SAST ルール

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST ルール

概要

Datadog Static Code Analysis は、コードベースにおけるセキュリティ脆弱性、バグ、保守性の問題を検出するのに役立つ、すぐに使えるルールを提供します。詳細はセットアップドキュメントを参照してください。

Ruleset ID: csharp-best-practices C# のベストプラクティスを強制するルール。

Avoid calling GC.SuppressFinalize()

avoid-call-gc-suppress-finalize

Avoid conditions that are always true

condition-always-true

Avoid empty catch sections

no-empty-catch

Avoid empty finalizer

no-empty-finalizer

Avoid exceptions in finalizers

finalizer-no-exception

Avoid FormattableString

avoid-formattablestring

Avoid keywords as variables names

variable-names

Avoid nested operators

no-nested-ternary

Avoid NotImplementedException

avoid-notimplementedexception

Avoid protected members in sealed class

sealed-class-protected-members

Avoid redundant modifiers

redundant-modifiers

Avoid StartsWith or EndsWith with one character

strings-with-one-char

Avoid Thread.sleep in tests

no-sleep-in-tests

Avoid using a public contructor for an abstract class

public-abstract-constructors

Avoid using GC.Collect

avoid-gc-collect

Avoid using goto statements

avoid-goto-use

Check language of DiagnosticAnalyzer

diagnostic-analyzer-language

Check type of interface with DynamicInterfaceCastable

dynamic-interface-castable

Checks for always-true expressions on collections and arrays

unnecessary-length-count-check

Class should be static

static-class

Classes with Dispose() should implement IDisposable

disposable-interface

Detects improper usage of void return in an async method

async-task-not-void

Dispose objects at most once

dispose-objects-once

Do not assign a variable to itself

no-self-assign

Do not compare with NaN

comparison-nan

Do not lock on on publicly accessible instance

locking-public-instances

Do not rethrow exception

do-not-rethrow

Do not throw exceptions in special methods

no-exception-special-methods

Do not throw generic exceptions

use-specific-exceptions

Do not use ConfigureAwaitOptions.SuppressThrowing with Task

suppressthrowing

Do not use operators that do not exists

avoid-non-existing-operators

Do not use Optional on ref or out. parameters

optional-ref-out

Do not use OutAttribute on string parameters for P/Invokes

outattr-on-pinvoke

Do not use ReferenceEquals with value types

reference-equals-value-types

Do not use stackalloc in loops

stackallow-loops

Do not use TaskContinuationOptions

incorrect-complete-options

Do not use the same operator twice

no-double-operators

Document comments should reference existing parameters

reference-documentation-comment

Enforce correct TSelf parameter usage

ensure-self-type-parameter

Enforce Guid parameter initialization

use-proper-new-guid

Enforces an int operand on bitwise and shift operations

bitwise-right-operand-int

Enforces that base is object when using base.Equals

base-equals

Ensure code coverage exclusions are justified

coverage-justification

Ensure correct usage of ConstantExpected

constant-expected

Ensure objects are used

objects-ensure-use

Ensures that a ThreadStatic field is not initialized

do-not-initialize-threadstatic

Ensures ThreadStatic fields are marked static

ignored-threadstatic

Exceptions must be thrown

exception-must-be-thrown

Exceptions should be made public

exceptions-public

IndexOf function should check the first character

indexof-checks

Prefer is keyword over as

is-instead-of-as

Prevent catching NullReference

catch-nullreference

Prevent empty default cases

no-empty-default

Prevents the return of an IDisposable from a using statement

using-idisposable-return

Prevents using `==` and `!=` operators on floats and doubles

float-equality

Return a Task and not `null`

completed-task-not-null

Set MaxResponseHeadersLength to a reasonable size

maxresponseheaderslength-size

Specify how attributes are used

attributeusage

Suggest using string's indexer property over toCharArray()

redundant-tochararray

Test method name should follow conventions

test-method-names

ToString() should never return `null`

tostring-not-return-null

Use Assembly.Load

use-assembly-load

Use AsSpan instead of range-based indexers for string

asspan-instead-of-range

Use Contains for simple equality

contains-not-any

Use Contains to check if a string contains something

indexof-contains

Use StartsWith Instead of IndexOf

startswith-instead-of-indexof

Use StringComparison to compare strings

stringcomparison

Validate platform capatibility

platform-compatibility

Warns on class private constructors that are dead code

class-no-private-constructors

When inheriting exception, implement all constructors

exception-constructors

XML Documentation comments should have a summary

summary-documentation-comment

Ruleset ID: csharp-code-style C# のコードスタイルを強制するルール。

Avoid prefix boolean returning method with `get`

boolean-get-method-name

Avoid short class names

short-class-name

Avoid short method names

short-method-name

Avoid short variable names

short-variable

Follow class naming conventions

class-naming-conventions

Follow variable naming conventions

variable-naming-conventions

Interface names should start with I

interface-first-letter

Ruleset ID: csharp-inclusive C# コードをよりインクルーシブにするためのルール。

Check class definition language

class-definition

Check function definition language

method-definition

Check variable assignment language

variable-assignment

Ensure comment wording is inclusive

comments

Ruleset ID: csharp-security C# コードのセキュリティ上の問題の検出に特化したルール。

Avoid external input controlling reflection

no-unsafe-reflection

Avoid path traversal

path-traversal

Avoid predictable IV

predictable-iv

Avoid pseudo-random numbers

no-pseudo-random

Avoid temporary hardcoded files

no-hardcoded-tempfile

Avoid unsafe blocks

avoid-unsafe

Avoid unsafe CORS headers

unsafe-cors

Avoid unsafe temporary file creation

unsafe-temp-file

Avoid using protocols without SSL

avoid-unencrypted-protocols

Avoid weak hash algorithms

weak-hash-algorithms

Detect an XPath input from an HTTP request

xpath-injection

Do not bypass certificates validation

check-server-ssl-sertificates

Do not define env vars from user input

untrusted-env-var

Do not use a predictable salt

no-predictable-salt

Do not use BinaryFormatter as it is insecure and vulnerable

avoid-binary-formatter

Do not use weak ciphers

weak-cipher

Do not use weak SSL protocols

weak-ssl-protocols

Enforce trust boundaries

trust-boundaries

Ensure cookies have the secure flag

cookie-http-only

Ensure cookies have the secure flag

cookie-secure-flag

Filter large requests

request-length

JWT must always be verified

jwt-verify

Prevent LDAP injection

ldap-injection

Prevent shell injection

shell-injection

Prevent SQL queries built from strings

sql-injection

Prevent XSS attacks

xss-protection

Prevent XXE attack from XML parser

avoid-xml-xxe

Request validation should not be disabled

disable-request-validation

Unintended property updates expose sensitive data

avoid-autobinding

Use standard crypto algorithms

use-standard-crypto

Ruleset ID: docker-best-practices Docker の使用に関するベストプラクティス。

Always pin versions in apt-get install

apt-pin-version

Always pin versions with pip

pip-pin-versions

Always tag the version of an image

tag-image-version

Always use -y with apt-get install

apt-get-yes

Always use -y with dnf install

dnf-use-y

Always use -y with yum install

yum-use-y

Always use -y with zypper install

zypper-use-y

Avoid commands not made for containers

avoid-commands-not-relevant

Avoid fetching data from HTTP endpoint

avoid-http

Avoid privilege escalation via setuid or setgid

no-new-privileges

Avoid service with writable filesystem

service-writable-filesystem

COPY cannot reference the FROM alias

copy-reference-from

COPY with more than 2 args must end with /

copy-end-slash

Do not expose sensitive ports

expose-admin-ports

Do not give wide permissions on files

avoid-chmod-777

Do not refer to an environment variable within the same ENV

env-no-refer-envvar

Do not use cache when installing packages

pip-no-cache

Do not use latest tag

no-latest-tag

Do not use multiple CMD

multiple-cmd

Do not use multiple ENTRYPOINT

multiple-entrypoint

Do not use multiple HEALTHCHECK

multiple-healthcheck

Do not use no-install-recommends

apt-get-no-install-recommends

Dockerfiles should specify a base image

no-from-image

Expose a valid UNIX port number

expose-valid-port

First instruction should be ARG or FROM

first-instruction

FROM aliases must be unique

alias-must-be-unique

FROM or MAINTAINER cannot be triggered within ONBUILD

onbuild-allowed-actions

Last user should not be root

no-root-user

Run yarn clean after yarn install

yarn-clean

The maintainer entry is deprecated

maintainer-deprecated

Use -l with useradd

useradd-l-flag

Use absolute paths or. use WORKDIR to switch directories

use-absolute-paths

Use absolute workdir

absolute-workdir

Use COPY instead of ADD

avoid-add-use-copy

Use either wget or curl but not both

curl-or-wget

Use only an allowed registry in the FROM image

only-use-allowed-registry

Use SHELL to change the default shell

change-default-shell

Ruleset ID: elixir-security

A rule against functions that may have vulnerabilities.

