What We Check

132 checks across 25 categories

19 core checks are free and open source. Activate a license to unlock all 132 checks including determinism, async safety, type validation, and more.

Free

Always included (19 checks)

Security

7 checks
  • SEC001 Hardcoded passwords, API keys, and secrets (Py, JS/TS, C#, Go, Rust, Ruby)
  • SEC002 SQL queries built with string concatenation
  • SEC004 Non-cryptographic random for security tokens

and 4 more checks

C# / Unity

3 checks
  • CS001 async void methods that crash on unhandled exceptions (C#)
  • CS002 Debug.Log / Console.WriteLine left in production code (C#)
  • CS003 GameObject.Find / GetComponent inside Unity Update() loops (C#)

Schema Validation

2 checks
  • SCHEMA001 Pydantic field nullability mismatches (Python)
  • SCHEMA002 Pydantic/SQLAlchemy field type misalignment (Python)

Quality Essentials

2 checks
  • QUAL001 Silently swallowed exceptions hide real bugs (Py, JS/TS, C#, Go, Rust, Ruby)
  • QUAL009 Files too long to review effectively

Project Setup

2 checks
  • PROJ001 Missing CLAUDE.md for AI assistant context
  • PROJ005 CLAUDE.md tracked in git but should be gitignored

Session Safety

1 check
  • SESS002 Thread-unsafe database session sharing

Structure Essentials

1 check
  • STRUCT001 Multiple classes in a single file (Python)

Async Essentials

1 check
  • ASYNC001 Async function called without await (Py, JS/TS)

Pro

Unlock with a license (113 checks)

Extended Security

9 checks
  • SEC007 OAuth callback missing state validation (Py, JS/TS)
  • SEC013 Missing security headers on HTTP responses (JS/TS)
  • SEC017 Regex-based HTML sanitizer can be bypassed (JS/TS)

and 6 more checks

Determinism

9 checks
  • DET001 Dictionary iteration without sorting causes flaky behavior
  • DET005 Random without seed causes non-reproducible results (Py, JS/TS)
  • DET009 Uncached LLM calls break reproducibility and waste tokens

and 6 more checks

Performance

7 checks
  • PERF001 Database calls inside loops (N+1 queries) (Py, JS/TS)
  • PERF005 Render-blocking font imports slow first paint (JS/TS)
  • PERF007 Public pages without a CDN configured (JS/TS)

and 4 more checks

Code Quality

17 checks
  • QUAL004 Mutable default arguments shared between calls (Python)
  • QUAL011 Functions with excessive cyclomatic complexity
  • QUAL014 Case-insensitive email comparison missing

and 14 more checks

Type Safety

12 checks
  • TYPE008 Explicit 'any' type usage defeats TypeScript's purpose (TS)
  • TYPE009 process.env.VAR! non-null assertion can crash at runtime (TS)
  • TYPE013 JSON.parse without runtime validation is unsafe (Py, TS)

and 9 more checks

Async & Concurrency

5 checks
  • ASYNC002 Blocking calls inside async functions (Py, JS/TS)
  • ASYNC003 Fire-and-forget tasks without error handling (Py, JS/TS)
  • CONC001 Check-then-act race conditions

and 2 more checks

API Design

6 checks
  • API001 API calls without error handling (Py, JS/TS)
  • API005 Frontend/backend type definitions drift apart
  • API006 Shared types defined in multiple places

and 3 more checks

tRPC

4 checks
  • TRPC001 tRPC procedures without input validation (TS)
  • TRPC002 Inline Zod schemas instead of shared types (TS)

and 2 more checks

Frontend

9 checks
  • FRONT002 window/document access without SSR guard (JS/TS)
  • FRONT005 useEffect used for side effects that should be event handlers (TS)
  • FRONT007 Unbounded AI output rendered in the DOM (JS/TS)

and 6 more checks

Testing

10 checks
  • TEST001 Tests marked as skipped accumulate silently (Py, JS/TS)
  • TEST007 Critical user flows missing E2E test coverage
  • TEST009 Playwright waitForTimeout instead of event-driven waits

and 7 more checks

Project Structure

8 checks
  • STRUCT004 Direct sys.path manipulation breaks packaging
  • STRUCT010 No clear frontend/backend separation (JS/TS)
  • STRUCT011 Duplicate modules across packages cause import ambiguity

and 5 more checks

Memory Safety

4 checks
  • MEM001 Unbounded database queries load entire tables into memory
  • MEM003 In-process accumulators grow without bound
  • MEM004 Global state singletons break in worker / serverless environments

and 1 more check

Datetime

3 checks
  • DATE002 Naive datetime without timezone causes silent bugs
  • DATE003 Database datetime used without timezone awareness
  • DATE004 getDay() returning UTC day mismatches local expectations

Infrastructure

5 checks
  • KUBE001 Local filesystem used for application data in containers
  • KUBE002 Ingress missing SSL redirect
  • RATE001 API endpoint without rate limiting (Py, JS/TS)

and 2 more checks

Project Config

3 checks
  • PROJ002 Project not using git version control
  • PROJ003 Missing pyright configuration
  • PROJ004 Depending on beta / pre-release packages

Session (Advanced)

1 check
  • SESS001 Database session passed to background task

Accessibility

1 check
  • A11Y001 Button text may be invisible on background color

Try it now

Free tier runs instantly with no signup. Upgrade anytime to unlock all 132 checks.

pip install stablestack