Rules Overview
All built-in VGuard rules.
VGuard ships with 35 built-in rules across 3 categories.
Security Rules (11)
| Rule | Severity | Description |
|---|---|---|
| security/branch-protection | block | Blocks writes to protected branches |
| security/destructive-commands | block | Blocks dangerous shell commands |
| security/secret-detection | block | Detects API keys, tokens, passwords |
| security/prompt-injection | warn | Detects injection patterns in fetched content |
| security/dependency-audit | warn | Flags suspicious package installations |
| security/env-exposure | block | Prevents env variable leakage in client code |
| security/rls-required | warn | Ensures Row Level Security on SQL tables |
| security/unsafe-eval | block | Blocks eval(), new Function(), string setTimeout |
| security/no-hardcoded-urls | warn | Flags hardcoded localhost and API URLs |
| security/xss-prevention | warn | Warns about dangerouslySetInnerHTML, innerHTML, v-html |
| security/sql-injection | block | Blocks string-interpolated SQL queries |
Quality Rules (15)
| Rule | Severity | Description |
|---|---|---|
| quality/import-aliases | block | Enforces path aliases over deep relative imports |
| quality/no-use-client-in-pages | block | No "use client" in Next.js pages/layouts |
| quality/naming-conventions | block | PascalCase components, use-prefixed hooks |
| quality/no-deprecated-api | block | Catches deprecated API usage |
| quality/anti-patterns | warn | CSS in Tailwind, inline styles, console.log |
| quality/no-console-log | warn | Detects console.log in production code |
| quality/max-file-length | warn | Warns when files exceed length threshold |
| quality/file-structure | warn | Components/hooks in correct directories |
| quality/hallucination-guard | warn | Verifies imports exist on disk |
| quality/test-coverage | warn | Warns when files have no tests |
| quality/dead-exports | warn | Detects unused exports |
| quality/no-any-type | warn | Flags use of the "any" type in TypeScript |
| quality/error-handling | warn | Warns about empty catch blocks |
| quality/a11y-jsx | warn | Accessibility checks: missing alt, onClick on divs |
| quality/magic-numbers | info | Flags numeric literals that should be constants |
Workflow Rules (9)
| Rule | Severity | Description |
|---|---|---|
| workflow/commit-conventions | warn | Conventional commit format |
| workflow/pr-reminder | info | Reminds about unpushed work at session end |
| workflow/migration-safety | warn | Dangerous SQL patterns |
| workflow/review-gate | warn | Warns on direct commits to main |
| workflow/todo-tracker | info | Tracks TODO/FIXME comments |
| workflow/changelog-reminder | info | Reminds to update CHANGELOG |
| workflow/format-on-save | info | Suggests running formatter |
| workflow/branch-naming | warn | Enforces branch naming conventions |
| workflow/lockfile-consistency | warn | Reminds to update lockfile after dependency changes |