Custom Rules
CodeStax lets you define custom security and quality rules in plain English. The AI engine translates your intent into detection patterns that run on every scan and PR review.
Creating a Rule
Navigate to Settings → Custom Rules → Add Rule.
Fields
| Field | Required | Description |
|---|---|---|
| Name | Yes | Short descriptive name (e.g., “No console.log in production”) |
| Description | Yes | Plain English description of what to detect |
| Severity | Yes | critical, high, medium, low, or info |
| Category | No | Grouping label (e.g., “Security”, “Compliance”, “Style”) |
| Languages | No | Limit to specific languages; blank means all |
| Scope | No | organization (all repos) or specific repositories |
Example Rules
Block console.log in production code:

```
Name: No console.log
Description: Detect any use of console.log, console.warn, or console.error
in TypeScript or JavaScript files outside of test directories.
Severity: medium
Languages: javascript, typescript
```

Require error handling in API routes:

```
Name: API error handling required
Description: All Express or FastAPI route handlers must have try-catch
or error handling middleware. Flag handlers that call external
services or database queries without error handling.
Severity: high
Languages: javascript, typescript, python
```

Prevent direct database queries:

```
Name: No raw SQL
Description: Detect raw SQL query strings passed to database drivers.
All database access must use the ORM layer. Flag any use of
cursor.execute, db.query, or pool.query with string literals.
Severity: critical
Languages: python, javascript
```

Enforce environment variable usage for secrets:

```
Name: No inline secrets
Description: Detect hardcoded API keys, passwords, connection strings,
or tokens assigned to variables. All secrets must come from
environment variables or a secrets manager.
Severity: critical
```

Severity Levels
| Level | Impact | Gate Behavior |
|---|---|---|
| Critical | Security vulnerability or data exposure | Blocks quality gate by default |
| High | Significant risk or policy violation | Counted toward gate threshold |
| Medium | Best practice violation | Warning, does not block by default |
| Low | Minor suggestion | Informational |
| Info | Observation | Never blocks |
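To make the "No raw SQL" example rule above concrete, here is an added Python AST check (not CodeStax's own detection pattern, which this page does not publish) that applies the rule's wording to Python source: it flags the three listed call targets when the first argument is a string literal, an f-string, or a concatenation, and shows that a query passed in through a variable falls outside what the rule as worded describes. The sample source is constructed for the illustration.

```python
import ast

# Call targets named by the "No raw SQL" rule: cursor.execute, db.query, pool.query.
RAW_SQL_SINKS = {"cursor.execute", "db.query", "pool.query"}

def _dotted_name(node):
    """Return 'obj.attr' for a call target such as cursor.execute, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    return None

def _is_string_built(node):
    """True if the argument is a string literal, an f-string, or a concatenation/format of one."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.JoinedStr):  # f"... {value} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _is_string_built(node.left) or _is_string_built(node.right)
    return False

def find_raw_sql(source):
    """Return (line, target, kind) for every call the rule would flag in the given source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        target = _dotted_name(node.func)
        if target in RAW_SQL_SINKS and _is_string_built(node.args[0]):
            kind = "literal" if isinstance(node.args[0], ast.Constant) else "interpolated"
            findings.append((node.lineno, target, kind))
    return findings

# Constructed sample: each line shows one case the rule's wording does or does not cover.
SAMPLE = '''
cursor.execute("SELECT 1")                                   # line 2: literal, flagged
cursor.execute(f"SELECT * FROM users WHERE id = {uid}")      # line 3: f-string, flagged
db.query("SELECT * FROM users WHERE name = '" + name + "'")  # line 4: concatenation, flagged
pool.query("SELECT * FROM users WHERE id = %s", (uid,))      # line 5: parameterised but still raw SQL, flagged
cursor.execute(stmt)                                         # line 6: variable, outside the rule's wording
session.query(User).filter_by(id=uid)                        # line 7: ORM call, not a listed sink
'''

if __name__ == "__main__":
    for line, target, kind in find_raw_sql(SAMPLE):
        print(f"line {line}: {target} called with {kind} SQL string")
```

Line 6 is the caveat worth testing for with the Test button: a query string assembled elsewhere and passed by name is not a "string literal" at the call site, so a rule that should catch it needs to say so.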
How Custom Rules Work
- You write the rule in natural language
- CodeStax’s AI engine converts it into a detection pattern
- The pattern runs during scans and PR reviews alongside built-in rules
- Findings from custom rules appear in results tagged with your rule name
- Custom rule findings are included in quality gate evaluation
Managing Rules
Enable / Disable
Toggle a rule on or off without deleting it. Disabled rules are skipped during scans.
Edit
Update the description, severity, or scope of an existing rule. Changes take effect on the next scan.
Delete
Permanently remove a rule. Historical findings from this rule remain in past scan results.
Test a Rule
Click Test to run the rule against a selected repository without triggering a full scan. Results show which files and lines would be flagged.
Scope & Inheritance
Rules follow a hierarchy:
- Organization rules apply to all repositories
- Repository rules apply to a single repo and override org rules with the same name
- Rules can be restricted to specific file patterns (e.g., `src/**/*.ts`)
Limits by Plan
| Plan | Custom Rules |
|---|---|
| Free | 0 |
| Pro | 5 |
| Team | 25 |
| Enterprise | Unlimited |