---
title: SAST Rules
description: View rules for multiple languages for Static Code Analysis.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules
---

# SAST Rules

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="warning" %}
Code Security is not available for the app.ddog-gov.com site.
{% /alert %}
{% /callout %}

## Overview{% #overview %}

Datadog Static Code Analysis provides out-of-the-box rules to help detect security vulnerabilities, bugs, and maintainability issues in your codebase. For more information, see the [Setup documentation](https://docs.datadoghq.com/security/code_security/static_analysis/setup.md).
Ruleset ID: apex-code-style Code Security rules to write Apex rules that follows established coding standards. Avoid avoiding a variable to itselfself-assign\> Avoid global definitionsavoid-global\> Avoid hardcoded Record Idhardcoded-record-id\> Avoid unused parametersunused-parameters\> Class name should be in CamelCaseclass-name\> Encapsulated if should be mergedmergeable-if\> Function name should be in camelCasefunction-name\> Inverted boolean logic is hard to read and should be avoidedinverted-boolean-logic\> Switch statements must have else clauseswitch-when-else\>Ruleset ID: apex-security Rules focused on finding security issues in your Apex code. Avoid DML native statementsavoid-dml-native-statements\> Avoid DML statements in constructorcsrf-constructor\> Avoid hardcoded salesforce URLhardcoded-salesforce-url\> Avoid HTTP urlno-http\> Check sharing level for queriessharing-level-for-query\> Classes with SOQL queries must specify sharing levelclass-sharing-level\> Prevent SOQL injectionsoql-injection\> Prevent usage of hardcoded keyshardcoded-key\>Ruleset ID: bash-code-quality Rules to enforce code quality for Bash scripts. 
Avoid ambiguous argument concatenation with $@ or ${name[@]}ambiguous-argument-concatenation\> Avoid cat when it only forwards one file to the next commanduseless-cat\> Avoid combining test operators with -a or -oambiguous-compound-test-operators\> Avoid double negation in string testdouble-negation-in-string-test\> Avoid iteration over command outputavoid-iteration-over-command-output\> Avoid ls piped to grep (prefer globs or find)avoid-ls-grep-pipelines\> Do not for-loop over find command substitution outputdont-for-loop-over-find-output\> Do not mask command exit status in export assignmentsdont-mask-return-values\> Handle cd failureshandle-cd-failures\> Missing spaces around comparison operatormissing-spaces-around-comparison-operator\> Prefer dollar parens over backticks for command substitutionno-old-style-command-substitution\> Test commands directly instead of reading $? in a bracket testavoid-indirect-exit-code-check\> Use read -r so backslashes in input are not treated as escapesread-interprets-backslashes\>Ruleset ID: bash-security Rules to enforce security best practices for Bash scripts. Avoid client-side expansion inside double-quoted ssh argumentslocal-expansion-in-remote-command\> Avoid eval on list expansions ($@ and ${name[@]})avoid-eval-on-list-expansions\> Avoid parsing ps output for process matchingavoid-parsing-ps-output\> Do not execute command substitution output as a commanddont-execute-command-substitution-output\> Do not inject data into shell code strings (sh -c)dont-inject-data-into-shell-code-strings\> Do not use expanding double quotes in trap handler actionspremature-expansion-in-trap\> Double quote to prevent globbing and word splittingdouble-quote-variable-expansions\> Double-quote command substitutions to avoid word splitting and globsdouble-quote-command-substitutions\> Globs starting with * or ? 
may be parsed as CLI optionsprevent-option-injection-via-globs\> Guard rm when unset variable expands to filesystem root pathguard-rm-rf-variable-paths\> Prefer parameter expansion over echo-to-sed for text replacementsavoid-echo-to-sed-pipeline\> Quote unset arguments that can undergo pathname expansionavoid-unquoted-unset\> Single-quote character classes to prevent glob expansionsingle-quote-character-classes\> sudo does not affect redirectssudo-does-not-affect-redirection\> Use find -print0 with xargs -0 for safe path boundariesuse-print0-with-xargs\>Ruleset ID: csharp-best-practices Rules to enforce C# best practices. API method explicitly documents its typeannotate-producesresponsetype\> Avoid calling GC.SuppressFinalize()avoid-call-gc-suppress-finalize\> Avoid conditions that are always truecondition-always-true\> Avoid empty catch sectionsno-empty-catch\> Avoid empty finalizerno-empty-finalizer\> Avoid exceptions in finalizersfinalizer-no-exception\> Avoid FormattableStringavoid-formattablestring\> Avoid keywords as variables namesvariable-names\> Avoid nested operatorsno-nested-ternary\> Avoid NotImplementedExceptionavoid-notimplementedexception\> Avoid protected members in sealed classsealed-class-protected-members\> Avoid redundant modifiersredundant-modifiers\> Avoid StartsWith or EndsWith with one characterstrings-with-one-char\> Avoid Thread.sleep in testsno-sleep-in-tests\> Avoid using a public contructor for an abstract classpublic-abstract-constructors\> Avoid using GC.Collectavoid-gc-collect\> Avoid using goto statementsavoid-goto-use\> Check language of DiagnosticAnalyzerdiagnostic-analyzer-language\> Check type of interface with DynamicInterfaceCastabledynamic-interface-castable\> Checks for always-true expressions on collections and arraysunnecessary-length-count-check\> Class should be staticstatic-class\> Classes with Dispose() should implement IDisposabledisposable-interface\> Detects improper usage of void return in an async 
methodasync-task-not-void\> Dispose objects at most oncedispose-objects-once\> Do not assign a variable to itselfno-self-assign\> Do not compare with NaNcomparison-nan\> Do not lock on on publicly accessible instancelocking-public-instances\> Do not rethrow exceptiondo-not-rethrow\> Do not throw exceptions in special methodsno-exception-special-methods\> Do not throw generic exceptionsuse-specific-exceptions\> Do not use ConfigureAwaitOptions.SuppressThrowing with Tasksuppressthrowing\> Do not use operators that do not existsavoid-non-existing-operators\> Do not use Optional on ref or out. parametersoptional-ref-out\> Do not use OutAttribute on string parameters for P/Invokesoutattr-on-pinvoke\> Do not use ReferenceEquals with value typesreference-equals-value-types\> Do not use stackalloc in loopsloop-stackalloc\> Do not use stackalloc in loopsstackallow-loops\> Do not use TaskContinuationOptionsincorrect-complete-options\> Do not use the same operator twiceno-double-operators\> Document comments should reference existing parametersreference-documentation-comment\> Enforce correct TSelf parameter usageensure-self-type-parameter\> Enforce Guid parameter initializationuse-proper-new-guid\> Enforces an int operand on bitwise and shift operationsbitwise-right-operand-int\> Enforces that base is object when using base.Equalsbase-equals\> Ensure code coverage exclusions are justifiedcoverage-justification\> Ensure correct usage of ConstantExpectedconstant-expected\> Ensure objects are usedobjects-ensure-use\> Ensures that a ThreadStatic field is not initializeddo-not-initialize-threadstatic\> Ensures ThreadStatic fields are marked staticignored-threadstatic\> Exceptions must be thrownexception-must-be-thrown\> Exceptions should be made publicexceptions-public\> IndexOf function should check the first characterindexof-checks\> No ConfigureAwaitOptions.SuppressThrowing with Task<T>task-suppress-throwing\> Prefer is keyword over asis-instead-of-as\> Prefer StringBuilder 
when building string in a loopuse-stringbuilder\> Prevent catching NullReferencecatch-nullreference\> Prevent empty default casesno-empty-default\> Prevents the return of an IDisposable from a using statementusing-idisposable-return\> Prevents using `==` and `!=` operators on floats and doublesfloat-equality\> Return a Task and not `null`completed-task-not-null\> Set MaxResponseHeadersLength to a reasonable sizemaxresponseheaderslength-size\> Specify how attributes are usedattributeusage\> Suggest using string's indexer property over toCharArray()redundant-tochararray\> Test method name should follow conventionstest-method-names\> ToString() should never return `null`tostring-not-return-null\> Use Assembly.Loaduse-assembly-load\> Use AsSpan instead of range-based indexers for stringasspan-instead-of-range\> Use constant template when logging datalogger-constant-template\> Use Contains for simple equalitycontains-not-any\> Use Contains to check if a string contains somethingindexof-contains\> Use model binding instead of data from requestuse-model-binding\> Use StartsWith instead of IndexOfstartswith-indexof\> Use StartsWith Instead of IndexOfstartswith-instead-of-indexof\> Use StringComparison to compare stringsstringcomparison\> Validate platform capatibilityplatform-compatibility\> Warns on class private constructors that are dead codeclass-no-private-constructors\> When inheriting exception, implement all constructorsexception-constructors\> XML Documentation comments should have a summarysummary-documentation-comment\>Ruleset ID: csharp-code-style Rules to enforce C# code style. 
Avoid prefix boolean returning method with `get`boolean-get-method-name\> Avoid short class namesshort-class-name\> Avoid short method namesshort-method-name\> Avoid short variable namesshort-variable\> Follow class naming conventionsclass-naming-conventions\> Follow variable naming conventionsvariable-naming-conventions\> Interface names should start with Iinterface-first-letter\>Ruleset ID: csharp-inclusive Rules to make your C# code more inclusive. Check class definition languageclass-definition\> Check function definition languagemethod-definition\> Check variable assignment languagevariable-assignment\> Ensure comment wording is inclusivecomments\>Ruleset ID: csharp-security Rules focused on finding security issues in your C# code. Avoid external input controlling reflectionno-unsafe-reflection\> Avoid logging exceptionlogging-exception\> Avoid path traversalpath-traversal\> Avoid potential server side request forgeries (SSRFs)avoid-potential-ssrf\> Avoid predictable IVpredictable-iv\> Avoid pseudo-random numbersno-pseudo-random\> Avoid temporary hardcoded filesno-hardcoded-tempfile\> Avoid unsafe blocksavoid-unsafe\> Avoid unsafe CORS headersunsafe-cors\> Avoid unsafe temporary file creationunsafe-temp-file\> Avoid using protocols without SSLavoid-unencrypted-protocols\> Avoid weak hash algorithmsweak-hash-algorithms\> Detect an XPath input from an HTTP requestxpath-injection\> Do not bypass certificates validationcheck-server-ssl-sertificates\> Do not define env vars from user inputuntrusted-env-var\> Do not enable debug in productionavoid-debug-mode\> Do not use a predictable saltno-predictable-salt\> Do not use BinaryFormatter as it is insecure and vulnerableavoid-binary-formatter\> Do not use weak ciphersweak-cipher\> Do not use weak SSL protocolsweak-ssl-protocols\> Enforce trust boundariestrust-boundaries\> Ensure cookies have the secure flagcookie-http-only\> Ensure cookies have the secure flagcookie-secure-flag\> Ensure no sensitive information is 
being loggedensure-secure-logging\> Filter large requestsrequest-length\> JWT must always be verifiedjwt-verify\> Prevent LDAP injectionldap-injection\> Prevent shell injectionshell-injection\> Prevent SQL queries built from stringssql-injection\> Prevent XSS attacksxss-protection\> Prevent XXE attack from XML parseravoid-xml-xxe\> Request validation should not be disableddisable-request-validation\> Set MaxResponseHeadersLength to a reasonable sizemax-response-headers-length\> Unintended property updates expose sensitive dataavoid-autobinding\> Use standard crypto algorithmsuse-standard-crypto\>Ruleset ID: elixir-security  A rule against functions that may have vulnerabilities.unsafe-functions\> Avoid weak hash algorithms.weak-hash-algorithms\>Ruleset ID: go-best-practices Rules to make writing Go code faster and easier. From code style to preventing bugs, this ruleset helps developers writing performant, maintainable, and efficient Go code. Avoid bare returnsavoid-bare-return\> Avoid calling the GC directlyavoid-call-to-gc\> Avoid custom time formattime-parse-format\> Avoid empty critical sectionsavoid-empty-critical-sections\> Avoid invalid regular expressionvalid-regular-expression\> Avoid manual string trimmingmanual-string-trimming\> Avoid negative zeronegative-zero\> Avoid redundant nil checkredundant-nil-check\> Avoid regexp.Match in a looploop-regexp-match\> Avoid select statement with one casesingle-case-select\> Avoid superfluous elsesuperfluous-else\> Avoid useless bit operationsuseless-bitwise-operation\> Bad nil guardbad-nil-guard\> Call the context cancellation functioncontext-cancelable\> Check to prevent a length less than 0check-len\> Common invalid host-port pairsinvalid-host-port-pair\> Declare and assign variables in one statementmerge-declaration-assignment\> Detects if `m.Run()` was actually called in `TestMain`missing-run-in-test\> Do not check address to nilcomparing-address-nil\> Do not compare to truecomparison-true\> Do not copy a slice 
in a for loopreplace-loop-copy\> Do not defer Lockdefer-lock\> Do not modify function parametermodify-parameter\> Do not redefine built-in IDredefine-builtin-id\> Do not use append for assignmentequivalent-append\> Do not use bytes.SplitN or bytes.SplitAfterN with limit < 0bytes-splitn\> Do not use Printf with Sprintfprintf-sprintf\> Do not use redundant negationredundant-negation\> Do not use strings.Split[After]N with negative limitstrings-splitn\> Don't put time units in Duration variablesduration-variable-names\> Dot imports should be avoidedavoid-dot-imports\> Errors should be named errFoo or ErrFooerr-prefixed-with-err\> Expand math.Pow callsmath-pow-expansion\> fmt.Sprintf("%s", var) should not be used if var is a stringsimplify-sprintf-with-string\> Functions prefixed by get should return somethingget-return\> Functions returning boolean should not use prefix getboolean-get-function-name\> Inefficient string comparisoninefficient-string-comparison\> Invalid seek valueinvalid-seek-value\> Invalid signal being trappedsignal-trapped\> No need to check for nil before a loopavoid-nil-check-loop\> No value is equal to NaNdo-not-compare-nan\> Omit default slicesomit-default-slice-index\> Omit redundant type declarationredundant-type-var-declaration\> os.FileMode value appears it should be in octalnon-octal-os-filemode\> Prevent empty default case for select without conditionfor-select-default-empty\> Prevent identical comparisoncompare-identical\> Prevent self-assignment of variablesself-assignment\> Prevent using escapes in regular expressionregexp-raw-string\> Put constants and values on the rightavoid-yoda-conditions\> Regexp FindAll with n=0 returns nothingregexp-zero-results\> Remove unnecessary blank identifiersunnecessary-blank-identifier\> Replace var % 1 by 0mod-one-always-zero\> Replace w.Write([]byte(fmt.Sprintf())) with fmt.Fprintf()use-fprintf-when-possible\> Simplify boolean expressionsimplify-boolean-expression\> Simplify make and avoid 0 as second 
argumentsimplify-make\> Simplify pointer operationsimplify-pointer-operation\> Sleep is in nanoseconds by default; verify short sleepverify-short-sleep\> strings.Replace with 0 does not do anythingstrings-replace-zero\> The Context should be the first argument in a functioncontext-first-argument\> The default case of a switch should be first or lastswitch-default-first-or-last\> Use append to concatenate slicesconcatenate-slices\> Use bytes.Equal instead of bytes.Comparebytes-compare-equal\> Use bytes.ReplaceAll instead of bytes.Replacebytes-replaceall\> Use fmt.Errorf instead of errors.New with fmt.Sprintferrors-new-errorf\> Use Since() instead of Now().Sub()time-now-sub\> Use strings.Contains instead of strings.Index with -1strings-index-contains\> Use strings.ReplaceAll instead of strings.Replacestrings-replaceall\> Verify that duplicate imports are necessaryduplicate-imports\>Ruleset ID: go-inclusive Check Go code for wording issues. Use inclusive language in commentscomments\> Use inclusive language in function declarationsfunction-declaration\> Use inclusive language in type declarationstypes\> Use inclusive language in variable namesvariables\>Ruleset ID: go-security Detect common security issues (such as SQL injection, XSS, or shell injection) in your Go codebase. 
Avoid command injectioncommand-injection\> Avoid formatted string in templatesunescape-template-data-js\> Avoid hardcoded temporary filetempfile-creation\> Avoid HTTP functions without timeoutshttp-support-timeout\> Avoid insecure GRPC connectiongrpc-client-insecure\> Avoid insecure GRPC servergrpc-server-insecure\> Avoid leaking data to a loggererror-leakage\> Avoid manually built SQL queriessql-format-string\> Avoid SetString() from big.Ratavoid-rat-setstring\> Binding to 0.0.0.0 opens up the application to all trafficdo-not-bind-all-interfaces\> Calling hmac.New with unchanging hash.Newhmac-needs-new\> CGI is outdatedimport-cgi\> DES and Triple DES are now insecureimport-des\> Do not build SQL queries with string concatenationssql-string-concatenation\> Do not bypass HTML escaping with ResponseWriterresponsewriter-no-fprintf\> Do not create a directory with write permissions for allmkdir-permissions\> Do not create a file with too much permissionswrite-file-permissions\> Do not ignore SSH host validationssh-ignore-keys\> Do not use insecure cipherstls-cipher\> Do not use tainted URLtaint-url\> Do not use telnet without encryptiontelnet-request\> Ensure JWT use a secure algorithmjwt-algorithm\> Ensure MinVersion is defined for TLS clientssl-min-version\> Ensure TLS verificationtls-skip-verify\> Ensure we use https://http-request-secure\> File permissionschmod-permissions\> Math/rand random number generation is insecuremath-rand-insecure\> Odd hash.Sum call flowhashsum\> Prevent decompression bombdecompression-bomb\> Prevent Memory Aliasingrange-memory-aliasing\> Prevent XSS injection by setting HttpOnly to falsesession-http-only\> Prevent XSS injection by setting HttpOnly to truecookie-http-only\> RC4 encryption is now insecureimport-rc4\> RSA keys should have a minimum of 2,048 bitsminimum-rsa-key-length\> Session must be securecookie-secure\> Session must be securesession-secure\> SSLv3 is not secure and should be avoidedssl-v3-insecure\> The md5 hashing 
algorithm is insecureimport-md5\> The SHA-1 algorithm family is no longer secureimport-sha1\> Unsafe reflectionunsafe-reflection\>Ruleset ID: java-best-practices Rules to enforce Java best practices. Avoid Calendar class useavoid-calendar-creation\> Avoid creating FileStream directlyavoid-filestream\> Avoid declaring a field type as MessageDigestavoid-message-digest-field\> Avoid inefficient empty string testinefficient-empty-string-test\> Avoid instantiating stringsavoid-string-instantiation\> Avoid propagation exception messagesavoid-propagate-exception-info\> Avoid reassigning parametersavoid-reassigning-parameters\> Avoid redundant initializationredundant-initializer\> Avoid switch with very few branchesswitch-few-branches\> Avoid useless null checks on guaranteed non-null values.useless-null\> Avoid using printStackTrace()avoid-printstacktrace\> Avoid using specific implementation typesloose-coupling\> Check that boxed types are not nullboxed-types-null\> Default label should be last in a switchdefault-label-not-last-in-switch\> Do not add an empty stringadd-empty-string\> Do not append char as stringssb-append-char\> Do not return internal arrayreturn-internal-array\> Do not use a string with only one characterindexof-char\> Do not use StringBuffer or StringBuilder as a class fieldstring-buffer-field\> Don't reassign a catch variableavoid-reassigning-catch-vars\> Loops can be simplified or removedwhile-loop-with-literal-boolean\> Preserve the thrown stack tracepreserve-stack-trace\> Replace Vector with Listreplace-vector-with-list\> Separate lines for each field declarationone-declaration-per-line\> Should clone arrayarray-is-stored-directly\> Should use Map instead of Hashtablereplace-hashtable-with-map\> Switch statements should have a default casemissing-switch-statement-default\> Test assertions for booleans can be simplifiedsimplify-test-assertions-boolean\> Test assertions using equals comparison can be simplifiedsimplify-test-assertions-equals\> Test 
assertions using null comparison can be simplifiedsimplify-test-assertions-null\> Test assertions using operator comparison can be simplifiedsimplify-test-assertions-ops\> The literals should be first in String comparisonsliterals-first-in-comparison\> Too many control variables in for loopforloop-variable-count\> Use asList to create a list from arrayarrays-aslist\> Use StringBuffer to concatenate stringsuse-stringbuffer\>Ruleset ID: java-code-style Rules to enforce Java code style. Avoid `System.loadLibrary` for improved Java portability.avoid-using-native-code\> Avoid negation in your ternary operationconfusing-ternary\> Avoid prefix boolean returning method with `get`boolean-get-method-name\> Avoid unnecessary object extendextends-object\> Avoid useless final type in interface methodfinal-param-in-abstract-method\> Avoid using dollar signs in variable namesavoid-dollar-signs\> Avoid using protected field in final classavoid-protected-in-final-class\> Consider calling super in constructorcall-super-in-constructor\> Enforce a naming convention for any type of classclass-naming-conventions\> Enforce generic naming standardsgenerics-naming\> Enforce using control statement bracketscontrol-statement-braces\> Enforce using the LocalHome suffix for Session EJBlocal-home-naming-convention\> Package names should not contain uppercase characterspackage-case\> Simplify for loops for while loopsfor-loop-should-be-while-loop\>Ruleset ID: java-inclusive Rules for Java to avoid inappropriate wording in the code and comments. Avoid non-inclusive terms in class namesclass-definition\> Avoid non-inclusive terms in function and parameter namesfunction-definition\> Check variable assignment languagevariable-assignment\>Ruleset ID: java-security Rules focused on finding security issues in Java code. 
Avoid DES keyskeygenerator-avoid-des\> Avoid LDAP injectionsldap-injection\> Avoid NullCipheravoid-null-cipher\> Avoid overly permissive CORSpermissive-cors\> Avoid SQL injectionsql-injection\> Avoid TrustStrategies that trust certificates blindlyno-trust-strategy\> Avoid unsafe deserializationjson-unsafe-deserialization\> Avoid user-generated class names for reflectionunsafe-reflection\> Avoid user-input filespring-request-file-tainted\> Bad hexadecimal concatenationbad-hexa-concatenation\> Blowfish should use a large keyblowfish-short-key\> Cookies HTTP onlycookies-http-only\> Cookies should not have a long expirationcookies-persistence\> DefaultHttpClient with default constructor is not securedefault-http-client-def-cons\> Detect an XPath input from an HTTP requesttainted-xpath\> Do not disable CSRFspring-csrf-disable\> Do not give write access to othersfiles-permissions\> Do not use a pseudo-random number to generate a secretno-pseudo-random-secret\> Do not use custom digestmessage-digest-custom\> Do not use DESno-des-cipher\> Do not use unvalidated requestunvalidated-redirect\> Do not use weak crypto algorithmcrypto-algorithm\> Do not use weak SSL contextssl-context\> ECB mode is insecureaes-ecb-insecure\> ECB mode is insecurecipher-padding-oracle\> Enforce trust boundariestrust-boundaries\> Ensure cookies have the secure flagcookies-secure-flag\> HostnameVerifier should check certificateshostname-verifier-true\> Ignore SAML commentsignore-saml-comment\> Invalid permissions for temporary filetempfile-permissions\> MD2, MD4, and MD5 are weak hash functionsweak-message-digest-md5\> No hardcoded secret with algorithm methodsalgorithm-no-hardcoded-secret\> Potential code injection when using GroovyShellgroovyshell-code-injection\> Potential code injection when using Spring Expressionspring-expression-injection\> Potential path traversal from requestpath-traversal-file-read\> Prefer SecureRandom over Randomavoid-random\> Prevent command injectioncommand-injection\> 
Prevent deserializationobject-deserialization\> Prevent HTTP parameter pollutionhttp-parameter-pollution\> Prevent LDAP Entry Poisoningldap-entry-poisoning\> Prevent path traversalpath-traversal\> Prevent SSRFtainted-url-host\> Prevent XSS attacksxss-protection\> RSA should use a long keyrsa-short-key\> RSA with no padding is insecureno-rsa-no-padding\> Secret should not be hardcoded in codehardcoded-crypto-key\> SHA-1 is a weak hash functionweak-message-digest-sha1\> SMTP server identify must be enforcedsmtp-insecure-connection\> Spring CSRF unrestricted RequestMappingspring-csrf-requestmapping\> SQL injection in BasePeersql-injection-turbine\> SQL injection in Hibernatesql-injection-hibernate\> SQL injection in SqlUtil.execQuerypotential-sql-injection\> Temporary file not deletedtempfile-delete\> Use a randomly-generated IVrandom-iv\> Use of socket on HTTP portunencrypted-socket\> XML parsing vulnerable to XEExml-parsing-xee\> XML parsing vulnerable to XXE for SAX Parsersxml-parsing-xxe-saxparser\> XML parsing vulnerable to XXE for TransformerFactoryxml-parsing-xxe-transformer\> XML parsing vulnerable to XXE for XML Readerxml-parsing-xxe-xmlreader\> XML parsing vulnerable to XXE for XPathxml-parsing-xxe-xpath\>Ruleset ID: javascript-best-practices Rules to enforce JavaScript best practices. 
Avoid assignment operators in conditional expressionsno-cond-assign\> Avoid bind calls that are unnecessaryno-unnecessary-bind\> Avoid constructors that do nothing or only call superno-useless-constructor\> Avoid default parameters before normal parametersdefault-param-last\> Avoid direct comparison with NaNuse-isnan\> Avoid duplicate case labelsno-duplicate-case\> Avoid duplicate class membersno-dupe-class-members\> Avoid duplicate keys in object literalsno-dupe-keys\> Avoid empty block statementsno-empty\> Avoid empty character classes in regular expressionsno-empty-character-class\> Avoid empty destructuring patternsno-empty-pattern\> Avoid leaving console debug statementsno-console\> Avoid lexical declarations in case clausesno-case-declarations\> Avoid negating the left operand of relational operatorsno-unsafe-negation\> Avoid new statements with the Symbol objectno-new-symbol\> Avoid reassigning exceptions in catch clausesno-ex-assign\> Avoid the use of alert, confirm, and promptno-alert\> Avoid the use of arguments.caller or arguments.calleeno-caller\> Avoid the use of the __iterator__ propertyno-iterator\> Avoid the use of the __proto__ propertyno-proto\> Avoid throwing literals instead of an object or error typeno-throw-literal\> Avoid unnecessary classes containing only static membersno-unnecessary-class\> Avoid unnecessary if-else chains that only returns a booleanno-if-else-return\> Avoid unnecessary jump statementsno-useless-jumps\> Avoid unnecessary ternary operations that return a booleanno-unnecessary-ternary\> Avoid unused expressionsno-unused-expressions\> Avoid using delete on variables directlyno-delete-var\> Avoid using JavaScript in URLsno-script-url\> Avoid using octal literals to prevent unexpected behaviorno-octal\> Avoid variable or function declaration in nested blocksno-inner-declarations\> Check for loop is moving in the right directionfor-direction\> Compare typeof expressions against valid stringsvalid-typeof\> Direct comparison with 
-0 detectedno-compare-neg-zero\> Disallow reassigning const variablesno-const-assign\> Disallow reassigning function declarationsno-func-assign\> Disallow the use of debuggerno-debugger\> Disallow unreachable codeno-unreachable\> Ensure you don't use promises without `await`ing them first.promise-await\> Function parameters redeclaredno-dupe-args\> Invoking a constructor must use parenthesesnew-parens\> Prefer an optional chain instead of chaining operatorsprefer-optional-chain\> Prefer using an object spread over `Object.assign`prefer-object-spread\> Prevent assigning to imported bindingsno-import-assign\> Prevent the use methods similar to eval()no-implied-eval\> Promise executor cannot be an async functionno-async-promise-executor\> Require yield in generator functionsrequire-yield\> The with statement can lead to ambiguous codeno-with\>Ruleset ID: javascript-browser-security Rules focused on finding security issues in your JavaScript web applications. Avoid manual sanitization of inputsmanual-sanitization\> Check for PolinRider vulnerabilitypolinrider\> Check origin of eventsevent-check-origin\> Do not inject unsanitized HTMLreact-dangerously-inner-html\> Do not modify innerHTML or outerHTMLinner-outer-html\> Do not store sensitive data to local storagelocal-storage-sensitive-data\> Do not use variable for regular expressionsregexp-non-literal\> Specify origin in postMessagepostmessage-permissive-origin\> Websockets must use SSL connectionsinsecure-websocket\>Ruleset ID: javascript-code-style Rules to enforce JavaScript code style. 
Assignment name should use camelCaseassignment-name\> Avoid Array constructorsno-array-constructor\> Avoid assignment operators in return statementsno-return-assign\> Avoid comparisons where both sides are exactly the sameno-self-compare\> Avoid duplicate module importsno-duplicate-imports\> Avoid equal signs at the beginning of regular expressionsno-div-regex\> Avoid if statements as the only statement in else blocksno-lonely-if\> Avoid leading or trailing decimal points in numbersno-floating-decimal\> Avoid new operators outside of assignments or comparisonsno-new\> Avoid new operators with the Function objectno-new-func\> Avoid Object constructorsno-new-object\> Avoid the use of chained assignment expressionsno-multi-assign\> Class name should be `PascalCase`class-name\> Enforce a maximum number of parameters in a functionmax-params\> Enforce named function expressionsfunc-names\> Enforce the use of === and !==strict-equals\> Function name should use camelCase or PascalCasefunction-naming\> Function names must match the name of the assignation.func-name-matching\> Method name should use camelCasemethod-name\> Parameter name should use camelCaseparameter-name\> Require let or const instead of varno-var\> Specify the base to parse numbers inradix\>Ruleset ID: javascript-common-security Rules focused on finding security issues in your JavaScript code. Avoid insecure HTTP requests with Axiosaxios-avoid-insecure-http\> Do not use external XML entitiesxml-no-external-entities\> Function argument names should be uniqueunique-function-arguments\>Ruleset ID: javascript-express Rules specifically for Express.js best practices and security. 
Avoid allowing access to unintended directories or filespath-traversal\> Avoid rendering resource based on unsanitized user inputexternal-resource\> Avoid sending unsanitized user input in responsexss-vulnerability\> Avoid setting insecure cookie settingsinsecure-cookie\> Avoid using an insecure Access-Control-Allow-Origin headerinsecure-allow-origin\> Avoid using unsanitized user input with sendFileexternal-filename-upload\> Enforce overriding default configdefault-session-config\> Ensure an isRevoked method is used for tokensjwt-not-revoked\> Express application should use Helmetmissing-helmet\> Limit exposure to sensitive directories and filesaccess-restriction\> Server fingerprinting misconfigurationreduce-server-fingerprinting\> Use `https` protocol over `http`https-protocol-missing\>Ruleset ID: javascript-inclusive Rules for JavaScript to avoid inappropriate wording in the code and comments. Check comments for wording issuescomments\> Check declaration names for wording issuesdeclarations\> Check identifier names for wording issuesidentifiers\> Check parameter names for wording issuesformal-parameters\>Ruleset ID: javascript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage. 
| Rule | Rule ID |
| --- | --- |
| Avoid `eval` with expressions | `detect-eval-with-expression` |
| Avoid `Buffer(argument)` with non-literal values | `detect-new-buffer` |
| Avoid calls to 'buffer' with 'noAssert' flag set | `detect-buffer-noassert` |
| Avoid command injection | `command-injection` |
| Avoid DES and 3DES | `avoid-des` |
| Avoid hardcoded HMAC keys | `hardcoded-hmac-key` |
| Avoid instances of 'child_process' and non-literal 'exec()' | `detect-child-process` |
| Avoid logging sensitive data | `log-sensitive-data` |
| Avoid RC4 | `avoid-crypto-rc4` |
| Avoid require with non-literal values | `detect-non-literal-require` |
| Avoid SHA1 security protocol | `avoid-crypto-sha1` |
| Avoid SQL injection | `sql-injection` |
| Avoid SQL injections | `variable-sql-statement-injection` |
| Avoid variables in 'fs' calls filename argument | `detect-non-literal-fs-filename` |
| Avoid weak hash algorithm from CryptoJS | `crypto-avoid-weak-hash` |
| Detects non-literal values in regular expressions | `detect-non-literal-regexp` |
| Do not give 777 permissions to a file | `chmod-permissions` |
| Do not put sensitive data in objects | `jwt-sensitive-data` |
| Do not use weak hash functions | `insecure-hash` |
| Use default encryption from the JWT library | `jwt-weak-encryption` |
| Use strong security mechanisms with argon2 | `argon2` |

### Ruleset ID: jsx-react

This plugin exports a `recommended` configuration that enforces React good practices.

| Rule | Rule ID |
| --- | --- |
| A list component should have a key to prevent re-rendering | `list-component-needs-key` |
| Avoid comments from being inserted as text nodes | `jsx-no-comment-textnodes` |
| Avoid deprecated methods | `no-deprecated` |
| Avoid duplicate properties in JSX | `jsx-no-duplicate-props` |
| Avoid nested components | `no-nested-components` |
| Avoid passing children as props | `no-children-prop` |
| Avoid usage of the return value of ReactDOM.render | `no-render-return-value` |
| Avoid using children with dangerouslySetInnerHTML | `no-danger-with-children` |
| Avoid using string references | `no-string-refs` |
| Avoid using the initial state variable in setState | `setstate-same-var` |
| Do not use array indexes for a list component's key | `list-component-no-index` |
| Do not use positive values for a span's tabIndex attribute | `no-tabindex-positive` |
| Do not use this in functional components | `no-this-in-component` |
| Enforce class for returning value in render function | `require-render-return` |
| Ensures unique key prop | `jsx-no-duplicate-key` |
| Fragments should not be used when there is 1 child | `no-redundant-fragments` |
| Headings must be accessible | `no-unaccessible-heading` |
| Prevent missing key props in iterators/collection literals | `jsx-key` |
| Prevent target='_blank' security risks | `jsx-no-target-blank` |
| React hooks should be called correctly | `improper-hook-call` |
| React's useState should not be directly called | `usestate-direct-usage` |

### Ruleset ID: kotlin-best-practices

Rules to enforce Kotlin best practices.

| Rule | Rule ID |
| --- | --- |
| A Kotlin (script) file should not be empty | `no-empty-file` |
| An empty parentheses block before a lambda is redundant | `parens-before-trailing-lambda` |
| Class bodies should not be empty | `no-empty-class-bodies` |
| Class names should be upper camel case | `class-naming` |
| Enforce final newline | `final-newline` |
| Enforce if/else expressions to use braces | `if-else-bracing` |
| Enforce modifier ordering | `modifier-order` |
| Enforce not returning Unit type | `no-unit-return` |
| Enforce package naming convention | `package-naming` |
| Function names should be camel case | `function-naming` |
| No wildcard imports | `no-wildcard-import` |

### Ruleset ID: kotlin-code-style

Rules to enforce Kotlin code style.

| Rule | Rule ID |
| --- | --- |
| All arguments should be on separate lines or the same line | `argument-list-wrapping` |
| Annotated declarations should be visually separated | `annotation-blank-line` |
| Avoid comments directly within Kotlin type parameters | `type-parameter-comment` |
| Avoid extra spaces inside Kotlin angle brackets | `angle-bracket-spacing` |
| Avoid very short function names | `function-name-min-length` |
| Braces required for multiline for, while, and do statements | `multiline-loop` |
| Braces required for multiline if or if/else statements | `multiline-if-else` |
| Enforce annotation separation | `annotation-spacing` |
| Enforce block comment alignment | `block-comment-formatting` |
| Enforce brace spacing for lambdas | `brace-spacing` |
| Enforce comment placement in class parameter | `class-parameter-comment` |
| Enforce comment placement in type argument | `type-argument-comment` |
| Enforce comment placement in value argument | `value-argument-comment` |
| Enforce consistent newline usage | `no-consecutive-blank-lines` |
| Enforce consistent spacing around colon | `colon-spacing` |
| Enforce correct block comment usage | `no-consecutive-comments` |
| Enforce extension function spacing | `extension-function-spacing` |
| Enforce function return type spacing | `function-return-type-spacing` |
| Enforce function type spacing | `function-type-modifier-spacing` |
| Enforce line comment spacing | `comment-spacing` |
| Enforce nullable type spacing | `nullable-type-spacing` |
| Enforce proper spacing for declarations with comments | `comment-declaration-spacing` |
| Enforce range operator spacing | `range-spacing` |
| Enforce single line if statement styling | `if-else-wrapping` |
| Enforce spacing after the fun keyword | `function-keyword-spacing` |
| Enforce spacing around double colons | `double-colon-spacing` |
| Enforce unary operator spacing | `unary-operator-spacing` |
| Enums should be a single line or one entry per line | `enum-wrapping` |
| Kotlin enum entries must follow naming conventions | `enum-entry-naming` |
| Line cannot exceed default max length | `max-line-len` |
| No blank lines at the start of a class | `no-empty-lead-line-class` |
| No leading empty lines in method blocks | `no-empty-lead-line-method` |
| Prevents line break before assignment operator | `no-line-break-before-assignment` |
| Statements should not be on same line as curly brace | `statement-wrapping` |
| Use an EOL comment over a single line block comment | `no-single-line-block-comment` |

### Ruleset ID: kotlin-security

Rules focused on finding security issues in your Kotlin code.

| Rule | Rule ID |
| --- | --- |
| Always validate SSL/TLS certificates | `verify-ssl-certificates` |
| Always verify SSL/TLS hostnames when validating certificates | `verify-ssl-hostname` |
| Avoid building paths from untrusted data | `avoid-path-traversal` |
| Avoid hardcoding secrets in JWT signing algorithms | `no-hardcoded-secret` |
| Avoid pseudo-random numbers | `no-pseudo-random` |
| Avoid unsafe 'none' algorithm when creating JWTs | `secure-jwt-algorithm` |
| Avoid unsafe CORS headers | `no-unsafe-cors` |
| Avoid using deprecated HTTP clients | `ensure-modern-httpclient` |
| Avoid using runtime finalizers on exit | `no-finalizers-on-exit` |
| Avoid using user input for runtime commands | `avoid-runtime-injection` |
| Create new IVs for every counter mode encryption operation | `no-iv-reuse` |
| Cryptographic key generation must use strong key sizes | `ensure-strong-keysizes` |
| Do not use a predictable salt | `no-predictable-salt` |
| Enforce secure TLS version | `enforce-secure-tls` |
| Ensure cookies have the secure flag | `cookie-http-only` |
| Ensure network sockets use SSL/TLS encryption | `ensure-secure-socket` |
| LDAP connections must use explicit user credentials | `avoid-anonymous-ldap` |
| Prevent SQL queries built from strings | `sql-injection` |
| Prevent XXE attack from XML parser | `avoid-xml-xxe` |
| Use strong cipher algorithms instead of deprecated ones | `avoid-weak-ciphers` |

### Ruleset ID: php-best-practices

Rules to enforce PHP best practices, enhancing code style, preventing bugs, and promoting performant, maintainable, and efficient PHP code.

| Rule | Rule ID |
| --- | --- |
| Assignments within subexpressions reduce code clarity | `subexpression-assignment` |
| Avoid empty blocks | `avoid-empty-blocks` |
| Avoid nested ternary expressions | `no-nested-ternary` |
| Avoid reassigning parameters as it's bug-prone | `avoid-reassigning-parameters` |
| Do not assign a variable to itself | `no-self-assign` |
| Do not silence errors, they should not be ignored | `avoid-silencing-errors` |
| Do not throw generic exceptions | `use-specific-exceptions` |
| Do not use operators that don't exist | `avoid-non-existant-operators` |
| Do not use the same operator twice | `no-double-operators` |
| Ensure loop references are unset after the loop | `unset-loop-references` |
| Exceptions must be thrown | `exception-must-be-thrown` |
| If conditions should have different code blocks | `condition-similar-block` |
| Methods should explicitly declare their visibility | `explicit-method-visibility` |
| Prefer using require_once or include_once | `prefer-require-include-once` |
| References in a static method should prefer static over self | `prefer-static-reference` |
| Use str_replace when a regex is unnecessary | `unnecessary-preg-replace` |

### Ruleset ID: php-code-style

Rules to enforce PHP code style.

| Rule | Rule ID |
| --- | --- |
| All code should be reachable, dead code should be avoided | `no-unreachable` |
| Avoid illogical comparisons with count | `illogical-count-compare` |
| Avoid short class names | `short-class-name` |
| Avoid short method names | `short-method-name` |
| Avoid short variable names | `short-variable-name` |
| Avoid useless statements in code | `useless-statement` |
| Avoid using undefined exceptions | `undefined-exception` |
| Bad null guards can cause null pointer dereferences | `bad-null-guard` |
| Do not use this in a static method | `no-this-static` |
| Ensure newly created objects are used | `objects-ensure-use` |
| Separate lines for each declaration | `single-var-declaration` |

### Ruleset ID: php-security

Rules focused on finding security issues in your PHP code.

| Rule | Rule ID |
| --- | --- |
| Avoid building paths from unsanitized input | `laravel-path-traversal-storage` |
| Avoid building paths from untrusted data | `laravel-path-traversal` |
| Avoid connecting to an LDAP server without a password | `ldap-without-password` |
| Avoid enabling debug mode in applications | `debug-mode-on` |
| Avoid enabling entity loader | `unsafe-entity-loader` |
| Avoid executing shell commands with arbitrary input | `avoid-backticks` |
| Avoid HTML XSS attacks | `html-xss` |
| Avoid possible command injections when sending mail | `laravel-mail-command-injection` |
| Avoid potential command injections | `command-injection` |
| Avoid potential path injections in Laravel | `laravel-avoid-path-injection` |
| Avoid potential server side request forgeries (SSRFs) | `avoid-potential-ssrf` |
| Avoid potential server side request forgeries (SSRFs) | `tainted-url-host` |
| Avoid pseudo-random numbers | `no-pseudo-random` |
| Avoid side effects in a file that defines symbols | `no-side-effect` |
| Avoid the use of unserialize | `avoid-unserialize` |
| Avoid unsafe call to unlink | `avoid-unlink` |
| Avoid unsafe CORS headers | `unsafe-cors` |
| Avoid unsafe CORS headers in Symfony | `symfony-unsafe-cors` |
| Avoid using SHA224 | `avoid-sha224` |
| Avoid using the phpinfo function | `avoid-using-phpinfo` |
| Avoid using unsafe flags in XML parsers | `xml-unsafe-parser-flags` |
| Do not call assert on unsanitized user input | `assert-user-input` |
| Do not call extract on untrusted user data | `extract-untrusted-data` |
| Do not call intval on untrusted user data | `intval-untrusted-data` |
| Do not create a file with too many permissions | `write-file-permissions` |
| Do not disable CSRF protection | `symfony-csrf-disabled` |
| Do not disable hostname validation | `curl-hostname-verification` |
| Do not generate insecure session IDs | `insecure-session-id` |
| Do not redirect using arbitrary unsanitized values | `symfony-arbitrary-redirect` |
| Do not trust unsanitized user input for I/O | `avoid-path-injection` |
| Do not use a weak hash algorithm | `weak-hash-algorithm` |
| Do not use Mcrypt as it is deprecated | `mcrypt-deprecated` |
| Do not write responses with unsanitized data | `laravel-response-write` |
| Enable CSRF token verification to avoid CSRF attacks | `laravel-csrf-not-verified` |
| Ensure cookies have the secure flag set | `cookie-secure-flag` |
| Ensure cookies set the HttpOnly flag | `cookie-http-only` |
| Ensure Laravel cookies are encrypted | `laravel-cookie-not-encrypted` |
| Ensure that SSL peers are verified | `curl-verify-peer` |
| FTP should be avoided, unless it is used with SSL | `avoid-using-ftp` |
| LDAP connections should be authenticated | `ldap-authenticate-connection` |
| Prevent injection through include statements | `include-injection` |
| Prevent LDAP injection | `ldap-injection` |
| Prevent native SQL injections | `laravel-native-sql-injection` |
| Prevent raw SQL injections | `laravel-raw-sql-injection` |
| Prevent SQL queries built from unsanitized input | `laravel-sql-injection` |
| Prevent SQL queries built from unsanitized input | `sql-injection` |
| Use of eval can be insecure | `no-eval` |
| Verify certificates during SSL/TLS connections | `curl-certificate-verification` |

### Ruleset ID: python-best-practices

Best practices for Python to write efficient and bug-free code.

| Rule | Rule ID |
| --- | --- |
| `__bytes__` method should return bytes, not string | `return-bytes-not-string` |
| `__slots__` should not be a single string | `slots-no-single-string` |
| a function must be defined only once | `function-already-exists` |
| a method has the same name as an attribute | `method-hidden` |
| assertRaises must check for a specific exception | `assertraises-specific-exception` |
| assigning to os.environ does not clear the environment | `os-environ-no-assign` |
| Avoid duplicate keys in dictionaries | `avoid-duplicate-keys` |
| Avoid invalid assert | `invalid-assert` |
| avoid string concatenation | `avoid-string-concat` |
| avoid unreachable code | `unreachable-code` |
| check equal is used on consistent basic types | `equal-basic-types` |
| Class methods should use self as first argument | `class-methods-use-self` |
| Do not assign to function arguments | `function-variable-argument-name` |
| do not assign to itself | `self-assignment` |
| do not compare to True in a condition | `no-if-true` |
| do not have arguments with the same name | `argument-same-name` |
| Do not have too many nested blocks | `nested-blocks` |
| Do not ignore Exception with a pass statement | `no-silent-exception` |
| do not modify a dictionary while iterating on it | `collection-while-iterating` |
| do not raise base exception | `no-base-exception` |
| Do not raise NotImplemented, it does not exist | `raising-not-implemented` |
| do not return outside a function | `return-outside-function` |
| Do not use a raise statement without a specific exception | `no-bare-raise` |
| do not use Any type | `any-type-disallow` |
| do not use bare except | `no-bare-except` |
| do not use break or continue in finally block | `finally-no-break-continue-return` |
| do not use datetime.today() | `no-datetime-today` |
| do not use double negation | `no-double-not` |
| do not use exit() | `no-exit` |
| Do not use `for i in range(len(<array>))` | `no-range-loop-with-len` |
| do not use format string with logging functions | `logging-no-format` |
| do not use hasattr to check if a value is callable | `use-callable-not-hasattr` |
| do not use operations `=+` and `=-` | `no-equal-unary` |
| do not use operator `--` and `++` | `no-double-unary-operator` |
| do not use self as parameter for static methods | `static-method-no-self` |
| do not use special method on data class | `dataclass-special-methods` |
| do not use too many nested if conditions | `too-many-nested-if` |
| do not use too many nested loops and conditions | `too-many-while` |
| ensure classes have an `__init__` method | `init-method-required` |
| ensure exceptions inherit from a base exception | `exception-inherit` |
| ensure special methods have the correct arguments | `special-methods-arguments` |
| ensure that both `__exit__` and `__enter__` are defined | `ctx-manager-enter-exit-defined` |
| getter/setter must have 1 or 2 arguments respectively | `get-set-arguments` |
| if conditions must have different code blocks | `condition-similar-block` |
| If using generic exception, it should be last | `generic-exception-last` |
| in comparisons, variables must be left | `comparison-constant-left` |
| make sure class names are readable | `ambiguous-class-name` |
| make sure function names are readable | `ambiguous-function-name` |
| make sure variable names are readable | `ambiguous-variable-name` |
| module imported twice | `import-modules-twice` |
| No return in an `__init__` function | `init-no-return-value` |
| only one module to import per import statement | `import-single-module` |
| strip() argument should not have duplicate characters | `invalid-strip-call` |
| TODO and FIXME comments must have ownership | `comment-fixme-todo-ownership` |
| use a base class only once | `no-duplicate-base-class` |
| use isinstance instead of type | `type-check-isinstance` |
| use super() to call the parent constructor | `init-call-parent` |
| when an if condition returns a value, else is not necessary | `if-return-no-else` |

### Ruleset ID: python-code-style

Rules to enforce Python code style.

| Rule | Rule ID |
| --- | --- |
| class name should be PascalCase | `class-name` |
| classes must be less than 900 lines | `max-class-lines` |
| function name and parameters should use snake_case | `function-naming` |
| Functions must be less than 200 lines | `max-function-lines` |

### Ruleset ID: python-django

Rules specifically for Django best practices and security.

| Rule | Rule ID |
| --- | --- |
| always specify max_length for a Charfield | `model-charfield-max-length` |
| Command coming from incoming request | `os-system-from-request` |
| Command coming from incoming request | `subprocess-from-request` |
| do not specify content-type for JsonResponse | `jsonresponse-no-content-type` |
| do not use `__unicode__` | `no-unicode-on-models` |
| do not use NullBooleanField | `no-null-boolean` |
| Filename coming from the request | `open-filename-from-request` |
| Lack of sanitization of user data | `http-response-from-request` |
| use convenience imports whenever possible | `use-convenience-imports` |
| use help_text to document model columns | `model-help-text` |
| use JsonResponse instead of HttpResponse to send JSON data | `http-response-with-json-dumps` |

### Ruleset ID: python-flask

Rules specifically for Flask best practices and security.

| Rule | Rule ID |
| --- | --- |
| Avoid command injection | `command-injection` |
| Avoid potential cookie injections | `cookie-injection` |
| Avoid potential SSRF attacks in your Python code | `avoid-ssrf` |
| Detect an XPath input from an HTTP request | `xpath-injection` |
| Do not use template created with strings | `no-render-template-string` |
| Do not use text() as it leads to SQL injection | `disable-sqlalchemy-text` |
| Make sure cookies are safe and secure | `secure-cookie` |
| Prevent LDAP injection | `ldap-injection` |
| Unsanitized data is sent to popen, causing command injection | `os-popen-command-injection` |
| use jsonify instead of json.dumps for JSON output | `use-jsonify` |
| Use of unsanitized data to create processes | `os-system-unsanitized-data` |
| Use of unsanitized data to issue SQL queries | `sqlalchemy-injection` |
| Use of unsanitized data to make API calls | `html-format-from-user-input` |
| Use of unsanitized data to make API calls | `ssrf-requests` |
| Use of unsanitized data to open API | `urlopen-unsanitized-data` |
| Use of unsanitized data to open file | `open-file-unsanitized-data` |
| Your application should not listen on all interfaces | `listen-all-interfaces` |

### Ruleset ID: python-inclusive

Rules for Python to avoid inappropriate wording in the code and comments.

| Rule | Rule ID |
| --- | --- |
| check comments for wording issues | `comments` |
| check function names for wording issues | `function-definition` |
| check variable names for wording issues | `variable-name` |

### Ruleset ID: python-pandas

A set of rules to check that pandas code is used appropriately.

- Ensures `import` declarations follow coding guidelines.
- Avoid deprecated code and methods.
- Avoid inefficient code whenever possible.

| Rule | Rule ID |
| --- | --- |
| Avoid using `inplace=True` | `avoid-inplace` |
| Import pandas according to coding guidelines | `import-as-pd` |
| prefer iloc or loc rather than ix | `loc-not-ix` |
| prefer notna to notnull | `notna-instead-of-notnull` |
| prefer read_csv to read_table | `use-read-csv-not-read-table` |
| Use arithmetic operator instead of a function | `arith-operator-not-functions` |
| Use isna instead of isnull | `isna-instead-of-isnull` |
| Use operators to compare values, not functions | `comp-operator-not-function` |
| Use pivot_table instead of pivot or unstack | `pivot-table` |

### Ruleset ID: python-security

Rules focused on finding security and vulnerability issues in your Python code, including those found in the OWASP Top 10 and SANS Top 25:

- Use of bad encryption and hashing protocols
- Lack of access control
- Security misconfiguration
- SQL injections
- Hardcoded credentials
- Shell injection
- Unsafe deserialization

| Rule | Rule ID |
| --- | --- |
| Auto escape should be set to true | `jinja-autoescape` |
| avoid deserializing untrusted YAML | `yaml-load` |
| Avoid HTML built in strings | `html-string-from-parameters` |
| Avoid SQL injections | `variable-sql-statement-injection` |
| avoid unsafe function to (de)serialize data | `deserialize-untrusted-data` |
| Call of a spawn process without sanitization | `os-spawn` |
| Command execution without sanitization | `os-system` |
| Do not hardcode temporary file or directory names | `hardcoded-tmp-file` |
| do not give all users write permissions | `file-write-others` |
| Do not make http calls without encryption | `requests-http` |
| do not pass hardcoded credentials | `sql-server-security-credentials` |
| Do not use an empty list as a default parameter | `no-empty-list-as-parameter` |
| Do not use insecure encryption protocols | `insecure-ssl-protocols` |
| Do not use insecure functions | `insecure-hash-functions` |
| Do not use insecure YAML deserialization | `ruamel-unsafe-yaml` |
| Ensure JWT signatures are verified | `insecure-jwt` |
| Make sure temporary files are secure | `mktemp` |
| no timeout was given on call to external resource | `requests-timeout` |
| Potential XXE attack | `xxe-injection` |
| shell argument leads to unnecessary privileges | `subprocess-shell-true` |
| should not bypass certificate verification | `ssl-unverified-context` |
| The use of compile can be insecure | `no-compile` |
| The use of exec can be insecure | `no-exec` |
| Unsafe execution of shell commands | `asyncio-subprocess-create-shell` |
| Unsafe execution of shell commands | `asyncio-subprocess-exec` |
| use env vars over hardcoded values | `aws-boto-credentials` |
| use of eval can be insecure | `no-eval` |
| use secrets package over random package | `avoid-random` |
| verify should be True | `request-verify` |

### Ruleset ID: rails-best-practices

Best practices to write Ruby on Rails code.

| Rule | Rule ID |
| --- | --- |
| Prefer using hash syntax for enums | `enums` |
| Prefer using HTTP status code symbols | `http-status-code-symbols` |
| Prefer using render plain | `plain-text-rendering` |
| Prefer using self over read attribute | `read-attribute` |
| Prefer using self over write attribute | `write-attribute` |
| Use find_each to iterate over a collection of AR objects | `find-each` |

### Ruleset ID: ruby-best-practices

Rules to enforce Ruby best practices.

| Rule | Rule ID |
| --- | --- |
| Use `Array()` to ensure your variable is an array | `array-coercion` |
| Avoid `DateTime` unless for historical purposes | `no-datetime` |
| Avoid array and hash constructor when empty | `literal-hash-array` |
| Avoid attr | `prevent-attr` |
| Avoid class variables | `no-class-var` |
| Avoid explicit use of the case equality operator | `no-case-equality` |
| Avoid hash optional parameters | `no-optional-hash-params` |
| Avoid slow string concatenation | `concat-strings` |
| Avoid standard constants | `global-stdout` |
| Avoid string concatenation | `string-interpolation` |
| Avoid unnecessary disjunctive assignments in constructor | `disjunctive-assign-in-const` |
| Avoid unnecessary uses of `!!` | `no-double-negation` |
| Avoid using 'rescue' as a modifier | `no-rescue-modifier` |
| Avoid using BEGIN blocks | `no-begin-blocks` |
| Avoid using END blocks | `no-end-blocks` |
| Avoid using the character literal syntax | `no-character-literals` |
| Do not extend Data.define | `no-extend-data-define` |
| Do not rescue the Exception class | `no-rescue-exception` |
| Do not return from an ensure block | `no-return-ensure` |
| Do not suppress exceptions without a comment | `no-suppress-exceptions` |
| Do not use `::` to define class methods | `method-definition-colon` |
| Do not use `then` for multi-line if/unless/when/in | `no-then` |
| Do not use eql? for strings | `eql-string` |
| Do not use parallel assignment to define variables | `parallel-assignment` |
| Do not use trailing underscores in destructuring assignments | `trailing-underscore-variables` |
| Do not use unless with else | `no-else-with-unless` |
| Enforce using Integer to check the type of an integer number | `integer-type-checking` |
| Ensure lambdas have parentheses around parameters | `lambda-parameters` |
| Omit parentheses if a lambda has no parameter | `lambda-no-parameter` |
| Omit the rb file extension in a require | `no-explicit-rb-to-require` |
| Optional arguments should appear at the end | `optional-arguments` |
| Organize methods in modules | `top-level-methods` |
| Prefer `Time.now` over `Time.new` | `time-now` |
| Prefer atomic file operations | `atomic-file-operations` |
| Prefer case over if-elsif | `case-vs-if-elsif` |
| Prefer equal? over == when comparing object_id | `identity-comparison` |
| Prefer is_a? over kind_of? | `isa-over-kindof` |
| Prefer proc over Proc.new | `proc-over-procnew` |
| Prefer string chars with empty string | `string-chars` |
| Prefer until over while for negative conditions | `while-with-negatives` |
| Prefer using `warn` over `$stderr.puts` | `use-warn` |
| Prefer using hash each_key and each_value | `hash-each` |
| Prefer using hash key and value | `hash-key` |
| Prefer using iterators over for loops | `no-for-loops` |
| Prefer using Kernel#loop with break for post-loop tests | `loop-with-break` |
| Prefer using reverse_each | `reverse-each` |
| Prevent nested method | `no-nested-method` |
| Separate the exception class and the message | `exception-class-message-separate` |
| Use `&&=` to check if a variable may exist | `existence-check-shorthand` |
| Use `\|\|=` to initialize variables if they are not already | `initialization-shorthand` |
| Use double colons only to reference constants | `double-colon-method-calls` |
| Use fdiv for float division of two integers | `float-division` |
| Use fetch to check hash keys | `hash-fetch` |
| Use fetch with default over custom check | `hash-fetch-default` |
| Use hash literal | `avoid-hash-constructor` |
| Use helper functions to read files | `file-read` |
| Use helper functions to write files | `file-write` |
| Use instance_of? for class comparison | `class-comparison` |
| Use Kernel#loop instead of while/until | `infinite-loop` |
| Use new syntax when keys are symbols | `hash-literals` |
| Use symbols instead of strings for hash keys | `symbols-as-keys` |
| Use the method's implicit 'begin' | `implicit-begin` |
| Wrap assignment in condition | `condition-safe-alignment` |
| Wrap hash literal in braces if last in array | `hash-literal-as-last-array-item` |
| You should not inherit from Struct.new | `no-extend-struct-new` |

### Ruleset ID: ruby-code-style

Code Security rules for writing Ruby code that follows established coding standards.

| Rule | Rule ID |
| --- | --- |
| Avoid parentheses for methods without arguments | `method-parens` |
| Avoid parentheses when methods take no arguments | `method-call-no-args-parens` |
| Avoid using Perl-style special variables | `no-cryptic-perlisms` |
| Prefer ranges/between over complex comparisons | `ranges-or-between` |
| Prefer sprintf and form | `sprintf` |
| Prefer using `first` and `last` to improve readability | `first-and-last` |
| Prefer using Array `join` | `array-join` |
| Prefer using ranges for random numbers | `random-numbers` |
| Prefer using then over yield_self | `yield-self-to-then` |
| Use parentheses with 'super' with arguments | `super-with-args` |
| Use predicate methods over explicit comparisons with `==` | `predicate-methods` |
| Use self to define class methods | `class-methods` |

### Ruleset ID: ruby-inclusive

Write inclusive Ruby code.

| Rule | Rule ID |
| --- | --- |
| Check class names for wording issues | `class-definition` |
| Check comments for wording issues | `comments` |
| Check method and parameter names for wording issues | `function-definition` |
| Check variable names for wording issues | `var-definition` |

### Ruleset ID: ruby-security

Rules focused on finding security issues in your Ruby code.

| Rule | Rule ID |
| --- | --- |
| Avoid constantize | `rails-avoid-constantize` |
| Avoid content tag | `no-content-tag` |
| Avoid create_with, which bypasses strong parameter protection | `create-with` |
| Avoid FTP connections | `no-ftp` |
| Avoid hardcoded basic auth with rails | `rails-basic-auth` |
| Avoid hardcoded temp files | `hardcoded-tmp-file` |
| Avoid html_safe | `no-html-safe` |
| Avoid manual template creation | `rails-manual-template` |
| Avoid MD5 to generate hashes | `no-md5-digest` |
| Avoid path traversal for Ruby on Rails applications | `rails-path-traversal` |
| Avoid Random | `avoid-random` |
| Avoid raw, which leads to XSS | `rails-avoid-raw` |
| Avoid sending files without sanitizing user input | `rails-send-file` |
| Avoid SHA1 to generate hashes | `no-sha1-digest` |
| Avoid SQL injection | `sql-injection` |
| Avoid storing sensitive info | `avoid-clear-sensitive-info` |
| Avoid syscall | `avoid-syscall` |
| Avoid use of eval | `no-eval` |
| Avoid XXE vulnerabilities | `xxe-nokogiri` |
| Check for potential shell injection | `shell-injection` |
| Do not use unsafe deserialization | `unsafe-deserialization` |
| Ensure cookies are serialized using JSON | `rails-cookies-serializer` |
| Ensure forgery protection is enabled | `rails-csrf` |
| Ensure HTML entities are escaped in JSON | `rails-escape-json-entities` |
| Ensure JWT are verified | `jwt-no-verify` |
| Ensure JWT use an algorithm | `jwt-algorithm-none` |
| Ensure RSA keys are large enough | `rsa-key-size` |
| Ensure SSL connections are verified | `ssl-no-verify` |
| Prevent path injection | `path-injection` |
| Prevent use of http protocol | `no-http` |
| Prevent using YAML functions | `yaml-load` |

### Ruleset ID: swift-code-style

Code Security rules for writing Swift code that follows established coding standards.

| Rule | Rule ID |
| --- | --- |
| `try!` should not be used | `avoid-try` |
| Closure expressions should not be nested too deeply | `nested-closure` |
| Closures should not have too many lines | `closure-max-lines` |
| Collection size should not always be true or false | `collection-size` |
| Floating point values should not be tested for equality | `float-equality` |
| Function names should comply with a naming convention | `function-names` |
| IBInspectable should use proper typing | `ibinspectable` |
| Increment or decrement should be a single statement | `increment-decrement-single-stmt` |
| Max lines for class. Default: 100 lines | `max-class-lines` |
| Max lines for function. Default: 200 lines | `max-function-lines` |
| Optionals should not be force-unwrapped | `forced-unwrapped` |
| Remove redundant identifier in optional binding guard | `guard-let-shorthand` |
| Remove redundant identifier in optional binding if condition | `if-let-shorthand` |
| Replace multiple if with a switch | `same-condition` |
| Tuples should not be too large | `tuples-too-large` |
| Use first rather than filter and first | `first-predicate` |
| User must specify return type via `->` | `specify-return-type` |
| Variables of type IBOutlet should be private | `iboutlet-private` |

### Ruleset ID: swift-security

Rules focused on finding security issues in your Swift code.

| Rule | Rule ID |
| --- | --- |
| Allowing javascript to open windows is dangerous | `webview-config` |
| Avoid DES | `avoid-des` |
| Avoid hardcoding IP addresses | `hardcoded-ip` |
| Avoid md5 | `avoid-md5` |
| Avoid sha1 | `avoid-sha1` |
| Don't use UserDefaults to store sensitive data | `insecure-user-defaults` |
| Flag insecure TrustKit certificate pinning settings | `trustkit-pinning` |
| Insecure AFNetworking certificate pinning configuration | `insecure-afnet-cert-config` |
| Insecure storage mechanism used | `insecure-storage` |
| Parser should not resolve external entities | `xxe-parser` |
| Potential NoSQL injection in Realm query | `realm-nosql-injection` |
| Potential SQL injection from string formatting | `sql-injection` |
| Prevent export of sensitive data | `exportable-keychain` |
| Untrusted user input is logged without sanitization | `log-injection` |
| Use of cryptographically weak Pseudo-Random Number Generator | `weak-random` |
| Weak keychain, allowing an attacker to get secret data | `weak-keychain` |

### Ruleset ID: tsx-react

This plugin exports a `recommended` configuration that enforces React good practices.

| Rule | Rule ID |
| --- | --- |
| A list component should have a key to prevent re-rendering | `list-component-needs-key` |
| Avoid comments from being inserted as text nodes | `jsx-no-comment-textnodes` |
| Avoid deprecated methods | `no-deprecated` |
| Avoid nested components | `no-nested-components` |
| Avoid passing children as props | `no-children-prop` |
| Avoid usage of the return value of ReactDOM.render | `no-render-return-value` |
| Avoid using children with dangerouslySetInnerHTML | `no-danger-with-children` |
| Avoid using string references | `no-string-refs` |
| Avoid using the initial state variable in setState | `setstate-same-var` |
| Do not use array indexes for a list component's key | `list-component-no-index` |
| Do not use positive values for a span's tabIndex attribute | `no-tabindex-positive` |
| Do not use this in functional components | `no-this-in-component` |
| Enforce class for returning value in render function | `require-render-return` |
| Enforce key prop for JSX elements in lists or iterators | `tsx-key` |
| Fragments should not be used when there is 1 child | `no-redundant-fragments` |
| Headings must be accessible | `no-unaccessible-heading` |
| Key props must be unique in JSX elements | `tsx-no-duplicate-key` |
| Prevent target="_blank" links from security risks | `tsx-no-target-blank` |
| React hooks should be called correctly | `improper-hook-call` |
| React's useState should not be directly called | `usestate-direct-usage` |

### Ruleset ID: typescript-best-practices

Rules to enforce TypeScript best practices.

| Rule | Rule ID |
| --- | --- |
| Avoid assigning a value with type any | `no-unsafe-assignment` |
| Avoid assignment operators in conditional expressions | `no-cond-assign` |
| Avoid bind calls that are unnecessary | `no-unnecessary-bind` |
| Avoid certain types | `ban-types` |
| Avoid constructors that do nothing or only call super | `no-useless-constructor` |
| Avoid default parameters before normal parameters | `default-param-last` |
| Avoid duplicate constituents of unions or intersections | `no-duplicate-type-constituents` |
| Avoid duplicate enum member values | `no-duplicate-enum-values` |
| Avoid duplicate keys in object literals | `no-dupe-keys` |
| Avoid empty block statements | `no-empty` |
| Avoid empty character classes in regular expressions | `no-empty-character-class` |
| Avoid empty destructuring patterns | `no-empty-pattern` |
| Avoid extra non-null assertions | `no-extra-non-null-assertion` |
| Avoid leaving console debug statements | `no-console` |
| Avoid negating the left operand of relational operators | `no-unsafe-negation` |
| Avoid non-null assertions after an optional chain | `no-non-null-optional-chain` |
| Avoid reassigning exceptions in catch clauses | `no-ex-assign` |
| Avoid require statements | `no-var-requires` |
| Avoid the any type | `no-explicit-any` |
| Avoid the use of alert, confirm, and prompt | `no-alert` |
| Avoid the use of arguments.caller or arguments.callee | `no-caller` |
| Avoid the use of the `__iterator__` property | `no-iterator` |
| Avoid the use of the `__proto__` property | `no-proto` |
| Avoid throwing literals instead of an object or error type | `no-throw-literal` |
| Avoid triple slash in favor of ES6 import declarations | `triple-slash-reference` |
| Avoid TypeScript namespaces | `no-namespace` |
| Avoid unnecessary classes containing only static members | `no-unnecessary-class` |
| Avoid unnecessary constraints on generic types | `no-unnecessary-type-constraint` |
| Avoid unnecessary if-else chains that only return a boolean | `no-if-else-return` |
| Avoid unnecessary jump statements | `no-useless-jumps` |
| Avoid unnecessary ternary operations that return a boolean | `no-unnecessary-ternary` |
| Avoid unsafe declaration merging | `no-unsafe-declaration-merging` |
| Avoid unused expressions | `no-unused-expressions` |
| Avoid using delete on variables directly | `no-delete-var` |
| Avoid using Javascript in URLs | `no-script-url` |
| Avoid variable or function declaration in nested blocks | `no-inner-declarations` |
| Check for loop is moving in the right direction | `for-direction` |
| Consistent naming for boolean props | `boolean-prop-naming` |
| Direct comparison with -0 detected | `no-compare-neg-zero` |
| Disallow the use of debugger | `no-debugger` |
| Ensure you don't use promises without `await`ing them first | `promise-await` |
| Invoking a constructor must use parentheses | `new-parens` |
| Prefer an optional chain instead of chaining operators | `prefer-optional-chain` |
| Prefer using an object spread over `Object.assign` | `prefer-object-spread` |
| Prevent the use of methods similar to eval() | `no-implied-eval` |
| Promise executor cannot be an async function | `no-async-promise-executor` |
| Require yield in generator functions | `require-yield` |

### Ruleset ID: typescript-browser-security

Rules focused on finding security issues in your TypeScript web applications.

| Rule | Rule ID |
| --- | --- |
| Avoid manual sanitization of inputs | `manual-sanitization` |
| Check origin of events | `event-check-origin` |
| Do not inject unsanitized HTML | `react-dangerously-inner-html` |
| Do not modify innerHTML or outerHTML | `inner-outer-html` |
| Do not store sensitive data to local storage | `local-storage-sensitive-data` |
| Do not use variable for regular expressions | `regexp-non-literal` |
| Specify origin in postMessage | `postmessage-permissive-origin` |
| Websockets must use SSL connections | `insecure-websocket` |

### Ruleset ID: typescript-code-style

Rules considered to be best practice for modern TypeScript codebases, but that do not impact program logic. These rules are generally opinionated about enforcing simpler code patterns.

Assigment name should use camelCaseassignment-name\> Avoid @ts-<directive> commentsban-ts-comment\> Avoid Array constructorsno-array-constructor\> Avoid assignment operators in return statementsno-return-assign\> Avoid comparisons where both sides are exactly the sameno-self-compare\> Avoid duplicate module importsno-duplicate-imports\> Avoid empty exports that don't change anythingno-useless-empty-export\> Avoid equal signs explicitly at the beginning of regexno-div-regex\> Avoid explicit type declarations for variables and paramsno-inferrable-types\> Avoid if statements as the only statement in else blocksno-lonely-if\> Avoid leading or trailing decimal points in numbersno-floating-decimal\> Avoid new operators outside of assignments or comparisonsno-new\> Avoid non-null assertion in confusing locationsno-confusing-non-null-assertion\> Avoid Object constructorsno-new-object\> Avoid the declaration of empty interfacesno-empty-interface\> Avoid the use of chained assignment expressionsno-multi-assign\> Avoid using TSLint commentsban-tslint-comment\> Class name should be `PascalCase`class-name\> Enforce a maximum number of parameters in a functionmax-params\> Enforce named function expressionsfunc-names\> Enforce the use of === and !==strict-equals\> Function name should use camelCase or PascalCasefunction-naming\> Function names must match the name of the assignationfunc-name-matching\> Method name should use camelCasemethod-name\> Parameter name should use camelCaseparameter-name\> Require consistently using either T[] or Array<T> for arraysarray-type\> Require let or const instead of varno-var\> Specify the base to parse numbers inradix\>Ruleset ID: typescript-common-security Rules focused on finding security issues in your TypeScript code. 
Avoid insecure HTTP requests with Axiosaxios-avoid-insecure-http\> Do not use external XML entitiesxml-no-external-entities\> Function argument names should be uniqueunique-function-arguments\>Ruleset ID: typescript-express Rules specifically for Express.js TypeScript best practices and security. Avoid allowing access to unintended directories or filespath-traversal\> Avoid rendering resource based on unsanitized user inputexternal-resource\> Avoid sending unsanitized user input in responsexss-vulnerability\> Avoid setting insecure cookie settingsinsecure-cookie\> Avoid using an insecure Access-Control-Allow-Origin headerinsecure-allow-origin\> Avoid using unsanitized user input with sendFileexternal-filename-upload\> Enforce overriding default configdefault-session-config\> Ensure an isRevoked method is used for tokensjwt-not-revoked\> Express application should use Helmetmissing-helmet\> Limit exposure to sensitive directories and filesaccess-restriction\> Make sure your server uses the https protocolhttps-protocol-missing\> Server fingerprinting misconfigurationreduce-server-fingerprinting\>Ruleset ID: typescript-inclusive Rules for TypeScript to avoid inappropriate wording in the code and comments. Check comments for wording issuescomments\> Check declaration names for wording issuesdeclarations\> Check identifier names for wording issuesidentifiers\> Check parameter names for wording issuesformal-parameters\>Ruleset ID: typescript-node-security Rules to identify potential security hotspots in Node. This may include false positives that require further triage. 
Avoid `eval` with expressionsdetect-eval-with-expression\> Avoid Buffer(argument) with non-literal valuesdetect-new-buffer\> Avoid calls to 'buffer' with 'noAssert' flag setdetect-buffer-noassert\> Avoid command injectioncommand-injection\> Avoid DES and 3DESavoid-des\> Avoid instances of 'child_process' and non-literal 'exec()'detect-child-process\> Avoid logging sensitive datalog-sensitive-data\> Avoid RC4avoid-crypto-rc4\> Avoid require with non-literal valuesdetect-non-literal-require\> Avoid SHA1 security protocolavoid-crypto-sha1\> Avoid SQL injectionsql-injection\> Avoid variables in 'fs' calls filename argumentdetect-non-literal-fs-filename\> Avoid weak hash algorithm from CryptoJScrypto-avoid-weak-hash\> Detects hardcoded HMAC keyshardcoded-hmac-key\> Detects non-literal values in regular expressionsdetect-non-literal-regexp\> Do not give 777 permissions to a filechmod-permissions\> Do not put sensitive data in objectsjwt-sensitive-data\> Do not use weak hash functionsinsecure-hash\> Use default encryption from the JWT libraryjwt-weak-encryption\> Use strong security mechanisms with argon2argon2\>LanguagesAll  Apex  Bash  C#  Elixir  Go  Java  JavaScript  Kotlin  PHP  Python  Ruby  Swift  TypeScriptCategoriesAll Best Practices Error Prone Code Style Security PerformanceSeveritiesAll Error Warning Notice Info
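The `typescript-browser-security` rules `event-check-origin` and `postmessage-permissive-origin` both target the same weakness: a `message` handler that trusts whatever arrives, or a sender that broadcasts to `"*"`. The following is an added example written for this page, not Datadog's rule implementation and not code from any Datadog product. The trusted-origin list, the message shape, and the `action` format are assumptions; the handler takes a plain object so it runs outside a browser.

```typescript
// Added example: origin checking for postMessage handlers and senders.
// Not Datadog's rule implementation. The allow-list, message shape and
// action format below are assumptions for illustration.

const TRUSTED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Minimal shape of the MessageEvent fields used here, so the example
// runs without a DOM.
interface IncomingMessage {
  origin: string;
  data: unknown;
}

// Exact-match comparison. A prefix or substring check would accept
// "https://app.example.com.evil.net", so neither is used.
function isTrustedOrigin(origin: string): boolean {
  return TRUSTED_ORIGINS.has(origin);
}

// Flagged pattern: any page holding a reference to this window (an iframe
// parent, an opener, or any cross-site page) can drive this handler.
function handleMessageUnsafe(event: IncomingMessage): string | null {
  const payload = event.data as { action?: string } | null;
  return payload?.action ?? null;
}

// Hardened pattern: reject by origin before reading event.data, then
// validate the shape and format of the data instead of trusting it.
function handleMessageSafe(event: IncomingMessage): string | null {
  if (!isTrustedOrigin(event.origin)) {
    return null;
  }
  const payload = event.data;
  if (typeof payload !== "object" || payload === null) {
    return null;
  }
  const action = (payload as Record<string, unknown>).action;
  if (typeof action !== "string" || !/^[a-z_]{1,32}$/.test(action)) {
    return null;
  }
  return action;
}

// Sender side: the target origin is named explicitly; "*" never reaches
// postMessage. The interface stands in for a Window or iframe contentWindow.
interface PostMessageTarget {
  postMessage(message: unknown, targetOrigin: string): void;
}

function sendToTrustedFrame(
  target: PostMessageTarget,
  message: unknown,
  targetOrigin: string,
): boolean {
  if (!isTrustedOrigin(targetOrigin)) {
    return false;
  }
  target.postMessage(message, targetOrigin);
  return true;
}

// Constructed messages: the same payload from a trusted and an untrusted origin.
const fromTrusted: IncomingMessage = { origin: "https://app.example.com", data: { action: "refresh_token" } };
const fromAttacker: IncomingMessage = { origin: "https://evil.example", data: { action: "refresh_token" } };
console.log("unsafe handler, attacker origin:", handleMessageUnsafe(fromAttacker));
console.log("safe handler, attacker origin:", handleMessageSafe(fromAttacker));
console.log("safe handler, trusted origin:", handleMessageSafe(fromTrusted));
```

In a real page the handler is registered with `window.addEventListener("message", ...)` and receives a `MessageEvent`, which carries the same `origin` and `data` fields used here. Comparing `event.origin` against a fixed set is the check the rule looks for; the data validation after it is a separate defence that the rule does not enforce.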
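The `typescript-express` rules `path-traversal` and `external-filename-upload` flag request data flowing into a filesystem path or into `sendFile`. The following is an added example written for this page, not Datadog's rule implementation and not code from any Datadog product. The public directory, the sample request paths, and the use of `path.posix` (chosen so the results are the same on every platform) are assumptions.

```typescript
// Added example: confining a user-supplied path to a public directory.
// Not Datadog's rule implementation. The base directory and sample inputs
// are assumptions for illustration; path.posix keeps results deterministic.
import * as path from "node:path";

const PUBLIC_ROOT = "/srv/app/public";

// Flagged pattern: the request path is resolved straight against the root.
// "../../etc/passwd" climbs out of it, and an absolute path replaces it
// entirely, because resolve() treats an absolute segment as a new root.
function resolveUnsafe(userPath: string): string {
  return path.posix.resolve(PUBLIC_ROOT, userPath);
}

// Hardened pattern: decode once, reject null bytes, resolve, then require
// the result to be the root itself or to start with root + "/".
// The trailing separator matters: "/srv/app/public2/x" starts with
// "/srv/app/public" but is not inside it.
// Assumption: the caller passes the raw (still percent-encoded) path segment.
function resolveSafe(userPath: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(userPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) {
    return null; // null bytes truncate paths in some lower-level APIs
  }
  const candidate = path.posix.resolve(PUBLIC_ROOT, decoded);
  const rootWithSep = PUBLIC_ROOT.endsWith("/") ? PUBLIC_ROOT : PUBLIC_ROOT + "/";
  if (candidate !== PUBLIC_ROOT && !candidate.startsWith(rootWithSep)) {
    return null;
  }
  return candidate;
}

// Constructed request paths, as an Express handler might see them.
const samples = ["css/site.css", "../../etc/passwd", "/etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "../public2/x"];
for (const p of samples) {
  console.log(JSON.stringify(p), "unsafe:", resolveUnsafe(p), "safe:", resolveSafe(p));
}
```

The check is lexical: it decides whether the normalized string lies under the root, and does not see through symlinks inside the public directory. Where symlinks are possible, resolve the candidate with `fs.realpath` and repeat the prefix check on the result. When an Express handler finally hands the path to `res.sendFile`, passing the `root` option and a path that has already been through a check like this is what keeps the `external-filename-upload` finding from applying.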
## Further Reading

- [Learn about Datadog Code Security](https://docs.datadoghq.com/security/code_security.md)
