Rules (58)
Every rule ships with a TP fixture + an FP fixture + a docs page + a registry entry — the PR bot enforces all four before a human reviews. Severity defaults are tunable per project via .codemorerc.json.
23 rules
core-bugs-loose-equality
core-bugs-todo-fixme
core-quality-async-without-await
core-quality-empty-catch
core-quality-leftover-console
core-security-eval
core-security-hardcoded-secret-pattern
core-security-innerhtml-assignment
core-security-insecure-deserialization
core-security-path-traversal
core-security-shell-injection
core-security-sql-injection-concat
core-security-tls-disabled
core-security-weak-hash
core-typescript-as-any
core-typescript-non-null-assertion-abuse
vibe-cors-wildcard-credentials
vibe-hardcoded-jwt
vibe-mcp-config-secret
vibe-public-env-leak
vibe-supabase-rls-disabled
vibe-supabase-rls-permissive
vibe-xss-dangerously-set
core-quality · 14 rules
Unused exports, complexity, dead conditionals, leftover prints, async-without-await — bug-class style smells.
core-quality-cyclomatic-complexity · MAJOR · TypeScript, JavaScript · experimental
core-quality-dead-conditional · MAJOR · TypeScript, JavaScript · experimental
core-quality-duplicate-string · MINOR · TypeScript, JavaScript · experimental
core-quality-empty-except · MAJOR · Python · experimental
core-quality-leftover-print · MINOR · Python · experimental
core-quality-py-async-without-await · MAJOR · Python · experimental
core-quality-py-cyclomatic-complexity · MAJOR · Python · experimental
core-quality-py-unreachable-code · MAJOR · Python · experimental
core-quality-py-unused-import · MAJOR · Python · experimental
core-quality-py-unused-variable · MAJOR · Python · experimental
core-quality-unreachable-code · MAJOR · TypeScript, JavaScript · experimental
core-quality-unused-export · MAJOR · TypeScript, JavaScript · experimental
core-quality-unused-import · MAJOR · TypeScript, JavaScript · experimental
core-quality-unused-variable · MAJOR · TypeScript, JavaScript · experimental
core-security · 12 rules
Injection, weak crypto, secrets, path traversal, eval, deserialization — the universal SAST class.
core-security-py-eval · BLOCKER · Python · experimental
core-security-py-shell-injection · BLOCKER · Python · experimental
vibe-agent-tool-no-confirm · MAJOR · TypeScript, JavaScript, Python · beta
vibe-db-select-star-from-user-table · MAJOR · SQL, TypeScript, JavaScript · experimental
vibe-db-write-without-where · BLOCKER · SQL, TypeScript, JavaScript · experimental
vibe-llm-output-to-sink · BLOCKER · TypeScript, JavaScript, Python · beta
vibe-prompt-injection-sink · BLOCKER · TypeScript, JavaScript · experimental
vibe-py-secret-in-log · MAJOR · Python · experimental
vibe-py-ssrf-fetch-user-input · MAJOR · Python · experimental
vibe-secret-in-log · MAJOR · TypeScript, JavaScript · experimental
vibe-ssrf-fetch-user-input · MAJOR · TypeScript, JavaScript · experimental
vibe-supply-chain-hallucinated-import · MAJOR · TypeScript, JavaScript · experimental
vibe-auth · 3 rules
Missing session checks, BOLA, inverted auth — the lovable Lovable bugs.
vibe-frontend · 4 rules
XSS, CORS, missing rate limits, cookie flags, file-upload validation.
vibe-cookie-missing-flags · MAJOR · TypeScript, JavaScript · beta
vibe-file-upload-no-validation · MAJOR · TypeScript, JavaScript, Python · beta
vibe-no-input-validation · MAJOR · TypeScript, JavaScript · experimental
vibe-no-rate-limit · MAJOR · TypeScript, JavaScript · experimental
vibe-secrets · 1 rule
Public env leaks, CI/CD secret echoes, MCP config secrets.
vibe-supabase · 1 rule
RLS disabled, permissive policies, anon-key reachable from client.