Static Analysis Rules

Docs > Code Analysis > Static Analysis Rules

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Try the Beta!

Code Analysis is in public beta.

Overview

Datadog Static Analysis provides out-of-the-box rules to help detect violations in your CI/CD pipelines in code reviews and identify bugs, security, and maintainability issues. For more information, see the Setup documentation.

Ruleset ID: csharp-best-practices Rules to enforce C# best practices.

Avoid calling GC.SuppressFinalize()

avoid-call-gc-suppress-finalize

Avoid empty catch sections

no-empty-catch

Avoid empty finalizer

no-empty-finalizer

Avoid exceptions in finalizers

finalizer-no-exception

Avoid FormattableString

avoid-formattablestring

Avoid keywords as variables names

variable-names

Avoid nested operators

no-nested-ternary

Avoid NotImplementedException

avoid-notimplementedexception

Avoid protected members in sealed class

sealed-class-protected-members

Avoid redundant modifiers

redundant-modifiers

Avoid StartsWith or EndsWith with one character

strings-with-one-char

Avoid Thread.sleep in tests

no-sleep-in-tests

Avoid using a public contructor for an abstract class

public-abstract-constructors

Avoid using GC.Collect

avoid-gc-collect

Avoid using goto statements

avoid-goto-use

Checks for always-true expressions on collections and arrays

unnecessary-length-count-check

Classes with Dispose() should implement IDisposable

disposable-interface

Detects improper usage of void return in an async method

async-task-not-void

Dispose objects at most once

dispose-objects-once

Do not assign a variable to itself

no-self-assign

Do not compare with NaN

comparison-nan

Do not throw exceptions in special methods

no-exception-special-methods

Do not throw generic exceptions

use-specific-exceptions

Do not use operators that do not exists

avoid-non-existing-operators

Do not use Optional on ref or out. parameters

optional-ref-out

Do not use the same operator twice

no-double-operators

Enforce Guid parameter initialization

use-proper-new-guid

Enforces an int operand on bitwise and shift operations

bitwise-right-operand-int

Enforces that base is object when using base.Equals

base-equals

Ensure code coverage exclusions are justified

coverage-justification

Ensure objects are used

objects-ensure-use

Ensures that a ThreadStatic field is not initialized

do-not-initialize-threadstatic

Ensures ThreadStatic fields are marked static

ignored-threadstatic

Exceptions must be thrown

exception-must-be-thrown

Exceptions should be made public

exceptions-public

IndexOf function should check the first character

indexof-checks

Prevent catching NullReference

catch-nullreference

Prevent empty default cases

no-empty-default

Prevents the return of an IDisposable from a using statement

using-idisposable-return

Prevents using `==` and `!=` operators on floats and doubles

float-equality

Suggest using string's indexer property over toCharArray()

redundant-tochararray

Test method name should follow conventions

test-method-names

ToString() should never return `null`

tostring-not-return-null

Use Assembly.Load

use-assembly-load

Use Contains for simple equality

contains-not-any

Use Contains to check if a string contains something

indexof-contains

Warns on class private constructors that are dead code

class-no-private-constructors

Ruleset ID: csharp-code-style Rules to enforce C# code style.

Avoid prefix boolean returning method with `get`

boolean-get-method-name

Avoid short class names

short-class-name

Avoid short method names

short-method-name

Avoid short variable names

short-variable

Follow class naming conventions

class-naming-conventions

Follow variable naming conventions

variable-naming-conventions

Interface names should start with I

interface-first-letter

Ruleset ID: csharp-inclusive Rules to make your C# code more inclusive.

Check class definition language

class-definition

Check function definition language

method-definition

Check variable assignment language

variable-assignment

Ensure comment wording is inclusive

comments

Ruleset ID: csharp-security Rules focused on finding security issues in your C# code.

Avoid predictable IV

predictable-iv

Avoid pseudo-random numbers

no-pseudo-random

Avoid temporary hardcoded files

no-hardcoded-tempfile

Avoid unsafe blocks

avoid-unsafe

Avoid unsafe CORS headers

unsafe-cors

Avoid unsafe temporary file creation

unsafe-temp-file

Avoid using protocols without SSL

avoid-unencrypted-protocols

Avoid weak hash algorithms

weak-hash-algorithms

Do not bypass certificates validation

check-server-ssl-sertificates

Do not use a predictable salt

no-predictable-salt

Do not use weak ciphers

weak-cipher

Do not use weak SSL protocols

weak-ssl-protocols

Ensure cookies have the secure flag

cookie-http-only

Ensure cookies have the secure flag

cookie-secure-flag

Filter large requests

request-length

JWT must always be verified

jwt-verify

Prevent LDAP injection

ldap-injection

Prevent shell injection

shell-injection

Prevent SQL queries built from strings

sql-injection

Prevent XXE attack from XML parser

avoid-xml-xxe

Request validation should not be disabled

disable-request-validation

Use standard crypto algorithms

use-standard-crypto

Ruleset ID: docker-best-practices Best practices for using Docker.

Always pin versions in apt-get install

apt-pin-version

Always pin versions with pip

pip-pin-versions

Always tag the version of an image

tag-image-version

Always use -y with apt-get install

apt-get-yes

Always use -y with dnf install

dnf-use-y

Always use -y with yum install

yum-use-y

Always use -y with zypper install

zypper-use-y

Avoid commands not made for containers

avoid-commands-not-relevant

Avoid fetching data from HTTP endpoint

avoid-http

Do not expose sensitive ports

expose-admin-ports

Do not give wide permissions on files

avoid-chmod-777

Do not use cache when installing packages

pip-no-cache

Do not use multiple CMD

multiple-cmd

Do not use multiple ENTRYPOINT

multiple-entrypoint

Do not use multiple HEALTHCHECK

multiple-healthcheck

Expose a valid UNIX port number

expose-valid-port

FROM aliases must be unique

alias-must-be-unique

Last user should not be root

no-root-user

The maintainer entry is deprecated

maintainer-deprecated

Use absolute workdir

absolute-workdir

Ruleset ID: go-best-practices Rules to make writing Go code faster and easier. From code style to preventing bugs, this ruleset helps developers writing performant, maintainable, and efficient Go code.

