Browse 354 rules, 42 knowledge articles, and 28 prompt templates across security, performance, architecture, and quality.
BeforeMerge scans your pull requests against these rules automatically. Get actionable feedback before code ships to production.
Bind user input as parameters rather than concatenating it into SQL strings.
Enforce sslmode=require (or stricter, with CA verification) so no client can connect to the managed database over plaintext.
Create scoped application roles with only the privileges they need; reserve superuser/owner accounts for migrations and admin.
Issue per-service credentials from a secrets manager, rotate them on a schedule, and keep them out of source control.
Keep API keys, tokens, and credentials out of source; load them from environment variables or a managed secret store.
Run Node under a dedicated unprivileged user with only the permissions it needs; never run as root.
Build database queries with parameter binding or an ORM, never by concatenating user input into SQL/NoSQL strings.
Commit a lockfile and install with integrity verification (npm ci) so exact, tamper-checked versions are used.
Return generic error messages to clients and log details server-side; never expose stack traces or internals.
Protect non-idempotent requests with anti-CSRF tokens or SameSite cookies plus origin verification.
Track and update dependencies regularly; run npm audit or an SCA tool in CI to block builds with known-vulnerable packages.
Serve all traffic over HTTPS and set Secure, HttpOnly, and SameSite attributes on session and auth cookies.
Cap the maximum accepted request/payload size so large uploads cannot exhaust memory or bandwidth.
Apply per-IP / per-account rate limiting and throttling to login, signup, password-reset, and other public endpoints.
Inject secrets from the CI secret manager at runtime; never commit them or print them to logs.
Run dependency and container-image vulnerability scans in the pipeline and fail on critical findings.
Require authentication on all non-public routes and enforce per-resource authorization (object-level) on every request.
Return sanitized error messages for 4xx/5xx; log full stack traces server-side only and never expose them to clients.
createAdminClient() bypasses RLS. Use it only for writes that need service_role privileges. For reads, use createClient().
Public pages (explore, content detail) should use createReadOnlyClient() with the anon key, not the service_role.
The SUPABASE_SERVICE_ROLE_KEY must never be in a NEXT_PUBLIC_ env var or imported in "use client" files.
Every table must have Row Level Security enabled. Tables without RLS are fully accessible via the anon key.
Every insert/update/delete must include organization_id from requireAuth(). RLS is defense-in-depth, not the only defense.
Add import "server-only" to any module that uses secrets, database connections, or server-only APIs.