Static Analysis Rules

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!
Join the Preview!

Code Analysis is in Preview.

Code Analysis is not available for the site.

Overview

Datadog Static Analysis provides out-of-the-box rules to help detect violations in your CI/CD pipelines in code reviews and identify bugs, security, and maintainability issues. For more information, see the Setup documentation.

Ruleset ID: csharp-best-practices Rules to enforce C# best practices.
avoid-call-gc-suppress-finalize
>
no-empty-finalizer
>
finalizer-no-exception
>
avoid-formattablestring
>
no-nested-ternary
>
avoid-notimplementedexception
>
sealed-class-protected-members
>
redundant-modifiers
>
no-sleep-in-tests
>
avoid-gc-collect
>
dispose-objects-once
>
comparison-nan
>
no-exception-special-methods
>
use-specific-exceptions
>
avoid-non-existing-operators
>
objects-ensure-use
>
exception-must-be-thrown
>
catch-nullreference
>
no-empty-default
>
tostring-not-return-null
>
use-assembly-load
>
Ruleset ID: csharp-code-style Rules to enforce C# code style.
short-class-name
>
short-method-name
>
class-naming-conventions
>
variable-naming-conventions
>
interface-first-letter
>
Ruleset ID: csharp-inclusive Rules to make your C# code more inclusive.
Ruleset ID: csharp-security Rules focused on finding security issues in your C# code.
Ruleset ID: github-actions Rules to check your GitHub Actions and detect unsafe patterns, such as permissions or version pinning.
Ruleset ID: go-best-practices Rules to make writing Go code faster and easier. From code style to preventing bugs, this ruleset helps developers writing performant, maintainable, and efficient Go code.
avoid-bare-return
>
time-parse-format
>
avoid-empty-critical-sections
>
valid-regular-expression
>
manual-string-trimming
>
negative-zero
>
redundant-nil-check
>
loop-regexp-match
>
superfluous-else
>
useless-bitwise-operation
>
bad-nil-guard
>
invalid-host-port-pair
>
merge-declaration-assignment
>
comparing-address-nil
>
comparison-true
>
defer-lock
>
redefine-builtin-id
>
redundant-negation
>
math-pow-expansion
>
inefficient-string-comparison
>
invalid-seek-value
>
do-not-compare-nan
>
omit-default-slice-index
>
redundant-type-var-declaration
>
compare-identical
>
unnecessary-blank-identifier
>
mod-one-always-zero
>
simplify-boolean-expression
>
simplify-pointer-operation
>
Ruleset ID: go-security Detect common security issues (such as SQL injection, XSS, or shell injection) in your Go codebase.
command-injection
>
unescape-template-data-js
>
grpc-client-insecure
>
grpc-server-insecure
>
avoid-rat-setstring
>
import-cgi
>
tls-skip-verify
>
http-request-secure
>
chmod-permissions
>
decompression-bomb
>
range-memory-aliasing
>
cookie-secure
>
session-secure
>
unsafe-reflection
>
Ruleset ID: java-best-practices Rules to enforce Java best practices.
avoid-calendar-creation
>
avoid-string-instantiation
>
avoid-reassigning-parameters
>
redundant-initializer
>
avoid-printstacktrace
>
default-label-not-last-in-switch
>
add-empty-string
>
return-internal-array
>
avoid-reassigning-catch-vars
>
while-loop-with-literal-boolean
>
preserve-stack-trace
>
replace-vector-with-list
>
array-is-stored-directly
>
replace-hashtable-with-map
>
missing-switch-statement-default
>
simplify-test-assertions-boolean
>
Ruleset ID: java-code-style Rules to enforce Java code style.
Ruleset ID: java-inclusive Rules for Java to avoid inappropriate wording in the code and comments.
Ruleset ID: java-security Rules focused on finding security issues in Java code.
keygenerator-avoid-des
>
ldap-injection
>
avoid-null-cipher
>
sql-injection
>
json-unsafe-deserialization
>
spring-request-file-tainted
>
bad-hexa-concatenation
>
cookies-http-only
>
spring-csrf-disable
>
message-digest-custom
>
no-des-cipher
>
unvalidated-redirect
>
aes-ecb-insecure
>
cipher-padding-oracle
>
trust-boundaries
>
ignore-saml-comment
>
algorithm-no-hardcoded-secret
>
path-traversal-file-read
>
command-injection
>
object-deserialization
>
http-parameter-pollution
>
ldap-entry-poisoning
>
path-traversal
>
tainted-url-host
>
xss-protection
>
weak-message-digest-sha1
>
smtp-insecure-connection
>
spring-csrf-requestmapping
>
sql-injection-turbine
>
sql-injection-hibernate
>
potential-sql-injection
>
unencrypted-socket
>
Ruleset ID: javascript-best-practices Rules to enforce JavaScript best practices.
no-duplicate-case
>
no-dupe-class-members
>
no-unused-expressions
>
Ruleset ID: javascript-browser-security Rules focused on finding security issues in your JavaScript web applications.
event-check-origin
>
react-dangerously-inner-html
>
local-storage-sensitive-data
>
postmessage-permissive-origin
>
Ruleset ID: javascript-common-security Rules focused on finding security issues in your JavaScript code.
axios-avoid-insecure-http
>
xml-no-external-entities
>
unique-function-arguments
>
Ruleset ID: javascript-inclusive Rules for JavaScript to avoid inappropriate wording in the code and comments.
Ruleset ID: javascript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage.
Ruleset ID: kotlin-best-practices Rules to enforce Kotlin best practices.
Ruleset ID: kotlin-code-style Rules to enforce Kotlin code style.
function-name-min-length
>
angle-bracket-spacing
>
annotation-spacing
>
argument-list-wrapping
>
block-comment-formatting
>
no-consecutive-comments
>
no-consecutive-blank-lines
>
curly-bracket-spacing
>
double-colon-spacing
>
extension-function-spacing
>
function-return-type-spacing
>
function-type-modifier-spacing
>
nullable-type-spacing
>
unary-operator-spacing
>
enum-entry-naming
>
no-line-break-before-assignment
>
no-empty-lead-line-class
>
no-empty-lead-line-method
>
Ruleset ID: php-best-practices Rules to enforce PHP best practices, enhancing code style, preventing bugs, and promoting performant, maintainable, and efficient PHP code.
Ruleset ID: php-code-style Rules to enforce PHP code style.
Ruleset ID: php-security Rules focused on finding security issues in your PHP code.
laravel-path-traversal-storage
>
unsafe-entity-loader
>
laravel-avoid-path-injection
>
no-pseudo-random
>
symfony-csrf-disabled
>
curl-hostname-verification
>
laravel-cookie-not-encrypted
>
ldap-authenticate-connection
>
ldap-injection
>
laravel-native-sql-injection
>
laravel-raw-sql-injection
>
curl-certificate-verification
>
Ruleset ID: python-best-practices Best practices for Python to write efficient and bug-free code.
function-already-exists
>
assertraises-specific-exception
>
invalid-assert
>
avoid-string-concat
>
unreachable-code
>
function-variable-argument-name
>
self-assignment
>
no-base-exception
>
return-outside-function
>
any-type-disallow
>
no-bare-except
>
finally-no-break-continue-return
>
no-datetime-today
>
no-double-unary-operator
>
dataclass-special-methods
>
comparison-constant-left
>
ambiguous-function-name
>
ambiguous-variable-name
>
import-modules-twice
>
init-no-return-value
>
comment-fixme-todo-ownership
>
no-duplicate-base-class
>
type-check-isinstance
>
Ruleset ID: python-code-style Rules to enforce Python code style.
Ruleset ID: python-django Rules specifically for Django best practices and security.
model-charfield-max-length
>
os-system-from-request
>
subprocess-from-request
>
jsonresponse-no-content-type
>
no-unicode-on-models
>
open-filename-from-request
>
http-response-from-request
>
Ruleset ID: python-inclusive Rules for Python to avoid inappropriate wording in the code and comments.
Ruleset ID: python-pandas

