Available Tags

Complete reference of all tags available for categorizing rules in diffray.

Tags help organize rules, filter findings in reports, and group related checks. When writing custom rules, use tags from this list for consistency.

Tag Usage

rules:
  - id: my_custom_rule
    # ... other fields
    tags:
      - security
      - typescript
      - owasp

Most Used Tags

These are the most frequently used tags across all default rules:

Tag	Usage Count	Description
`bugs`	308	Bug detection and prevention
`typescript`	296	TypeScript-specific rules
`maintainability`	275	Code maintainability patterns
`security`	237	Security vulnerabilities and best practices
`performance`	235	Performance optimization
`javascript`	234	JavaScript-specific rules
`python`	171	Python-specific rules
`readability`	157	Code readability and clarity
`error-handling`	141	Exception and error management
`java`	136	Java-specific rules
`style-conventions`	131	Naming and style conventions
`csharp`	128	C# and .NET rules
`architecture`	107	Architectural patterns and design
`quality`	95	General code quality
`go`	95	Go language rules
`ruby`	92	Ruby and Rails rules
`database`	79	Database and SQL patterns
`best-practices`	79	Industry best practices
`testing`	78	Testing and test quality
`php`	77	PHP-specific rules

Tags by Category

Language-Specific Tags

Frontend Languages

Tag	Description
`typescript`	TypeScript code patterns
`javascript`	JavaScript code patterns
`react`	React and JSX patterns
`vue`	Vue.js patterns
`svelte`	Svelte patterns
`angular`	Angular patterns
`nextjs`	Next.js specific rules
`nuxt`	Nuxt.js specific rules
`jsx`	JSX syntax rules
`tsx`	TSX syntax rules
`html`	HTML markup rules
`css`	CSS styling rules
`scss`	SCSS/Sass rules

Backend Languages

Tag	Description
`python`	Python code patterns
`java`	Java code patterns
`go`	Go language patterns
`ruby`	Ruby code patterns
`php`	PHP code patterns
`rust`	Rust code patterns
`kotlin`	Kotlin code patterns
`swift`	Swift code patterns
`csharp`	C# and .NET patterns
`nodejs`	Node.js specific patterns
`scala`	Scala code patterns
`cpp`	C++ code patterns

Database & ORM

Tag	Description
`sql`	SQL query patterns
`database`	General database patterns
`postgresql`	PostgreSQL specific
`mysql`	MySQL specific
`orm`	ORM usage patterns
`prisma`	Prisma ORM rules
`typeorm`	TypeORM rules
`sequelize`	Sequelize ORM rules
`activerecord`	ActiveRecord (Rails) rules
`hibernate`	Hibernate (Java) rules

Framework Tags

Tag	Description
`react-patterns`	React design patterns
`hooks`	React hooks patterns
`state-management`	State management libraries
`redux`	Redux patterns
`express`	Express.js patterns
`fastapi`	FastAPI patterns
`django`	Django patterns
`rails`	Ruby on Rails patterns
`spring`	Spring Framework patterns
`laravel`	Laravel (PHP) patterns
`flask`	Flask patterns
`nestjs`	NestJS patterns

Stack Tags

Use these to target rules for specific tech stacks:

Tag	Description
`stack-python`	Python stack rules
`stack-nodejs`	Node.js stack rules
`stack-react`	React stack rules
`stack-vue`	Vue.js stack rules
`stack-nextjs`	Next.js stack rules
`stack-php`	PHP stack rules
`stack-flutter`	Flutter/Dart stack rules
`stack-dart`	Dart stack rules

Security Tags

Core Security

Tag	Description
`security`	General security issues
`owasp`	OWASP guidelines
`owasp-top10`	OWASP Top 10 vulnerabilities
`owasp-a01`	OWASP A01: Broken Access Control
`owasp-a03`	OWASP A03: Injection
`owasp-a07`	OWASP A07: Auth Failures
`authentication`	Authentication issues
`authorization`	Authorization issues
`access-control`	Access control problems
`encryption`	Encryption usage
`cryptography`	Cryptographic issues

Vulnerability Types

Tag	Description
`injection`	All injection types
`sql-injection`	SQL injection vulnerabilities
`command-injection`	Command injection
`code-injection`	Code injection
`template-injection`	Template injection (SSTI)
`xss`	Cross-site scripting
`xss-prevention`	XSS prevention patterns
`csrf`	Cross-site request forgery
`csrf-prevention`	CSRF prevention
`ssrf`	Server-side request forgery
`idor`	Insecure direct object reference
`path-traversal`	Path traversal attacks
`rce`	Remote code execution
`open-redirect`	Open redirect vulnerabilities