Avoid bare returns

avoid-bare-return

Avoid calling the GC directly

avoid-call-to-gc

Avoid custom time format

time-parse-format

Avoid empty critical sections

avoid-empty-critical-sections

Avoid invalid regular expression

valid-regular-expression

Avoid manual string trimming

manual-string-trimming

Avoid negative zero

negative-zero

Avoid redundant nil check

redundant-nil-check

Avoid regexp.Match in a loop

loop-regexp-match

Avoid select statement with one case

single-case-select

Avoid superfluous else

superfluous-else

Avoid useless bit operations

useless-bitwise-operation

Bad nil guard

bad-nil-guard

Call the context cancellation function

context-cancelable

Check to prevent a length less than 0

check-len

Common invalid host-port pairs

invalid-host-port-pair

Declare and assign variables in one statement

merge-declaration-assignment

Do not check address to nil

comparing-address-nil

Do not compare to true

comparison-true

Do not copy a slice in a for loop

replace-loop-copy

Do not defer Lock

defer-lock

Do not modify function parameter

modify-parameter

Do not redefine built-in ID

redefine-builtin-id

Do not use append for assignment

equivalent-append

Do not use bytes.SplitN or bytes.SplitAfterN with limit < 0

bytes-splitn

Do not use Printf with Sprintf

printf-sprintf

Do not use redundant negation

redundant-negation

Do not use strings.Split[After]N with negative limit

strings-splitn

Don't put time units in Duration variables

duration-variable-names

Dot imports should be avoided

avoid-dot-imports

Errors should be named errFoo or ErrFoo

err-prefixed-with-err

Expand math.Pow calls

math-pow-expanstion

fmt.Sprintf("%s", var) should not be used if var is a string

simplify-sprintf-with-string

Functions prefixed by get should return something

get-return

Functions returning boolean should not use prefix get

boolean-get-function-name

Inefficient string comparison

inefficient-string-comparison

Invalid seek value

invalid-seek-value

Invalid signal being trapped

signal-trapped

No need to check for nil before a loop

avoid-nil-check-loop

No value is equal to NaN

do-not-compare-nan

Omit default slices

omit-default-slice-index

Omit redundant type declaration

redundant-type-var-declaration

os.FileMode value appears it should be in octal

non-octal-os-filemode

Prevent empty default case for select without condition

for-select-default-empty

Prevent identical comparison

compare-identical

Prevent self-assignment of variables

self-assignment

Prevent using escapes in regular expression

regexp-raw-string

Put contants and values on the left

avoid-yoda-conditions

Regexp FindAll with n=0 returns nothing

regexp-zero-results

Remove unnecessary blank identifiers

unnecessary-blank-identifier

Replace errors.New(fmt.Sprintf()) with fmt.Errorf()

use-errorf-when-possible

Replace var % 1 by 0

mod-one-always-zero

Replace w.Write([]byte(fmt.Sprintf())) with fmt.Fprintf()

use-fprintf-when-possible

Simplify boolean expression

simplify-boolean-expression

Simplify make and avoid 0 as second argument

simplify-make

Simplify pointer operation

simplify-pointer-operation

Sleep is in nanoseconds by default; verify short sleep

verify-short-sleep

strings.Replace with 0 does not do anything

strings-replace-zero

The Context should be the first argument in a function

context-first-argument

The default case of a switch should be first or last

switch-default-first-or-last

Use append to concatenate slices

concatenate-slices

Use bytes.Equal instead of bytes.Compare

bytes-compare-equal

Use bytes.ReplaceAll instead of bytes.Replace

bytes-replaceall

Use fmt.Errorf instead of new errors with Sprintf

errors-new-errorf

Use Since() instead of Now().Sub()

time-now-sub

Use strings.Contains instead of strings.Index with -1

strings-index-contains

Use strings.ReplaceAll instead of strings.Replace

strings-replaceall

Verify that duplicate imports are necessary

duplicate-imports

Ruleset ID: go-inclusive Check Go code for wording issues.

Use inclusive language in comments

comments

Use inclusive language in function declarations

function-declaration

Use inclusive language in type declarations

types

Use inclusive language in variable names

variables

Ruleset ID: go-security Detect common security issues (such as SQL injection, XSS, or shell injection) in your Go codebase.