unsafe-functions

Avoid weak hash algorithms.

weak-hash-algorithms

Ruleset ID: github-actions GitHub Actions をチェックし、権限やバージョン固定などの危険なパターンを検出するルール。

Dangerous GitHub Actions trigger

dangerous-trigger

Script injection through user controlled values

script-injection

Unspecified workflows level permissions

permissions

Workflow depends on unpinned GitHub Actions

unpinned-actions

Ruleset ID: go-best-practices Go コードの記述をより高速かつ容易にするためのルール。コードスタイルからバグ防止まで、開発者が高性能で、保守性と効率性に優れた Go コードを書くのを支援します。

Avoid bare returns

avoid-bare-return

Avoid calling the GC directly

avoid-call-to-gc

Avoid custom time format

time-parse-format

Avoid empty critical sections

avoid-empty-critical-sections

Avoid invalid regular expression

valid-regular-expression

Avoid manual string trimming

manual-string-trimming

Avoid negative zero

negative-zero

Avoid redundant nil check

redundant-nil-check

Avoid regexp.Match in a loop

loop-regexp-match

Avoid select statement with one case

single-case-select

Avoid superfluous else

superfluous-else

Avoid useless bit operations

useless-bitwise-operation

Bad nil guard

bad-nil-guard

Call the context cancellation function

context-cancelable

Check to prevent a length less than 0

check-len

Common invalid host-port pairs

invalid-host-port-pair

Declare and assign variables in one statement

merge-declaration-assignment

Detects if `m.Run()` was actually called in `TestMain`

missing-run-in-test

Do not check address to nil

comparing-address-nil

Do not compare to true

comparison-true

Do not copy a slice in a for loop

replace-loop-copy

Do not defer Lock

defer-lock

Do not modify function parameter

modify-parameter

Do not redefine built-in ID

redefine-builtin-id

Do not use append for assignment

equivalent-append

Do not use bytes.SplitN or bytes.SplitAfterN with limit < 0

bytes-splitn

Do not use Printf with Sprintf

printf-sprintf

Do not use redundant negation

redundant-negation

Do not use strings.Split[After]N with negative limit

strings-splitn

Don't put time units in Duration variables

duration-variable-names

Dot imports should be avoided

avoid-dot-imports

Errors should be named errFoo or ErrFoo

err-prefixed-with-err

Expand math.Pow calls

math-pow-expansion

fmt.Sprintf("%s", var) should not be used if var is a string

simplify-sprintf-with-string

Functions prefixed by get should return something

get-return

Functions returning boolean should not use prefix get

boolean-get-function-name

Inefficient string comparison

inefficient-string-comparison

Invalid seek value

invalid-seek-value

Invalid signal being trapped

signal-trapped

No need to check for nil before a loop

avoid-nil-check-loop

No value is equal to NaN

do-not-compare-nan

Omit default slices

omit-default-slice-index

Omit redundant type declaration

redundant-type-var-declaration

os.FileMode value appears it should be in octal

non-octal-os-filemode

Prevent empty default case for select without condition

for-select-default-empty

Prevent identical comparison

compare-identical

Prevent self-assignment of variables

self-assignment

Prevent using escapes in regular expression

regexp-raw-string

Put constants and values on the right

avoid-yoda-conditions

Regexp FindAll with n=0 returns nothing

regexp-zero-results

Remove unnecessary blank identifiers

unnecessary-blank-identifier

Replace var % 1 by 0

mod-one-always-zero

Replace w.Write([]byte(fmt.Sprintf())) with fmt.Fprintf()

use-fprintf-when-possible

Simplify boolean expression

simplify-boolean-expression

Simplify make and avoid 0 as second argument

simplify-make

Simplify pointer operation

simplify-pointer-operation

Sleep is in nanoseconds by default; verify short sleep

verify-short-sleep

strings.Replace with 0 does not do anything

strings-replace-zero

The Context should be the first argument in a function

context-first-argument

The default case of a switch should be first or last

switch-default-first-or-last

Use append to concatenate slices

concatenate-slices

Use bytes.Equal instead of bytes.Compare

bytes-compare-equal

Use bytes.ReplaceAll instead of bytes.Replace

bytes-replaceall

Use fmt.Errorf instead of errors.New with fmt.Sprintf

errors-new-errorf

Use Since() instead of Now().Sub()

time-now-sub

Use strings.Contains instead of strings.Index with -1

strings-index-contains

Use strings.ReplaceAll instead of strings.Replace

strings-replaceall

Verify that duplicate imports are necessary

duplicate-imports

Ruleset ID: go-inclusive Go コードの言い回しの問題をチェックするルール。

Use inclusive language in comments

comments

Use inclusive language in function declarations

function-declaration

Use inclusive language in type declarations

types

Use inclusive language in variable names

variables

Ruleset ID: go-security Go のコードベースで一般的なセキュリティ上の問題 (SQL インジェクション、XSS、シェルインジェクションなど) を検出するルール。

Avoid command injection

command-injection

Avoid formatted string in templates

unescape-template-data-js

Avoid hardcoded temporary file

tempfile-creation

Avoid HTTP functions without timeouts

http-support-timeout

Avoid insecure GRPC connection

grpc-client-insecure

Avoid insecure GRPC server

grpc-server-insecure

Avoid leaking data to a logger

error-leakage

Avoid manually built SQL queries

sql-format-string

Avoid SetString() from big.Rat

avoid-rat-setstring

Binding to 0.0.0.0 opens up the application to all traffic

do-not-bind-all-interfaces

Calling hmac.New with unchanging hash.New

hmac-needs-new

CGI is outdated

import-cgi

DES and Triple DES are now insecure

import-des

Do not build SQL queries with string concatenations

sql-string-concatenation

Do not bypass HTML escaping with ResponseWriter

responsewriter-no-fprintf

Do not create a directory with write permissions for all

mkdir-permissions

Do not create a file with too much permissions

write-file-permissions

Do not ignore SSH host validation

ssh-ignore-keys

Do not use insecure ciphers

tls-cipher

Do not use tainted URL

taint-url

Do not use telnet without encryption

telnet-request

Ensure JWT use a secure algorithm

jwt-algorithm

Ensure MinVersion is defined for TLS client

ssl-min-version

Ensure TLS verification

tls-skip-verify

Ensure we use https://

http-request-secure

File permissions

chmod-permissions

Math/rand random number generation is insecure

math-rand-insecure

Odd hash.Sum call flow

hashsum

Prevent decompression bomb

decompression-bomb

Prevent Memory Aliasing

range-memory-aliasing

Prevent XSS injection by setting HttpOnly to false

session-http-only

Prevent XSS injection by setting HttpOnly to true

cookie-http-only

RC4 encryption is now insecure

import-rc4

RSA keys should have a minimum of 2,048 bits

minimum-rsa-key-length

Session must be secure

cookie-secure

Session must be secure

session-secure

SSLv3 is not secure and should be avoided

ssl-v3-insecure

The md5 hashing algorithm is insecure

import-md5

The SHA-1 algorithm family is no longer secure

import-sha1

Unsafe reflection

unsafe-reflection

Ruleset ID: java-best-practices Java のベストプラクティスを強制するルール。

Avoid Calendar class use

avoid-calendar-creation

Avoid creating FileStream directly

avoid-filestream

Avoid declaring a field type as MessageDigest

avoid-message-digest-field

Avoid instantiating strings

avoid-string-instantiation

Avoid reassigning parameters

avoid-reassigning-parameters

Avoid redundant initialization

redundant-initializer

Avoid switch with very few branches

switch-few-branches

Avoid using printStackTrace()