Secrets & Credentials

Tag	Description
`secrets`	Secret detection
`credentials`	Credential exposure
`secrets-credentials`	Combined secrets/credentials
`api-keys`	API key exposure
`api-security`	API security patterns
`hardcoded-secrets`	Hardcoded secrets

Session & Auth

Tag	Description
`session-management`	Session handling
`session-security`	Session security
`session-fixation`	Session fixation attacks
`authentication-bypass`	Auth bypass risks
`least-privilege`	Least privilege principle
`zero-trust`	Zero trust patterns

Compliance Tags

Tag	Description
`compliance`	General compliance
`compliance-gdpr`	GDPR compliance
`compliance-soc2`	SOC 2 compliance
`compliance-soc2-essentials`	SOC 2 essential controls
`compliance-hipaa`	HIPAA compliance
`compliance-pci-dss`	PCI DSS compliance
`compliance-lgpd`	LGPD (Brazil) compliance
`compliance-ccpa`	CCPA compliance
`pii`	Personal identifiable information
`pii-protection`	PII protection
`privacy`	Privacy concerns
`privacy-pii`	Privacy and PII
`phi`	Protected health information
`gdpr`	GDPR specific
`hipaa`	HIPAA specific
`soc2`	SOC 2 specific
`pci-dss`	PCI DSS specific

Code Quality Tags

Quality Metrics

Tag	Description
`quality`	General code quality
`maintainability`	Code maintainability
`readability`	Code readability
`code-complexity`	Cyclomatic complexity
`complexity`	General complexity
`code-smells`	Code smell patterns
`code-smell`	Single code smell
`duplication`	Code duplication
`dead-code`	Unused/dead code
`technical-debt`	Technical debt

Style & Conventions

Tag	Description
`style-conventions`	Style conventions
`style-consistency`	Style consistency
`code-style`	Code style rules
`naming`	Naming issues
`naming-conventions`	Naming conventions
`formatting`	Code formatting

Design Principles

Tag	Description
`architecture`	Architectural patterns
`design-patterns`	Design pattern usage
`design-pattern`	Single design pattern
`anti-pattern`	Anti-pattern detection
`solid`	SOLID principles
`srp`	Single responsibility
`dry`	Don't repeat yourself
`dry-principle`	DRY principle
`refactoring`	Refactoring needed
`modularity`	Module organization
`encapsulation`	Encapsulation issues
`dependency-injection`	DI patterns

Architecture Tags

Tag	Description
`clean-architecture`	Clean architecture
`layered-architecture`	Layered architecture
`microservices`	Microservices patterns
`monorepo-hygiene`	Monorepo best practices
`api-design`	API design patterns

Performance Tags

Tag	Description
`performance`	General performance
`optimization`	Code optimization
`memory-leak`	Memory leak detection
`memory-safety`	Memory safety
`memory-optimization`	Memory optimization
`memory-management`	Memory management
`resource-leak`	Resource leak detection
`resource-cleanup`	Resource cleanup
`resource-exhaustion`	Resource exhaustion

Database Performance

Tag	Description
`query-optimization`	Query optimization
`n-plus-one`	N+1 query problem
`lazy-loading`	Lazy loading patterns
`eager-loading`	Eager loading patterns
`indexing`	Database indexing
`caching`	Caching patterns
`caching-strategy`	Caching strategies

Frontend Performance

Tag	Description
`bundle-size`	Bundle size optimization
`code-splitting`	Code splitting
`compression`	Compression usage

Concurrency

Tag	Description
`concurrency`	Concurrency issues
`race-condition`	Race conditions
`deadlock`	Deadlock detection
`threading`	Threading issues
`timeout`	Timeout handling

Error Handling Tags

Tag	Description
`error-handling`	Error handling patterns
`exception-handling`	Exception handling
`null-safety`	Null safety checks
`null-pointer`	Null pointer issues
`nil-safety`	Nil safety (Go/Ruby)
`edge-cases`	Edge case handling
`bounds-check`	Bounds checking
`overflow`	Overflow detection
`underflow`	Underflow detection
`runtime-error`	Runtime error prevention
`panic`	Panic handling (Go/Rust)
`crash`	Crash prevention

Testing Tags

Tag	Description
`testing`	General testing
`testing-quality`	Test quality
`test-quality`	Test quality metrics
`test-coverage`	Test coverage
`unit-testing`	Unit test patterns
`integration-testing`	Integration tests
`e2e`	End-to-end testing
`end-to-end`	E2E testing
`test-isolation`	Test isolation
`flaky-tests`	Flaky test detection
`mocking`	Mocking patterns
`fixtures`	Test fixtures
`test-data`	Test data management
`brittleness`	Test brittleness
`determinism`	Test determinism
`testability`	Code testability

Testing Frameworks

Tag	Description
`jest`	Jest patterns
`mocha`	Mocha patterns
`vitest`	Vitest patterns
`cypress`	Cypress patterns
`playwright`	Playwright patterns
`pytest`	Pytest patterns

API Tags

Tag	Description
`api`	General API patterns
`api-design`	API design
`api-documentation`	API documentation
`api-security`	API security
`rest`	REST API patterns
`rest-api`	REST API rules
`graphql`	GraphQL patterns
`grpc`	gRPC patterns
`http`	HTTP patterns
`http-client`	HTTP client usage
`http-headers`	HTTP headers
`cors`	CORS configuration
`webhooks`	Webhook patterns
`rate-limiting`	Rate limiting
`status-codes`	HTTP status codes

Infrastructure & DevOps Tags

Tag	Description
`infrastructure`	Infrastructure code
`devops`	DevOps patterns
`ci-cd`	CI/CD pipelines
`deployment`	Deployment patterns
`kubernetes`	Kubernetes patterns
`docker`	Docker patterns
`dockerfile`	Dockerfile rules
`container-docker-hygiene`	Container best practices
`aws`	AWS patterns
`azure`	Azure patterns
`gcp`	GCP patterns

Infrastructure as Code

Tag	Description
`terraform`	Terraform patterns
`infrastructure-as-code`	IaC patterns
`iac`	IaC abbreviation
`infra-as-code`	IaC patterns
`cloudformation`	CloudFormation
`aws-cdk`	AWS CDK patterns
`pulumi`	Pulumi patterns

CI/CD

Tag	Description
`github-actions`	GitHub Actions
`gitlab-ci`	GitLab CI
`jenkins`	Jenkins patterns

Observability Tags

Tag	Description
`observability`	Observability patterns
`logging`	Logging patterns
`debugging`	Debug code detection
`tracing`	Distributed tracing
`metrics`	Metrics collection
`monitoring`	Monitoring patterns
`audit`	Audit requirements
`audit-logging`	Audit logging
`error-boundary`	Error boundaries

Accessibility Tags

Tag	Description
`accessibility`	General accessibility
`accessibility-a11y`	A11y patterns
`a11y`	Accessibility shorthand
`wcag`	WCAG compliance
`wcag-1-4-1`	Specific WCAG criteria
`keyboard-navigation`	Keyboard navigation
`screen-reader`	Screen reader support
`aria`	ARIA attributes
`semantic-html`	Semantic HTML

Documentation Tags

Tag	Description
`documentation`	Documentation issues
`docstring`	Docstring requirements
`docstrings`	Multiple docstrings
`jsdoc`	JSDoc comments
`javadoc`	Javadoc comments
`readme`	README files
`changelog`	Changelog maintenance
`comments`	Code comments
`api-documentation`	API docs

Reliability & Resilience Tags

Tag	Description
`reliability`	Reliability patterns
`resilience`	Resilience patterns
`availability`	Availability concerns
`high-availability`	HA patterns
`disaster-recovery`	DR patterns
`scalability`	Scalability patterns
`bulk-operations`	Bulk operation safety

Using Tags Effectively

Filtering by Tags

Tags can be used to filter rules in your .diffray/config.yaml:

# Only run security-related rules
rules:
  include_tags:
    - security
    - owasp

# Exclude certain tags from review
rules:
  exclude_tags:
    - style-conventions
    - documentation

Combining Tags

Use multiple tags to precisely categorize rules:

rules:
  - id: py_sql_injection
    tags:
      - security          # Category
      - python           # Language
      - sql-injection    # Specific vulnerability
      - owasp-a03        # Compliance reference

Creating Custom Tags

While using standard tags is recommended for consistency, you can create custom tags for project-specific needs:

rules:
  - id: internal_api_auth
    tags:
      - security
      - internal-api      # Custom tag
      - team-platform     # Custom tag

See also:

Writing Effective Rules — how to create custom rules
Project-Specific Rules — examples of custom rules
Agents — specialized review agents

Tag Usage​

Most Used Tags​

Tags by Category​

Language-Specific Tags​

Frontend Languages​

Backend Languages​

Database & ORM​

Framework Tags​

Stack Tags​

Security Tags​

Core Security​

Vulnerability Types​

Secrets & Credentials​

Session & Auth​

Compliance Tags​

Code Quality Tags​

Quality Metrics​

Style & Conventions​

Design Principles​

Architecture Tags​

Performance Tags​

Database Performance​

Frontend Performance​

Concurrency​

Error Handling Tags​

Testing Tags​

Testing Frameworks​

API Tags​

Infrastructure & DevOps Tags​

Infrastructure as Code​

CI/CD​

Observability Tags​

Accessibility Tags​

Documentation Tags​

Reliability & Resilience Tags​

Using Tags Effectively​

Filtering by Tags​

Combining Tags​

Creating Custom Tags​