Avoid command injection

command-injection

Avoid formatted string in templates

unescape-template-data-js

Avoid hardcoded temporary file

tempfile-creation

Avoid HTTP functions without timeouts

http-support-timeout

Avoid insecure GRPC connection

grpc-client-insecure

Avoid insecure GRPC server

grpc-server-insecure

Avoid leaking data to a logger

error-leakage

Avoid manually built SQL queries

sql-format-string

Avoid SetString() from big.Rat

avoid-rat-setstring

Binding to 0.0.0.0 opens up the application to all traffic

do-not-bind-all-interfaces

Calling hmac.New with unchanging hash.New

hmac-needs-new

CGI is outdated

import-cgi

DES and Triple DES are now insecure

import-des

Do not build SQL queries with string concatenations

sql-string-concatenation

Do not bypass HTML escaping with ResponseWriter

responsewriter-no-fprintf

Do not create a directory with write permissions for all

mkdir-permissions

Do not create a file with too much permissions

write-file-permissions

Do not ignore SSH host validation

ssh-ignore-keys

Do not use insecure ciphers

tls-cipher

Do not use tainted URL

taint-url

Do not use telnet without encryption

telnet-request

Ensure JWT use a secure algorithm

jwt-algorithm

Ensure MinVersion is defined for TLS client

ssl-min-version

Ensure TLS verification

tls-skip-verify

Ensure we use https://

http-request-secure

File permissions

chmod-permissions

Math/rand random number generation is insecure

math-rand-insecure

Odd hash.Sum call flow

hashsum

Prevent decompression bomb

decompression-bomb

Prevent Memory Aliasing

range-memory-aliasing

Prevent XSS injection by setting HttpOnly to false

cookie-http-only

Prevent XSS injection by setting HttpOnly to false

session-http-only

RC4 encryption is now insecure

import-rc4

RSA keys should have a minimum of 2,048 bits

minimum-rsa-key-length

Scan for using bytes.Equal() to compare HMACs

hmac-bytes

Session must be secure

cookie-secure

Session must be secure

session-secure

SSLv3 is not secure and should be avoided

ssl-v3-insecure

The md5 hashing algorithm is insecure

import-md5

The SHA-1 algorithm family is no longer secure

import-sha1

Unsafe reflection

unsafe-reflection

Ruleset ID: java-best-practices Rules to enforce Java best practices.

Avoid Calendar class use

avoid-calendar-creation

Avoid creating FileStream directly

avoid-filestream

Avoid declaring a field type as MessageDigest

avoid-message-digest-field

Avoid instantiating strings

avoid-string-instantiation

Avoid reassigning parameters

avoid-reassigning-parameters

Avoid redundant initialization

redundant-initializer

Avoid switch with very few branches

switch-few-branches

Avoid using printStackTrace()

avoid-printstacktrace

Avoid using specific implementation types

loose-coupling

Default label should be last in a switch

default-label-not-last-in-switch

Do not add an empty string

add-empty-string

Do not append char as strings

sb-append-char

Do not return internal array

return-internal-array

Do not use a string with only one character

indexof-char

Do not use StringBuffer or StringBuilder as a class field

string-buffer-field

Don't reassign a catch variable

avoid-reassigning-catch-vars

Loops can be simplified or removed

while-loop-with-literal-boolean

Preserve the thrown stack trace

preserve-stack-trace

Replace Vector with List

replace-vector-with-list

Separate lines for each field declaration

one-declaration-per-line

Should clone array

array-is-stored-directly

Should use Map instead of Hashtable

replace-hashtable-with-map

Switch statements should have a default case

missing-switch-statement-default

Test assertions for booleans can be simplified

simplify-test-assertions-boolean

Test assertions using equals comparison can be simplified

simplify-test-assertions-equals

Test assertions using null comparison can be simplified

simplify-test-assertions-null

Test assertions using operator comparison can be simplified

simplify-test-assertions-ops

The literals should be first in String comparisons

literals-first-in-comparison

Too many control variables in for loop

forloop-variable-count

Use asList to create a list from array

arrays-aslist

Use StringBuffer to concatenate strings

use-stringbuffer

Ruleset ID: java-code-style Rules to enforce Java code style.

Avoid negation in your ternary operation

confusing-ternary

Avoid prefix boolean returning method with `get`

boolean-get-method-name

Avoid unnecessary object extend

extends-object

Avoid useless final type in interface method

final-param-in-abstract-method

Avoid using dollar signs in variable names

avoid-dollar-signs

Avoid using Java native code

avoid-using-native-code

Avoid using protected field in final class

avoid-protected-in-final-class

Consider calling super in constructor

call-super-in-constructor

Enforce a naming convention for any type of class

class-naming-conventions

Enforce generic naming standards

generics-naming

Enforce using control statement brackets

control-statement-braces

Enforce using the LocalHome suffix for Session EJB

local-home-naming-convention

Package names should not contain uppercase characters

package-case

Simplify for loops for while loops

for-loop-should-be-while-loop

Ruleset ID: java-inclusive Rules for Java to avoid inappropriate wording in the code and comments.

Check class definition language

class-definition

Check function definition language

function-definition

Check variable assignment language

variable-assignment

Ruleset ID: java-security Rules focused on finding security issues in Java code.