avoid-printstacktrace

Avoid using specific implementation types

loose-coupling

Default label should be last in a switch

default-label-not-last-in-switch

Do not add an empty string

add-empty-string

Do not append char as strings

sb-append-char

Do not return internal array

return-internal-array

Do not use a string with only one character

indexof-char

Do not use StringBuffer or StringBuilder as a class field

string-buffer-field

Don't reassign a catch variable

avoid-reassigning-catch-vars

Loops can be simplified or removed

while-loop-with-literal-boolean

Preserve the thrown stack trace

preserve-stack-trace

Replace Vector with List

replace-vector-with-list

Separate lines for each field declaration

one-declaration-per-line

Should clone array

array-is-stored-directly

Should use Map instead of Hashtable

replace-hashtable-with-map

Switch statements should have a default case

missing-switch-statement-default

Test assertions for booleans can be simplified

simplify-test-assertions-boolean

Test assertions using equals comparison can be simplified

simplify-test-assertions-equals

Test assertions using null comparison can be simplified

simplify-test-assertions-null

Test assertions using operator comparison can be simplified

simplify-test-assertions-ops

The literals should be first in String comparisons

literals-first-in-comparison

Too many control variables in for loop

forloop-variable-count

Use asList to create a list from array

arrays-aslist

Use StringBuffer to concatenate strings

use-stringbuffer

Ruleset ID: java-code-style Java のコードスタイルを強制するルール。

Avoid negation in your ternary operation

confusing-ternary

Avoid prefix boolean returning method with `get`

boolean-get-method-name

Avoid unnecessary object extend

extends-object

Avoid useless final type in interface method

final-param-in-abstract-method

Avoid using dollar signs in variable names

avoid-dollar-signs

Avoid using Java native code

avoid-using-native-code

Avoid using protected field in final class

avoid-protected-in-final-class

Consider calling super in constructor

call-super-in-constructor

Enforce a naming convention for any type of class

class-naming-conventions

Enforce generic naming standards

generics-naming

Enforce using control statement brackets

control-statement-braces

Enforce using the LocalHome suffix for Session EJB

local-home-naming-convention

Package names should not contain uppercase characters

package-case

Simplify for loops for while loops

for-loop-should-be-while-loop

Ruleset ID: java-inclusive コードやコメントにおける不適切な表現を避けるための Java 向けのルール。

Check class definition language

class-definition

Check function definition language

function-definition

Check variable assignment language

variable-assignment

Ruleset ID: java-security Java コードのセキュリティ上の問題の検出に特化したルール。

Avoid DES keys

keygenerator-avoid-des

Avoid LDAP injections

ldap-injection

Avoid NullCipher

avoid-null-cipher

Avoid overly permissive CORS

permissive-cors

Avoid SQL injection

sql-injection

Avoid TrustStrategies that trust certificates blindly

no-trust-strategy

Avoid unsafe deserialization

json-unsafe-deserialization

Avoid user-generated class names for reflection

unsafe-reflection

Avoid user-input file

spring-request-file-tainted

Bad hexadecimal concatenation

bad-hexa-concatenation

Blowfish should use a large key

blowfish-short-key

Cookies HTTP only

cookies-http-only

Cookies should not have a long expiration

cookies-persistence

DefaultHttpClient with default constructor is not secure

default-http-client-def-cons

Detect an XPath input from an HTTP request

tainted-xpath

Do not disable CSRF

spring-csrf-disable

Do not give write access to others

files-permissions

Do not use a pseudo-random number to generate a secret

no-pseudo-random-secret

Do not use custom digest

message-digest-custom

Do not use DES

no-des-cipher

Do not use unvalidated request

unvalidated-redirect

Do not use weak crypto algorithm

crypto-algorithm

Do not use weak SSL context

ssl-context

ECB mode is insecure

aes-ecb-insecure

ECB mode is insecure

cipher-padding-oracle

Enforce trust boundaries

trust-boundaries

Ensure cookies have the secure flag

cookies-secure-flag

HostnameVerifier should check certificates

hostname-verifier-true

Ignore SAML comments

ignore-saml-comment

MD2, MD4, and MD5 are weak hash functions

weak-message-digest-md5

No hardcoded secret with algorithm methods

algorithm-no-hardcoded-secret

Potential code injection when using GroovyShell

groovyshell-code-injection

Potential code injection when using Spring Expression

spring-expression-injection

Potential path traversal from request

path-traversal-file-read

Prefer SecureRandom over Random

avoid-random

Prevent command injection

command-injection

Prevent deserialization

object-deserialization

Prevent HTTP parameter pollution

http-parameter-pollution

Prevent LDAP Entry Poisoning

ldap-entry-poisoning

Prevent path traversal

path-traversal

Prevent SSRF

tainted-url-host

Prevent XSS attacks

xss-protection

RSA should use a long key

rsa-short-key

RSA with no padding is insecure

no-rsa-no-padding

Secret should not be hardcoded in code

hardcoded-crypto-key

SHA-1 is a weak hash function

weak-message-digest-sha1

SMTP server identify must be enforced

smtp-insecure-connection

Spring CSRF unrestricted RequestMapping

spring-csrf-requestmapping

SQL injection in BasePeer

sql-injection-turbine

SQL injection in Hibernate

sql-injection-hibernate

SQL injection in SqlUtil.execQuery

potential-sql-injection

Use a randomly-generated IV

random-iv

Use of socket on HTTP port

unencrypted-socket

XML parsing vulnerable to XEE

xml-parsing-xee

XML parsing vulnerable to XXE for SAX Parsers

xml-parsing-xxe-saxparser

XML parsing vulnerable to XXE for TransformerFactory

xml-parsing-xxe-transformer

XML parsing vulnerable to XXE for XML Reader

xml-parsing-xxe-xmlreader

XML parsing vulnerable to XXE for XPath

xml-parsing-xxe-xpath

Ruleset ID: javascript-best-practices JavaScript のベストプラクティスを強制するルール。

Avoid assignment operators in conditional expressions

no-cond-assign

Avoid bind calls that are unnecessary

no-unnecessary-bind

Avoid constructors that do nothing or only call super

no-useless-constructor

Avoid default parameters before normal parameters

default-param-last

Avoid direct comparison with NaN

use-isnan

Avoid duplicate case labels

no-duplicate-case

Avoid duplicate class members

no-dupe-class-members

Avoid duplicate keys in object literals

no-dupe-keys

Avoid empty block statements

no-empty

Avoid empty character classes in regular expressions

no-empty-character-class

Avoid empty destructuring patterns

no-empty-pattern

Avoid leaving console debug statements

no-console

Avoid lexical declarations in case clauses

no-case-declarations

Avoid negating the left operand of relational operators

no-unsafe-negation

Avoid new statements with the Symbol object

no-new-symbol

Avoid reassigning exceptions in catch clauses

no-ex-assign

Avoid the use of alert, confirm, and prompt

no-alert

Avoid the use of arguments.caller or arguments.callee

no-caller

Avoid the use of the __iterator__ property

no-iterator

Avoid the use of the __proto__ property

no-proto

Avoid throwing literals instead of an object or error type

no-throw-literal

Avoid unnecessary classes containing only static members

no-unnecessary-class

Avoid unnecessary if-else chains that only returns a boolean

no-if-else-return

Avoid unnecessary jump statements

no-useless-jumps

Avoid unnecessary ternary operations that return a boolean

no-unnecessary-ternary

Avoid unused expressions

no-unused-expressions

Avoid using delete on variables directly

no-delete-var

Avoid using JavaScript in URLs

no-script-url

Avoid using octal literals to prevent unexpected behavior

no-octal

Avoid variable or function declaration in nested blocks

no-inner-declarations

Check for loop is moving in the right direction

for-direction

Compare typeof expressions against valid strings

valid-typeof

Direct comparison with -0 detected

no-compare-neg-zero

Disallow reassigning const variables

no-const-assign

Disallow reassigning function declarations

no-func-assign

Disallow the use of debugger

no-debugger

Disallow unreachable code

no-unreachable

Ensure you don't use promises without `await`ing them first.

