
Built-in Policies

MergeGuide ships with a built-in library of security, code quality and configuration policies. Each policy below is listed with its ID, default severity, supported languages, the compliance frameworks it maps to, and any settings it accepts.

Security Policies

no-hardcoded-secrets

Detects hardcoded secrets, API keys, passwords, and credentials.
Property     Value
ID           no-hardcoded-secrets
Severity     Error
Languages    All
Frameworks   NIST SSDF PW, OWASP ASVS V14, CIS 16.4
Detects:
  • API keys (AWS, Google, Stripe, etc.)
  • Passwords and passphrases
  • Private keys and certificates
  • Database connection strings
  • OAuth tokens
Configuration:
policies:
  no-hardcoded-secrets:
    enabled: true
    severity: error
    settings:
      detect_aws_keys: true
      detect_api_keys: true
      detect_passwords: true
      detect_private_keys: true
      custom_patterns:
        - "MY_COMPANY_KEY_\\w+"
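
The following is an added example, not MergeGuide's own scanner: a small detector in the shape of no-hardcoded-secrets, driven by the same settings block shown above. The detect_* regexes, the redact helper and the sample source are this example's assumptions; the real policy's patterns are not published on this page. Note that a custom_patterns entry is a plain regex source string, so the YAML double backslash becomes a single `\w` in the compiled pattern.

```javascript
// Added example, not MergeGuide's own scanner: a no-hardcoded-secrets style
// detector driven by the policy's settings block. The patterns below are
// this example's assumptions about what each detect_* switch looks for.

const DETECTORS = {
  detect_aws_keys: {
    name: "aws-access-key-id",
    // Long-term (AKIA) and temporary (ASIA) AWS access key IDs: 20 upper-case alphanumerics.
    re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/,
  },
  detect_private_keys: {
    name: "private-key",
    re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
  },
  detect_passwords: {
    name: "password-literal",
    // password = "literal"; a value read from the environment has no quote after '=' and is not flagged.
    re: /\b(?:password|passwd|passphrase)\b\s*[:=]\s*["'][^"']{4,}["']/i,
  },
  detect_api_keys: {
    name: "api-key-literal",
    re: /\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\b\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/i,
  },
};

// Never echo the whole secret back in a finding; keep just enough to locate it.
function redact(s) {
  return s.length <= 8 ? "*".repeat(s.length) : s.slice(0, 4) + "..." + s.slice(-4);
}

function scanForSecrets(source, settings) {
  const active = Object.entries(DETECTORS)
    .filter(([flag]) => settings[flag])
    .map(([, det]) => det);
  for (const pattern of settings.custom_patterns || []) {
    // custom_patterns are plain regex source strings, as in the YAML above.
    active.push({ name: `custom:${pattern}`, re: new RegExp(pattern) });
  }
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const det of active) {
      const m = det.re.exec(text);
      if (m) findings.push({ line: idx + 1, detector: det.name, match: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input; the key values are placeholders, not real credentials.
const SAMPLE = [
  'const region = "us-east-1";',
  'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  'const password = process.env.DB_PASSWORD;',
  'const password = "hunter2hunter2";',
  'const apiKey = "sk_live_0000000000000000abcd";',
  'const key = "MY_COMPANY_KEY_7f3a9b";',
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

// Mirrors the settings block above.
const SETTINGS = {
  detect_aws_keys: true,
  detect_api_keys: true,
  detect_passwords: true,
  detect_private_keys: true,
  custom_patterns: ["MY_COMPANY_KEY_\\w+"],
};

for (const f of scanForSecrets(SAMPLE, SETTINGS)) {
  console.log(`line ${f.line}: ${f.detector} (${f.match})`);
}
```

Line 3 of the sample (a password read from process.env) is deliberately not reported: the point of the policy is the literal committed to the repository, not the variable name.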

no-sql-injection

Detects potential SQL injection vulnerabilities.
Property     Value
ID           no-sql-injection
Severity     Error
Languages    JavaScript, TypeScript, Python, Java, PHP, Ruby
Frameworks   OWASP ASVS V5, CIS 16.4
Detects:
  • String concatenation in SQL queries
  • Template literal interpolation in queries
  • User input passed directly to queries
Configuration:
policies:
  no-sql-injection:
    enabled: true
    severity: error
    settings:
      check_orms: true
      allowed_functions:
        - parameterizedQuery
        - preparedStatement
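
Added example, not MergeGuide's code: the query shape this policy flags (template-literal interpolation into the statement text) beside the parameterized form it accepts, with a small tokenizer that shows why the distinction matters. The findUser* builders, bindForDisplay and sqlStringLiterals are this example's own helpers; a real driver sends bound values to the server separately from the statement text rather than splicing them in.

```javascript
// Added example, not MergeGuide's code: the query shape no-sql-injection
// flags beside the parameterized form it accepts. The two query builders,
// bindForDisplay and sqlStringLiterals are this example's own helpers; a real
// driver sends bound values to the server separately from the statement text.

// Flagged: template-literal interpolation splices user input into the SQL text.
function findUserUnsafe(email) {
  return { text: `SELECT id, role FROM users WHERE email = '${email}'`, values: [] };
}

// Accepted: a $1 placeholder with the value passed out of band (pg-style).
function findUserSafe(email) {
  return { text: "SELECT id, role FROM users WHERE email = $1", values: [email] };
}

// Illustrative only: renders what a bound value would look like as a quoted
// literal (doubling single quotes, the SQL-standard escape), so the two
// statements can be compared as text.
function bindForDisplay(query) {
  return query.text.replace(/\$(\d+)/g, (_, n) => {
    const v = query.values[Number(n) - 1];
    return "'" + String(v).replace(/'/g, "''") + "'";
  });
}

// Tokenizes SQL string literals the way a parser would: a doubled quote inside
// a literal is an escaped quote, not the end of the literal.
function sqlStringLiterals(sql) {
  const literals = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i++; continue; }
    let j = i + 1;
    let lit = "";
    while (j < sql.length) {
      if (sql[j] === "'") {
        if (sql[j + 1] === "'") { lit += "'"; j += 2; continue; }
        break;
      }
      lit += sql[j++];
    }
    literals.push(lit);
    i = j + 1;
  }
  return literals;
}

// Constructed attacker input: closes the literal and appends an always-true predicate.
const PAYLOAD = "' OR '1'='1";

const unsafeSql = findUserUnsafe(PAYLOAD).text;
// Three separate literals: the payload has become part of the WHERE clause.
console.log(unsafeSql, sqlStringLiterals(unsafeSql));

const safeSql = bindForDisplay(findUserSafe(PAYLOAD));
// One literal whose content is the whole payload: it can only ever be compared against email.
console.log(safeSql, sqlStringLiterals(safeSql));
```

The allowed_functions setting above is the hook for wrappers like findUserSafe: a helper that always takes a placeholder string plus a values array can be allow-listed, while anything that builds the statement text from its arguments should stay in scope for the check.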

no-xss

Detects potential Cross-Site Scripting (XSS) vulnerabilities.
Property     Value
ID           no-xss
Severity     Error
Languages    JavaScript, TypeScript, PHP
Frameworks   OWASP ASVS V5
Detects:
  • innerHTML assignments with user data
  • document.write with user input
  • dangerouslySetInnerHTML in React
  • Unescaped template output
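
Added example, not MergeGuide's code: the innerHTML-style sink this policy flags beside the output encoding that neutralizes the same input. It runs under Node without a DOM, so the render functions return the markup string that would otherwise be assigned to innerHTML; escapeHtml, tagNames and the two payloads are this example's own, and tagNames is a rough check for the demo rather than a sanitizer.

```javascript
// Added example, not MergeGuide's code: the innerHTML-style sink no-xss flags
// and the output encoding that neutralizes the same input. It runs under Node
// without a DOM, so the render functions return the markup string that would
// be assigned; tagNames is this example's own rough check, not a sanitizer.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encodes a value for an HTML text node or a quoted attribute value.
// Other contexts (URLs, inline script, CSS) need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Flagged pattern: untrusted data interpolated straight into markup, i.e. what
// ends up in `el.innerHTML = ...` or dangerouslySetInnerHTML.
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Accepted pattern: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}"><p>${escapeHtml(body)}</p></div>`;
}

// Lists the element names a browser would create from the markup.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed attacker input: one payload for the text context, one for the attribute context.
const BODY_PAYLOAD = '<img src=x onerror="alert(1)">';
const AUTHOR_PAYLOAD = 'mallory" onmouseover="alert(2)';

console.log(renderCommentUnsafe(AUTHOR_PAYLOAD, BODY_PAYLOAD)); // img element plus a new event-handler attribute
console.log(renderCommentSafe(AUTHOR_PAYLOAD, BODY_PAYLOAD));   // both payloads render as inert text
```

In browser code the simplest fix is usually to avoid the sink altogether (textContent, or framework bindings that escape by default) and reserve innerHTML for markup that never contains user data.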

no-eval

Detects dangerous dynamic code execution.
Property     Value
ID           no-eval
Severity     Error
Languages    JavaScript, TypeScript, Python
Frameworks   NIST SSDF PW, CIS 16.4
Detects:
  • eval() function calls
  • new Function() constructors
  • setTimeout/setInterval with strings
  • exec() in Python

no-command-injection

Detects potential command injection vulnerabilities.
Property     Value
ID           no-command-injection
Severity     Error
Languages    JavaScript, Python, Ruby, PHP
Frameworks   OWASP ASVS V5
Detects:
  • Shell commands with user input
  • child_process.exec with variables
  • os.system() with user data

Code Quality Policies

no-console-in-production

Detects console statements that shouldn’t be in production.
Property     Value
ID           no-console-in-production
Severity     Warning
Languages    JavaScript, TypeScript
Detects:
  • console.log()
  • console.debug()
  • console.info()
  • console.warn() (configurable)
  • console.error() (configurable)
Configuration:
policies:
  no-console-in-production:
    enabled: true
    severity: warning
    settings:
      allow_warn: true
      allow_error: true

no-debugger

Detects debugger statements.
Property     Value
ID           no-debugger
Severity     Error
Languages    JavaScript, TypeScript, Python

require-error-handling

Detects unhandled promise rejections and missing try-catch.
Property     Value
ID           require-error-handling
Severity     Warning
Languages    JavaScript, TypeScript
Detects:
  • Promises without .catch()
  • Async functions without try-catch
  • Unhandled rejection patterns

no-todo-in-production

Detects TODO/FIXME comments.
Property     Value
ID           no-todo-in-production
Severity     Info
Languages    All

Configuration Policies

no-debug-config

Detects debug configuration in production code.
Property     Value
ID           no-debug-config
Severity     Warning
Languages    All
Detects:
  • DEBUG=true
  • NODE_ENV=development
  • Debug flags in config files

require-https

Detects plaintext http:// URLs outside the hosts allowed by the configuration below.
Property     Value
ID           require-https
Severity     Warning
Languages    All
Configuration:
policies:
  require-https:
    enabled: true
    settings:
      allow_localhost: true
      allowed_domains:
        - internal.company.com

no-cors-wildcard

Detects overly permissive CORS configuration.
Property     Value
ID           no-cors-wildcard
Severity     Warning
Languages    JavaScript, TypeScript, Python
Detects:
  • Access-Control-Allow-Origin: *
  • cors({ origin: '*' })

Enabling/Disabling Policies

Global Configuration

In .mergeguide.yaml:
policies:
  # Disable a policy
  no-todo-in-production:
    enabled: false

  # Change severity
  no-console-in-production:
    severity: error

  # Enable with custom settings
  no-hardcoded-secrets:
    enabled: true
    settings:
      detect_aws_keys: true

Per-File Override

// mergeguide-disable no-console-in-production
console.log("This is allowed");
// mergeguide-enable no-console-in-production

Per-Line Override

console.log("Allowed"); // mergeguide-ignore-line no-console-in-production
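
Added example, not MergeGuide's implementation: one way the `policies:` block of .mergeguide.yaml and the per-file and per-line override comments could combine to decide which findings are reported. It covers both the global configuration and the override comments above. The built-in defaults table, the toy detectors in RULES and the exact override semantics (a disable runs until the next enable for the same policy, or to the end of the file if there is none; ignore-line covers only its own line and only the named policy) are this example's assumptions, and the YAML is taken as already parsed into a plain object.

```javascript
// Added example, not MergeGuide's implementation: how the policies block of
// .mergeguide.yaml and the in-file override comments could combine to decide
// what gets reported. The built-in defaults table, the toy rules and the exact
// override semantics (a disable runs until the next enable for the same policy
// or the end of the file; ignore-line covers only its own line) are this
// example's assumptions.

const BUILTIN_DEFAULTS = {
  "no-console-in-production": { enabled: true, severity: "warning", settings: { allow_warn: true, allow_error: true } },
  "no-debugger": { enabled: true, severity: "error", settings: {} },
  "no-todo-in-production": { enabled: true, severity: "info", settings: {} },
};

// Overlay the user's `policies:` mapping (already parsed from YAML) on the defaults.
// Unspecified keys keep their default, so `severity: error` alone leaves the policy enabled.
function resolvePolicies(overrides, defaults = BUILTIN_DEFAULTS) {
  const resolved = {};
  for (const [id, base] of Object.entries(defaults)) {
    const o = overrides[id] || {};
    resolved[id] = {
      enabled: o.enabled ?? base.enabled,
      severity: o.severity ?? base.severity,
      settings: { ...base.settings, ...(o.settings || {}) },
    };
  }
  return resolved;
}

// Reads the override comments and returns isSuppressed(policyId, lineNumber).
function buildSuppressions(source) {
  const lines = source.split("\n");
  const ranges = [];           // { id, start, end } from disable/enable pairs
  const ignored = new Set();   // "policyId:line" from ignore-line
  const open = new Map();      // policyId -> line of an unmatched disable
  lines.forEach((text, idx) => {
    const n = idx + 1;
    let m;
    if ((m = /\/\/\s*mergeguide-disable\s+([\w-]+)/.exec(text))) {
      open.set(m[1], n);
    } else if ((m = /\/\/\s*mergeguide-enable\s+([\w-]+)/.exec(text)) && open.has(m[1])) {
      ranges.push({ id: m[1], start: open.get(m[1]), end: n });
      open.delete(m[1]);
    } else if ((m = /\/\/\s*mergeguide-ignore-line\s+([\w-]+)/.exec(text))) {
      ignored.add(`${m[1]}:${n}`);
    }
  });
  for (const [id, start] of open) ranges.push({ id, start, end: lines.length });
  return (id, line) =>
    ignored.has(`${id}:${line}`) || ranges.some((r) => r.id === id && line >= r.start && line <= r.end);
}

// Toy detectors standing in for the real policies; enough to exercise the overrides.
const RULES = [
  { id: "no-console-in-production", re: /\bconsole\.(?:log|debug|info)\(/ },
  { id: "no-debugger", re: /^\s*debugger\b/ },
  { id: "no-todo-in-production", re: /\/\/\s*(?:TODO|FIXME)\b/ },
];

function report(source, overrides) {
  const policies = resolvePolicies(overrides);
  const isSuppressed = buildSuppressions(source);
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    for (const rule of RULES) {
      const policy = policies[rule.id];
      if (!policy.enabled || !rule.re.test(text) || isSuppressed(rule.id, line)) continue;
      findings.push({ line, policy: rule.id, severity: policy.severity });
    }
  });
  return findings;
}

// Constructed input: the override snippets from this page plus a few extra lines.
const SAMPLE = [
  "// mergeguide-disable no-console-in-production",
  'console.log("This is allowed");',
  "// mergeguide-enable no-console-in-production",
  'console.log("reported, at the severity configured below");',
  'console.log("Allowed"); // mergeguide-ignore-line no-console-in-production',
  "debugger; // mergeguide-ignore-line no-console-in-production",
  "// TODO: remove before release",
].join("\n");

// The global configuration shown above, as the parsed `policies:` mapping.
const OVERRIDES = {
  "no-todo-in-production": { enabled: false },
  "no-console-in-production": { severity: "error" },
};

console.log(report(SAMPLE, OVERRIDES));
```

Line 6 of the sample is the case worth noticing: an ignore-line comment names a specific policy, so the `debugger` statement is still reported even though the line carries an override for no-console-in-production.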

Policy Categories

View policies by category in the dashboard:
Category        Policies
Security        no-hardcoded-secrets, no-sql-injection, no-xss, no-eval, no-command-injection
Quality         no-console-in-production, no-debugger, require-error-handling, no-todo-in-production
Configuration   no-debug-config, require-https, no-cors-wildcard

Framework Mapping

Policies map to compliance frameworks. MergeGuide supports 18 frameworks; the table below lists the built-in policies most relevant to each:
Framework           Relevant Built-in Policies
NIST SSDF           no-hardcoded-secrets, no-eval, no-sql-injection, no-command-injection
OWASP Top 10        no-sql-injection, no-xss, no-command-injection, no-eval
OWASP ASVS L1/L2    no-sql-injection, no-xss, no-command-injection, require-https, no-cors-wildcard
CWE Top 25          no-sql-injection, no-xss, no-command-injection, no-hardcoded-secrets, no-eval
CIS Controls        no-hardcoded-secrets, no-eval, require-https, no-cors-wildcard
SOC 2               no-hardcoded-secrets, require-https, no-debug-config
HIPAA               no-hardcoded-secrets, no-debug-config, require-https
PCI-DSS             no-hardcoded-secrets, no-sql-injection, require-https, no-eval
ISO 27001           no-hardcoded-secrets, require-https, no-cors-wildcard
GDPR                no-hardcoded-secrets, no-debug-config
FedRAMP             no-hardcoded-secrets, require-https, no-debug-config
EU AI Act           no-hardcoded-secrets, no-eval
DORA                no-hardcoded-secrets, require-https, no-debug-config
NIS2                no-hardcoded-secrets, require-https, no-eval
SLSA                no-hardcoded-secrets, no-eval
StateRAMP           no-hardcoded-secrets, require-https, no-debug-config
Colorado AI Act     no-hardcoded-secrets, no-eval
See the dashboard under Compliance > Frameworks for the complete control-level mapping for each framework.