Rules

DEPRECATED: This rule is consolidated into ts.correctness.missing-timeout-on-external-call. External calls should define timeout, cancellation, or retry behavior.

A method annotated @NoAllocation creates heap objects via `new`.

Spring Boot applications in the default package cannot be scanned properly and will fail at runtime.

Calling `to_json` with no arguments was deprecated in older Ruby JSON versions. The method now requires an argument (or uses the JSON generator state from the wrapper).

Calling `.step_by(0)` on an iterator panics when the iterator is consumed.

The `object_id` method result is compared using `==` instead of the `equal?` method. Using `equal?` is the idiomatic way to test object identity in Ruby.

Abstract methods must not have a body

A `before_action` references a method that is not defined in the current controller scope.

The same callback method name is used across multiple `after_commit` or `after_*_commit` declarations. Only the last declaration takes effect.

Nest bootstrap entries should register `ValidationPipe` globally when controllers parse bodies or DTOs.

Express JWT middleware should check revocation state when bearer tokens can be invalidated early.

Next.js route segments should declare an error.tsx handler so async and client failures surface safely.

`#[ignore]` without a nearby ticket reference or reason makes the test easy to forget.

JSX images need a meaningful `alt` value, or an explicit empty string when the image is decorative.

Apollo Server bootstrap should declare validation rules or plugins that bound query cost.

Functions and methods with non-void return types should contain at least one return statement.

External links opened in a new tab should set rel noopener or noreferrer.

Opening links in a new tab without rel=noopener lets the destination page access window.opener.

Flow-control conditions should not resolve to a constant boolean value.

A block is attached to a method call that already has arguments, but the intended receiver of the block is ambiguous. Add parentheses to clarify whether the block belongs to the outer or inner method.

The first argument to a method call starts with a unary operator, which can be ambiguous. For example, `foo +bar` could be parsed as `foo(+bar)` or `foo() + bar` by readers.

A regex literal `/pattern/` is used as a method argument without parentheses. This can be confused with the division operator by readers.

DISTINCT with multiple columns including computed expressions may be ambiguous

Regex patterns compiled with `Regex::new` should be anchored to avoid unintended substring matches, which can lead to security bypasses.

Checking for an annotation at runtime that is retained only at SOURCE or CLASS level will always return false.

Express apps should use Helmet or equivalent header hardening middleware.

The number of format specifiers in the format string does not match the number of arguments provided.

Arns should use correctly placed pseudo parameters

Array iteration callbacks with block bodies should return a value when required.

Comparing an array variable to a non-array value (string literal, number, boolean) is almost certainly a logic bug.

An array, list, or string is accessed at length()/size(), which is always one past the last valid index.

Provide a compare function when sorting non-string arrays.

Arrow functions require => body

The `assert` keyword in Java is disabled at runtime. Do not use it for argument validation or precondition checks in production code.

Calls to `assertThat()` or `verify()` must include a chained assertion (e.g. `.isEqualTo()`, `.isGreaterThan()`) or the test assertion is silently ignored.

append returns a new slice; dropping the result loses the appended element.

Assignment target must be an lvalue

Code assigns to or updates a symbol declared by an import.

Detected direct assignment to the `exports` variable.

Control-flow conditions should compare values, not perform assignments.

The `class_name` option on associations should be a string literal, not a constant reference.

The executor passed to `new Promise` is declared `async`.

Hashing a unit value `()` via `Hash::hash` is a no-op — all unit values hash identically.

Transmuting `*const T` to `&T` creates a reference with no lifetime guarantees.

Transmuting `&T` to `*const T` is unnecessary — use `as` casts instead.

Transmuting `*const T` to `*mut T` is safer through a reference cast.

An attribute that does not target properties should not be applied to a property declaration.

Attributedefinitions / keyschemas mismatch

Attributes are not valid on closures

Attributes are not valid on functions

Attributes cannot target class constants

The expression uses the same variable on both sides of a compound assignment (e.g. `x += x + y`), which simplifies to a non-obvious result (`2x + y`). This may indicate a typo or unintentional logic.

Server Actions that mutate state must validate sessions locally before reaching privileged sinks.

Backend routes should enforce authorization directly instead of relying on frontend gating alone.

Availability zone parameters should not be hardcoded

`:true` and `:false` symbols are usually typos for boolean literals.

`controller()` method on an AngularJS module is discouraged in favor of component-based architecture.

Calling `.clone()` on `&&T` clones the inner `&T`, not the underlying `T`.

Calling `.map()` before `.count()` has no effect on the count result.

Calls to `.replace()` or `.replacen()` with identical pattern and replacement have no effect.

Calling `.sorted()` on an unordered collection like HashMap or HashSet is misleading.

Using the `any` type defeats TypeScript's type safety guarantees.

Do not read `arguments.callee` or `arguments.caller` in functions.

`END` registers a block to run at program exit. Using it inside a method is invalid and the block will never execute.

`javascript:` URLs can execute arbitrary script when used as navigation targets in href, src, or action attributes.

Core code should not depend on nondeterministic random generation.

Do not use `new` with the result of `require()`. The `require()` return value is not a constructor and this pattern is almost always a bug.

Do not call `process.exit` from application logic; reserve termination for CLI entrypoints.

A `return` inside an `ensure` block discards any exception that was raised, silently swallowing errors.

`std::mem::size_of_val(&ref)` returns the size of the reference itself, not the pointed-to value.

`remove_dir_all` is vulnerable to TOCTOU (time-of-check-time-of-use) races when the directory tree contains symbolic links.

Calling `.unwrap()` on `option_env!()` panics at compile-time if the environment variable is unset.

`with` statements make binding resolution unpredictable and are disallowed in strict mode.

Namespace import member access should reference names exported by the target module.

Methods such as update_column and touch persist data without running model validations.

`actix_cors` configurations must not combine `allow_any_origin` with `supports_credentials`.

Hand-rolled HTML escaping and sanitization should be replaced with vetted sanitizers or safe rendering paths.

Use `allow_nil` instead of `allow_blank` in `delegate` declarations.

Django REST Framework APIs should default to authenticated permission classes instead of `AllowAny`.

DRF views that accept POST, PUT, PATCH, or DELETE should not declare `AllowAny` unless the endpoint is intentionally public.

`management.endpoint.health.show-details=always` (or YAML equivalent) publishes detailed health payloads to any caller, which often leaks dependency and infrastructure facts.

Ambiguous abbreviated names in exported APIs reduce readability and onboarding speed.

Context files and shared preferences must not use MODE_WORLD_READABLE or MODE_WORLD_WRITABLE.

APIs that require callers to invoke methods in strict hidden order are fragile.

Using the map index as a React key breaks reconciliation when lists reorder, filter, or insert items.

Array spread or repeated concat in loops allocates per iteration and scales poorly.

assert statements should only appear in test files

Extract assignments from if, unless, while, and until conditions.

Direct filesystem read APIs should not consume request- or upload-controlled filenames.

Bare exception handlers catch all errors and hide root causes.

A bare return at the end of a function adds no value and should be removed

Cycles involving barrel files obscure ownership and complicate module boundaries.

Go network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.

Python network services should avoid explicit binds to `0.0.0.0` or `::` unless public exposure is intentional and controlled.

Rust network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.

Network-facing services should not explicitly bind to every interface unless public exposure is intentional and protected.

Calling block_on from async code can deadlock the runtime.