Avoid DES keys

keygenerator-avoid-des

Avoid LDAP injections

ldap-injection

Avoid manual SQL queries

sql-string-tainted

Avoid NullCipher

avoid-null-cipher

Avoid overly permissive CORS

permissive-cors

Avoid SQL injection

sql-injection

Avoid unsafe deserialization

json-unsafe-deserialization

Avoid user-generated class names for reflection

unsafe-reflection

Avoid user-input file

spring-request-file-tainted

Bad hexadecimal concatenation

bad-hexa-concatenation

Blowfish should use a large key

blowfish-short-key

Cookies HTTP only

cookies-http-only

Cookies should not have a long expiration

cookies-persistence

DefaultHttpClient with default constructor is not secure

default-http-client-def-cons

Detect an XPath input from an HTTP request

tainted-xpath

Do not disable CSRF

spring-csrf-disable

Do not give write access to others

files-permissions

Do not use a pseudo-random number to generate a secret

no-pseudo-random-secret

Do not use custom digest

message-digest-custom

Do not use DES

no-des-cipher

Do not use unvalidated request

unvalidated-redirect

Do not use weak SSL context

ssl-context

ECB mode is insecure

aes-ecb-insecure

ECB mode is insecure

cipher-padding-oracle

Enforce trust boundaries

trust-boundaries

Ensure cookies have the secure flag

cookies-secure-flag

HostnameVerifier should check certificates

hostname-verifier-true

Ignore SAML comments

ignore-saml-comment

MD2, MD4, and MD5 are weak hash functions

weak-message-digest-md5

No hardcoded secret with algorithm methods

algorithm-no-hardcoded-secret

Potential code injection when using GroovyShell

groovyshell-code-injection

Potential code injection when using Spring Expression

spring-expression-injection

Potential path traversal from request

path-traversal-file-read

Prefer SecureRandom over Random

avoid-random

Prevent command injection

command-injection

Prevent deserialization

object-deserialization

Prevent HTTP parameter pollution

http-parameter-pollution

Prevent LDAP Entry Poisoning

ldap-entry-poisoning

Prevent path traversal

path-traversal

Prevent SSRF

tainted-url-host

Prevent XSS attacks

xss-protection

RSA should use a long key

rsa-short-key

RSA with no padding is insecure

no-rsa-no-padding

Secret should not be hardcoded in code

hardcoded-crypto-key

SHA-1 is a weak hash function

weak-message-digest-sha1

SMTP server identify must be enforced

smtp-insecure-connection

Spring CSRF unrestricted RequestMapping

spring-csrf-requestmapping

SQL injection in BasePeer

sql-injection-turbine

SQL injection in Hibernate

sql-injection-hibernate

SQL injection in SqlUtil.execQuery

potential-sql-injection

Use a randomly-generated IV

random-iv

Use of socket on HTTP port

unencrypted-socket

XML parsing vulnerable to XEE

xml-parsing-xee

XML parsing vulnerable to XXE for SAX Parsers

xml-parsing-xxe-saxparser

XML parsing vulnerable to XXE for TransformerFactory

xml-parsing-xxe-transformer

XML parsing vulnerable to XXE for XML Reader

xml-parsing-xxe-xmlreader

XML parsing vulnerable to XXE for XPath

xml-parsing-xxe-xpath

Ruleset ID: javascript-best-practices Rules to enforce JavaScript best practices.

Avoid assignment operators in conditional expressions

no-cond-assign

Avoid direct comparison with NaN

use-isnan

Avoid duplicate case labels

no-duplicate-case

Avoid duplicate class members

no-dupe-class-members

Avoid duplicate keys in object literals

no-dupe-keys

Avoid empty block statements

no-empty

Avoid empty character classes in regular expressions

no-empty-character-class

Avoid empty destructuring patterns

no-empty-pattern

Avoid leaving console debug statements

no-console

Avoid lexical declarations in case clauses

no-case-declarations

Avoid negating the left operand of relational operators

no-unsafe-negation

Avoid new statements with the Symbol object

no-new-symbol

Avoid reassigning exceptions in catch clauses

no-ex-assign

Avoid the use of alert, confirm, and prompt

no-alert

Avoid the use of arguments.caller or arguments.callee

no-caller

Avoid the use of the __iterator__ property

no-iterator

Avoid the use of the __proto__ property

no-proto

Avoid using delete on variables directly

no-delete-var

Avoid using JavaScript in URLs

no-script-url

Avoid using octal literals to prevent unexpected behavior

no-octal

Avoid variable or function declaration in nested blocks

no-inner-declarations

Check for loop is moving in the right direction

for-direction

Compare typeof expressions against valid strings

valid-typeof

Direct comparison with -0 detected

no-compare-neg-zero

Disallow reassigning const variables

no-const-assign

Disallow reassigning function declarations

no-func-assign

Disallow the use of debugger

no-debugger

Disallow unreachable code

no-unreachable

Function parameters redeclared

no-dupe-args

Invoking a constructor must use parentheses

new-parens

Prevent assigning to imported bindings

no-import-assign

Prevent the use methods similar to eval()

no-implied-eval

Promise executor cannot be an async function

no-async-promise-executor

Require yield in generator functions

require-yield

The with statement can lead to ambiguous code

no-with

Ruleset ID: javascript-browser-security Rules focused on finding security issues in your JavaScript web applications.

Avoid manual sanitization of inputs

manual-sanitization

Check origin of events

event-check-origin

Do not inject unsanitized HTML

react-dangerously-inner-html

Do not modify innerHTML or outerHTML

inner-outer-html

Do not store sensitive data to local storage

local-storage-sensitive-data

Do not use variable for regular expressions

regexp-non-literal

Specify origin in postMessage

postmessage-permissive-origin

Websockets must use SSL connections

insecure-websocket

Ruleset ID: javascript-code-style Rules to enforce JavaScript code style.

Assignment name should use camelCase

assignment-name

Avoid Array constructors

no-array-constructor

Avoid assignment operators in return statements

no-return-assign

Avoid comparisons where both sides are exactly the same

no-self-compare

Avoid duplicate module imports

no-duplicate-imports

Avoid equal signs at the beginning of regular expressions

no-div-regex

Avoid if statements as the only statement in else blocks

no-lonely-if

Avoid leading or trailing decimal points in numbers

no-floating-decimal

Avoid new operators outside of assignments or comparisons

no-new

Avoid new operators with the Function object

no-new-func

Avoid Object constructors

no-new-object

Avoid the use of chained assignment expressions

no-multi-assign

Class name should be `PascalCase`

class-name

Consistent use of the radix argument using parseInt

radix

Enforce a maximum number of parameters in a function

max-params

Enforce named function expressions

func-names

Enforce the use of === and !==

eqeqeq

Function name should use camelCase or PascalCase

function-naming

Function names must match the name of the assignation.

func-name-matching

Method name should use camelCase

method-name

Parameter name should use camelCase

parameter-name

Require let or const instead of var

no-var

Ruleset ID: javascript-common-security Rules focused on finding security issues in your JavaScript code.

Avoid insecure HTTP requests with Axios

axios-avoid-insecure-http

Do not use external XML entities

xml-no-external-entities

Function argument names should be unique

unique-function-arguments

Ruleset ID: javascript-express Rules specifically for Express.js best practices and security.

Avoid allowing access to unintended directories or files

path-traversal

Avoid rendering resource based on unsanitized user input

external-resource

Avoid sending unsanitized user input in response

xss-vulnerability

Avoid setting insecure cookie settings

insecure-cookie

Avoid using a hard-coded secret

hardcoded-secret

Avoid using an insecure Access-Control-Allow-Origin header

insecure-allow-origin

Avoid using unsanitized user input with sendFile

external-filename-upload

Enforce overriding default config

default-session-config

Ensure an isRevoked method is used for tokens

jwt-not-revoked

Express application should use Helmet

missing-helmet

Limit exposure to sensitive directories and files

access-restriction

Server fingerprinting misconfiguration

reduce-server-fingerprinting

Use `https` protocol over `http`

https-protocol-missing

Ruleset ID: javascript-inclusive Rules for JavaScript to avoid inappropriate wording in the code and comments.

