Rule documentation
Rules
Current explainers for workflow and repository-wide findings. These docs describe what gets flagged, why it matters, and how to verify improvements.
Repository-wide and workflow findings. Open a rule to see what gets flagged, suggested action, and verification guidance.
async-test-uses-sync-testclient
async-test-uses-sync-testclient Detects `async def test_*` functions under `tests/` that instantiate `TestClient(...)`.
avoid-brew-update-on-hosted-macos
avoid-brew-update-on-hosted-macos Flags GitHub-hosted macOS jobs that run `brew update` or `brew upgrade` during CI.
avoid-broad-upload-artifact
avoid-broad-upload-artifact Detects `actions/upload-artifact` steps that upload very broad paths (`.`, `./`, `*`, or `**`) without an error-condition guard.
avoid-c-drive-on-windows-runner
avoid-c-drive-on-windows-runner Avoid hardcoding `C:\` drive paths on Windows runners.
avoid-docker-image-via-uses
avoid-docker-image-via-uses Steps using `uses: owner/repo` without an `@ref`, `docker://`, or `./` qualifier.
avoid-eslint-plugin-prettier
avoid-eslint-plugin-prettier Flags repositories whose visible ESLint config appears to wire Prettier into ESLint.
avoid-lucide-angular-icons-registry
avoid-lucide-angular-icons-registry Flags `icons` registry imports from `lucide-angular`.
avoid-lucide-dynamic-icon
avoid-lucide-dynamic-icon This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect `lucide-react/dynamic`.
avoid-mui-barrel-imports
avoid-mui-barrel-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` with Material UI's recommended top-level package restriction.
avoid-mypy-production-bundle
avoid-mypy-production-bundle Detects mypy declared in production dependency sections or bundled into CDK deployment assets.
avoid-prettier-eslint
avoid-prettier-eslint Flags repositories whose visible dependencies or config still indicate `prettier-eslint`, or workflows that call `prettier-eslint` directly.
avoid-svg-component-imports
avoid-svg-component-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect SVG imports that turn asset files into React, Vue, or similar framework components.
avoid-xcode-install-on-hosted-macos
avoid-xcode-install-on-hosted-macos Flags GitHub-hosted macOS jobs that visibly install or download Xcode during CI.
cache-terraform-providers
cache-terraform-providers Detects jobs that run `terraform init` without caching the downloaded provider plugins.
cargo-build-before-test
cargo-build-before-test Detects redundant `cargo build` steps that immediately precede `cargo test` with identical build conditions.
cdk-asset-waste-files
cdk-asset-waste-files CDK assets contain unnecessary files that inflate deployment package size.
cdk-bucket-deployment-memory-unconfigured
cdk-bucket-deployment-memory-unconfigured CDK code that uses `BucketDeployment` without setting the `memoryLimit` property.
CDK Duplicate Asset Hash
cdk-duplicate-asset-hash Detects multiple CDK assets with the same `sourceHash` in `cdk.out/manifest.json`.
circleci-checkout-uses-full-clone
circleci-checkout-uses-full-clone CircleCI defaults to a blobless clone (`method: blobless`), which fetches only the reachable objects for the current commit. This is equivalent to `git clone --filter=blob:none` and is faster and uses less data than a full clone.
collapse-multiple-go-builds-in-job
collapse-multiple-go-builds-in-job Detects CI jobs that run multiple separate `go build` commands.
consider-caching-os-packages-or-using-a-custom-image
consider-caching-os-packages-or-using-a-custom-image Flags jobs that repeatedly install OS packages at runtime without visible package caching or a prebuilt image strategy.
consider-filter-blob-none-for-release-metadata
consider-filter-blob-none-for-release-metadata Flags history-aware metadata jobs that may be able to use checkout `filter: blob:none`.
consider-slim-over-alpine-for-ci
consider-slim-over-alpine-for-ci Flags CI jobs that run inside a visible Alpine or musl-based container image.