promise-await

Function parameters redeclared

no-dupe-args

Invoking a constructor must use parentheses

new-parens

Prefer an optional chain instead of chaining operators

prefer-optional-chain

Prefer using an object spread over `Object.assign`

prefer-object-spread

Prevent assigning to imported bindings

no-import-assign

Prevent the use methods similar to eval()

no-implied-eval

Promise executor cannot be an async function

no-async-promise-executor

Require yield in generator functions

require-yield

The with statement can lead to ambiguous code

no-with

Ruleset ID: javascript-browser-security JavaScript Web アプリケーションのセキュリティ上の問題の検出に特化したルール。

Avoid manual sanitization of inputs

manual-sanitization

Check origin of events

event-check-origin

Do not inject unsanitized HTML

react-dangerously-inner-html

Do not modify innerHTML or outerHTML

inner-outer-html

Do not store sensitive data to local storage

local-storage-sensitive-data

Do not use variable for regular expressions

regexp-non-literal

Specify origin in postMessage

postmessage-permissive-origin

Websockets must use SSL connections

insecure-websocket

Ruleset ID: javascript-code-style JavaScript のコードスタイルを強制するルール。

Assignment name should use camelCase

assignment-name

Avoid Array constructors

no-array-constructor

Avoid assignment operators in return statements

no-return-assign

Avoid comparisons where both sides are exactly the same

no-self-compare

Avoid duplicate module imports

no-duplicate-imports

Avoid equal signs at the beginning of regular expressions

no-div-regex

Avoid if statements as the only statement in else blocks

no-lonely-if

Avoid leading or trailing decimal points in numbers

no-floating-decimal

Avoid new operators outside of assignments or comparisons

no-new

Avoid new operators with the Function object

no-new-func

Avoid Object constructors

no-new-object

Avoid the use of chained assignment expressions

no-multi-assign

Class name should be `PascalCase`

class-name

Enforce a maximum number of parameters in a function

max-params

Enforce named function expressions

func-names

Enforce the use of === and !==

strict-equals

Function name should use camelCase or PascalCase

function-naming

Function names must match the name of the assignation.

func-name-matching

Method name should use camelCase

method-name

Parameter name should use camelCase

parameter-name

Require let or const instead of var

no-var

Specify the base to parse numbers in

radix

Ruleset ID: javascript-common-security JavaScript コードのセキュリティ上の問題の検出に特化したルール。

Avoid insecure HTTP requests with Axios

axios-avoid-insecure-http

Do not use external XML entities

xml-no-external-entities

Function argument names should be unique

unique-function-arguments

Ruleset ID: javascript-express Express.js のベストプラクティスとセキュリティ向けのルール。

Avoid allowing access to unintended directories or files

path-traversal

Avoid rendering resource based on unsanitized user input

external-resource

Avoid sending unsanitized user input in response

xss-vulnerability

Avoid setting insecure cookie settings

insecure-cookie

Avoid using an insecure Access-Control-Allow-Origin header

insecure-allow-origin

Avoid using unsanitized user input with sendFile

external-filename-upload

Enforce overriding default config

default-session-config

Ensure an isRevoked method is used for tokens

jwt-not-revoked

Express application should use Helmet

missing-helmet

Limit exposure to sensitive directories and files

access-restriction

Server fingerprinting misconfiguration

reduce-server-fingerprinting

Use `https` protocol over `http`

https-protocol-missing

Ruleset ID: javascript-inclusive コードやコメントにおける不適切な表現を避けるための JavaScript 向けのルール。

Check comments for wording issues

comments

Check declaration names for wording issues

declarations

Check identifier names for wording issues

identifiers

Check parameter names for wording issues

formal-parameters

Ruleset ID: javascript-node-security Node における潜在的なセキュリティホットスポットを特定するルール。追加のトリアージを要する誤検知が含まれる場合があります。

Avoid `eval` with expressions

detect-eval-with-expression

Avoid Buffer(argument) with non-literal values

detect-new-buffer

Avoid calls to 'buffer' with 'noAssert' flag set

detect-buffer-noassert

Avoid command injection

command-injection

Avoid DES and 3DES

avoid-des

Avoid hardcoded HMAC keys

hardcoded-hmac-key

Avoid instances of 'child_process' and non-literal 'exec()'

detect-child-process

Avoid logging sensitive data

log-sensitive-data

Avoid RC4

avoid-crypto-rc4

Avoid require with non-literal values

detect-non-literal-require

Avoid SHA1 security protocol

avoid-crypto-sha1

Avoid SQL injection

sql-injection

Avoid SQL injections

variable-sql-statement-injection

Avoid variables in 'fs' calls filename argument

detect-non-literal-fs-filename

Avoid weak hash algorithm from CryptoJS

crypto-avoid-weak-hash

Detects hardcoded JWT tokens within the codebase.

detected-jwt-token

Detects non-literal values in regular expressions

detect-non-literal-regexp

Do not give 777 permissions to a file

chmod-permissions

Do not put sensitive data in objects

jwt-sensitive-data

Do not use weak hash functions

insecure-hash

Use default encryption from the JWT library

jwt-weak-encryption

Use strong security mechanisms with argon2

argon2

Ruleset ID: jsx-react このプラグインは React のベストプラクティスを強制する recommended 構成をエクスポートします。

A list component should have a key to prevent re-rendering

list-component-needs-key

Avoid comments from being inserted as text nodes

jsx-no-comment-textnodes

Avoid deprecated methods

no-deprecated

Avoid duplicate properties in JSX

jsx-no-duplicate-props

Avoid nested components

no-nested-components

Avoid passing children as props

no-children-prop

Avoid usage of the return value of ReactDOM.render

no-render-return-value

Avoid using children with dangerouslySetInnerHTML

no-danger-with-children

Avoid using string references

no-string-refs

Avoid using the initial state variable in setState

setstate-same-var

Do not use array indexes for a list component's key

list-component-no-index

Do not use positive values for a span's tabIndex attribute

no-tabindex-positive

Do not use this in functional components

no-this-in-component

Enforce class for returning value in render function

require-render-return

Ensures unique key prop

jsx-no-duplicate-key

Fragments should not be used when there is 1 child

no-redundant-fragments

Headings must be accessible

no-unaccessible-heading

Prevent missing key props in iterators/collection literals

jsx-key

Prevent target='_blank' security risks

jsx-no-target-blank

React hooks should be called correctly

improper-hook-call

React's useState should not be directly called

usestate-direct-usage

Ruleset ID: kotlin-best-practices Kotlin のベストプラクティスを強制するルール。

A Kotlin (script) file should not be empty.

no-empty-file

An empty parentheses block before a lambda is redundant.

parens-before-trailing-lambda

Class bodies should not be empty

no-empty-class-bodies

Class names should be upper camel case

class-naming

Enforce final newline

final-newline

Enforce if/else expressions to use braces

if-else-bracing

Enforce modifier ordering

modifier-order

Enforce not returning Unit type

no-unit-return

Enforce packing naming convention

package-naming

Function names should be camel case

function-naming

No wildcard imports

no-wildcard-import

Ruleset ID: kotlin-code-style Kotlin のコードスタイルを強制するルール。

All arguments should be on separate lines or the same line.

