Rule Reference

Browse representative rules from all 10 categories. Doorman includes 2,508 rules total.

Security (15 rules shown)

Rule ID	Title	Severity	Auto-fix
`SEC-INJ-001`	SQL Injection via string concatenation	Critical	Yes
`SEC-INJ-002`	NoSQL injection in MongoDB query	Critical	Yes
`SEC-INJ-003`	Command injection via exec/spawn	Critical	Yes
`SEC-XSS-001`	Reflected XSS via unsanitized output	Critical	Yes
`SEC-XSS-002`	DOM-based XSS via innerHTML	High	Yes
`SEC-AUTH-001`	Missing authentication on API route	Critical	No
`SEC-AUTH-002`	Hardcoded JWT secret	High	Yes
`SEC-KEY-001`	API key exposed in client-side code	Critical	Yes
`SEC-KEY-002`	Hardcoded database credentials	High	Yes
`SEC-CSRF-001`	Missing CSRF protection on form handler	High	Yes
`SEC-HDR-001`	Missing security headers (CSP, HSTS)	High	Yes
`SEC-CORS-001`	Overly permissive CORS configuration	Medium	Yes
`SEC-RATE-001`	No rate limiting on authentication endpoint	High	Yes
`SEC-MCP-001`	MCP tool handler without input validation	Critical	No
`SEC-AI-001`	Prompt injection vulnerability in AI API call	High	No

Performance (12 rules shown)

Rule ID	Title	Severity	Auto-fix
`PERF-N1-001`	N+1 query in loop (ORM)	High	No
`PERF-N1-002`	N+1 query in GraphQL resolver	High	No
`PERF-CACHE-001`	Missing cache headers on static assets	Medium	Yes
`PERF-CACHE-002`	No response caching on expensive API call	Medium	Yes
`PERF-BUNDLE-001`	Large dependency imported for small utility	Medium	Yes
`PERF-BUNDLE-002`	Unoptimized image assets	Low	No
`PERF-DB-001`	Missing database index on queried column	Medium	No
`PERF-MEM-001`	Memory leak via event listener not removed	High	Yes
`PERF-RENDER-001`	Unnecessary re-renders in React component	Medium	Yes
`PERF-RENDER-002`	Missing React.memo on pure component	Low	Yes
`PERF-ASYNC-001`	Sequential awaits that could be parallel	Medium	Yes
`PERF-REGEX-001`	Catastrophic backtracking regex	Low	No

Reliability (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`REL-ERR-001`	Unhandled promise rejection	High	Yes
`REL-ERR-002`	Empty catch block swallowing errors	High	Yes
`REL-ERR-003`	Missing error boundary in React	Medium	No
`REL-RACE-001`	Race condition in shared state update	High	No
`REL-RACE-002`	TOCTOU (time-of-check-time-of-use) file access	Medium	No
`REL-NULL-001`	Null dereference without guard	Medium	Yes
`REL-RETRY-001`	Missing retry logic on network call	Medium	Yes
`REL-TIMEOUT-001`	No timeout on HTTP request	Low	Yes
`REL-LEAK-001`	Resource handle not closed (file, socket)	High	Yes
`REL-DEAD-001`	Deadlock potential in concurrent code	Medium	No

Cost (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`COST-API-001`	Unbounded AI API calls without cost limits	High	Yes
`COST-API-002`	No response caching for paid API (est. waste)	Medium	Yes
`COST-API-003`	Using expensive model when cheaper works	Medium	Yes
`COST-DB-001`	Full table scan on large table	High	No
`COST-DB-002`	SELECT * fetching unnecessary columns	Medium	No
`COST-CLOUD-001`	Over-provisioned cloud resource in IaC	Medium	Yes
`COST-CLOUD-002`	Missing auto-scaling configuration	Low	No
`COST-LOG-001`	Excessive logging in production (storage cost)	Medium	Yes
`COST-CDN-001`	Missing CDN for static assets	Low	No
`COST-TOKEN-001`	Sending full context in every AI API request	Medium	Yes

Compliance (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`COMP-GDPR-001`	PII stored without encryption	Critical	No
`COMP-GDPR-002`	No data deletion endpoint (right to erasure)	High	No
`COMP-GDPR-003`	User data logged without consent tracking	High	No
`COMP-PCI-001`	Credit card number in log output	Critical	Yes
`COMP-PCI-002`	Card data stored in plain text	High	No
`COMP-HIPAA-001`	PHI transmitted without TLS	Critical	Yes
`COMP-HIPAA-002`	Missing audit log for PHI access	High	No
`COMP-SOC2-001`	Missing access control on admin endpoint	Medium	No
`COMP-LIC-001`	Copyleft license in proprietary project	Medium	No
`COMP-A11Y-001`	Missing alt text on images	Low	No