db-io-reduce
db-io-reduce Database service containers and ad-hoc `docker run` commands in CI write to disk by default. On GitHub Actions hosted runners, this causes unnecessary I/O overhead that can significantly slow down test suites.
deep-checkout-excessive-depth
deep-checkout-excessive-depth Detects `actions/checkout` configured with `fetch-depth >= 1000` when the job does not appear to need that much history.
deep-checkout-without-need
deep-checkout-without-need Detects `actions/checkout` configured with `fetch-depth: 0` when the job does not appear to need full git history.
detected-large-barrel-file
detected-large-barrel-file This repository-wide finding comes from an embedded `oxlint` scan using `oxc/no-barrel-file`.
detected-large-files
detected-large-files This repository-wide finding flags excessively large data and binary files that bloat git clone and checkout operations.
docker-bake-file-unused-in-ci
docker-bake-file-unused-in-ci Detects repositories that have a Docker bake file while CI bypasses it with direct Docker image builds.
Docker build cache disabled in CI
docker-build-cache-disabled-in-ci Routine Docker builds should reuse cache whenever possible. `--no-cache` and build action `no-cache: true` force every layer to rebuild, even when the Dockerfile and copied files are unchanged.
Docker build loads image into daemon unnecessarily
docker-build-load-true-unnecessary `docker/build-push-action` with `load: true` loads the built image into the local Docker daemon. This adds serialization overhead and is only needed when a subsequent step in the same job uses the image locally (e.g., `docker run`, `docker compose`, `docker tag`, `docker save`).
docker-build-without-layer-cache
docker-build-without-layer-cache Detects `docker/build-push-action` and `depot/build-push-action` steps that do not configure `cache-from` and `cache-to`.
Dockerfile local ADD without clear need
dockerfile-add-without-clear-need `ADD` has extra behavior for remote URLs and archive extraction. For ordinary local files and directories, `COPY` is more explicit and avoids accidentally doing extra work in the Docker build.
dockerfile-apk-add-without-no-cache-or-cache-mount
dockerfile-apk-add-without-no-cache-or-cache-mount Detects Dockerfile `RUN apk add` instructions that do not use `--no-cache` or a BuildKit cache mount.
dockerfile-apt-install-without-cleanup-or-cache-mount
dockerfile-apt-install-without-cleanup-or-cache-mount Detects Dockerfile `RUN` instructions that perform apt package work without either cleaning apt lists in the same layer or using BuildKit apt cache mounts.
Dockerfile apt install without no-install-recommends
dockerfile-apt-install-without-no-install-recommends `apt-get install` installs recommended packages by default. In CI-built Docker images, those extra packages often increase layer size without improving the runtime image.
Dockerfile base image uses floating tag
dockerfile-base-image-uses-floating-tag Untagged base images and `:latest` can move to new content independently of the repository. That makes rebuilds less predictable and can invalidate Docker cache layers even when application code has not changed.
dockerfile-bun-install-without-frozen-lockfile
dockerfile-bun-install-without-frozen-lockfile Detects Node Dockerfiles that run Bun dependency installation without frozen lockfile behavior while a Bun lockfile is available in the Docker build context.
dockerfile-bundle-install-without-cache-mount
dockerfile-bundle-install-without-cache-mount Detects Ruby Dockerfiles that run `bundle install` without a visible BuildKit cache mount on the same instruction.
dockerfile-cargo-build-release-without-cache-mount
dockerfile-cargo-build-release-without-cache-mount Detects Rust Dockerfiles that run `cargo build --release` without a visible BuildKit cache mount on the same instruction.
dockerfile-cargo-install-without-locked
dockerfile-cargo-install-without-locked Detects Rust Dockerfiles that install external Rust tools with `cargo install` without `--locked`.