argument-list-wrapping

Annotated declarations should be visually separated

annotation-blank-line

Avoid comments directly within Kotlin type parameters

type-parameter-comment

Avoid extra spaces inside Kotlin angle brackets

angle-bracket-spacing

Avoid very short function names

function-name-min-length

Braces required for multiline for, while, and do statements.

multiline-loop

Braces required for multiline if or if/else statements.

multiline-if-else

Enforce annotation separation

annotation-spacing

Enforce block comment alignment

block-comment-formatting

Enforce brace spacing for lambdas

brace-spacing

Enforce comment placement in class parameter

class-parameter-comment

Enforce comment placement in type argument

type-argument-comment

Enforce comment placement in value argument

value-argument-comment

Enforce consistent newline usage

no-consecutive-blank-lines

Enforce consistent spacing around colon

colon-spacing

Enforce correct block comment usage

no-consecutive-comments

Enforce extension function spacing

extension-function-spacing

Enforce function return type spacing

function-return-type-spacing

Enforce function type spacing

function-type-modifier-spacing

Enforce line comment spacing

comment-spacing

Enforce nullable type spacing

nullable-type-spacing

Enforce proper spacing for declarations with comments

comment-declaration-spacing

Enforce range operator spacing

range-spacing

Enforce single line if statement styling

if-else-wrapping

Enforce spacing after the fun keyword

function-keyword-spacing

Enforce spacing around double colons

double-colon-spacing

Enforce unary operator spacing

unary-operator-spacing

Enums should be a single line or one entry per line.

enum-wrapping

Kotlin enum entries must follow naming conventions

enum-entry-naming

Line cannot exceed default max length

max-line-len

No blank lines at the start of a class

no-empty-lead-line-class

No leading empty lines in method blocks

no-empty-lead-line-method

Prevents line break before assignment operator

no-line-break-before-assignment

Statements should not be on same line as curly brace

statement-wrapping

Use an EOL comment over a single line block comment

no-single-line-block-comment

Ruleset ID: kotlin-security Kotlin コードのセキュリティ上の問題の検出に特化したルール。

Always validate SSL/TLS certificates

verify-ssl-certificates

Always verify SSL/TLS hostnames when validating certificates

verify-ssl-hostname

Avoid building paths from untrusted data

avoid-path-traversal

Avoid hardcoding secrets in JWT signing algorithms

no-hardcoded-secret

Avoid pseudo-random numbers

no-pseudo-random

Avoid unsafe 'none' algorithm when creating JWTs

secure-jwt-algorithm

Avoid unsafe CORS headers

no-unsafe-cors

Avoid using deprecated HTTP clients

ensure-modern-httpclient

Avoid using runtime finalizers on exit

no-finalizers-on-exit

Avoid using user input for runtime commands

avoid-runtime-injection

Create new IVs for every counter mode encryption operation

no-iv-reuse

Cryptographic key generation must use strong key sizes

ensure-strong-keysizes

Do not use a predictable salt

no-predictable-salt

Enforce secure TLS version

enforce-secure-tls

Ensure cookies have the secure flag

cookie-http-only

Ensure network sockets use SSL/TLS encryption

ensure-secure-socket

LDAP connections must use explicit user credentials

avoid-anonymous-ldap

Prevent SQL queries built from strings

sql-injection

Prevent XXE attack from XML parser

avoid-xml-xxe

Use strong cipher algorithms instead of deprecated ones

avoid-weak-ciphers

Ruleset ID: php-best-practices コードスタイルの改善、バグ防止、高性能・保守性・効率性に優れた PHP コードの実現のために、PHP のベストプラクティスを強制するルール。

Assignments within subexpressions reduce code clarity

subexpression-assignment

Avoid empty blocks

avoid-empty-blocks

Avoid nested ternary expressions

no-nested-ternary

Avoid reassigning parameters as it's bug prone

avoid-reassigning-parameters

Do not assign a variable to itself

no-self-assign

Do not silence errors, they should not be ignored

avoid-silencing-errors

Do not throw generic exceptions

use-specific-exceptions

Do not use operators that don't exist

avoid-non-existant-operators

Do not use the same operator twice

no-double-operators

Ensure loop references are unset after the loop

unset-loop-references

Exceptions must be thrown

exception-must-be-thrown

If conditions should have different code blocks

condition-similar-block

Methods should explicitly declare their visibility

explicit-method-visibility

Prefer using require_once or include_once

prefer-require-include-once

References in a static method should prefer static over self

prefer-static-reference

Use str_replace when a regex is unnecessary

unnecessary-preg-replace

Ruleset ID: php-code-style PHP のコードスタイルを強制するルール。

All code should be reachable, dead code should be avoided

no-unreachable

Avoid illogical comparisons with count

illogical-count-compare

Avoid short class names

short-class-name

Avoid short method names

short-method-name

Avoid short variable names

short-variable-name

Avoid useless statements in code

useless-statement

Avoid using undefined exceptions

undefined-exception

Bad null guards can cause null pointer dereferences

bad-null-guard

Do not use this in a static method

no-this-static

Ensure newly created objects are used

objects-ensure-use

Separate lines for each declaration

single-var-declaration

Ruleset ID: php-security PHP コードのセキュリティ上の問題の検出に特化したルール。

Avoid building paths from unsanitized input

laravel-path-traversal-storage

Avoid building paths from untrusted data

laravel-path-traversal

Avoid enabling debug mode in applications

debug-mode-on

Avoid enabling entity loader

unsafe-entity-loader

Avoid executing shell commands with arbitrary input

avoid-backticks

Avoid HTML XSS attacks

html-xss

Avoid possible command injections when sending mail

laravel-mail-command-injection

Avoid potential command injections

command-injection

Avoid potential path injections in Laravel

laravel-avoid-path-injection

Avoid potential server side request forgeries (SSRFs)

avoid-potential-ssrf

Avoid potential server side request forgeries (SSRFs)

tainted-url-host

Avoid pseudo-random numbers

no-pseudo-random

Avoid side effects in a file that defines symbols

no-side-effect

Avoid unsafe CORS headers

unsafe-cors

Avoid unsafe CORS headers in Symfony

symfony-unsafe-cors

Avoid using the phpinfo function

avoid-using-phpinfo

Avoid using unsafe flags in XML parsers

xml-unsafe-parser-flags

Do not call assert on unsanitized user input

assert-user-input

Do not call extract on untrusted user data

extract-untrusted-data

Do not call intval on untrusted user data

intval-untrusted-data

Do not create a file with too many permissions

write-file-permissions

Do not disable CSRF protection

symfony-csrf-disabled

Do not disable hostname validation

curl-hostname-verification

Do not generate insecure session IDs

insecure-session-id

Do not redirect using arbitrary unsanitized values

symfony-arbitrary-redirect

Do not trust unsanitized user input for I/O

avoid-path-injection

Do not use a weak hash algorithm

weak-hash-algorithm

Do not use Mcrypt as it is deprecated

mcrypt-deprecated

Do not write responses with unsanitized data

laravel-response-write

Enable CSRF token verification to avoid CSRF attacks

laravel-csrf-not-verified

Ensure cookies have the secure flag set

cookie-secure-flag

Ensure cookies set the HttpOnly flag

cookie-http-only

Ensure Laravel cookies are encrypted

laravel-cookie-not-encrypted

FTP should be avoided, unless it is used with SSL

avoid-using-ftp

LDAP connections should be authenticated

ldap-authenticate-connection

Prevent LDAP injection

ldap-injection

Prevent native SQL injections

laravel-native-sql-injection

Prevent raw SQL injections

laravel-raw-sql-injection

Prevent SQL queries built from unsanitized input

laravel-sql-injection

Prevent SQL queries built from unsanitized input

sql-injection

Use of eval can be insecure

no-eval

Verify certificates during SSL/TLS connections

curl-certificate-verification

Ruleset ID: python-best-practices 効率的でバグのないコードを書くための Python のベストプラクティス。

__bytes__ method should returns bytes, not string

return-bytes-not-string

__slots__ should not be a single string

slots-no-single-string

a function must be defined only once

function-already-exists

a method has the same name than an attribute

method-hidden

assertRaises must check for a specific exception

assertraises-specific-exception

assigning to os.environ does not clear the environment

os-environ-no-assign

Avoid duplicate keys in dictionaries

avoid-duplicate-keys

Avoid invalid assert

invalid-assert

avoid string concatenation

avoid-string-concat

avoid unreachable code

unreachable-code

check equal is used on consistent basic types

equal-basic-types

Class methods should use self as first argument

class-methods-use-self

Do not assign to function arguments

function-variable-argument-name

do not assign to itself

self-assignment

do not compare to True in a condition

no-if-true

do not have arguments with the same name

argument-same-name

Do not have too many nested blocks

nested-blocks

Do not ignore Exception with a pass statement

no-silent-exception

do not modify a dictionary while iterating on it

collection-while-iterating

do not raise base exception

no-base-exception

Do not raise NotImplemented - it does not exists

raising-not-implemented

do not return outside a function

return-outside-function

Do not use a raise statement without a specific exception

no-bare-raise

do not use Any type

any-type-disallow

do not use bare except

no-bare-except

do not use break or continue in finally block

finally-no-break-continue-return

do not use datetime.today()

no-datetime-today

do not use double negation

no-double-not

do not use exit()

no-exit

Do not use for i in range(len(<array>))

no-range-loop-with-len

do not use format string with logging functions

logging-no-format

do not use hasattr to check if a value is callable

use-callable-not-hasattr

do not use operations =+ and =-

no-equal-unary

do not use operator -- and ++

no-double-unary-operator

do not use self as parameter for static methods

static-method-no-self

do not use special method on data class

dataclass-special-methods

do not use too many nested if conditions

too-many-nested-if

do not use too many nested loops and conditions

too-many-while

ensure classes have an __init__ method

init-method-required

ensure exception inherit a base exception

exception-inherit

ensure special methods have the correct arguments

special-methods-arguments

ensure that both __exit__ and __enter__ are defined

ctx-manager-enter-exit-defined

getter/setter must have 1 or 2 arguments respectively

get-set-arguments

if conditions must have different code blocks

condition-similar-block

If using generic exception, it should be last

generic-exception-last

in comparisons, variables must be left

comparison-constant-left

make sure class names are readable

ambiguous-class-name

make sure function names are readable

ambiguous-function-name

make sure variable names are readable

ambiguous-variable-name

module imported twice

import-modules-twice

No return in an __init__ function

init-no-return-value

only one module to import per import statement

import-single-module

strip() argument should not have duplicate characters

invalid-strip-call

TODO and FIXME comments must have ownership

comment-fixme-todo-ownership

use a base class only once

no-duplicate-base-class

use isinstance instead of type

type-check-isinstance

use super() to call the parent constructor

init-call-parent

when an if condition returns an value, else is not necessary

if-return-no-else

Ruleset ID: python-code-style Python のコードスタイルを強制するルール。

class name should be PascalCase

class-name

classes must be less than 900 lines

max-class-lines

function name and parameters should use snake_case

function-naming

Functions must be less than 200 lines

max-function-lines

Ruleset ID: python-django Django のベストプラクティスとセキュリティ向けのルール。

always specify max_length for a Charfield

model-charfield-max-length

Command coming from incoming request

os-system-from-request

Command coming from incoming request

subprocess-from-request

do not specify content-type for JsonResponse

jsonresponse-no-content-type

do not use __unicode__

no-unicode-on-models

do not use NullBooleanField

no-null-boolean

Filename coming from the request

open-filename-from-request

Lack of sanitization of user data

http-response-from-request

use convenience imports whenever possible

use-convenience-imports

use help_text to document model columns

model-help-text

use JsonResponse instead of HttpResponse to send JSON data

http-response-with-json-dumps

Ruleset ID: python-flask Flask のベストプラクティスとセキュリティ向けのルール。

Avoid potential cookie injections

cookie-injection

Avoid potential SSRF attacks in your Python code

avoid-ssrf

Do not use template created with strings

no-render-template-string

Do not use text() as it leads to SQL injection

disable-sqlalchemy-text

Make sure cookies are safe and secure

secure-cookie

Prevent LDAP injection

ldap-injection

Unsanitized data is sent to popen, causing command injection

os-popen-command-injection

use jsonify instead of json.dumps for JSON output

use-jsonify

Use of unsanitized data to create processes

os-system-unsanitized-data

Use of unsanitized data to issue SQL queries

sqlalchemy-injection

Use of unsanitized data to make API calls

html-format-from-user-input

Use of unsanitized data to make API calls

ssrf-requests

Use of unsanitized data to open API

urlopen-unsanitized-data

Use of unsanitized data to open file

open-file-unsanitized-data

Your application should not listen on all interfaces

listen-all-interfaces

Ruleset ID: python-inclusive コードやコメントにおける不適切な表現を避けるための Python 向けのルール。

check comments for wording issues

comments

check function names for wording issues

function-definition

check variable names for wording issues

variable-name

Ruleset ID: python-pandas

pandas コードが適切に使用されているかをチェックするためのルールセット。

import 宣言がコーディングガイドラインに従っていることを保証します。
非推奨のコードやメソッドを避けます。
可能な限り非効率なコードを避けます。

Avoid using inplace=True

avoid-inplace

Import pandas according to coding guidelines

import-as-pd

prefer iloc or loc rather than ix

loc-not-ix

prefer notna to notnull

notna-instead-of-notnull

prefer read_csv to read_table

use-read-csv-not-read-table

Use arithmetic operator instead of a function

arith-operator-not-functions

Use isna instead of isnull

isna-instead-of-isnull

Use operators to compare values, not functions

comp-operator-not-function

Use pivot_table instead of pivot or unstack

pivot-table

Ruleset ID: python-security

Python コードにおけるセキュリティおよび脆弱性の問題の検出に特化したルール。OWASP Top 10 や SANS Top 25 に含まれる問題も対象にします。

不適切な暗号化およびハッシュプロトコルの使用
アクセスコントロールの欠如
セキュリティ構成不備
SQL インジェクション
ハードコーディングされた認証情報
シェルインジェクション
安全でないデシリアライゼーション

