be best practice for modern TypeScript codebases, but that do not impact program logic. These rules are generally opinionated about enforcing simpler code patterns.
no-array-constructor
>
no-duplicate-imports
>
no-confusing-non-null-assertion
>
ban-tslint-comment
>
Ruleset ID: typescript-common-security Rules focused on finding security issues in your TypeScript code.
axios-avoid-insecure-http
>
xml-no-external-entities
>
unique-function-arguments
>
Ruleset ID: typescript-inclusive Rules for TypeScript to avoid inappropriate wording in the code and comments.
Ruleset ID: typescript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage.

Further Reading

Additional helpful documentation, links, and articles: