Contributing
Two paths, both bot-validated before a human looks. Rule contributions need TP + FP fixtures + a docs page + a registry entry. Everything else follows the standard PR flow.
Two paths
- Rule contributions (new detectors). Read CONTRIBUTING-RULES.md. The PR validator gates every submission.
- Everything else (CLI, MCP server, extension, daemon, web, docs, scripts). Read CONTRIBUTING.md.
Quick start
```bash
# Skip the binary download in dev — set the flag.
CODEMORE_SKIP_BINARY_DOWNLOAD=1 npm ci
# Type-check.
npx tsc -p tsconfig.publish.json
# Run the CLI against a fixture.
node cli.js scan corpus/rules/vibe-no-rate-limit/tp --json --enable-experimental
# Run the PR validator on the working tree.
node scripts/validate-rule-pr.js
# Unit tests.
npm run test:unit
```
A rule contribution must include
- Rule module under `shared/packs/<pack>/<rule-id>.ts`
- TP fixture under `corpus/rules/<rule-id>/tp/` — MUST trigger the rule
- FP fixture under `corpus/rules/<rule-id>/fp/` — MUST NOT trigger the rule
- Docs page under `docs/rules/<rule-id>.md`
- Registration entry in the pack's `index.ts`
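A local pre-flight for the five artifacts above, as an added example that is not the project's own validator (`scripts/validate-rule-pr.js` remains the gate; this only catches the cheap layout mistakes before you push). It assumes the repository layout exactly as listed, treats an empty fixture directory as missing, and checks registration by grepping the rule id in the pack's `index.ts`. The `make_demo_tree` helper builds a constructed throwaway tree so the check can be exercised offline:

```bash
#!/usr/bin/env sh
# Added example: layout check for a rule contribution. Not the project's validator.
# Usage: check_rule_layout <pack> <rule-id> [repo-root]
# Exit 0 when all five required artifacts are present, 1 otherwise (missing items are printed).
check_rule_layout() {
  pack=$1
  rule=$2
  root=${3:-.}
  missing=0

  # 1. Rule module: shared/packs/<pack>/<rule-id>.ts
  if [ ! -f "$root/shared/packs/$pack/$rule.ts" ]; then
    echo "missing rule module: shared/packs/$pack/$rule.ts"; missing=1
  fi

  # 2./3. TP and FP fixtures: the directory must exist and hold at least one file,
  # otherwise the scanner has nothing to trigger (or not trigger) on.
  for kind in tp fp; do
    dir="$root/corpus/rules/$rule/$kind"
    if [ ! -d "$dir" ] || [ -z "$(find "$dir" -type f | head -n 1)" ]; then
      echo "missing or empty $kind fixture dir: corpus/rules/$rule/$kind/"; missing=1
    fi
  done

  # 4. Docs page: docs/rules/<rule-id>.md
  if [ ! -f "$root/docs/rules/$rule.md" ]; then
    echo "missing docs page: docs/rules/$rule.md"; missing=1
  fi

  # 5. Registration: the rule id must appear in the pack's index.ts (assumption:
  # registration references the module by its rule-id file name).
  idx="$root/shared/packs/$pack/index.ts"
  if [ ! -f "$idx" ] || ! grep -q -- "$rule" "$idx"; then
    echo "rule id '$rule' not registered in shared/packs/$pack/index.ts"; missing=1
  fi

  return $missing
}

# Constructed demo tree (assumed file contents, for running the check offline).
# Usage: make_demo_tree <root> <pack> <rule-id>
make_demo_tree() {
  root=$1; pack=$2; rule=$3
  mkdir -p "$root/shared/packs/$pack" \
           "$root/corpus/rules/$rule/tp" \
           "$root/corpus/rules/$rule/fp" \
           "$root/docs/rules"
  printf 'export const rule = {};\n'               > "$root/shared/packs/$pack/$rule.ts"
  printf 'app.get("/login", handler);\n'            > "$root/corpus/rules/$rule/tp/app.js"
  printf 'app.get("/login", limiter, handler);\n'   > "$root/corpus/rules/$rule/fp/app.js"
  printf '# %s\n' "$rule"                           > "$root/docs/rules/$rule.md"
  printf 'export * from "./%s";\n' "$rule"          > "$root/shared/packs/$pack/index.ts"
}

# Example run (requires an existing checkout or the demo tree):
#   check_rule_layout vibe vibe-no-rate-limit
```

Run `check_rule_layout <pack> <rule-id>` from the repository root; a non-zero exit with the printed list tells you what the PR validator will reject before you open the PR. It says nothing about whether the TP fixture actually fires or the FP fixture stays quiet, so still run the scanner and `node scripts/validate-rule-pr.js` afterwards.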
Verify before opening a PR
- `npx tsc -p tsconfig.publish.json` is clean.
- `node scripts/validate-rule-pr.js` reports passed.
- `npm run scan:samples` produces no new BLOCKERs on the reference apps — our false-positive canary.
- `npx mocha --require ts-node/register test/parity.test.ts` is green.
Security disclosures
Read SECURITY.md. Don't open public GitHub issues for security findings — use the private vulnerability reporting flow.
Code of conduct
By participating you agree to abide by our Code of Conduct.