Do not call `alert`, `confirm`, or `prompt` in application code.

Warp filters and handlers run on the async runtime; avoid `std::fs`, `thread::sleep`, and `unwrap` on request paths without `spawn_blocking` or proper errors.

Long blocking sleeps (>100ms) in narrow unit tests slow CI and hide synchronization bugs.

std::thread::sleep blocks the executor thread inside async code.

Public APIs with multiple boolean flags reduce readability and increase change risk.

Wildcard CSRF exclusions should not cover account, billing, admin, password, or profile endpoints.

The created and beforeCreate hooks may run on the server during SSR; accessing window or document there causes errors.

Access and session tokens should not be stored in long-lived browser storage.

each_with_object is called with a numeric literal, nil, or boolean. Mutations inside the block are silently lost because these types are immutable.

React effects should not serialize independent fetches that can run in parallel or move server-side.

The third argument to define() for case-insensitive constants is deprecated.

Casting a function pointer to an integer type discards pointer metadata and is unsafe.

`<<-SQL.squish` parses as calling `.squish` on the delimiter string `'SQL'`, not on the heredoc body. Wrap the heredoc in parentheses: `(<<-SQL).squish`.

Default argument values that reference themselves are circular and always nil.

Avoid class constants inside traits

FTP transmits credentials and data without encryption

Python outbound requests should use HTTPS, not plain HTTP, when calling external services.

Python process execution helpers must not receive request-controlled arguments.

Comparing a function pointer to null after casting to an integer is error-prone and unnecessary.

Comparing functions or callables with equality operators is unreliable.

Calling `.count`, `.size`, or `.length` on a static array or hash literal computes a value known at parse-time. Prefer assigning the literal to a constant or using the literal directly.

Route error logs through the project logger.

Use the project logger instead of console.log.

return, break, continue, and throw in finally alter normal flow.

Ranging over a slice of large fixed-size arrays copies each element by value.

Ranging over a large fixed-size array copies the entire array value per iteration.

Browser-facing Django views that change state should remain CSRF-protected unless they are explicitly token-authenticated APIs.

Errors should inherit from StandardError so routine rescue handlers behave predictably.

Non-interactive elements that listen for pointer or key events without a widget role usually hide custom interaction that needs explicit semantics.

defer inside a loop holds resources until the surrounding function returns.

Go code should use `os.CreateTemp` and `os.MkdirTemp` instead of the deprecated `ioutil.TempFile` / `ioutil.TempDir` helpers.

`$cookieStore` is a deprecated AngularJS service replaced by `$cookies`.

`.success()` and `.error()` on `$http` promise are deprecated in favor of `.then()` and `.catch()`.

BigDecimal.new is deprecated since BigDecimal 1.3.3 and removed in 2.0.0. Use BigDecimal() instead.

File.exists?, Dir.exists?, and iterator? are deprecated. Use File.exist?, Dir.exist?, and block_given? instead.

The `replace` property in AngularJS directive definitions is deprecated and removed in AngularJS 1.7+.

isMounted is a legacy anti-pattern that leads to stale references and masks async lifecycle bugs.

OpenSSL::Cipher and OpenSSL::Digest constant APIs are deprecated; prefer string algorithm names.

`SSLContext.getInstance` should not request SSL, SSLv2, SSLv3, TLSv1.0, or TLSv1.1.

Use CGI.escape, URI.encode_www_form_component, or Addressable instead.

URI.regexp is deprecated and removed in modern Ruby releases.

Vue.config.keyCodes was removed in Vue 3. Use key alias modifiers directly instead.

Keep environment variable access inside config modules.

Helmet should keep nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy enabled unless another gateway enforces them.

Jinja2 environments should keep autoescaping enabled for HTML rendering contexts.

Disabling CSRF globally is unsafe for cookie-backed browser sessions unless the app is clearly hardened as a stateless API (for example OAuth2 resource server with stateless sessions).

Do not divide by literal zero.

Django responses should avoid `mark_safe` when content can include untrusted input.

A case statement has two identical when conditions. This is usually a copy-paste mistake that causes the second matching branch to never execute.

An if-elsif chain has two consecutive elsif blocks with identical conditions. This is likely a copy-paste error that causes the second matching branch to never execute.

Repeated keys in an array literal overwrite earlier entries.

Repeated keys in a dict literal overwrite earlier entries.

Remove duplicate symbol or string keys in the same hash literal.

Module should not export the same name more than once.

Avoid duplicate types in union declarations

Avoid dynamic class constant fetch

Python services should not execute runtime-generated code via `eval` or `exec`.

Do not execute runtime-generated PHP via eval, string assert, or create_function.

Do not execute runtime-generated Ruby via eval, exec, or *_eval helpers.

Do not pass `format!(...)` (or equivalent string concatenation) into `sqlx::query` or `diesel::sql_query` sinks.

ECB mode is deterministic and reveals patterns in plaintext

A begin block contains an else clause but no rescue clause. In Ruby, else in a begin block only runs when no exception is raised, which is useless without rescue.

Reading from an array with `$value[]` appends null and returns the new element.

An ensure block has no body. Either add cleanup code or remove the ensure clause.

Empty parentheses () are used as an expression, which always evaluates to nil and is almost always a mistake.

String interpolation with nothing inside the braces #{} produces nothing and is always a mistake.

Jackson `ObjectMapper` should not call `enableDefaultTyping` or `activateDefaultTyping`, and `@JsonTypeInfo(use = Id.CLASS|MINIMAL_CLASS)` should not be applied without an allowlist.

Python process execution should avoid `shell=True` unless shell interpretation is explicitly required and tightly controlled.

Fastify applications should not disable body limits or configure unusually large defaults without compensating controls.

Functions like count() and strlen() inside loop conditions run on every iteration.

Sorting or heavy transforms in React render paths should be memoized or precomputed.

Assigning a value to itself is a no-op and likely indicates a copy-paste bug.

Directory listing middleware should not be enabled on public paths without a deliberate review.

`http.Dir("/")` or `http.Dir("\\")` used with `http.FileServer` or `http.StripPrefix` exposes the entire filesystem, enabling directory traversal.

An expression follows else on the same line. This is almost always a typo for elsif.

`template.HTML`, `template.JS`, and `template.CSS` should not wrap request-derived strings unless they were sanitized first.

Flask responses should not bypass escaping when interpolating `request` input into HTML helpers or template strings.

The flip-flop operator (`..`/`...` in conditionals) is deprecated since Ruby 2.6 and has confusing evaluation semantics.

Using global variables is an anti-pattern that can lead to hard-to-debug side effects

JWT, session, and strategy secrets should not be embedded directly in source code.

Python source should not embed static secrets such as API keys, tokens, or passwords in plain text.

Temporary paths should use tempfile module instead of string literals

Bare side-effect imports outside setup files make module behavior implicit.

Production Rust code should not import `md5`, `sha1`, `des`, or `rc4` for security-sensitive purposes.

Production Go code should not import `crypto/md5`, `crypto/sha1`, `crypto/des`, or `crypto/rc4` for security-sensitive purposes.

next/document should only be imported in pages/_document.(ts|tsx) or src/pages/_document.(ts|tsx).

pages/_document should use next/document's Head component, not next/head.

Include and require statements must not load files from request-derived or tainted path values.

Duplicating props into useState without an explicit sync strategy hides updates and confuses controlled versus uncontrolled boundaries.