Check comments for wording issues

comments

Check declaration names for wording issues

declarations

Check identifier names for wording issues

identifiers

Check parameter names for wording issues

formal-parameters

Ruleset ID: javascript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage.

Avoid `eval` with expressions

detect-eval-with-expression

Avoid Buffer(argument) with non-literal values

detect-new-buffer

Avoid calls to 'buffer' with 'noAssert' flag set

detect-buffer-noassert

Avoid command injection

command-injection

Avoid DES and 3DES

avoid-des

Avoid hardcoded HMAC keys

hardcoded-hmac-key

Avoid instances of 'child_process' and non-literal 'exec()'

detect-child-process

Avoid logging sensitive data

log-sensitive-data

Avoid RC4

avoid-crypto-rc4

Avoid require with non-literal values

detect-non-literal-require

Avoid SHA1 security protocol

avoid-crypto-sha1

Avoid SQL injection

sql-injection

Avoid SQL injections

variable-sql-statement-injection

Avoid variables in 'fs' calls filename argument

detect-non-literal-fs-filename

Avoid weak hash algorithm from CryptoJS

crypto-avoid-weak-hash

Detects hardcoded JWT tokens within the codebase.

detected-jwt-token

Detects non-literal values in regular expressions

detect-non-literal-regexp

Do not give 777 permissions to a file

chmod-permissions

Do not put sensitive data in objects

jwt-sensitive-data

Do not use hardcoded secret for OAuth2 providers

oauth2-hardcoded-secret

Do not use hardcoded secret with a JWT

jwt-hardcoded-secret

Do not use weak hash functions

insecure-hash

Insecure Usage of a Static Secret in JWT Signing

insecure-jwt-secret-usage

Use default encryption from the JWT library

jwt-weak-encryption

Use strong security mechanisms with argon2

argon2

Ruleset ID: jsx-react This plugin exports a recommended configuration that enforces React good practices.

Avoid comments from being inserted as text nodes

jsx-no-comment-textnodes

Avoid deprecated methods

no-deprecated

Avoid duplicate properties in JSX

jsx-no-duplicate-props

Avoid passing children as props

no-children-prop

Avoid usage of the return value of ReactDOM.render

no-render-return-value

Avoid using children with dangerouslySetInnerHTML

no-danger-with-children

Avoid using string references

no-string-refs

Enforce class for returning value in render function

require-render-return

Ensures unique key prop

jsx-no-duplicate-key

Prevent missing key props in iterators/collection literals

jsx-key

Prevent target='_blank' security risks

jsx-no-target-blank

Ruleset ID: python-best-practices Best practices for Python to write efficient and bug-free code.

__bytes__ method should returns bytes, not string

return-bytes-not-string

__slots__ should not be a single string

slots-no-single-string

a function must be defined only once

function-already-exists

a method has the same name than an attribute

method-hidden

assertRaises must check for a specific exception

assertraises-specific-exception

assigning to os.environ does not clear the environment

os-environ-no-assign

Avoid duplicate keys in dictionaries

avoid-duplicate-keys

Avoid invalid assert

invalid-assert

avoid string concatenation

avoid-string-concat

avoid unreachable code

unreachable-code

check equal is used on consistent basic types

equal-basic-types

Class methods should use self as first argument

class-methods-use-self

Do not assign to function arguments

function-variable-argument-name

do not assign to itself

self-assignment

do not compare to True in a condition

no-if-true

do not define an open flag for reading

open-add-flag

do not have arguments with the same name

argument-same-name

Do not have too many nested blocks

nested-blocks

Do not ignore Exception with a pass statement

no-silent-exception

do not modify a dictionary while iterating on it

collection-while-iterating

do not raise base exception

no-base-exception

Do not raise NotImplemented - it does not exists

raising-not-implemented

do not return outside a function

return-outside-function

Do not use a raise statement without a specific exception

no-bare-raise

do not use Any type

any-type-disallow

do not use bare except

no-bare-except

do not use break or continue in finally block

finally-no-break-continue-return

do not use datetime.today()

no-datetime-today

do not use double negation

no-double-not

do not use exit()

no-exit

Do not use for i in range(len(<array>))

no-range-loop-with-len

do not use format string with logging functions

logging-no-format

do not use hasattr to check if a value is callable

use-callable-not-hasattr

do not use operations =+ and =-

no-equal-unary

do not use operator -- and ++

no-double-unary-operator

do not use self as parameter for static methods

static-method-no-self

do not use special method on data class

dataclass-special-methods

do not use too many nested if conditions

too-many-nested-if

do not use too many nested loops and conditions

too-many-while

ensure classes have an __init__ method

init-method-required

ensure exception inherit a base exception

exception-inherit

ensure special methods have the correct arguments

special-methods-arguments

ensure that both __exit__ and __enter__ are defined

ctx-manager-enter-exit-defined

getter/setter must have 1 or 2 arguments respectively

get-set-arguments

if conditions must have different code blocks

condition-similar-block

If using generic exception, it should be last

generic-exception-last

in comparisons, variables must be left

comparison-constant-left

make sure class names are readable

ambiguous-class-name

make sure function names are readable

ambiguous-function-name

make sure variable names are readable

ambiguous-variable-name

module imported twice

import-modules-twice

No return in an __init__ function

init-no-return-value

only one module to import per import statement

import-single-module

strip() argument should not have duplicate characters

invalid-strip-call

TODO and FIXME comments must have ownership

comment-fixme-todo-ownership

use a base class only once

no-duplicate-base-class

use isinstance instead of type

type-check-isinstance

use super() to call the parent constructor

init-call-parent

when an if condition returns an value, else is not necessary

if-return-no-else

Ruleset ID: python-code-style Rules to enforce Python code style.