Auto escape should be set to true

jinja-autoescape

avoid deserializing untrusted YAML

yaml-load

Avoid HTML built in strings

html-string-from-parameters

Avoid SQL injections

variable-sql-statement-injection

avoid unsafe function to (de)serialize data

deserialize-untrusted-data

Call of a spawn process without sanitization

os-spawn

Command execution without sanitization

os-system

Do not hardcode temporary file or directory names

hardcoded-tmp-file

do not let all users write permissions

file-write-others

Do not make http calls without encryption

requests-http

do not pass hardcoded credentials

sql-server-security-credentials

Do not use an empty list as a default parameter

no-empty-list-as-parameter

Do not use insecure encryption protocols

insecure-ssl-protocols

Do not use insecure functions

insecure-hash-functions

Do not use insecure YAML deserialization

ruamel-unsafe-yaml

Ensure JWT signatures are verified

insecure-jwt

Make sure temporary files are secure

mktemp

no timeout was given on call to external resource

requests-timeout

shell argument leads to unnecessary privileges

subprocess-shell-true

should not bypass certificate verification

ssl-unverified-context

The use of compile can be insecure

no-compile

The use of exec can be insecure

no-exec

Unsafe execution of shell commands

asyncio-subprocess-create-shell

Unsafe execution of shell commands

asyncio-subprocess-exec

use env vars over hardcoded values

aws-boto-credentials

use of eval can be insecure

no-eval

use secrets package over random package

avoid-random

verify should be True

request-verify

Ruleset ID: rails-best-practices Ruby on Rails コードを書くためのベストプラクティス。

Prefer using hash syntax for enums

enums

Prefer using HTTP status code symbols

http-status-code-symbols

Prefer using render plain

plain-text-rendering

Prefer using self over read attribute

read-attribute

Prefer using self over write attribute

write-attribute

Use find_each to iterate over a collection of AR objects

find-each

Ruleset ID: ruby-best-practices Ruby のベストプラクティスを強制するルール。

Use `Array()` to ensure your variable is an array

array-coercion

Avoid `DateTime` unless for historical purposes

no-datetime

Avoid array and hash constructor when empty

literal-hash-array

Avoid attr

prevent-attr

Avoid class variables

no-class-var

Avoid explicit use of the case equality operator

no-case-equality

Avoid hash optional paramters

no-optional-hash-params

Avoid slow string concatenation

concat-strings

Avoid standard constants

global-stdout

Avoid string concatenation

string-interpolation

Avoid unnecessary disjunctive assignments in constructor

disjunctive-assign-in-const

Avoid unnecessary uses of `!!`

no-double-negation

Avoid using 'rescue' as a modifier

no-rescue-modifier

Avoid using BEGIN blocks

no-begin-blocks

Avoid using END blocks

no-end-blocks

Avoid using the character literal syntax

no-character-literals

Do not extend Data.define

no-extend-data-define

Do not rescue the Exception class

no-rescue-exception

Do not return from an ensure block

no-return-ensure

Do not suppress exceptions without a comment

no-suppress-exceptions

Do not use :: to define class methods

method-definition-colon

Do not use `then` for multi-line if/unless/when/in

no-then

Do not use eql? for strings

eql-string

Do not use parallel assignment to define variables

parallel-assignment

Do not use trailing underscores in destructuring assignments

trailing-underscore-variables

Do not use unless with else

no-else-with-unless

Enforce using Integer to check the type of an integer number

integer-type-checking

Ensure lambdas have parenthesis around parameters

lambda-parameters

Omit parentheses if a lambda has no parameter

lambda-no-parameter

Omit the rb file extension in a require

no-explicit-rb-to-require

Optional arguments should appear at the end

optional-arguments

Organize methods in modules

top-level-methods

Prefer `Time.now` over `Time.new`

time-now

Prefer atomic file operations

atomic-file-operations

Prefer case over if-elsif

case-vs-if-elsif

Prefer equal? over == when comparing object_id

identity-comparison

Prefer is_a? over kind_of?

isa-over-kindof

Prefer proc over Proc.new

proc-over-procnew

Prefer string chars with empty string

string-chars

Prefer until over while for negative conditions

while-with-negatives

Prefer using `warn` over `$stderr.puts`

use-warn

Prefer using hash each_key and each_value

hash-each

Prefer using hash key and value

hash-key

Prefer using iterators over for loops

no-for-loops

Prefer using Kernel#loop with break for post-loop tests

loop-with-break

Prefer using reverse_each

reverse-each

Prevent nested method

no-nested-method

Separate the exception class and the message

exception-class-message-separate

Use &&= to check if a variable may exist

existence-check-shorthand

Use ||= to initialize variables if they are not already

initialization-shorthand

Use double colons only to reference constants

double-colon-method-calls

Use fdiv on two integers float division

float-division

Use fetch to check hash keys

hash-fetch

Use fetch with default over custom check

hash-fetch-default

Use hash literal

avoid-hash-constructor

Use helper functions to read files

file-read

Use helper functions to write files

file-write

Use instance_of? for class comparison

class-comparison

Use Kernel#loop instead of while/until

infinite-loop

Use new syntax when keys are symbols

hash-literals

Use symbols instead of strings for hash keys

symbols-as-keys

Use the method's implicit 'begin'

implicit-begin

Wrap assignment in condition

condition-safe-alignment

Wrap hash literal in braces if last in array

hash-literal-as-last-array-item

You should not inherit from Struct.new

no-extend-struct-new

Ruleset ID: ruby-code-style 確立されたコーディング標準に準拠した Ruby コードスタイルのための Code Security のルール。