Creating `function` handlers or `.bind()` calls inside JSX forces new function identities every render and makes memoized children re-render unnecessarily.

Java `Cipher.getInstance` should not request ECB mode or legacy algorithms like DES and RC4.

Weak ciphers like DES, ARC2, ARC4, and Blowfish should not be used

Application servers should terminate TLS locally or document trusted edge termination before exposing plain HTTP listeners.

Prefer `JSON.parse` over `JSON.load`, `JSON.restore`, or permissive Oj/MultiJson loaders.

Mako templates with empty default_filters or disable_unicode=True are vulnerable to XSS

Outbound mail/file transfer code should not rely on plaintext transport endpoints for sensitive traffic.

SSLv2, SSLv3, and TLSv1 are known to be vulnerable to protocol-level attacks

Python temporary files should not use `mktemp` or `tempnam` helpers that create race-prone filenames.

urllib.urlopen() and urlretrieve() do not validate TLS certificates by default

Standard library XML parsers are vulnerable to XXE and entity expansion attacks

IO.read and related IO class methods can spawn subprocesses when the path starts with a pipe.

JSON stringify/parse cloning is expensive and loses type fidelity for rich objects.

Do not use `Kernel.open` with a leading pipe, which spawns a shell command.

Object spread inside loops creates repeated allocations and can degrade throughput.

Logs, stdout or stderr, and direct response sinks should not expose sensitive fields or internal diagnostic detail.

Password hashing should not use `argon2i` or `argon2d` when safer modern modes are available.

Legacy class lifecycle hooks are brittle in strict mode and block migration toward modern React patterns.

String refs rely on older React behavior that is harder to analyze and less reliable than callback or object refs.

Deprecated test waiting APIs like wait(), waitForElement(), and waitForDomChange() should be replaced with waitFor().

HttpClient/URL/RestTemplate usage in unit tests should target fakes or embedded servers.

requests/httpx/urllib calls in unit tests should be doubled or recorded.

Net::HTTP, Faraday, or HTTParty usage in specs should be doubled or recorded.

Unit tests should not dial the real network; prefer fakes or httptest servers.

reqwest usage in tests should target local servers or fakes.

Low-level cryptography.hazmat and pycrypto imports bypass safer high-level APIs

Eloquent writes should not use `$request->all()` or fully unguarded models for sensitive records.

Combining value with defaultValue leads to ambiguous ownership between React and the DOM.

A regex literal contains both named captures (?<name>) and numbered captures (parenthesized groups without names). Mixing these is confusing and can lead to errors.

Two def declarations with the same name exist in the same class, module, or top-level scope. The second definition silently overwrites the first.

A begin-rescue block rescues the same exception class more than once. The second rescue clause will never match since the first handles it first.

Mutable defaults in function signatures retain state across calls.

Shared module state should not be exported with `let`/`var` or reassigned after export.

Computed properties should not produce side effects such as assignments or array mutations.

Per-item awaits inside map-like flows often create avoidable latency and fan-out bottlenecks.

Declaring functions inside other functions is discouraged and hard to test.

Switch statements nested inside other switch statements are hard to follow.

Performance hygiene signal for go sources.

Performance hygiene signal for java sources.

Performance hygiene signal for php sources.

Performance hygiene signal for python sources.

Performance hygiene signal for ruby sources.

Performance hygiene signal for rust sources.

Performance hygiene signal for go sources.

Performance hygiene signal for java sources.

Performance hygiene signal for php sources.

Performance hygiene signal for python sources.

Performance hygiene signal for ruby sources.

Performance hygiene signal for rust sources.

Performance hygiene signal for go sources.

Performance hygiene signal for java sources.

Performance hygiene signal for php sources.

Performance hygiene signal for python sources.

Performance hygiene signal for ruby sources.

Performance hygiene signal for rust sources.

Passing a byte string literal with non-UTF-8 sequences to `str::from_utf8_unchecked` creates invalid UTF-8 strings that violate Rust's safety assumptions about `&str`.

Client-side lifecycle hooks should not reference process.server, process.client, or process.browser.

Redirect helpers must not send users to hosts or paths derived directly from request input without validation.

Do not use html_safe, raw, or safe_concat to bypass escaping.

Using `isize::MAX` or `usize::MAX` in a range expression can cause overflow.

Catching `Exception` or `BaseException` makes error handling too broad.

`os.WriteFile` or `os.OpenFile` with permission bits above `0600` (owner read/write) may expose sensitive data to other users on the system.

Implementing `fn type_id` inside `impl Error for` blocks leaks internal type details and breaks trait object safety guarantees.

Vue instance reserved keys ($el, $data, $props, etc.) should not be overwritten to prevent framework contract violations.

Async request handlers should propagate errors instead of panicking or unwrapping Results.

Rocket route handlers should not `unwrap`, `expect`, or otherwise panic on values derived from the HTTP request.

Function parameters that are large fixed-size arrays (>80 bytes) cause excessive copying when passed by value.

Express session cookies should not explicitly opt into cross-site or wildcard-style scope.

FastAPI `CORSMiddleware` should not combine wildcard origins, methods, or headers with `allow_credentials=True`.

Files that can carry user or security data should not be created with world-accessible modes.

Do not pair wildcard or `very_permissive` origin policies with credentialed CORS or private-network access in `tower-http`.

URL/URI literals should not use `ftp://`, `telnet://`, or `jar:http://`.

Do not pass literal passwords to http_basic_authenticate_with.

Positive `tabIndex` values create a custom keyboard order that is fragile and usually less accessible than DOM order.

Dereferencing a variable in a catch or finally block may throw a NullPointerException if the variable was assigned from a failed operation.

Chaining a method call on a `.get()`, `.poll()`, or `.peek()` result may throw a NullPointerException.

Temporary file creation should use secure helpers with random suffixes and restrictive permissions.

session_id must not be set from weak hash helpers, uniqid, or request-derived values.

Tokens, reset links, and session secrets should be generated from cryptographically strong randomness.

Domain-facing APIs with many primitive parameters should use richer value objects.

authenticate_with_http_digest and authenticate_or_request_with_http_digest are vulnerable to denial-of-service attacks in affected Rails versions.

curl_exec in tests should target doubles or local fixtures.

Do not wrap request-sourced strings in `RawHtml` (or similar) without escaping in Rocket handlers.

Request-derived values should not be interpolated into raw HTML strings.

Database query sinks must not receive request-driven or dynamically interpolated SQL text.

Raw response sinks should not echo request data without escaping or sanitization. JSON.stringify and JSON responses are excluded — their output is not executable markup.

React hooks must only be called at the top level of React function components or custom hooks, not inside conditions, loops, or regular functions.

`createFactory` is a legacy helper for pre-JSX code and is removed from modern React typings and guidance.

`findDOMNode` reaches through component boundaries with a deprecated escape hatch that breaks strict mode migrations.

Python file read operations should not consume request-controlled path segments.

Unit tests should not open real sockets; prefer doubles, recordings, or local fakes.

Function definitions should not shadow builtin names like list, dict, str, or int

Repeated fetches for the same stable request identity waste network and CPU budget.

Servlet writers should not emit raw request parameters or headers without encoding or policy checks.

Constructing regular expressions inside loops repeatedly allocates and reparses patterns.

Outbound `http.Post` bodies should not be built directly from request values without validation or redaction.

Outbound HTTP helpers should not receive URLs or bodies directly from `params` or other tainted sources without validation.

Outbound HTTP clients should not forward tainted request/session material without validation or redaction.

Inline and text render modes bypass view escaping and are easy to misuse for cross-site scripting.

`render` options such as `html:`, `plain:`, or `inline:` must not consume unvalidated request data.

The path prefix for express.static should not be derived directly from request objects.

Logging and formatting helpers should not take request input as the format string itself.

Arrays indexed with request-derived keys can read or write out-of-bounds entries.

DynamoDB query and scan inputs should not be built directly from request input.

Rescuing Exception also catches signals and system exits that should not be swallowed.

Express error handlers should not send the err object directly to clients in production paths.

Passing a string as the first argument to `Collections.nCopies()` likely has the arguments reversed.

Calling `indexOf()` with an integer as the first argument and a string as the second likely has the arguments reversed.

`new SecureRandom(byte[])` should not be initialized with literal byte arrays, short fixed buffers, or string-derived seeds.

Sensitive fields should not be sent to logging, tracing, or analytics sinks.

Exceptions and rejection payloads should not include raw secrets or personal data.

Server components should not use browser-only APIs or client-only hooks without an explicit client boundary.

Synchronous state updates during mount trigger an extra render before the browser paints the initial tree.

Synchronous state updates during the legacy will-update lifecycle can cause infinite re-rendering loops.

Spawning `/bin/sh` or `bash` with `-c` enables shell metacharacter injection.

Apollo Server dev landing pages, sandbox UIs, and GraphQL Playground-style plugins should not load unconditionally in production builds.

Manual shouldComponentUpdate overrides increase maintenance cost and are rarely needed with modern React.

Getters and transformation callbacks (map/filter/reduce) should not produce side effects such as assignments or mutations.

sleep() in tests slows CI and hides synchronization bugs.

sleep in specs slows CI and hides synchronization bugs.

Unfiltered prop spreads hide which attributes reach the DOM and defeat static analysis of event handlers and accessibility props.

Spring Boot configuration should not force debug logging or wildcard actuator exposure.

Production HTTP security chains should not end with a broad permit-all fallback such as `anyRequest().permitAll()` or `requestMatchers("/**").permitAll()`.

Python SQL queries should not be built via f-string or string-formatting with user input.

electron-store writes that look like credentials should use OS-level secret storage instead.

Do not build filesystem paths by concatenating `__dirname` or `__filename` with strings or templates.

Using `strings.Index(string(x), ...)` with a `[]byte` argument causes an unnecessary allocation.

Synchronous filesystem calls on request paths block the event loop and degrade latency.

execSync and spawnSync should not run commands built from variables or template strings.

Request handlers should not call `readFileSync` or equivalent blocking file APIs.

Telnet sends credentials and data in cleartext

Production Go code should not import the `unsafe` package, which bypasses the type system and memory safety guarantees.

The `@` operator hides warnings and errors instead of handling them explicitly.

Reading this.state inside setState() leads to stale state references because React batches updates asynchronously.

Sleeping in tests slows CI and hides synchronization bugs.

`throw null;` throws a `NullPointerException` at the throw site instead of communicating intent. Throw a proper exception instance.

Sleeping in _test.go files slows CI and hides synchronization bugs.

Sleeping in tests slows suites and hides synchronization bugs.

time.Tick leaks the underlying ticker because it cannot be stopped.

Unit tests using real timers (setTimeout/setInterval with delays >50ms) without fake timers may produce flaky results under CI load.

`SetTrustedProxies` should list real upstreams instead of `nil` or `0.0.0.0/0` style catch-alls that spoof `X-Forwarded-For`.

DomSanitizer bypass helpers should not receive route, storage, or request-derived values without validation.

Asserting a tuple literal-like expression is usually always truthy and can mask failing checks.

Unbounded channels can grow without backpressure and exhaust memory.

Unbounded Promise fan-out over unknown input can exhaust downstream capacity.

A loop body starts with an unconditional return, break, or raise. This causes the loop to execute at most once and the remaining loop body is unreachable.

Apollo Server should not hard-enable introspection without environment guards.

Do not mark request-driven strings as HTML safe or bypass sanitization in views or helpers.

Raw Blade rendering (`{!! !!}`) should not directly render request, model, or translated user content.

Wrapping a list comprehension in list() or set() is redundant and should be simplified

Instance variables are nil until assigned, so `@var ||= value` in initialize is redundant.

Import declarations should reference modules that exist on disk or in node_modules.

React `dangerouslySetInnerHTML` should only render fixed or explicitly sanitized HTML.

`innerHTML` assignments should only use fixed or explicitly sanitized HTML.

Static CSP header values should not rely on unsafe-inline, unsafe-eval, or unsafe-hashes without nonces.

Python deserialization of untrusted data via `pickle` can enable arbitrary code execution.

Production Django settings should disable debug mode, restrict hosts, protect secrets, and enable HTTPS-aligned cookie flags.

`outerHTML`, `document.write*`, and `insertAdjacentHTML` should only receive fixed or explicitly sanitized HTML.

Using `new static()` can instantiate unexpected subclasses and weaken type guarantees.

Strong parameters and mass assignment sinks should not accept unfiltered request hashes or privileged attributes.

Cache keys built from unstable values cause low hit rates and repeated recomputation.

Untyped `serde_yaml` deserialization can instantiate arbitrary types from untrusted input.

One of the destructured variables from `.enumerate()` or `.zip()` is never used in the loop body.

A variable is compared to itself using ==, !=, <, >, <=, >=, or ===. This comparison always produces a known result and is likely a logic error.

An attribute is assigned to its own current value (e.g., self.x = self.x or @x = @x). This assignment has no effect.

Python path construction and file delivery helpers should not consume request- or route-derived segments without validation.

Path construction APIs should not consume request- or upload-derived segments without a trusted root and validation.

Regular expression construction should not consume request-derived pattern strings without validation.

Using backtick `git ls-files` inside a gemspec to list gem files couples the build to the git binary and repository state.

Calls to deprecated Thread instance methods stop(), suspend(), and resume() should be removed. These methods are inherently unsafe.

ThreadGroup.stop(), .suspend(), .resume(), .destroy(), and related methods are deprecated and unsafe.

Calling `.equals(null)` always returns false and may throw NullPointerException.

String interpolation with objects, arrays, or array literals using `${...}` syntax produces unexpected results. The resulting string will contain "Object" or "Array" rather than a meaningful representation.

User-controlled input (parameters named `input`, `data`, `body`, etc.) should not reach SQL execution or OS command sinks via `fmt.Sprintf` string interpolation.

Cryptographic ciphers should use modern authenticated modes and approved algorithms.

Python security-sensitive hashing should use SHA-256 or stronger, not MD5 or SHA-1.

RSA/DSA keys below 3072 bits are insufficient for modern security

Cryptographic hashing should use modern, collision-resistant algorithms.

Key-generation helpers should use current minimum strengths for RSA, AES, and HMAC keys.

OpenSSL and mcrypt usage should not rely on DES, RC4, Blowfish, ECB mode, or legacy mcrypt APIs.

Rust TLS configuration must not include cipher suites using RC4, 3DES, NULL, or EXPORT algorithms.

A when clause has no body expression. Add the intended behavior or remove the branch.

`postMessage` calls should not use `*` as the target origin when they carry application data.

Spring `@CrossOrigin("*")`, `allowedOrigins("*")`, and `addAllowedOriginPattern("*")` open the API to any origin.

`gin-contrib/cors` configurations must not combine wildcard origins with `AllowCredentials: true`.

Shell wildcards in subprocess calls can be expanded unexpectedly, enabling injection

File creation and permission changes should not grant broad local access.

Wrapping `angular.element()` objects with jQuery or `$()` is unnecessary and can cause issues.

XML-RPC uses XML serialization that is vulnerable to DTD attacks

The `await` keyword and `for await...of` are only valid inside an `async` function.

A literal appears on the left side of a binary expression where a variable is expected on the left.

`Rails.env` should be compared using predicate methods (`Rails.env.production?`) instead of equality operators.

A more general exception class is rescued after a more specific one. Ruby matches rescues top-to-bottom, so the specific handler never runs.

Magic comments like `# frozen_string_literal: true` must appear before any code in the file. When placed after code, they are ignored.

Null check uses || instead of && causing a NullPointerException when the variable is null.

Base64 validation of parameters

Basic cloudformation resource check

Basic cloudformation template configuration

Binary operation where both sides are identical, likely a copy-paste error.

Identical expressions on both sides of an operator is likely a copy-paste error.

A binary expression uses the same variable for both the left and right operand. This is likely a copy-paste error and produces a predictable result that may not be intended.

Hibernate `Session.createQuery`, `createNativeQuery`, and `createSQLQuery` calls must not build their query text from string concatenation or `String.format`.

A bitwise OR expression is compared with `==` to a constant but will never equal it.

Async functions should not call synchronous blocking APIs on the hot path.

`new Boolean(value)` creates a new object instance; use `Boolean.valueOf()` or autoboxing instead.

Complex boolean expressions like `x > y - 1` or `x < y || x == y` can be written more concisely.

Expressions like `flag == true` or `flag != false` can be simplified to the bare boolean value or its negation.

Using a boxed Boolean directly in a conditional can throw NullPointerException if the value is null.

Array brackets should be placed with the type, not the variable name.

Returning null from a CacheLoader.load() method causes InvalidCacheLoadException at runtime. Guava caches do not support null values.

In Vue 3, $slots entries are functions. Access them by calling `$slots.slotName()`, not by treating them as values.

Bare `exit` or `exit!` calls halt process execution and should be avoided in application code.

A final method that throws UnsupportedOperationException is called from another method, which will always fail at runtime.

WaitGroup.Add called inside the goroutine races with Wait.

The number of arguments passed to sprintf, sscanf, or fscanf does not match the number of format placeholders.

Require error handling in callbacks.

`mem::forget` / `mem::drop` on a Copy type does nothing — the type is copied into the function.

`mem::forget` / `mem::drop` on a type that does not implement `Drop` is a no-op.

`mem::forget` / `mem::drop` on a reference drops only the reference, not the underlying value.

React effects that fetch remote data should attach AbortSignal wiring so stale responses cannot commit after dependencies change.

Cannot reference resources in the conditions block of the template

CASE_INSENSITIVE or (?i) without UNICODE_CASE or (?u) does not handle Unicode-aware case folding.

Casting Math.random() to int directly (without multiplying) always yields zero.

Check at least one essential container is specified

Check deletionpolicy values for resources

Check dependson values for resources

Check dynamic references secure strings are in supported locations

Check ec2 ebs properties

Check elastic cache redis cluster settings

A deferred Close runs even when the open call failed and returned a nil handle.

Check events rule targets are less than or equal to 5

Check fargate service scheduling strategy

Check fn::and structure for validity

Check fn::equals structure for validity

Check fn::if structure for validity

Check fn::not structure for validity

Check fn::or structure for validity

Check for noecho references

Two adjacent expressions in an array literal without a comma separator likely indicate a missing comma.

Check for subscriptionfilters have beyond 2 attachments to a cloudwatch log group

Check iam permission configuration

Check iam resource policies syntax

Check if a json object is within size limits

Check if a list has between min and max number of values specified

Check if a list has duplicate values

Check if a list that allows duplicates has any duplicates

Check if a number is between min and max

Check if a string has between min and max number of values specified

Check if conditions are used

Check if eol lambda function runtimes are used

Check if eol lambda function runtimes are used

Check if iam policies are properly configured

Check if imageid parameters have the correct type

Check if mappings are used

Check if parameters are used

Check if parameters have a valid value

Check if parameters have a valid value based on an allowed pattern

Check if password properties are correctly configured

Check if properties have a valid value

Check if property values adhere to a specific pattern

Check if refing to a iam resource with path set

Check if refs exist

Check if serverless resources have serverless transform

Check if the referenced conditions are defined

Check minimum 90 period is met between backupplan cold and delete

Check obsolete dependson configuration for resources

Optional.get without a presence check can throw.

Check outputs using importvalue

Check properties that are mutually exclusive

Check properties that are required together

Check properties that need at least one of a list of properties

Check properties that need only one of a list of properties

Check required properties for lambda if the deployment package is a .zip file

Check resource properties values

Check resources with auto expiring content have explicit retention period

Check resources with updatereplacepolicy/deletionpolicy have both

Check state machine definition for proper syntax

Check stateful resources have a set updatereplacepolicy/deletionpolicy

Check that modules resources are valid

Check the configuration of a resources updatepolicy

Check updatereplacepolicy values for resources

Check values of properties for valid refs and getatts

Checks for legacy instance type generations

Cidr validation of parameters

A class shares its simple name with a superclass referenced in the extends clause, causing ambiguity.

instanceof should only be used with valid class, interface, or trait names.

Classes can only implement interfaces

`clone()` methods should call `super.clone()` to create the correct object.

@Provides/@Inject methods returning Closeable types can cause resource management problems.

Closure use variables must be referenced

Cloudfront aliases

Codepipeline stage actions

Codepipeline stages

Passing a non-zero sized array to `Collection.toArray(T[])` is less efficient than passing a zero-sized array.

A collection is being added to itself, which is likely a logic error.

A collection checks if it contains itself — likely a logic error.

Complex column expressions should include an explicit alias

Prefer `change_table` with multiple column changes over repeated `change_column` calls.

Consecutive `append` calls to the same slice can be combined into a single call.

Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.

Array.equals compares references, not contents.

Returning Integer.MIN_VALUE from compareTo() can break comparison contracts and cause subtle ordering bugs.

Comparing two block expressions that both return `()` is likely unintended.

Comparing a float value with NaN using `==` or `!=` is always false or true.

Detects comparison with negative zero issues in JavaScript and TypeScript source.

Return statements that explicitly return true/false based on a condition can be simplified.

Detects compound assignment with await issues in JavaScript and TypeScript source.

Conditions have appropriate properties

Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.

Labeled statements inside switch blocks can be confused with case clauses.

Detects confusing multiline expression issues in JavaScript and TypeScript source.

`find_by` is not incorrect, but `where(...).first` is more explicit and consistent with other query chain patterns.

A constant is defined with an uppercase identifier inside a method body. Constants defined within methods are re-assigned on each call and produce a warning.

Express view names should not cross into server-side rendering from untrusted input.

`res.sendFile()` should not resolve filenames or options from request input without a trusted root.

Local file writes should not derive their destination path from request or upload input.

`require()` and dynamic `import()` should not resolve modules from untrusted input.

Binding request parameters directly into entity-like models without `setAllowedFields` / `@InitBinder` controls risks mass-assignment privilege escalation.

Starting a thread in a constructor of a non-final class may expose a partially constructed object.

Avoid return, throw, break, or continue inside finally blocks.

Controller class directly subclasses `ActionController::Base` instead of `ApplicationController`.

Controlling access to an s3 bucket should be done with bucket policies

Casting between raw slices of different element sizes can produce out-of-bounds access and memory corruption.

Converting a `*const T` to `*mut T` violates Rust's aliasing guarantees and can introduce undefined behavior.

Serializable classes declaring writeObject, readObject, or readObjectNoData must use exactly the correct signatures expected by the serialization API.

Elements that handle both clicks and key events behave like custom controls and should advertise an appropriate ARIA role.

Class properties and methods should declare public, protected, or private visibility.

Vue computed properties referencing data Vue cannot reactively track should declare explicit dependencies.

Deeply nested control flow should be flattened where practical.

Default value cannot use refs

Default value is within parameter constraints

Assigning a mutable object (collection or array) directly to a field without a defensive copy exposes internal state.

A `defer func() { bar() }()` wrapping a single call can be simplified to `defer bar()`.

Detects delete operator on variable issues in JavaScript and TypeScript source.

Use of known deprecated APIs should be replaced with modern alternatives.

The `data` option in Vue components must be a function, not an object literal, to avoid shared state across instances.

`XMLInputFactory.newInstance()` and `XMLInputFactory.newFactory()` should set `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` to false before reading untrusted XML.

`DocumentBuilderFactory`, `SAXParserFactory`, and `TransformerFactory` instances should enable secure processing and disable external entities before they parse untrusted XML.

Flask applications should not enable debug mode through `app.run`, config assignment, or `FLASK_DEBUG`.

Production-like Symfony configuration should not enable debug mode or web profiler surfaces.

Avoid using parentheses after DISTINCT as if it were a function call

Accessing a static property that is not declared on the target class will produce a runtime notice and return null.

express.static should not serve dotfiles from disk unless explicitly required and reviewed.

CORS should not fall back to wildcard or implicit allow-all origin settings.

Use rescue StandardError or rescue StandardError => e, not rescue => StandardError.

`createQuery`, `createNativeQuery`, `JdbcTemplate` calls, and string-based `@Query` values must not stitch SQL with request data using `+`, `String.format`, or similar.

NullPointerException indicates a programming error.

CORS middleware must not reflect every origin or use a wildcard while `credentials` is enabled.

PHP CORS responses should not allow credentials when origin is set to `*`.

Framing and CSP headers should not be set from request-controlled values.

Axum apps should keep a finite `DefaultBodyLimit` (or equivalent) so request bodies cannot exhaust memory.

Browser-facing Rails controllers should keep forgery protection enabled with a safe strategy.

Python HTTPS clients should not set `verify=False`, which disables server certificate validation.

An async function was called without awaiting or storing its returned Future.

echo should only be called with string-convertible scalar values. Objects, arrays, and arrays using array() syntax cannot be meaningfully converted to strings by echo and may produce warnings.

Debug handlers, stack-showing middleware, and diagnostic endpoints should stay behind explicit development-only guards.

Importing `net/http/pprof` or registering `/debug/pprof` handlers on the default mux exposes debugging endpoints to remote callers.

Do not assign properties on built-in prototype objects such as `Array.prototype`.

Forgetting a JoinHandle leaks the task and drops panic propagation.

Holding a std::sync::Mutex guard across an await point can deadlock the async executor.

Astro and Vite define entries for import.meta.env.PUBLIC_* must not map to high-risk process.env secrets.

Do not instantiate abstract classes

Modifying a collection with `add()`, `remove()`, or `clear()` inside a for-each loop will throw a ConcurrentModificationException.

Assigning to `this.state` bypasses React change detection and produces stale UI.

shell.openExternal should not receive request-controlled URLs without validation.

parseString and similar XML helpers should not consume request-controlled payloads without hardening.

Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.

Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.

print should only be used with strings. Objects, arrays, and array() expressions cannot be meaningfully converted to strings by print.

Do not assign to global native bindings such as `Object`, `Array`, or `undefined`.

`Access-Control-Allow-Origin` should not be set from request-controlled input.

By-reference arrow functions cannot safely return nullsafe property access.

`rand.Seed` from `math/rand` produces predictable streams; security-sensitive code must use `crypto/rand`.

A local variable shadows a Rust built-in type name, which can confuse readers and hide type errors.

JSON Web Token signing options must not enable the none algorithm.

Sensitive Nest routes should not disable `@nestjs/throttler` protections without a compensating throttle.

Session and signed cookie stores should not persist raw `params` blobs that attackers can influence.

Synchronizing on a boxed primitive (Integer, Long, Boolean, etc.) is unsafe due to interning and caching.

String literals are interned and shared across the JVM.

TrustManagers must validate certificates; empty `checkServerTrusted`/`checkClientTrusted` bodies or `TrustAllStrategy` accept any peer.

Catch blocks should handle or rethrow exceptions.

Exclusive range operator `..` between character literals like `'a'..'z'` excludes the upper bound.

Constructing `new NullCipher()` or `Cipher.getInstance("Null")` performs no encryption.

Function components have no instance, so `this` references are almost always mistakes copied from class components.

A local variable is assigned twice consecutively without being read between the assignments.

A double-checked locking pattern on a non-volatile field is unsafe.

Comparing a floating-point value to Double.NaN or Float.NaN using == or != always yields false (or true for !=) because NaN is not equal to any value, including itself.

Narrowing casts (short, byte, int) of subtraction results inside compare/compareTo methods can overflow and flip the comparison sign, producing incorrect ordering.

Same expression appears on both sides of a binary operator — likely a copy-paste bug.

Multiple assignments to the same constant were found. The previous value is discarded, which is likely a developer mistake.

Adjacent if-else branches have identical bodies. One branch is likely dead or wrong.

Duplicate case values mean the second case is unreachable.

Detects duplicate class member issues in JavaScript and TypeScript source.

Large duplicated function bodies across files make behavior harder to maintain safely.

Consecutive identical arguments may indicate a copy-paste error.

A function declares the same parameter name more than once.

Do not repeat the same test in an if-else-if chain.

The file imports from the same module path more than once.

An object literal repeats the same static property name.

A switch repeats the same case discriminant.

Each table alias should be unique within a query

Two or more enum items share the same integer value, which will cause mapping collisions.

When an if-body ends with a return/break/continue, the else branch is unnecessary.

Sensitive Echo binds should use struct tags or validators so mutations cannot accept empty or malformed credentials and roles.

Declaring an array reference as volatile does not make array element accesses volatile.

Emit event validators are expected to return a boolean value indicating whether the event payload is valid.

A control-flow or try/catch branch uses an empty `{}` block.

The regular expression pattern contains an empty character class that never matches.

Detects empty destructuring pattern issues in JavaScript and TypeScript source.

Range expression where start > end, producing an empty range or runtime panic.

Django projects using cookie-backed sessions should include `CsrfViewMiddleware` in `MIDDLEWARE`.

Fastify instances listening on all interfaces should enable trustProxy or terminate behind a reverse proxy you register in code.

AutoAddPolicy disables SSH host key verification, enabling MITM attacks

Use of array syntax for enum declarations is brittle and can lead to unexpected values when enum items are reordered.

Enum fields that are not declared final create mutable state in a shared singleton instance.

An enum should not define an `equals()` method — enum equality is determined by identity.

A class defines an overloaded `equals` but does not override `equals(Object)`, so the parent's equals semantics are silently inherited.

A method named `equals` with a non-Object parameter type overloads rather than overrides equals.

An `equals(Object)` implementation accesses fields or methods without a preceding null guard, risking NullPointerException.

Error processing rule on the template

Catch blocks must log, reject, or rethrow failures instead of dropping them silently.

Thymeleaf `th:utext`, JSP scriptlets, and FreeMarker `?no_esc` patterns must not render untrusted request or model values without an explicit sanitization strategy.

GetLogger is an internal method on etcd's client type. Using it as a general-purpose application logger is a misuse pattern; the returned logger is configured for etcd's internal use.

Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.

Methods annotated with `@WorkerThread` or `@Expensive` are invoked from a `@MainThread`, `@UIThread`, or `@PerformanceCritical` context, potentially blocking the UI.

Explicit calls to `System.gc()` or `Runtime.getRuntime().gc()` trigger full GC cycles that degrade performance.

Detected import declarations which import extraneous modules.

Sensitive Fiber parsers should pair structs with validator tags or explicit validation so roles and secrets cannot be silently omitted.

Fields in a class annotated with @Immutable or @Value should be declared final.

Final methods are redundant in final classes

Calling `.finalize()` explicitly is dangerous and deprecated.

Findinmap keys exist in the map

Findinmap validation of configuration

preg_* calls must use a valid delimiter and closing pattern literal.

String comparison using identical operands or locale-sensitive operators may indicate a bug.

`new Float(value)` and `new Double(value)` create unnecessary objects; use `valueOf()` instead.

Fn::equals will always return true or false

The loop condition checks one variable but a different variable is being incremented.

Iterating over `.next()` in a for loop iterates over the Option result, not the remaining iterator elements.

Prefer for-of or index loops instead of for-in on arrays.

Do not use the `this` keyword outside of a class body.

I/O operations return `Result` which should be handled to avoid silently ignoring errors.

Float literal approximates a known mathematical constant that should use `std::f64::consts::*` or `std::f32::consts::*`.

Detects patterns like `=+`, `=-`, `=!`, `=~` that suggest a typo in a compound assignment operator.

Detects use of single-character string literals where a char would be more performant.

Transmuting between a value type and its pointer/reference form is unsound.

Transmuting an integer to bool can produce invalid boolean values.

Usage of a known deprecated Rust standard library function, constant, or type.

A method parameter is reassigned on the first line of the method body before any read. This discards the caller's value and likely indicates a bug or unintended shadowing.

A function whose entire body consists of a single `go func()` call obscures the concurrent nature of the operation and makes error handling and cancellation invisible to the caller.

A `function` or `var` declaration appears inside a nested block instead of the enclosing scope top level.

Oversized or overly complex functions should be split into smaller units.

Getatt validation of parameters

Getaz validation of parameters

Calling getClass() inside an enum body returns the anonymous subclass for constants with custom bodies, not the enum class itself. Prefer getDeclaringClass().

One of a getter/setter pair is synchronized and the other is not.

Sensitive Gin binds should use `binding` or validator tags so authentication and mutation payloads cannot be silently empty.

`gin.LoadHTMLGlob()` with an ill-formed glob pattern silently matches zero files and causes a runtime panic when rendering templates.

Buttons, links, and inputs need labels, aria attributes, or visible text so assistive technologies can describe them.

A built-in namespace object such as `Math` or `JSON` is called like a function.

`DryRun` is set to `true` in gorm.Config. When DryRun is enabled, GORM generates SQL statements without executing them. If actual execution is needed, DryRun should be disabled.

Setting `SkipDefaultTransaction` to `false` in gorm.Config causes GORM to wrap every operation in a transaction. Audit if this is intentional.

`db.Updates(Struct{...})` or `db.Model(...).Updates(Struct{...})` silently skips zero-value fields (0, "", false, nil), potentially leaving stale data in the database.

`db.Where(&Struct{...})` silently ignores zero-value fields (0, "", false, nil) in the WHERE clause, leading to unintended broader queries.

Using double parentheses in a method call like `foo((a, b))` passes a single argument instead of two. The inner parentheses create grouping via comma operator, not multiple arguments.

`io.Copy` or `io.CopyBuffer` with an uncompressed reader from a decompressor (`gzip.NewReader`, `zlib.NewReader`, etc.) without a size limit can exhaust memory or disk in a decompression bomb attack.

Unconditional setState in componentDidUpdate can recurse through renders when props or state change on every pass.

`defer f.Close()` silently discards the error returned by `Close()`. For writable files, this can mask data loss when buffered writes fail on close.

Source files should not embed credential-like string literals.

Config-like values should usually come from configuration sources rather than source literals.

AJV should not compile schemas with allErrors true unless strict mode is enabled.

Auth and session cookies should set HttpOnly, Secure, and SameSite.

Multipart handlers should cap body size, sanitize filenames with `filepath.Base`, and avoid concatenating user filenames into destination paths.

Electron renderers should not run with unsafe webPreferences that weaken isolation or transport protection.

Fiber upload helpers should enforce size limits and never persist client-controlled filenames without normalization.

Global ValidationPipe instances should enable whitelist-style stripping for unexpected fields.

Session/cookie configuration should keep secure, httpOnly, and safe same-site posture for authenticated contexts.

XML parsing should disable external entities and avoid LIBXML_NOENT or libxml_disable_entity_loader(false).

Session-like cookies must not disable HttpOnly or Secure, and explicit insecure builder flags should be removed.

Calling hashCode() directly on an array uses Object's identity-based hashCode rather than a content-based hash code.

`.contains()` on `Hashtable` and `ConcurrentHashMap` checks for value existence. Use `.containsKey()` to check for key existence.

Use http.NoBody for HTTP requests with no body instead of nil.

Both sides of a comparison use the same source text.

The same boolean expression appears on both an `if` and the following `else if` branch. This is likely a copy-paste error; the second condition should probably be different.

Combining `only:`/`except:` with `if:`/`unless:` on a skip filter creates confusing conditional logic.

An `if`, `elsif`, or `unless` branch has no body expression. Add the intended behavior or remove the dead branch.

Intrinsic iframe elements embedding untrusted third-party content should declare a sandbox attribute to reduce blast radius.

An ActiveRecord model references a column that has been declared in self.ignored_columns.

IllegalMonitorStateException indicates a programming error; handling it masks the bug.

Dereferencing the flag pointer at the call site defeats the purpose of using a flag method.

Non-abstract functions with empty bodies hide missing behavior.

Avoid implicit column aliases without the AS keyword

Avoid implicit table aliases without the AS keyword

Functions that return a value on some paths must not fall through implicitly.

Importvalue validation of parameters

Casting the result of no-arg toArray() to a specific array type will throw ClassCastException.

Interface value compared to nil when the underlying concrete type is always non-nil. The nil check is always false because an interface holding a nil concrete pointer is not itself nil.

Accessing a property that is not visible from the current scope will cause a runtime error.

Django settings should include `django.middleware.security.SecurityMiddleware` in `MIDDLEWARE`.

Checking `xs != nil` before indexing a slice is not sufficient — a non-nil empty slice still panics on index access.

SQL keywords should be consistently cased throughout a file

Identifiers should be consistently capitalized throughout a file

The same receiver is accessed with both `&.` and bare `.` in close proximity. This inconsistency suggests the nil-safety strategy is applied inconsistently.

Comparison chains on the same value must use the boolean operator that matches the intended logic.

Using `Math.max(A, Math.min(A, ...))` or `Math.min(A, Math.max(A, ...))` with a repeated argument is suspicious.

A method named main does not match the required public static void main(String[]) or String... signature, so it will not be usable as a program entry point.

ActiveRecord lifecycle callbacks (before_validation, after_validation, before_save, around_save, before_create, around_create, after_create, after_save, after_commit) should appear in that order within a class body.

Uses pluralized ActiveSupport duration or byte method names with `1` (e.g. `1.days`) instead of the singular form (`1.day`).

Operations like `counter++` on a volatile field are not atomic.

Increment or decrement only valid lvalues

Assigning a post-incremented variable to itself (e.g., x = x++) discards the increment because the old value is assigned back.

A `private`, `protected`, or `public` modifier at top-level scope has no effect. Access modifiers must be inside a class or module definition.

Linear membership checks or key projections should be reviewed for more suitable lookup structures.

Iterating over `Map.keySet()` and calling `Map.get(key)` for each key performs redundant hash lookups.

`new String(String)` creates an unnecessary copy; use the string literal directly.

Writing to a nil map panics at runtime.

Typed class properties without a default value should be initialized in the constructor.

AngularJS `inject` callbacks should only contain variable assignments for injected dependencies.

Outbound transport should not use plain HTTP for sensitive requests.

Pushing an `Rc::clone()` from an `Rc` defined outside a vector ties cleanup to the vector lifetime.

`Instant.plus()`, `Instant.minus()`, and `Instant.until()` throw `UnsupportedTemporalTypeException` when called with date-based units such as WEEKS, MONTHS, or YEARS.

Narrowing an integer type (e.g., `int8(x)`, `uint16(y)`) can lose precision or produce unexpected results when the source value exceeds the target type's range.

`new Integer(value)` and `new Long(value)` create unnecessary objects; use `valueOf()` instead.

An interface declares a method that clashes with a final or differently-typed method in Object, making the interface impossible to implement correctly.

Interfaces can only extend interfaces

Interfaces cannot use implements

Single-quoted strings do not support interpolation. `#{expr}` inside a single-quoted string is treated as a literal, which is likely unintended.

The

Await only promise-like values

Control characters and zero-width Unicode codepoints in JSX text content can cause rendering anomalies and accessibility issues.

`%q` and `%Q` string literals use non-alphanumeric delimiters. An unmatched opening delimiter makes the literal span to the end of the file, likely causing a syntax error.

`%i` and `%I` literal arrays (and `%w`/`%W` word arrays) use non-alphanumeric delimiters. An unmatched opening delimiter causes a syntax error.

Invalid constructor property promotion

Invalid extends target for declaration

A string literal passed to `RegExp` or `new RegExp` is not a valid regular expression.

Regex pattern contains invalid syntax such as reversed character ranges.

The regex pattern string contains invalid syntax (e.g. unmatched brackets, reversed character range, or invalid escape).

`rescue` is followed by a non-class expression such as `nil`, a number, or a string literal. Rescue clauses must reference exception classes.

`clientv3.Compare()` with a result operator other than `=`, `!=`, `>`, or `<` causes a runtime panic.

Shebang `#!` must appear on line 1 at column 0.

Compare typeof results only to known typeof strings.

The `use` keyword is used in a context where it does not apply — inside interfaces, anonymous classes, or referencing a non-trait class.

The `Integer#times` method is called with an integer literal value that produces a no-op or unexpected behavior (`0.times`, `1.times`, or negative values).

Calls to java.time factory methods with literal arguments outside valid ranges (month > 12, day > 31, hour >= 24, minute/seconds >= 60) will always throw DateTimeException at runtime.

Detects invalid variable usage issues in JavaScript and TypeScript source.

Declare `inverse_of:` on associations where Rails cannot automatically determine the inverse.

Invisible Unicode characters such as zero-width spaces, bidi markers, and BOM characters can be used for Trojan Source attacks.

`IO.select` called with only one input/output array. This pattern is hard to make compatible with the Ruby 3 scheduler.

isset argument must be a variable reference

A class implementing both Iterable and Iterator that returns this from iterator() cannot support multiple concurrent iterations and violates the Iterator contract.

`Path` implements `Iterable<Path>`, so `Iterable<Path>` creates confusing APIs. Use `Collection<Path>` instead for clarity.

Calling .next() inside a hasNext() implementation mutates iterator state during a query operation.

@param tags must include a description of the parameter.

Javadoc block tags must have content following the tag name.

Join validation of parameters

Using return, throw, or break in a finally block overrides any exception or return value from the try block.

Disabled tests without a reason string or nearby tracker note are hard to triage.

Only abstract classes may declare abstract methods.

Apollo Server should not explicitly disable CSRF prevention for browser-accessible endpoints.

Inconsistent thrown or rejected error shapes make error handling brittle.

Functions that mix transport, persistence, validation, and domain logic are hard to change safely.

Server-side Handlebars compilation should not disable HTML escaping with `noEscape: true`.

Headings, captions, and phrasing content should not pretend to be buttons or tabs without restructuring the markup.

Modules exporting too many symbols become hard to evolve safely.

Production environments should not enable local-style exception pages or verbose Action Dispatch exception rendering.

Sensitive credentials must not be exposed through runtimeConfig.public, which is visible to client bundles.

Symfony forms and controllers handling state changes should not disable CSRF protection without a clear API token boundary.

Production modules should not import test doubles or gate behavior on test-only environment flags.

Avoid using SQL keywords as table aliases

Whole-payload reads of likely large content should be reviewed for streaming alternatives.

Length validation of parameters

Diffs that change critical logic should usually update the matching tests in the same change.

A loop condition that evaluates to false at compile time means the loop body will never execute.

Detect obvious infinite loops that have no exit path via break, return, throw, or yield.

Non-trivial literals in logic should be named to explain their meaning.

Elements that manage active descendants must participate in the tab order or be native controls that already receive focus.

Go doc comment does not follow the `// Deprecated:` convention. Use `// Deprecated: <explanation>` so tools like `go doc` and `gopls` can mark the symbol as deprecated.

Javadoc comments must use valid tag syntax without double @ symbols.

Mapping attribute limit

Mapping attribute limit not exceeded

Mapping keys are strings and alphanumeric

Mapping limit

Mapping limit not exceeded

Mapping name limit

Mapping name limit not exceeded

Mappings are appropriately configured

Mappings have appropriate names

`java.net.URL` performs DNS resolution on `equals()` and `hashCode()`, making Map and Set operations unexpectedly expensive.

Empty markTestSkipped() calls without a tracker note are hard to triage.

Match arms must return a value

Metadata interface have appropriate properties

Metadata interface parameters exist

Methods annotated @Nonnull, @NotNull, or @NonNull that contain explicit return null statements are buggy.

`render`, `hydrate`, and `unmountComponentAtNode` from `react-dom` are legacy APIs replaced by the `createRoot` and `hydrateRoot` clients.

Mark promise callbacks async when using await