class name should be CamelCase

class-name

classes must be less than 900 lines

max-class-lines

function name and parameters should use snake_case

function-naming

Functions must be less than 200 lines

max-function-lines

Ruleset ID: python-django Rules specifically for Django best practices and security.

always specify max_length for a Charfield

model-charfield-max-length

Command coming from incoming request

os-system-from-request

Command coming from incoming request

subprocess-from-request

do not specify content-type for JsonResponse

jsonresponse-no-content-type

do not use __unicode__

no-unicode-on-models

do not use NullBooleanField

no-null-boolean

Filename coming from the request

open-filename-from-request

Lack of sanitization of user data

http-response-from-request

use convenience imports whenever possible

use-convenience-imports

use help_text to document model columns

model-help-text

use JsonResponse instead of HttpResponse to send JSON data

http-response-with-json-dumps

Ruleset ID: python-flask Rules specifically for Flask best practices and security.

Do not use template created with strings

no-render-template-string

Do not use text() as it leads to SQL injection

disable-sqlalchemy-text

Make sure cookies are safe and secure

secure-cookie

use jsonify instead of json.dumps for JSON output

use-jsonify

Use of unsanitized data to create processes

os-system-unsanitized-data

Use of unsanitized data to issue SQL queries

sqlalchemy-injection

Use of unsanitized data to make API calls

html-format-from-user-input

Use of unsanitized data to make API calls

ssrf-requests

Use of unsanitized data to open API

urlopen-unsanitized-data

Use of unsanitized data to open file

open-file-unsanitized-data

Your application should not listen on all interfaces

listen-all-interfaces

Ruleset ID: python-inclusive Rules for Python to avoid inappropriate wording in the code and comments.

check comments for wording issues

comments

check function names for wording issues

function-definition

check variable names for wording issues

variable-name

Ruleset ID: python-pandas

A set of rules to check that pandas code is used appropriately.

Ensures import declarations follow coding guidelines.
Avoid deprecated code and methods.
Avoid inefficient code whenever possible.

Avoid using inplace=True

avoid-inplace

Import pandas according to coding guidelines

import-as-pd

prefer iloc or loc rather than ix

loc-not-ix

prefer notna to notnull

notna-instead-of-notnull

prefer read_csv to read_table

use-read-csv-not-read-table

Use arithmetic operator instead of a function

arith-operator-not-functions

Use isna instead of isnull

isna-instead-of-isnull

Use operators to compare values, not functions

comp-operator-not-function

Use pivot_table instead of pivot or unstack

pivot-table

Ruleset ID: python-security

Rules focused on finding security and vulnerability issues in your Python code, including those found in the OWASP10 and SANS25.

Use of bad encryption and hashing protocols
Lack of access control
Security misconfiguration
SQL injections
Hardcoded credentials
Shell injection
Unsafe deserialization

Auto escape should be set to true

jinja-autoescape

avoid deserializing untrusted YAML

yaml-load

Avoid HTML built in strings

html-string-from-parameters

Avoid SQL injections

variable-sql-statement-injection

avoid unsafe function to (de)serialize data

deserialize-untrusted-data

Call of a spawn process without sanitization

os-spawn

Command execution without sanitization

os-system

Do not hardcode temp file or directory

hardcoded-tmp-file

do not let all users write permissions

file-write-others

Do not make http calls without encryption

requests-http

do not pass hardcoded credentials

sql-server-security-credentials

Do not use empty array as default parameter

no-empty-array-as-parameter

Do not use insecure encryption protocols

insecure-ssl-protocols

Do not use insecure functions

insecure-hash-functions

Do not use insecure YAML deserialization

ruamel-unsafe-yaml

Ensure JWT signatures are verified

insecure-jwt

Make sure temporary files are secure

mktemp

no timeout was given on call to external resource

requests-timeout

shell argument leads to unnecessary privileges

subprocess-shell-true

should not bypass certificate verification

ssl-unverified-context

Unsafe execution of shell commands

asyncio-subprocess-create-shell

Unsafe execution of shell commands

asyncio-subprocess-exec

use env vars over hardcoded values

aws-boto-credentials

use of eval can be insecure

no-eval

use secrets package over random package

avoid-random

verify should be True

request-verify

Ruleset ID: rails-best-practices Best practices to write Ruby on Rails code.

Prefer using hash syntax for enums

enums

Prefer using HTTP status code symbols

http-status-code-symbols

Prefer using render plain

plain-text-rendering

Prefer using self over read attribute

read-attribute

Prefer using self over write attribute

write-attribute

Use find_each to iterate over a collection of AR objects

find-each

Ruleset ID: ruby-best-practices Rules to enforce Ruby best practices.