Dockerfile compiled build copies source layer
dockerfile-compiled-build-copies-source-layer Compiled Docker builds often need source files only temporarily to produce a binary or build artifact. A broad `COPY . .` before `go build` or `cargo build` creates a source layer that changes frequently and can invalidate later layers.
dockerfile-copies-all-before-deps
dockerfile-copies-all-before-deps Detects Dockerfiles that copy broad source context before dependency installation.
dockerfile-copy-link-without-cache-benefit
dockerfile-copy-link-without-cache-benefit Detects `COPY --link` instructions whose cache benefit is unlikely to beat their build graph overhead.
dockerfile-final-stage-copies-broad-context
dockerfile-final-stage-copies-broad-context Detects Dockerfiles where the final image stage copies the broad build context.
dockerfile-go-build-without-cache-mount
dockerfile-go-build-without-cache-mount Detects Go Dockerfiles that run `go build` without a visible BuildKit cache mount on the same instruction.
dockerfile-go-mod-download-without-cache-mount
dockerfile-go-mod-download-without-cache-mount Detects Go Dockerfiles that run `go mod download` without a visible BuildKit cache mount on the same instruction.
dockerfile-gradle-build-without-cache-mount
dockerfile-gradle-build-without-cache-mount Detects Java Dockerfiles that run Gradle build tasks without a visible BuildKit cache mount on the same instruction.
dockerfile-gradle-dependencies-without-cache-mount
dockerfile-gradle-dependencies-without-cache-mount Detects Java Dockerfiles that run Gradle dependency resolution without a visible BuildKit cache mount on the same instruction.
dockerfile-maven-build-without-cache-mount
dockerfile-maven-build-without-cache-mount Detects Java Dockerfiles that run Maven build goals without a visible BuildKit cache mount on the same instruction.
dockerfile-maven-go-offline-without-cache-mount
dockerfile-maven-go-offline-without-cache-mount Detects Java Dockerfiles that run `mvn dependency:go-offline` without a visible BuildKit cache mount on the same instruction.
dockerfile-pnpm-install-without-frozen-lockfile
dockerfile-pnpm-install-without-frozen-lockfile Detects Node Dockerfiles that run `pnpm install` without `--frozen-lockfile` while `pnpm-lock.yaml` is available in the Docker build context.
dockerfile-uses-npm-install-with-lockfile
dockerfile-uses-npm-install-with-lockfile Detects Node Dockerfiles that run project-level `npm install`-style commands while `package-lock.json` is available in the Docker build context.
dockerfile-uv-sync-without-frozen-lockfile
dockerfile-uv-sync-without-frozen-lockfile Detects Python Dockerfiles that run project-level `uv sync` without frozen or locked lockfile behavior while `uv.lock` is available in the Docker build context.
dockerfile-yarn-install-without-immutable-lockfile
dockerfile-yarn-install-without-immutable-lockfile Detects Node Dockerfiles that run Yarn dependency installation without a lockfile-immutable flag while `yarn.lock` is available in the Docker build context.
dockerignore-misses-noisy-build-context-paths
dockerignore-misses-noisy-build-context-paths Detects Docker build contexts where a `.dockerignore` file exists but still allows noisy root paths into the build context.
duplicate-checkout-in-same-workflow
duplicate-checkout-in-same-workflow Detects multiple non-matrix jobs that each perform checkout before similar install-heavy work inside one workflow.
duplicate-install-or-lint
duplicate-install-or-lint Detects non-matrix jobs that repeat the same dependency install and lint combination within one workflow.
elixir-otp-version-performance
elixir-otp-version-performance Detects outdated Elixir and OTP (Erlang) versions across your CI configuration, Dockerfiles, and `.tool-versions` files.
go-build-before-race-test
go-build-before-race-test Detects broad `go build ./...` steps that run before broad race-enabled Go tests.
go-test-broad-package-serial-p-one
go-test-broad-package-serial-p-one Detects broad Go test runs that serialize package execution with `-p 1`.
go-test-repeats-vet-after-go-vet
go-test-repeats-vet-after-go-vet Detects Go CI jobs that run `go vet` and then run `go test` without `-vet=off`.
hatch-without-uv-installer
hatch-without-uv-installer Flags repositories and CI jobs that use Hatch without `installer = "uv"` configured.
large-jest-snapshot
large-jest-snapshot This repository-wide finding comes from an embedded `oxlint` scan using `jest/no-large-snapshots`.
matrix-test-job-without-test-sharding
matrix-test-job-without-test-sharding Flags test jobs that use a shard-like matrix but do not visibly pass the matrix value into the test command.
missing-angular-cli-cache
missing-angular-cli-cache Flags workflows that visibly run Angular CLI tasks while Angular CLI cache is not fully wired for CI.
missing-concurrency
missing-concurrency Detects heavy workflows that do not define workflow-level or job-level `concurrency`.
missing-dependency-cache
missing-dependency-cache Detects setup steps that prepare a language runtime but do not visibly enable dependency caching.
missing-dockerignore-for-build-context
missing-dockerignore-for-build-context Detects Docker image builds that use a wide build context without a visible `.dockerignore` file.
missing-gradle-build-cache
missing-gradle-build-cache Flags workflows that visibly run Gradle tasks while no repository-level Gradle build cache configuration is visible.
missing-make-j-flag
missing-make-j-flag Detects workflow steps that run `make`, `gmake`, or `cmake --build` without any parallelization mechanism.
missing-next-build-cache
missing-next-build-cache Flags workflows that visibly run `next build` while no cache step for `.next/cache` is visible.
missing-path-ignore-for-non-code
missing-path-ignore-for-non-code Detects heavy workflows that do not ignore obviously non-code changes such as docs and markdown.
missing-paths-filter
missing-paths-filter Detects heavy workflows that respond to `push` or `pull_request` without `paths` or `paths-ignore`.
missing-release-downstream-success-guard
missing-release-downstream-success-guard Flags release-like downstream jobs that already use a status-based `if:` expression but do not also visibly guard on upstream success.
missing-test-worker-tuning-for-standard-runner
missing-test-worker-tuning-for-standard-runner Flags direct test-runner commands on standard GitHub-hosted runners when no visible worker tuning is present.
missing-timeout-in-minutes-buildkite
missing-timeout-in-minutes-buildkite Buildkite pipeline steps do not have a default timeout. Without `timeout_in_minutes`, a hung or degraded step can run indefinitely and consume agent capacity.
missing-timeout-in-minutes-gitlab-ci
missing-timeout-in-minutes-gitlab-ci GitLab CI jobs use a project-level default timeout (60 minutes). Heavy jobs should use an explicit `timeout` to prevent runaway builds and wasted CI minutes.
missing-timeout-minutes
missing-timeout-minutes Detects non-matrix jobs of interest that do not define job-level `timeout-minutes`.
missing-turbo-cache
missing-turbo-cache Flags workflows that visibly run `turbo run ...` tasks while no local Turbo cache path or remote-cache wiring is visible.
native-dependency-may-fall-back-to-source-build
native-dependency-may-fall-back-to-source-build Flags repositories that use native-heavy packages while the workflow also shows install conditions that may bypass wheels or prebuilt binaries.
nox-without-uv-backend
nox-without-uv-backend Flags repositories and CI jobs that use nox without the `--uv` flag or `nox.options.uv = True`.
npm-ci-over-npm-install
npm-ci-over-npm-install Detects workflows that use `npm install` instead of `npm ci` when `package-lock.json` exists in the repository.
outdated-datadog-lambda-extension
outdated-datadog-lambda-extension Detects Datadog Lambda Extension versions below v88 in GitHub Actions workflows and recommends upgrading to v88 or later.
outdated-husky-version
outdated-husky-version Flags repositories that use Husky `< 9.1.2` and also have workflows that look relevant to local hook workloads such as lint, format, test, or TypeScript checks.
outdated-setup-action-without-cache
outdated-setup-action-without-cache Detects older `actions/setup-*` majors when no cache configuration is visible.
pdm-without-use-uv
pdm-without-use-uv Flags repositories and CI jobs that use PDM without `use_uv = true` configured.
prefer-buildx-bake-for-multiple-images
prefer-buildx-bake-for-multiple-images Detects CI jobs that build multiple Docker images or targets through separate Docker build invocations.
prefer-buildx-build-over-docker-build
prefer-buildx-build-over-docker-build Detects CI jobs that run legacy `docker build` instead of `docker buildx build`.
prefer-direct-angular-material-imports
prefer-direct-angular-material-imports Flags top-level Angular Material imports that can expand the module graph for CI tooling.
prefer-direct-ant-design-icons-imports
prefer-direct-ant-design-icons-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `@ant-design/icons` package root.
prefer-direct-antd-imports
prefer-direct-antd-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `antd` package root.
prefer-direct-date-fns-imports
prefer-direct-date-fns-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `date-fns` package root.
prefer-direct-effect-imports
prefer-direct-effect-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from top-level Effect package entries.
prefer-direct-font-awesome-imports
prefer-direct-font-awesome-imports Flags top-level Font Awesome icon pack imports that can expand the module graph for CI tooling.
prefer-direct-headlessui-float-react-imports
prefer-direct-headlessui-float-react-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `@headlessui-float/react` package root.
prefer-direct-headlessui-react-imports
prefer-direct-headlessui-react-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `@headlessui/react` package root.
prefer-direct-heroicons-imports
prefer-direct-heroicons-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect grouped Heroicons imports.
prefer-direct-lodash-es-imports
prefer-direct-lodash-es-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `lodash-es` package root.
prefer-direct-material-ui-v4-imports
prefer-direct-material-ui-v4-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from Material UI v4 package roots.
prefer-direct-mui-core-imports
prefer-direct-mui-core-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `mui-core` package root.
prefer-direct-ramda-imports
prefer-direct-ramda-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `ramda` package root.
prefer-direct-react-bootstrap-imports
prefer-direct-react-bootstrap-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `react-bootstrap` package root.
prefer-direct-react-icons-imports
prefer-direct-react-icons-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect grouped `react-icons` icon-set imports.
prefer-direct-react-use-imports
prefer-direct-react-use-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `react-use` package root.
prefer-direct-recharts-imports
prefer-direct-recharts-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `recharts` package root.
prefer-direct-rxjs-imports
prefer-direct-rxjs-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `rxjs` package root.
prefer-direct-tabler-icons-imports
prefer-direct-tabler-icons-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `@tabler/icons-react` package root.
prefer-direct-tremor-imports
prefer-direct-tremor-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `@tremor/react` package root.
Use direct upload for already-compressed artifacts
prefer-direct-upload-for-compressed-artifacts `actions/upload-artifact` steps that upload a single already-compressed or binary file without using `archive: false`, or that use a version older than v7 which does not support direct uploads.
prefer-direct-visx-imports
prefer-direct-visx-imports This repository-wide finding comes from an embedded `oxlint` scan using `eslint/no-restricted-imports` to detect imports from the `@visx/visx` package root.
prefer-dorny-paths-filter-for-scoped-jobs
prefer-dorny-paths-filter-for-scoped-jobs Detects workflows where multiple heavy component-scoped jobs run on broad PR or branch push triggers without a visible `dorny/paths-filter` gate.
prefer-eslint-plugin-import-x
prefer-eslint-plugin-import-x Flags repositories whose visible ESLint setup appears to use `eslint-plugin-import` without visible `eslint-plugin-import-x` usage.
prefer-explicit-import-extensions
prefer-explicit-import-extensions Large Vite-family repositories should prefer explicit file extensions for relative JavaScript and TypeScript imports.
prefer-jest-30-for-jest-29
prefer-jest-30-for-jest-29 Jest 29 repositories should consider Jest 30 when the visible TypeScript and JSDOM compatibility conditions are already satisfied.
prefer-lefthook-for-complex-git-hooks
prefer-lefthook-for-complex-git-hooks Flags repositories whose Git hook setup looks moderately complex and may be easier to maintain with Lefthook.
prefer-mypy-performance-milestone
prefer-mypy-performance-milestone Detects mypy versions below known performance milestones in the 1.x series and suggests incremental upgrades.
prefer-native-arm-runner-over-qemu
prefer-native-arm-runner-over-qemu Detects Docker image builds that target ARM through QEMU emulation in GitHub Actions.
prefer-next-typescript-performance-milestone
prefer-next-typescript-performance-milestone Flags a repository that depends on TypeScript 5.x but is still below the next notable 5.x performance milestone.
prefer-nextest-for-heavy-rust-tests
prefer-nextest-for-heavy-rust-tests Flags heavy-looking Rust test jobs that still run `cargo test` without visible `cargo-nextest` adoption.
prefer-nextjs-12-minor-performance-milestone
prefer-nextjs-12-minor-performance-milestone Flags workflows that visibly run `next build` when the repository depends on Next.js `12.0`, `12.1`, or `12.2`.
prefer-nextjs-13-minor-performance-milestone
prefer-nextjs-13-minor-performance-milestone Flags workflows that visibly run `next build` when the repository depends on Next.js `13.0`, `13.1`, or `13.2`.
prefer-nextjs-14-minor-performance-milestone
prefer-nextjs-14-minor-performance-milestone Flags workflows that visibly run `next build` when the repository depends on Next.js `14.0` or `14.1`.
prefer-node-run-over-npm-run
prefer-node-run-over-npm-run Detects simple GitHub Actions steps and package.json scripts that run package scripts through `npm run` when `node --run` may be a lower-overhead replacement.
prefer-oxfmt-over-prettier
prefer-oxfmt-over-prettier Flags repositories that appear to use Prettier without visible Oxfmt adoption.
prefer-oxlint-over-eslint
prefer-oxlint-over-eslint Flags repositories that appear to use ESLint without visible Oxlint adoption.
prefer-pydantic-v2
prefer-pydantic-v2 Detects Python dependency files that pin or request Pydantic v1.
prefer-ruff-format-over-black
prefer-ruff-format-over-black Detects repositories that appear to use `black` without visible Ruff formatting adoption.
prefer-ruff-import-sorting-over-isort
prefer-ruff-import-sorting-over-isort Detects repositories that appear to use `isort` without visible Ruff import-sorting adoption.
prefer-setup-bun-for-lightweight-node-tooling
prefer-setup-bun-for-lightweight-node-tooling Flags jobs that:
prefer-setup-uv-for-lightweight-python-tooling
prefer-setup-uv-for-lightweight-python-tooling Flags jobs that:
prefer-sparse-checkout-for-scoped-workflow
prefer-sparse-checkout-for-scoped-workflow Flags build or release jobs that use only a narrow working tree and may still benefit from sparse checkout.
prefer-standard-arm-runner-for-api-cli
prefer-standard-arm-runner-for-api-cli Flags API-bound CLI jobs that run on standard x64 Ubuntu GitHub-hosted runners and may be good candidates for the matching standard arm64 Ubuntu runner.
prefer-standard-arm-runner-for-portable-tooling
prefer-standard-arm-runner-for-portable-tooling Flags lightweight lint or format tooling jobs that run on standard x64 Ubuntu GitHub-hosted runners and may be good candidates for the matching standard arm64 Ubuntu runner.
prefer-storybook-6-minor-performance-milestone
prefer-storybook-6-minor-performance-milestone Flags workflows that visibly run `build-storybook` or `storybook build` when the repository depends on Storybook `6.0`, `6.1`, `6.2`, `6.3`, or `6.4`.
prefer-storybook-7-minor-performance-milestone
prefer-storybook-7-minor-performance-milestone Flags workflows that visibly run `build-storybook` or `storybook build` when the repository depends on Storybook `7.0`, `7.1`, `7.2`, `7.3`, `7.4`, or `7.5`.
prefer-tailwind-v4-upgrade-tool
prefer-tailwind-v4-upgrade-tool Tailwind CSS v3 projects should usually start a v4 migration with the official upgrade tool, but only when the visible compatibility signals look reasonable.
prefer-turborepo-over-npm-workspaces
prefer-turborepo-over-npm-workspaces Flags repositories that appear to rely primarily on npm, use more than two workspace patterns, and do not use Turborepo.
prefer-uv-pip-over-pip
prefer-uv-pip-over-pip Flags `pip install` commands in jobs that already have `setup-uv` available. If uv is already installed (via `astral-sh/setup-uv`), plain `pip install` should be replaced with `uv pip install` for faster installs.
prefer-zstd-compression-for-pushed-docker-images
prefer-zstd-compression-for-pushed-docker-images Detects pushed BuildKit Docker image builds that do not request zstd layer compression.
pyramid-config-scan-unrestricted
pyramid-config-scan-unrestricted Detects Pyramid `config.scan()` calls that do not specify an `ignore=` filter when the scan target contains directories that are unlikely to contain runtime application code.
pytest norecursedirs is explicitly set, overriding defaults
pytest-norecursedirs-override The project has `norecursedirs` explicitly set in a pytest config file **and** does not have `testpaths` configured. The check also verifies that directories corresponding to pytest's default `norecursedirs` entries exist in the repository but are missing from the custom list.
pytest testpaths is not configured
pytest-testpaths-unconfigured The project uses pytest but has not configured `testpaths` in any pytest config file (`pytest.ini`, `pyproject.toml`, `setup.cfg`, `tox.ini`), and CI workflow steps do not pass explicit test paths either.
python-top-level-heavy-client-init
python-top-level-heavy-client-init Detects heavy client, connection, or model initialization at module top level in `src/**/*.py` for FastAPI, Django, and Flask repositories.
recommend-rspack-over-webpack
recommend-rspack-over-webpack This rule detects repositories using webpack 5.x that could benefit from migrating to rspack.
recommend-swc-over-babel
recommend-swc-over-babel This rule detects repositories using Babel that could benefit from migrating to SWC.
recommend-webpack-4-latest-patch
recommend-webpack-4-latest-patch This rule detects repositories using webpack 4.x at a version below 4.47.
recommend-webpack-5-latest-patch
recommend-webpack-5-latest-patch This rule detects repositories using webpack 5.x at a version below 5.50.
redundant-bootstrap-in-husky-hook
redundant-bootstrap-in-husky-hook Flags repositories whose `.husky/*` hook files still use deprecated Husky bootstrap or x-runner wrapping such as `npx`.
redundant-install-for-preinstalled-cli
redundant-install-for-preinstalled-cli Flags GitHub-hosted Ubuntu, Windows, or macOS jobs that visibly install a CLI already present on the runner image and then use that CLI later in the same job.
redundant-manual-cache-with-setup-action
redundant-manual-cache-with-setup-action Detects jobs that configure a setup action's built-in dependency cache and also define a matching manual `actions/cache` layer for the same dependency family.
redundant-npx-or-bootstrap
redundant-npx-or-bootstrap Detects jobs that already install dependencies and still invoke common local CLI tools through bootstrap runners such as `npx`, `pnpx`, `pnpm dlx`, `bunx`, `yarn dlx`, `uvx`, or `uv tool run`.
renovate-aws-sdk-grouping
renovate-aws-sdk-grouping Renovate configuration does not group AWS SDK dependencies, and the repository uses multiple AWS SDK v3 packages.