Avoid parentheses for methods without arguments

method-parens

Avoid parentheses when methods take no arguments

method-call-no-args-parens

Avoid using Perl-style special variables

no-cryptic-perlisms

Prefer ranges/between over of complex comparisons

ranges-or-between

Prefer sprintf and form

sprintf

Prefer using `first` and `last` to improve readability

first-and-last

Prefer using Array `join`

array-join

Prefer using ranges for random numbers

random-numbers

Prefer using then over yield_self

yield-self-to-then

Use parentheses with 'super' with arguments

super-with-args

Use predicate methods over explicit comparisons with `==`

predicate-methods

Use self to define class methods

class-methods

Ruleset ID: ruby-inclusive インクルーシブな Ruby コードを書く

Check class names for wording issues

class-definition

Check comments for wording issues

comments

Check method and parameters names for wording issues

function-definition

Check variable names for wording issues

var-definition

Ruleset ID: ruby-security Ruby コードのセキュリティ上の問題の検出に特化したルール。

Avoid constantize

rails-avoid-constantize

Avoid content tag

no-content-tag

Avoid create_with bypasses strong parameter protection

create-with

Avoid FTP connections

no-ftp

Avoid hardcoded basic auth with rails

rails-basic-auth

Avoid hardcoded temp files

hardcoded-tmp-file

Avoid html_safe

no-html-safe

Avoid manual template creation

rails-manual-template

Avoid MD5 to generate hashes

no-md5-digest

Avoid Random

avoid-random

Avoid raw, which leads to XSS

rails-avoid-raw

Avoid sending files without sanitizing user input

rails-send-file

Avoid SHA1 to generate hashes

no-sha1-digest

Avoid SQL injection

sql-injection

Avoid storing sensitive info

avoid-clear-sensitive-info

Avoid syscall

avoid-syscall

Avoid use of eval

no-eval

Check for potential shell injection

shell-injection

Do not use unsafe deserialization

unsafe-deserialization

Ensure cookies are serialized using JSON

rails-cookies-serializer

Ensure forgery protection is enabled

rails-csrf

Ensure HTML entities are escaped in JSON

rails-escape-json-entities

Ensure JWT are verified

jwt-no-verify

Ensure JWT use an algorithm

jwt-algorithm-none

Ensure RSA keys are large enough

rsa-key-size

Ensure SSL connections are verified

ssl-no-verify

Prevent path injection

path-injection

Prevent use of http protocol

no-http

Prevent using YAML functions

yaml-load

Ruleset ID: tsx-react このプラグインは React のベストプラクティスを強制する recommended 構成をエクスポートします。

A list component should have a key to prevent re-rendering

list-component-needs-key

Avoid comments from being inserted as text nodes

jsx-no-comment-textnodes

Avoid deprecated methods

no-deprecated

Avoid nested components

no-nested-components

Avoid passing children as props

no-children-prop

Avoid usage of the return value of ReactDOM.render

no-render-return-value

Avoid using children with dangerouslySetInnerHTML

no-danger-with-children

Avoid using string references

no-string-refs

Avoid using the initial state variable in setState

setstate-same-var

Do not use array indexes for a list component's key

list-component-no-index

Do not use positive values for a span's tabIndex attribute

no-tabindex-positive

Do not use this in functional components

no-this-in-component

Enforce class for returning value in render function

require-render-return

Ensures unique key prop

tsx-no-duplicate-key

Fragments should not be used when there is 1 child

no-redundant-fragments

Headings must be accessible

no-unaccessible-heading

Prevent missing key props in iterators/collection literals

tsx-key

Prevent target='_blank' security risks

tsx-no-target-blank

React hooks should be called correctly

improper-hook-call

React's useState should not be directly called

usestate-direct-usage

Ruleset ID: typescript-best-practices TypeScript のベストプラクティスを強制するルール。

Avoid assigning a value with type any

no-unsafe-assignment

Avoid assignment operators in conditional expressions

no-cond-assign

Avoid bind calls that are unnecessary

no-unnecessary-bind

Avoid certain types

ban-types

Avoid constructors that do nothing or only call super

no-useless-constructor

Avoid default parameters before normal parameters

default-param-last

Avoid duplicate constituents of unions or intersections

no-duplicate-type-constituents

Avoid duplicate enum member values

no-duplicate-enum-values

Avoid duplicate keys in object literals

no-dupe-keys

Avoid empty block statements

no-empty

Avoid empty character classes in regular expressions

no-empty-character-class

Avoid empty destructuring patterns

no-empty-pattern

Avoid extra non-null assertions

no-extra-non-null-assertion

Avoid leaving console debug statements

no-console

Avoid negating the left operand of relational operators

no-unsafe-negation

Avoid non-null assertions after an optional chain

no-non-null-optional-chain

Avoid reassigning exceptions in catch clauses

no-ex-assign

Avoid require statements

no-var-requires

Avoid the any type

no-explicit-any

Avoid the use of alert, confirm, and prompt

no-alert

Avoid the use of arguments.caller or arguments.callee

no-caller

Avoid the use of the __iterator__ property

no-iterator

Avoid the use of the __proto__ property

no-proto

Avoid throwing literals instead of an object or error type

no-throw-literal

Avoid triple slash in favor of ES6 import declarations

triple-slash-reference

Avoid TypeScript namespaces

no-namespace

Avoid unnecessary classes containing only static members

no-unnecessary-class

Avoid unnecessary constraints on generic types

no-unnecessary-type-constraint

Avoid unnecessary if-else chains that only returns a boolean

no-if-else-return

Avoid unnecessary jump statements

no-useless-jumps

Avoid unnecessary ternary operations that return a boolean

no-unnecessary-ternary

Avoid unsafe declaration merging

no-unsafe-declaration-merging

Avoid unused expressions

no-unused-expressions

Avoid using delete on variables directly

no-delete-var

Avoid using Javascript in URLs

no-script-url

Avoid variable or function declaration in nested blocks

no-inner-declarations

Check for loop is moving in the right direction

for-direction

Consistent naming for boolean props

boolean-prop-naming

Direct comparison with -0 detected

no-compare-neg-zero

Disallow the use of debugger

no-debugger

Ensure you don't use promises without `await`ing them first

promise-await

Invoking a constructor must use parentheses

new-parens

Prefer an optional chain instead of chaining operators

prefer-optional-chain

Prefer using an object spread over `Object.assign`

prefer-object-spread

Prevent the use methods similar to eval()

no-implied-eval

Promise executor cannot be an async function

no-async-promise-executor

Require yield in generator functions

require-yield

Ruleset ID: typescript-browser-security TypeScript Web アプリケーションにおけるセキュリティ上の問題の検出に特化したルール。

Avoid manual sanitization of inputs

manual-sanitization

Check origin of events

event-check-origin

Do not inject unsanitized HTML

react-dangerously-inner-html

Do not modify innerHTML or outerHTML

inner-outer-html

Do not store sensitive data to local storage

local-storage-sensitive-data

Do not use variable for regular expressions

regexp-non-literal

Specify origin in postMessage

postmessage-permissive-origin

Websockets must use SSL connections

insecure-websocket

Ruleset ID: typescript-code-style 現代的な TypeScript コードベースにおけるベストプラクティスと考えられるが、プログラムロジックには影響しないルール。これらのルールは、よりシンプルなコードパターンの適用について一般に意見が強いものです。

Assigment name should use camelCase

assignment-name

Avoid @ts-<directive> comments

ban-ts-comment

Avoid Array constructors

no-array-constructor

Avoid assignment operators in return statements

no-return-assign

Avoid comparisons where both sides are exactly the same

no-self-compare

Avoid duplicate module imports

no-duplicate-imports

Avoid empty exports that don't change anything

no-useless-empty-export

Avoid equal signs explicitly at the beginning of regex

no-div-regex

Avoid explicit type declarations for variables and params

no-inferrable-types

Avoid if statements as the only statement in else blocks

no-lonely-if

Avoid leading or trailing decimal points in numbers

no-floating-decimal

Avoid new operators outside of assignments or comparisons

no-new

Avoid non-null assertion in confusing locations

no-confusing-non-null-assertion

Avoid Object constructors

no-new-object

Avoid the declaration of empty interfaces

no-empty-interface

Avoid the use of chained assignment expressions

no-multi-assign

Avoid using TSLint comments

ban-tslint-comment

Class name should be `PascalCase`

class-name

Enforce a maximum number of parameters in a function

max-params

Enforce named function expressions

func-names

Enforce the use of === and !==

strict-equals

Function name should use camelCase or PascalCase

function-naming

Function names must match the name of the assignation

func-name-matching

Method name should use camelCase

method-name

Parameter name should use camelCase

parameter-name

Require consistently using either T[] or Array<T> for arrays

array-type

Require let or const instead of var

no-var

Specify the base to parse numbers in

radix

Ruleset ID: typescript-common-security TypeScript コードのセキュリティ上の問題の検出に特化したルール。

Avoid insecure HTTP requests with Axios

axios-avoid-insecure-http

Do not use external XML entities

xml-no-external-entities

Function argument names should be unique

unique-function-arguments

Ruleset ID: typescript-express Express.js TypeScript のベストプラクティスとセキュリティ向けのルール。

Avoid allowing access to unintended directories or files

path-traversal

Avoid rendering resource based on unsanitized user input

external-resource

Avoid sending unsanitized user input in response

xss-vulnerability

Avoid setting insecure cookie settings

insecure-cookie

Avoid using an insecure Access-Control-Allow-Origin header

insecure-allow-origin

Avoid using unsanitized user input with sendFile

external-filename-upload

Enforce overriding default config

default-session-config

Ensure an isRevoked method is used for tokens

jwt-not-revoked

Express application should use Helmet

missing-helmet

Limit exposure to sensitive directories and files

access-restriction

Server fingerprinting misconfiguration

reduce-server-fingerprinting

Use `https` protocol over `http`

https-protocol-missing

Ruleset ID: typescript-inclusive コードやコメントにおける不適切な表現を避けるための TypeScript 向けのルール。

Check comments for wording issues

comments

Check declaration names for wording issues

declarations

Check identifier names for wording issues

identifiers

Check parameter names for wording issues

formal-parameters

Ruleset ID: typescript-node-security Node における潜在的なセキュリティホットスポットを特定するルール。追加のトリアージを要する誤検知が含まれる場合があります。

Avoid `eval` with expressions

detect-eval-with-expression

Avoid Buffer(argument) with non-literal values

detect-new-buffer

Avoid calls to 'buffer' with 'noAssert' flag set

detect-buffer-noassert

Avoid command injection

command-injection

Avoid DES and 3DES

avoid-des

Avoid instances of 'child_process' and non-literal 'exec()'

detect-child-process

Avoid logging sensitive data

log-sensitive-data

Avoid RC4

avoid-crypto-rc4

Avoid require with non-literal values

detect-non-literal-require

Avoid SHA1 security protocol

avoid-crypto-sha1

Avoid SQL injection

sql-injection

Avoid variables in 'fs' calls filename argument

detect-non-literal-fs-filename

Avoid weak hash algorithm from CryptoJS

crypto-avoid-weak-hash

Detects hardcoded HMAC keys

hardcoded-hmac-key

Detects hardcoded JWT tokens within the codebase

detected-jwt-token

Detects non-literal values in regular expressions

detect-non-literal-regexp

Do not give 777 permissions to a file

chmod-permissions

Do not put sensitive data in objects

jwt-sensitive-data

Do not use weah hash functions

insecure-hash

Use default encryption from the JWT library

jwt-weak-encryption

Use strong security mechanisms with argon2

argon2

SAST ルール

概要

Further Reading