Use `Array()` to ensure your variable is an array

array-coercion

Avoid `DateTime` unless for historical purposes

no-datetime

Avoid array and hash constructor when empty

literal-hash-array

Avoid attr

prevent-attr

Avoid class variables

no-class-var

Avoid explicit use of the case equality operator

no-case-equality

Avoid hash optional paramters

no-optional-hash-params

Avoid slow string concatenation

concat-strings

Avoid standard constants

global-stdout

Avoid string concatenation

string-interpolation

Avoid unnecessary disjunctive assignments in constructor

disjunctive-assign-in-const

Avoid unnecessary uses of `!!`

no-double-negation

Avoid using 'rescue' as a modifier

no-rescue-modifier

Avoid using BEGIN blocks

no-begin-blocks

Avoid using END blocks

no-end-blocks

Avoid using the character literal syntax

no-character-literals

Do not extend Data.define

no-extend-data-define

Do not rescue the Exception class

no-rescue-exception

Do not return from an ensure block

no-return-ensure

Do not suppress exceptions without a comment

no-suppress-exceptions

Do not use :: to define class methods

method-definition-colon

Do not use `then` for multi-line if/unless/when/in

no-then

Do not use eql? for strings

eql-string

Do not use parallel assignment to define variables

parallel-assignment

Do not use trailing underscores in destructuring assignments

trailing-underscore-variables

Do not use unless with else

no-else-with-unless

Enforce using Integer to check the type of an integer number

integer-type-checking

Ensure lambdas have parenthesis around parameters

lambda-parameters

Omit parentheses if a lambda has no parameter

lambda-no-parameter

Omit the rb file extension in a require

no-explicit-rb-to-require

Optional arguments should appear at the end

optional-arguments

Organize methods in modules

top-level-methods

Prefer `%i` to the literal array syntax

percent-i

Prefer `%w` to the literal array syntax

percent-w

Prefer `Time.now` over `Time.new`

time-now

Prefer atomic file operations

atomic-file-operations

Prefer case over if-elsif

case-vs-if-elsif

Prefer equal? over == when comparing object_id

identity-comparison

Prefer is_a? over kind_of?

isa-over-kindof

Prefer proc over Proc.new

proc-over-procnew

Prefer string chars with empty string

string-chars

Prefer until over while for negative conditions

while-with-negatives

Prefer using `warn` over `$stderr.puts`

use-warn

Prefer using hash each_key and each_value

hash-each

Prefer using hash key and value

hash-key

Prefer using iterators over for loops

no-for-loops

Prefer using Kernel#loop with break for post-loop tests

loop-with-break

Prefer using reverse_each

reverse-each

Prevent nested method

no-nested-method

Separate the exception class and the message

exception-class-message-separate

Use &&= to check if a variable may exist

existence-check-shorthand

Use ||= to initialize variables if they are not already

initialization-shorthand

Use double colons only to reference constants

double-colon-method-calls

Use fdiv on two integers float division

float-division

Use fetch to check hash keys

hash-fetch

Use fetch with default over custom check

hash-fetch-default

Use hash literal

avoid-hash-constructor

Use helper functions to read files

file-read

Use helper functions to write files

file-write

Use instance_of? for class comparison

class-comparison

Use Kernel#loop instead of while/until

infinite-loop

Use new syntax when keys are symbols

hash-literals

Use symbols instead of strings for hash keys

symbols-as-keys

Use the method's implicit 'begin'

implicit-begin

Wrap assignment in condition

condition-safe-alignment

Wrap hash literal in braces if last in array

hash-literal-as-last-array-item

You should not inherit from Struct.new

no-extend-struct-new

Ruleset ID: ruby-code-style Code Analysis rules to write Ruby rules that follows established coding standards.

Avoid parentheses for methods without arguments

method-parens

Avoid parentheses when methods take no arguments

method-call-no-args-parens

Avoid using Perl-style special variables

no-cryptic-perlisms

Prefer ranges/between over of complex comparisons

ranges-or-between

Prefer sprintf and form

sprintf

Prefer using `first` and `last` to improve readability

first-and-last

Prefer using Array `join`

array-join

Prefer using ranges for random numbers

random-numbers

Prefer using then over yield_self

yield-self-to-then

Use parentheses with 'super' with arguments

super-with-args

Use predicate methods over explicit comparisons with `==`

predicate-methods

Use self to define class methods

class-methods

Ruleset ID: ruby-inclusive Write inclusive Ruby code

Check class names for wording issues

class-definition

Check comments for wording issues

comments

Check method and parameters names for wording issues

function-definition

Check variable names for wording issues

var-definition

Ruleset ID: ruby-security Rules focused on finding security issues in your Ruby code.

Avoid constantize

rails-avoid-constantize

Avoid content tag

no-content-tag

Avoid create_with bypasses strong parameter protection

create-with

Avoid FTP connections

no-ftp

Avoid hardcoded basic auth with rails

rails-basic-auth

Avoid hardcoded temp files

hardcoded-tmp-file

Avoid html_safe

no-html-safe

Avoid manual template creation

rails-manual-template

Avoid MD5 to generate hashes

no-md5-digest

Avoid Random

avoid-random

Avoid raw, which leads to XSS

rails-avoid-raw

Avoid SHA1 to generate hashes

no-sha1-digest

Avoid SQL injection

sql-injection

Avoid syscall

avoid-syscall

Avoid use of eval

no-eval

Check for potential shell injection

shell-injection

Do not hardcode JWT secrets

jwt-secret-hardcoded

Do not use unsafe deserialization

unsafe-deserialization

Ensure cookies are serialized using JSON

rails-cookies-serializer

Ensure forgery protection is enabled

rails-csrf

Ensure HTML entities are escaped in JSON

rails-escape-json-entities

Ensure JWT are verified

jwt-no-verify

Ensure JWT use an algorithm

jwt-algorithm-none

Ensure RSA keys are large enough

rsa-key-size

Ensure SSL connections are verified

ssl-no-verify

Prevent use of http protocol

no-http

Prevent using YAML functions

yaml-load

Ruleset ID: tsx-react This plugin exports a recommended configuration that enforces React good practices.

Avoid comments from being inserted as text nodes

jsx-no-comment-textnodes

Avoid deprecated methods

no-deprecated

Avoid passing children as props

no-children-prop

Avoid usage of the return value of ReactDOM.render

no-render-return-value

Avoid using children with dangerouslySetInnerHTML

no-danger-with-children

Avoid using string references

no-string-refs

Enforce class for returning value in render function

require-render-return

Ensures unique key prop

tsx-no-duplicate-key

Prevent missing key props in iterators/collection literals

tsx-key

Prevent target='_blank' security risks

tsx-no-target-blank

Ruleset ID: typescript-best-practices Rules to enforce TypeScript best practices.