A set of rules to check that pandas code is used appropriately.

  • Ensures import declarations follow coding guidelines.
  • Avoid deprecated code and methods.
  • Avoid inefficient code whenever possible.
Ruleset ID: python-security

Rules focused on finding security and vulnerability issues in your Python code, including those found in the OWASP10 and SANS25.

  • Use of bad encryption and hashing protocols
  • Lack of access control
  • Security misconfiguration
  • SQL injections
  • Hardcoded credentials
  • Shell injection
  • Unsafe deserialization
html-string-from-parameters
>
variable-sql-statement-injection
>
sql-server-security-credentials
>
insecure-hash-functions
>
asyncio-subprocess-create-shell
>
asyncio-subprocess-exec
>
request-verify
>
Ruleset ID: rails-best-practices Best practices to write Ruby on Rails code.
Ruleset ID: ruby-best-practices Rules to enforce Ruby best practices.
prevent-attr
>
no-class-var
>
no-optional-hash-params
>
string-interpolation
>
no-double-negation
>
no-begin-blocks
>
no-end-blocks
>
no-extend-data-define
>
method-definition-colon
>
no-else-with-unless
>
no-explicit-rb-to-require
>
top-level-methods
>
atomic-file-operations
>
case-vs-if-elsif
>
proc-over-procnew
>
no-nested-method
>
exception-class-message-separate
>
existence-check-shorthand
>
avoid-hash-constructor
>
condition-safe-alignment
>
hash-literal-as-last-array-item
>
Ruleset ID: ruby-inclusive Write inclusive Ruby code
Ruleset ID: ruby-security Rules focused on finding security issues in your Ruby code.
Ruleset ID: terraform-aws Rules to enforce Terraform best practices for AWS.
Ruleset ID: typescript-best-practices Rules to enforce TypeScript best practices.
no-duplicate-enum-values
>
no-extra-non-null-assertion
>
no-var-requires
>
no-explicit-any
>
no-unnecessary-type-constraint
>
no-unsafe-declaration-merging
>
no-unused-expressions
>
Ruleset ID: typescript-browser-security Rules focused on finding security issues in your TypeScript web applications.
event-check-origin
>
react-dangerously-inner-html
>
local-storage-sensitive-data
>
postmessage-permissive-origin
>
Ruleset ID: typescript-code-style Rules considered to be best practice for modern TypeScript codebases, but that do not impact program logic. These rules are generally opinionated about enforcing simpler code patterns.
no-array-constructor
>
no-duplicate-imports
>
no-confusing-non-null-assertion
>
ban-tslint-comment
>
Ruleset ID: typescript-common-security Rules focused on finding security issues in your TypeScript code.
axios-avoid-insecure-http
>
xml-no-external-entities
>
unique-function-arguments
>
Ruleset ID: typescript-inclusive Rules for TypeScript to avoid inappropriate wording in the code and comments.
Ruleset ID: typescript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage.

Further Reading

Más enlaces, artículos y documentación útiles: