§ 03 · Engine · Rules

Rules catalog.

266 rules for JavaScript & TypeScript. Every rule has a stable id and severity, and every finding carries its rule id in the category field — ask the engine about any of them with codetitan explain.

§ 01 · Coverage

  • Data flow (3-pass taint) — SQL injection, command injection, SSRF, path traversal, template injection. Cross-file reachability.
  • Secrets — known key formats (Stripe, AWS-style, private keys) plus entropy heuristics.
  • Injection & execution — eval, dynamic exec, prototype pollution, XXE, insecure deserialization.
  • Auth & crypto — JWT none algorithm, weak hashes, timing attacks, missing security headers.
  • Supply chain — known-vulnerable dependencies via OSV (--deps / --deps-transitive).
  • AI drift — patterns that diverge from your repo's own conventions, the failure modes typical of unreviewed LLM output.
  • Performance & quality — sync IO on hot paths, awaits in loops, oversized functions, test hygiene.

§ 02 · Severity levels

CRITICAL

Exploitable. Blocks the build when you gate at high.

HIGH

Likely exploitable. Blocks the build when you gate at high.

MEDIUM

Risky pattern. Surfaced, not gated, at the common setting.

LOW

Minor concern. Informational.

Gate in CI with --fail-on critical|high|medium|never — exit code 1 at or above the chosen level.

§ 03 · Suppress a finding

Three real mechanisms, from surgical to learned:

// codetitan-suppress: TAINT_SQL_INJECTION
db.query(buildQuery(input));  // suppressed — directive on the previous line

# teach the learned profile — after 3 dismissals the finding
# is auto-suppressed for this repo
codetitan analyze --dismiss "HARDCODED_SECRET:fixture-key"

# .codetitan.yml — raise the floor for the whole project
rules:
  severity_threshold: MEDIUM

For whole paths, use .codetitanignore — it works like a .gitignore for the scanner.

§ 04 · Sample of the catalog

A verified sample, grouped by category — every id below is real and appears in findings as the category field. JavaScript & TypeScript is what ships today.

  • Data flow · cross-file taint — Source → sink tracing across file boundaries, 3-pass.
    TAINT_SQL_INJECTION, TAINT_COMMAND_INJECTION, TAINT_PATH_TRAVERSAL, TAINT_SSRF, TAINT_EVAL, TAINT_TEMPLATE_INJECTION, TAINT_INSECURE_DESERIALIZATION
  • Secrets — Known key formats plus entropy heuristics.
    HARDCODED_SECRET, SECRET_FROM_ENV
  • Injection & execution — Single-file pattern and AST rules.
    SQL_INJECTION, COMMAND_EXEC, EVAL_USAGE, REGEX_INJECTION, PROTOTYPE_POLLUTION, POTENTIAL_XXE, INSECURE_DESERIALIZATION
  • Auth & crypto — Token handling and cryptographic hygiene.
    JWT_NONE_ALGORITHM, WEAK_HASH, TIMING_ATTACK, MISSING_HEADER
  • Performance — Hot-path and async pitfalls.
    AWAIT_IN_LOOP, NESTED_LOOPS, SYNC_IO, SYNC_FILE_PARSE, ASYNC_TIMEOUT
  • Quality & tests — Maintainability and test hygiene.
    LONG_FUNCTION, FILE_TOO_LONG, MISSING_TESTS, FOCUSED_TEST, TODO_TESTS

§ 05 · Custom rules

Write your own in YAML (Semgrep-compatible format), register them with codetitan rules add, and test them with codetitan rules test. See the Advanced guide for the schema and a working example.

Last updated · 2026-06-12