Contributing

Two paths, both bot-validated before a human looks. Rule contributions need TP + FP fixtures + a docs page + a registry entry. Everything else follows the standard PR flow.

Two paths

  • Rule contributions (new detectors). Read CONTRIBUTING-RULES.md. The PR validator gates every submission.
  • Everything else (CLI, MCP server, extension, daemon, web, docs, scripts). Read CONTRIBUTING.md.

Quick start

```shell
# Skip the binary download in dev — set the flag.
CODEMORE_SKIP_BINARY_DOWNLOAD=1 npm ci

# Type-check.
npx tsc -p tsconfig.publish.json

# Run the CLI against a fixture.
node cli.js scan corpus/rules/vibe-no-rate-limit/tp --json --enable-experimental

# Run the PR validator on the working tree.
node scripts/validate-rule-pr.js

# Unit tests.
npm run test:unit
```

A rule contribution must include

  1. Rule module under shared/packs/<pack>/<rule-id>.ts
  2. TP fixture under corpus/rules/<rule-id>/tp/ — MUST trigger the rule
  3. FP fixture under corpus/rules/<rule-id>/fp/ — MUST NOT trigger the rule
  4. Docs page under docs/rules/<rule-id>.md
  5. Registration entry in the pack's index.ts
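As an added pre-flight script (not part of the project's own tooling), this checks that the five artifacts listed above are present before you run the PR validator. The pack name example-pack and the sample tree it builds are constructed for the demonstration; the registration check assumes the rule id appears literally in the pack's index.ts.

```shell
#!/bin/sh
# Pre-flight check for the five artifacts a rule contribution must ship.
# Usage: check_rule_contribution <repo-root> <pack> <rule-id>
# Returns 0 when everything is present, 1 otherwise (each gap is reported).
check_rule_contribution() {
  root="$1"; pack="$2"; rule="$3"; missing=0
  [ -f "$root/shared/packs/$pack/$rule.ts" ] \
    || { echo "missing rule module: shared/packs/$pack/$rule.ts"; missing=1; }
  # TP and FP fixture directories must exist and contain at least one file.
  for kind in tp fp; do
    dir="$root/corpus/rules/$rule/$kind"
    if [ ! -d "$dir" ] || [ -z "$(find "$dir" -type f | head -n 1)" ]; then
      echo "missing or empty $kind fixture: corpus/rules/$rule/$kind/"; missing=1
    fi
  done
  [ -f "$root/docs/rules/$rule.md" ] \
    || { echo "missing docs page: docs/rules/$rule.md"; missing=1; }
  # Registration: assumes the rule id appears literally in the pack index.
  grep -q -- "$rule" "$root/shared/packs/$pack/index.ts" 2>/dev/null \
    || { echo "rule id not registered in shared/packs/$pack/index.ts"; missing=1; }
  return "$missing"
}

# Constructed sample tree (not a real checkout) used to exercise the check.
make_sample_tree() {
  root="$1"; pack="$2"; rule="$3"
  mkdir -p "$root/shared/packs/$pack" "$root/corpus/rules/$rule/tp" \
           "$root/corpus/rules/$rule/fp" "$root/docs/rules"
  : > "$root/shared/packs/$pack/$rule.ts"
  echo "app.post('/login', handler)" > "$root/corpus/rules/$rule/tp/app.js"
  echo "app.post('/login', limiter, handler)" > "$root/corpus/rules/$rule/fp/app.js"
  : > "$root/docs/rules/$rule.md"
  echo "import { rule } from './$rule';" > "$root/shared/packs/$pack/index.ts"
}

# Demo run against the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root" example-pack vibe-no-rate-limit
check_rule_contribution "$demo_root" example-pack vibe-no-rate-limit \
  && echo "contribution complete: all five artifacts present"
rm -rf "$demo_root"
```

Run it from the repo root with the real pack and rule id once your files are in place; a zero exit means the validator at least has everything it needs to look at.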

Verify before opening a PR

  • npx tsc -p tsconfig.publish.json is clean.
  • node scripts/validate-rule-pr.js reports passed.
  • npm run scan:samples produces no new BLOCKERs on the reference apps — our false-positive canary.
  • npx mocha --require ts-node/register test/parity.test.ts is green.

Security disclosures

Read SECURITY.md. Don't open public GitHub issues for security findings — use the private vulnerability reporting flow.

Code of conduct

By participating you agree to abide by our Code of Conduct.