renovate-cdk-deps-grouping
renovate-cdk-deps-grouping Renovate configuration does not group CDK dependencies, and the repository uses multiple CDK packages.
renovate-rebase-when-unconfigured
renovate-rebase-when-unconfigured Renovate configuration does not explicitly set `rebaseWhen` locally.
repeated-build-in-same-workflow
repeated-build-in-same-workflow Detects the same build family running in multiple non-matrix jobs within one workflow.
repeated-install-in-same-job
repeated-install-in-same-job Detects the same install command running multiple times within one job.
repeated-lint-in-same-workflow
repeated-lint-in-same-workflow Detects the same lint tool family running in multiple non-matrix jobs within one workflow.
scheduled-heavy-workflow-without-throttling
scheduled-heavy-workflow-without-throttling Flags heavy scheduled workflows that appear to run more often than every 3 hours.
setup-node-cache-dependency-path-unset
setup-node-cache-dependency-path-unset Detects `actions/setup-node` steps that enable caching without specifying `cache-dependency-path` when lock files exist outside the repository root.
tailwind-content-config
tailwind-content-config Tailwind CSS content configuration must be present and scoped to avoid unnecessary file scanning.
terraform-github-app-auth
terraform-github-app-auth GitHub App authentication via `app_auth` provides significantly higher API rate limits compared to a personal access token (PAT). Higher rate limits reduce the risk of hitting API limits during large `terraform plan`/`apply` operations, concurrent plans, and provider refreshes. Rate limit pauses can delay CI workflows by up to an hour.
terraform-github-parallel-requests
terraform-github-parallel-requests **Severity**: suggestion **Confidence**: high
terraform-github-slow-resources
terraform-github-slow-resources These resources already have an implicit repository scope via the GitHub provider. Looking up `data.github_repository` triggers an extra GitHub API call **per resource**, which inflates `terraform plan` and `apply` duration. In repositories with many branch protections, environments, or secrets, this compounds significantly and can trigger API rate limits.
terraform-lockfile-missing
terraform-lockfile-missing Repositories that run `terraform` in CI but have no `.terraform.lock.hcl` file committed.
terraform-pagerduty-team-membership-version
terraform-pagerduty-team-membership-version Repositories that use `pagerduty_team_membership` with a PagerDuty provider version constraint that allows versions below v3.32.2.
terraform-parallelism-unconfigured
terraform-parallelism-unconfigured Terraform defaults to `parallelism=10`, which is slow for large configurations. Tuning parallelism to match runner capacity is one of the highest-leverage Terraform CI optimizations.
tox-without-tox-uv
tox-without-tox-uv Flags jobs that run `tox` without `tox-uv` installed.
ts-loader-fork-ts-checker
ts-loader-fork-ts-checker This rule detects webpack configurations using `ts-loader` with `transpileOnly: true` or `happyPackMode: true` but missing `fork-ts-checker-webpack-plugin`.
ungated-heavy-job
ungated-heavy-job Detects heavy jobs with no visible `if` condition inside broadly triggered workflows.
unnecessary-app-install-for-lint-job
unnecessary-app-install-for-lint-job Detects jobs that install full application dependencies but only run lint or check tools.
unnecessary-checkout-when-only-using-artifacts
unnecessary-checkout-when-only-using-artifacts Detects `actions/checkout` steps in jobs that only use artifact actions (`actions/download-artifact@` or `actions/upload-artifact@`) without any visible dependency on repository files.
wasteful-npm-global-install
wasteful-npm-global-install Jobs that use yarn, pnpm, or bun for package management but still run `npm install -g npm@latest` (or similar npm global upgrade commands).
wasteful-package-install-in-container
wasteful-package-install-in-container Jobs that run inside a Docker container (`container:`) but install OS packages (`apt-get install`, `apk add`, `brew install`, etc.) in workflow steps where the installed packages are not referenced in later steps.