Avoid assigning a value with type any

no-unsafe-assignment

Avoid assignment operators in conditional expressions

no-cond-assign

Avoid certain types

ban-types

Avoid duplicate constituents of unions or intersections

no-duplicate-type-constituents

Avoid duplicate enum member values

no-duplicate-enum-values

Avoid duplicate keys in object literals

no-dupe-keys

Avoid empty block statements

no-empty

Avoid empty character classes in regular expressions

no-empty-character-class

Avoid empty destructuring patterns

no-empty-pattern

Avoid extra non-null assertions

no-extra-non-null-assertion

Avoid leaving console debug statements

no-console

Avoid negating the left operand of relational operators

no-unsafe-negation

Avoid non-null assertions after an optional chain

no-non-null-optional-chain

Avoid reassigning exceptions in catch clauses

no-ex-assign

Avoid require statements

no-var-requires

Avoid the any type

no-explicit-any

Avoid the use of alert, confirm, and prompt

no-alert

Avoid the use of arguments.caller or arguments.callee

no-caller

Avoid the use of the __iterator__ property

no-iterator

Avoid the use of the __proto__ property

no-proto

Avoid triple slash in favor of ES6 import declarations

triple-slash-reference

Avoid TypeScript namespaces

no-namespace

Avoid unnecessary constraints on generic types

no-unnecessary-type-constraint

Avoid unsafe declaration merging

no-unsafe-declaration-merging

Avoid using delete on variables directly

no-delete-var

Avoid using Javascript in URLs

no-script-url

Avoid variable or function declaration in nested blocks

no-inner-declarations

Check for loop is moving in the right direction

for-direction

Consistent naming for boolean props

boolean-prop-naming

Direct comparison with -0 detected

no-compare-neg-zero

Disallow the use of debugger

no-debugger

Invoking a constructor must use parentheses

new-parens

Prevent the use methods similar to eval()

no-implied-eval

Promise executor cannot be an async function

no-async-promise-executor

Require yield in generator functions

require-yield

Ruleset ID: typescript-browser-security Rules focused on finding security issues in your TypeScript web applications.

Avoid manual sanitization of inputs

manual-sanitization

Check origin of events

event-check-origin

Do not inject unsanitized HTML

react-dangerously-inner-html

Do not modify innerHTML or outerHTML

inner-outer-html

Do not store sensitive data to local storage

local-storage-sensitive-data

Do not use variable for regular expressions

regexp-non-literal

Specify origin in postMessage

postmessage-permissive-origin

Websockets must use SSL connections

insecure-websocket

Ruleset ID: typescript-code-style Rules considered to be best practice for modern TypeScript codebases, but that do not impact program logic. These rules are generally opinionated about enforcing simpler code patterns.

Assigment name should use camelCase

assignment-name

Avoid @ts-<directive> comments

ban-ts-comment

Avoid Array constructors

no-array-constructor

Avoid assignment operators in return statements

no-return-assign

Avoid comparisons where both sides are exactly the same

no-self-compare

Avoid duplicate module imports

no-duplicate-imports

Avoid empty exports that don't change anything

no-useless-empty-export

Avoid equal signs explicitly at the beginning of regex

no-div-regex

Avoid explicit type declarations for variables and params

no-inferrable-types

Avoid if statements as the only statement in else blocks

no-lonely-if

Avoid leading or trailing decimal points in numbers

no-floating-decimal

Avoid new operators outside of assignments or comparisons

no-new

Avoid new operators with the Function object

no-new-func

Avoid non-null assertion in confusing locations

no-confusing-non-null-assertion

Avoid Object constructors

no-new-object

Avoid the declaration of empty interfaces

no-empty-interface

Avoid the use of chained assignment expressions

no-multi-assign

Avoid using TSLint comments

ban-tslint-comment

Class name should be `PascalCase`

class-name

Consistent use of the radix argument using parseInt

radix

Enforce a maximum number of parameters in a function

max-params

Enforce named function expressions

func-names

Enforce the use of === and !==

eqeqeq

Function name should use camelCase or PascalCase

function-naming

Function names must match the name of the assignation

func-name-matching

Method name should use camelCase

method-name

Parameter name should use camelCase

parameter-name

Require consistently using either T[] or Array<T> for arrays

array-type

Require let or const instead of var

no-var

Ruleset ID: typescript-common-security Rules focused on finding security issues in your TypeScript code.

Avoid insecure HTTP requests with Axios

axios-avoid-insecure-http

Do not use external XML entities

xml-no-external-entities

Function argument names should be unique

unique-function-arguments

Ruleset ID: typescript-express Rules specifically for Express.js TypeScript best practices and security.

Avoid allowing access to unintended directories or files

path-traversal

Avoid rendering resource based on unsanitized user input

external-resource

Avoid sending unsanitized user input in response

xss-vulnerability

Avoid setting insecure cookie settings

insecure-cookie

Avoid using a hard-coded secret

hardcoded-secret

Avoid using an insecure Access-Control-Allow-Origin header

insecure-allow-origin

Avoid using unsanitized user input with sendFile

external-filename-upload

Enforce overriding default config

default-session-config

Ensure an isRevoked method is used for tokens

jwt-not-revoked

Express application should use Helmet

missing-helmet

Limit exposure to sensitive directories and files

access-restriction

Server fingerprinting misconfiguration

reduce-server-fingerprinting

Use `https` protocol over `http`

https-protocol-missing

Ruleset ID: typescript-inclusive Rules for TypeScript to avoid inappropriate wording in the code and comments.

Check comments for wording issues

comments

Check declaration names for wording issues

declarations

Check identifier names for wording issues

identifiers

Check parameter names for wording issues

formal-parameters

Ruleset ID: typescript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage.

Avoid `eval` with expressions

detect-eval-with-expression

Avoid Buffer(argument) with non-literal values

detect-new-buffer

Avoid calls to 'buffer' with 'noAssert' flag set

detect-buffer-noassert

Avoid command injection

command-injection

Avoid DES and 3DES

avoid-des

Avoid instances of 'child_process' and non-literal 'exec()'

detect-child-process