Built for how developers actually review code
BeforeMerge is a code review knowledge base designed from the ground up for AI-assisted development. Every feature exists to make code reviews more consistent, thorough, and actionable.
Structured rule format
Every rule is a Markdown file with YAML frontmatter. The format is consistent, predictable, and parseable by both humans and machines.
- YAML frontmatter with title, impact, tags, CWE, OWASP mappings
- Bad code example showing the vulnerability or anti-pattern
- Good code example showing the corrected approach
- Detection hints with grep patterns for finding violations
- References to external documentation and standards
---
title: Rule Title Here
description: "What this rule checks"
impact: CRITICAL | HIGH | MEDIUM | LOW
tags: [security, performance, ...]
cwe: ["CWE-XXX"]
owasp: ["AXX:2021"]
detection_grep: "pattern to find"
---
## Rule Title Here
**Impact: LEVEL (why it matters)**
Explanation of the vulnerability
or anti-pattern.
**Incorrect:**
```tsx
// Bad code with inline comments
```
**Correct:**
```tsx
// Good code with inline comments
```
**Detection hints:**
```bash
# Commands to find violations
```
AI-native from day one
BeforeMerge rules are designed to be consumed by AI coding agents. Install a skill with one command, and your agent loads the rules automatically on every session.
```bash
$ npx skills add BeforeMerge/beforemerge-skills --skill nextjs-review
```
The structured format means AI agents don't just read the rules — they understand the context, severity, and exactly what patterns to look for. No prompt engineering required.
Compatible with any tool that supports the skills protocol. One install, every AI code review session is enhanced.
CWE & OWASP mapped
Every security rule maps directly to CWE identifiers and OWASP Top 10 categories. This gives compliance teams traceability and developers immediate context about why a rule matters.
CWE
Common Weakness Enumeration identifiers on every security rule
OWASP
Top 10 2021 category mapping for compliance reporting
Framework-specific, not generic
Every rule targets real patterns in real frameworks. No abstract advice — actionable code examples that show exactly what to look for in your stack.
Next.js
App Router patterns, Server Actions auth, middleware bypass prevention, cache poisoning, and client data exposure.
Supabase
RLS policy gaps, service role exposure, SQL injection via raw queries, auth pattern enforcement, and connection pooling.
SOLID Architecture
Dependency direction, repository pattern, service layers, interface segregation, and domain entity boundaries.
WordPress
wpdb SQL injection, nonce verification, output escaping, privilege escalation, and object caching patterns.
Built-in detection hints
Every rule includes a detection_grep pattern in the frontmatter, plus full detection hint sections with commands AI agents can run to find potential violations.
This means AI agents don't just know the rules — they know how to actively search your codebase for violations. Proactive review, not passive checklists.
```bash
# Frontmatter detection pattern:
detection_grep: "dangerouslySetInnerHTML"

# Full detection hints section:
# Find all uses of dangerouslySetInnerHTML
grep -rn "dangerouslySetInnerHTML" src/ --include="*.tsx" --include="*.jsx"

# Check if DOMPurify is imported nearby
# (-E is required: in basic grep syntax "|" is a literal character, not alternation,
#  so without it every file would be reported as lacking a sanitizer)
grep -rl "dangerouslySetInnerHTML" src/ --include="*.tsx" | \
  xargs grep -LE "DOMPurify|sanitize"

# AI agent runs these automatically
# and reports findings with context
```
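As an added example (not BeforeMerge's own tooling), the following Python ties the rule format and the detection hints together: it parses a rule file's YAML frontmatter into structured fields, validates the impact, CWE and OWASP values against the formats the template prescribes, and then applies the rule's detection_grep to sample source files in-process, mirroring the grep-then-check-for-a-sanitizer pipeline. The rule content, the sanitizer regex and the sample files are all constructed for this example.

```python
import re
IMPACTS = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}

# Constructed sample rule in the page's layout (hypothetical, not a real BeforeMerge rule).
RULE_MD = """---
title: Unsanitized dangerouslySetInnerHTML
description: "Raw HTML rendered without a sanitizer"
impact: HIGH
tags: [security, xss]
cwe: ["CWE-79"]
owasp: ["A03:2021"]
detection_grep: "dangerouslySetInnerHTML"
---
"""

def parse_rule(text):
    """Split a rule into (frontmatter dict, Markdown body); handles only the template's scalars and flow lists."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        raise ValueError("missing frontmatter delimiters")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, raw = line.partition(":")
        raw = raw.strip()
        if raw.startswith("[") and raw.endswith("]"):  # flow list such as [security, "xss"]
            meta[key.strip()] = [v.strip().strip("\"'") for v in raw[1:-1].split(",") if v.strip()]
        else:
            meta[key.strip()] = raw.strip("\"'")
    return meta, m.group(2)

def validate(meta):
    """Return frontmatter problems; an empty list means the rule is well-formed."""
    errors = [f"missing {k}" for k in ("title", "impact", "detection_grep") if not meta.get(k)]
    if meta.get("impact") not in IMPACTS:
        errors.append(f"bad impact {meta.get('impact')!r}")
    errors += [f"bad cwe {c}" for c in meta.get("cwe", []) if not re.fullmatch(r"CWE-\d+", c)]
    errors += [f"bad owasp {o}" for o in meta.get("owasp", []) if not re.fullmatch(r"A\d{2}:2021", o)]
    return errors

def find_violations(meta, files, sanitizer=r"DOMPurify|sanitize"):
    """In-process version of the grep pipeline: files matching detection_grep with no sanitizer reference."""
    pat, safe = re.compile(meta["detection_grep"]), re.compile(sanitizer)
    return sorted(p for p, src in files.items() if pat.search(src) and not safe.search(src))

SAMPLE_FILES = {  # constructed sample sources, not from any real codebase
    "src/Post.tsx": "export const Post = ({html}) => <div dangerouslySetInnerHTML={{__html: html}} />;",
    "src/Safe.tsx": 'import DOMPurify from "dompurify";\n<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(html)}} />',
    "src/Plain.tsx": "export const Plain = ({text}) => <p>{text}</p>;",
}
```

Running `find_violations(*parse_rule(RULE_MD)[:1], SAMPLE_FILES)` reports only `src/Post.tsx`; the file that imports DOMPurify and the file that never uses the API are not flagged.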
```text
skills/
  nextjs-review/
    rules/
      security/
        sec-xss-dangerouslysetinnerhtml.md
        sec-sql-injection.md
        sec-csrf-server-actions.md
        sec-route-handler-auth.md
        ...
      performance/
        perf-server-vs-client.md
        perf-dynamic-imports.md
        perf-n-plus-one.md
        ...
      quality/
        qual-typescript-any-boundary.md
        qual-validate-boundaries.md
        ...
      architecture/
        arch-error-boundaries.md
        arch-loading-error-states.md
        ...
    SKILL.md
    metadata.json
```
Organized by domain
Rules are organized into four categories within each skill: security, performance, quality, and architecture. This makes it easy to find, contribute, and maintain rules.
- Security — XSS, SQL injection, auth bypass, CSRF, data exposure
- Performance — N+1 queries, bundle size, caching, lazy loading
- Quality — Type safety, error handling, validation, DRY patterns
- Architecture — SOLID principles, separation of concerns, patterns
Automated PR scanning
We're building a SaaS platform that automatically scans your pull requests against BeforeMerge rules. Connect your repo, configure your skills, and get review comments on every PR.
Automated PR Comments
BeforeMerge posts review comments directly on your pull requests with specific rule violations and fixes.
Custom Private Rules
Create organization-specific rules that encode your team's patterns and requirements.
Dashboard & Analytics
Track rule violations over time, see trends, and measure improvement across your codebase.
API Access
Integrate BeforeMerge scanning into your existing CI/CD pipeline and tooling.
Compliance Reporting
Generate reports showing CWE/OWASP coverage for security audits and compliance reviews.
Team Collaboration
Shared rule configurations, team dashboards, and collaborative rule authoring.