Data (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`DATA-LEAK-001`	PII in AI API prompt (sent to third party)	Critical	No
`DATA-LEAK-002`	Sensitive data in error response to client	Critical	Yes
`DATA-LEAK-003`	Stack trace exposed in production	High	Yes
`DATA-ENC-001`	Weak encryption algorithm (DES, MD5 for passwords)	High	Yes
`DATA-ENC-002`	Hardcoded encryption key	High	Yes
`DATA-VAL-001`	Missing input validation on user data	Medium	No
`DATA-VAL-002`	No schema validation on API request body	Medium	No
`DATA-LOG-001`	Password logged in plain text	High	Yes
`DATA-SER-001`	Unsafe deserialization of user input	Medium	No
`DATA-CLEAN-001`	Orphaned data not cleaned up on delete	Low	No

Dependencies (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`DEP-VULN-001`	Dependency with known critical CVE	Critical	Yes
`DEP-VULN-002`	Dependency with known high CVE	High	Yes
`DEP-OUT-001`	Major version behind on critical dependency	Medium	Yes
`DEP-OUT-002`	Minor version behind on dependency	Low	Yes
`DEP-LOCK-001`	Missing lockfile (package-lock.json / yarn.lock)	High	No
`DEP-LOCK-002`	Lockfile out of sync with package.json	Medium	No
`DEP-TYPO-001`	Possible typosquat package name	Medium	No
`DEP-SUPPLY-001`	Dependency with install scripts (postinstall)	High	No
`DEP-SIZE-001`	Unnecessarily large dependency for feature used	Low	Yes
`DEP-MAINT-001`	Dependency unmaintained (no updates in 2+ years)	Medium	No

Infrastructure (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`INFRA-SEC-001`	S3 bucket with public access	Critical	Yes
`INFRA-SEC-002`	Security group allowing 0.0.0.0/0 on all ports	Critical	Yes
`INFRA-SEC-003`	Database publicly accessible	High	Yes
`INFRA-TLS-001`	Missing TLS/SSL on load balancer	High	Yes
`INFRA-LOG-001`	Missing access logging on cloud resource	Medium	Yes
`INFRA-IAM-001`	Overly permissive IAM policy (Action: *)	Medium	No
`INFRA-DOCKER-001`	Docker container running as root	High	Yes
`INFRA-DOCKER-002`	Docker image using latest tag	Medium	No
`INFRA-K8S-001`	Kubernetes pod with privileged mode	High	Yes
`INFRA-K8S-002`	Missing resource limits on Kubernetes pod	Medium	Yes

Quality (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`QUAL-COMPLEX-001`	Function exceeds cyclomatic complexity threshold	Medium	No
`QUAL-COMPLEX-002`	Deeply nested conditionals (4+ levels)	Low	No
`QUAL-DUP-001`	Duplicated code block (3+ occurrences)	Low	No
`QUAL-DEAD-001`	Dead code (unreachable statements)	Low	Yes
`QUAL-DEAD-002`	Unused variable or import	Low	Yes
`QUAL-TYPE-001`	Implicit any type in TypeScript	Medium	No
`QUAL-NAME-001`	Non-descriptive variable name (single letter)	Medium	No
`QUAL-MAGIC-001`	Magic number without named constant	Low	No
`QUAL-SIZE-001`	File exceeds 500 lines	Medium	No
`QUAL-TODO-001`	TODO/FIXME/HACK comment in production code	Low	No

Deployment (10 rules shown)

Rule ID	Title	Severity	Auto-fix
`DEPLOY-ENV-001`	.env file committed to repository	High	Yes
`DEPLOY-ENV-002`	Debug mode enabled in production config	High	Yes
`DEPLOY-HEALTH-001`	Missing health check endpoint	Medium	No
`DEPLOY-HEALTH-002`	No readiness/liveness probe configured	Medium	Yes
`DEPLOY-SECRET-001`	Secret in environment variable without vault	High	No
`DEPLOY-LOG-001`	Missing structured logging	Medium	No
`DEPLOY-GRACE-001`	No graceful shutdown handler	Low	Yes
`DEPLOY-ROLLBACK-001`	No rollback strategy defined	Medium	No
`DEPLOY-MONITOR-001`	No error monitoring integration	Low	No
`DEPLOY-CI-001`	No CI pipeline configuration found	Medium	No

Showing ~100 representative rules. Doorman includes 2,508 rules total. Run npx getdoorman check --verbose to see all matched rules for your codebase.